2021-04-29 12:09:36 +02:00
# gnupg
**TODO**:
* Currently using a graphical pinentry; this makes the setup dependent on X11/Wayland
* could this be done with holo?
* default to the terminal pinentry
* `de-p1st-gnupg-x11` then changes the `/etc/skel` files to use the graphical pinentry
GnuPG German mini-HowTo:
* [pdf](GnuPG_MiniHowto_ger_20200215.pdf)
One can use `/etc/gnupg/gpgconf.conf` to configure gpg and gpg-agent system-wide. However, not all options are available there; list the ones that are with:
```shell
gpgconf --list-options gpg
gpgconf --list-options gpg-agent
```
Using a smartcard:
* kuketz-blog.de: [gnupg-public-key-authentifizierung-nitrokey-teil3](https://www.kuketz-blog.de/gnupg-public-key-authentifizierung-nitrokey-teil3/)
* [gnupg.org -> Invoking-GPG_AGENT](https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html)
Note about login shell:
> `/etc/profile` This file should be sourced by all POSIX sh-compatible shells upon login: it sets up $PATH and other environment variables and application-specific (/etc/profile.d/*.sh) settings upon login.
## gpg.conf
Location: `~/.gnupg/gpg.conf`
* https://riseup.net/en/security/message-security/openpgp/best-practices
* https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf
## gpg-agent.conf
Location: `~/.gnupg/gpg-agent.conf`
```
# List available pinentries: pacman -Ql pinentry | grep /usr/bin/
# If a graphical application shall use one's smartcard, a graphical pinentry program must be specified here.
pinentry-program /usr/bin/pinentry-gnome3
# Enable ssh to use a smartcard for authentication (gpg-agent then also serves the ssh-agent protocol).
enable-ssh-support
```
Debug options:
```
debug-pinentry
debug ipc
verbose
log-file /home/__USER__/.gnupg/logfile.log
```
`gnupg` depends on `pinentry`, and `pinentry-gnome3` is part of the `pinentry` package:
```
$ pacman -F /usr/bin/pinentry-gnome3
usr/bin/pinentry-gnome3 is owned by core/pinentry 1.1.1-1
```
## Graphical Login: /etc/profile.d/*.sh, bashrc, .zshrc.local
* Archwiki: [GnuPG#Configure_pinentry_to_use_the_correct_TTY](https://wiki.archlinux.org/index.php/GnuPG#Configure_pinentry_to_use_the_correct_TTY)
* These shell lines are required by the gnupg documentation in the chapter `Invoking GPG-AGENT`
* `man 1 gpg-agent` -> EXAMPLES -> set the env variable `GPG_TTY` in your login shell
One's login shell should run this:
```shell
GPG_TTY=$(tty)
export GPG_TTY
gpg-connect-agent updatestartuptty /bye >/dev/null
```
## SSH_AUTH_SOCK: /etc/profile.d/*.sh, bashrc, .zshrc.local
* Archwiki: [GnuPG#Set_SSH_AUTH_SOCK](https://wiki.archlinux.org/index.php/GnuPG#Set_SSH_AUTH_SOCK)
One's login shell should run this:
```shell
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
    SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
    export SSH_AUTH_SOCK
fi
```
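The two login-shell snippets above (the `GPG_TTY` one under "Graphical Login" and the `SSH_AUTH_SOCK` one here) can live in a single `/etc/profile.d/*.sh` file. The following is an added example, not part of the original notes or of any gnupg package: it keeps the documented `gnupg_SSH_AUTH_SOCK_by` check, only sets `GPG_TTY` when the shell actually has a terminal, and tolerates a host where gnupg is not installed yet. The function names are this example's own; `gpgconf --list-dirs agent-ssh-socket` and `gpg-connect-agent updatestartuptty /bye` are the real calls from the man page, and the fallback socket path is the GnuPG default under the user runtime directory.

```shell
#!/bin/sh
# Added example: combined GPG_TTY + SSH_AUTH_SOCK setup for a login shell.
# Function names are hypothetical; the gpgconf / gpg-connect-agent calls are real.

# Print the path of gpg-agent's ssh socket. gpgconf is authoritative; if it is
# missing or prints nothing, fall back to GnuPG's default socket directory.
gpg_ssh_socket_path() {
    if command -v gpgconf >/dev/null 2>&1 &&
       p=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null) && [ -n "$p" ]; then
        printf '%s\n' "$p"
    else
        printf '%s/gnupg/S.gpg-agent.ssh\n' "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
    fi
}

# Same test as the man page snippet: gpg-agent sets gnupg_SSH_AUTH_SOCK_by to the
# PID of a shell it started itself; in that shell SSH_AUTH_SOCK is already correct.
# $1: value of gnupg_SSH_AUTH_SOCK_by (may be empty), $2: PID of the current shell.
gpg_should_set_ssh_sock() {
    [ "${1:-0}" -ne "$2" ]
}

setup_gpg_env() {
    # Only export GPG_TTY when stdin is a terminal: without one, tty prints
    # "not a tty" and a curses pinentry could not use it anyway.
    if t=$(tty 2>/dev/null) && [ -t 0 ]; then
        GPG_TTY="$t"
        export GPG_TTY
        # Tell an already running agent which tty to use for pinentry.
        # Failures (agent not started yet) must never break the login.
        if command -v gpg-connect-agent >/dev/null 2>&1; then
            gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1 || true
        fi
    fi

    # Point ssh at gpg-agent instead of a separate ssh-agent.
    unset SSH_AGENT_PID
    if gpg_should_set_ssh_sock "${gnupg_SSH_AUTH_SOCK_by:-0}" "$$"; then
        SSH_AUTH_SOCK="$(gpg_ssh_socket_path)"
        export SSH_AUTH_SOCK
    fi
}

setup_gpg_env
```

Source this from `/etc/profile.d/` (or `.bashrc` / `.zshrc.local`) rather than executing it, because the exported variables have to land in the interactive shell. Note that every process in the session can then talk to the agent over `SSH_AUTH_SOCK`; with a smartcard each signature still goes through the pinentry, which is what makes this acceptable.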