From 0721effd725bf519f9091e9a05d9933a8ef0740f Mon Sep 17 00:00:00 2001
From: Daniel Langbein
Date: Tue, 15 Jun 2021 12:39:36 +0200
Subject: [PATCH] gnupg

---
 pkg/de-p1st-dns/TESTED | 1 +
 ...F3D3DDAC22802258FC044B6C47C753F0823002.pub | 74 +++++++++++++++++++
 pkg/de-p1st-gnupg/99_import_pubkey.sh | 16 ++++
 pkg/de-p1st-gnupg/PKGBUILD | 9 ++-
 pkg/de-p1st-gnupg/README.md | 60 ++++++++++++---
 ...oloscript => interactive-shell.holoscript} | 10 ++-
 pkg/de-p1st-installer/PKGBUILD | 2 +-
 pkg/de-p1st-installer/example-vbox.cfg | 5 +-
 8 files changed, 160 insertions(+), 17 deletions(-)
 create mode 100644 pkg/de-p1st-dns/TESTED
 create mode 100644 pkg/de-p1st-gnupg/94F3D3DDAC22802258FC044B6C47C753F0823002.pub
 create mode 100644 pkg/de-p1st-gnupg/99_import_pubkey.sh
 rename pkg/de-p1st-gnupg/{zshrc.holoscript => interactive-shell.holoscript} (72%)

diff --git a/pkg/de-p1st-dns/TESTED b/pkg/de-p1st-dns/TESTED
new file mode 100644
index 0000000..18956aa
--- /dev/null
+++ b/pkg/de-p1st-dns/TESTED
@@ -0,0 +1 @@
+no output on port 53 but encrypted output on 853
\ No newline at end of file
diff --git a/pkg/de-p1st-gnupg/94F3D3DDAC22802258FC044B6C47C753F0823002.pub b/pkg/de-p1st-gnupg/94F3D3DDAC22802258FC044B6C47C753F0823002.pub
new file mode 100644
index 0000000..70296d4
--- /dev/null
+++ b/pkg/de-p1st-gnupg/94F3D3DDAC22802258FC044B6C47C753F0823002.pub
@@ -0,0 +1,74 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF5AoWEBEAC5Hkcg9dQvIc+kUR33WYGUe2fMDi7X5ZlUOavAQ4BZpOSO0ewt
+b/x7Oc3stVvfWjkPhiOeCBmdpzcNDI6Ep1Pn7pcLVYlQ1o6imB0YvzdIDCGxQFZp
+toQNj2iKcFPEoA5LKVTXzKlahbrNrL99DQ/m8R4Y9Xjhw/jSS4L5hCAdLfFHmSEk
+9gkUHlUNA0udeeXHQykJzAPYXaRjzXm3h3dVerRmOaDDYfhwyozyT0cnlEOG5011
+B03+qO/jlzqqJBkPRpy+ingVo7LQE4zkw0I3yQi6/IJNtFmEzXP1E381vyKuAJtf
+P8SF+KNtYjJwPBVVcFfXAbyRab91F+QO8Rd31TOF/xPP0w8L5qFMqxhOsrs8xwOr
+YhVn/xV9KjKFRI6gsmr7QKRt4ISyJXCKASN/GsOUe3ed36EhXxVGk7dzb7b05A1s
+Xfpa37pKgA1AEjE5hxCCuMkQfjW8FvEosrJ+bSYTK9gdHcPo4SjYqjoBfW1rrhNG
+3r7HbHg6ZTZkeN67udXdmGNomhHvUQbPCZQ48fZoVTHglOx0ucQ7qcnFGU0AItWj
+qu7OH9fsQyHy0nXbddJyYmOsSBhMhzAHOT+VzWIOawmpKc2fgP9jQjwfovvADaxc
+BGTUU+nFviDcMBDtKRswME8vj+8sbVsaDfHZvTOuD61OGIVzJiLFWJSSqwARAQAB
+tCVEYW5pZWwgTGFuZ2JlaW4gPGRhbmllbEBzeXN0ZW1saS5vcmc+iQJOBBMBCgA4
+FiEElPPT3awigCJY/ARLbEfHU/CCMAIFAl5AoWECGwMFCwkIBwMFFQoJCAsFFgID
+AQACHgECF4AACgkQbEfHU/CCMALcNhAAif0ulNF9Iv4CnrwSncnvWsP8qv9ZR+dN
+GKkmhRVHiuFI+RGPsZmNRDIh8OCDX0N3ZsRZnKqhIHTOo2MH7XKgANE5abvpS2EO
+iaXqDVcfFhwlQm/fngo2ZO0CVN+UBdxbfqPh+/EGfSMklo41a/DBJSZHObMStMfS
+Qk8H6SDYI4z/BN26UByjd3VWG/SQhvbu3i8TYXtdxbjLA/HGCczJEH31jR/J/upO
+8WHI5ijm0uvsPXfc1plVTOqrUwUl6R6ynqGAMvJZqjBm4ITcvgh9Q8iFxD5jeemJ
+ltM1u5GzG/km+Gb57TCd2MHD3WMad4QL+gkMPJUHEjhb1ez/+vatmwALNSNOkYUI
+AIU2TJ/CQfVe4SHeoCgb4G2PCMi2wFczrYafAfCZggZWifMkclD5R2lri53ax3XZ
+3tuw1J0GxibK+acKEajhzX9VNP9KcsJaoncqGY0KMJp2/sg0o2ocNrPqzUyhyP49
+p/qcpugWmZebzV/zE4zjhC1ZZJXad2SYqylC5QzuCRq0WBC8idv3SeNLnm63IsHu
+bBs9tFNdbP5FjgfVrDvo18UXC80MvtoaGrEq568iTp/XjZQ4vhmrynBES9Ah7vsR
+uLhcJRTqqb5AprXPQ5OEWudhuqIzOZbT2pJlYToyD/l4pQEsxFIf9UMSlJeVmL7y
+RE7iZCw0Bcy5Ag0EXkChYQEQAPt7FK6vYfGXK9glVI5IOoG97kMGnISmwioFl/lr
+SfLeH/60VgQSrq2bHvbV2YcroaC3JhUZUcPQXc0zPOMMiOIALgLVYDJSH7+iTqz6
+YcwFXCcoY0WFtdglisCJjjXC+SyxOBHCrCP8KhkO9vlf/UyMahPZPjMb74Uvobbi
+Jng8E8Un09nJiD2VfM6HQkd57BodXmBznb79ZatMrqbd9dPbiMDuWe6q3JvDVmqR
+EZhmFOtbbtB6APlEB5jIuvS2qQETX9o/Jonw7QntBZ/x/F4G+lgZo8KOJC6UvsVd
+GLhsqfIT0Wml631gldEv5uWvF04Vjs6G1MsrCUB2wNHYPLN38w1VewI5qy6RBe52
+dHpVOoIXXMPNy+1thU8bgCiwhbuWFNXFJvwgnYqAc4K7IxQWXTlC4uH1cWAN46t3
+GsWORZj5igx5+H9LKQ3gPke6xiiKQaEsjJ0gurO9gtZO6a2HwDxCBi/2/Yo3NI7T
+o4Z1VVYS/L906o9A4hSZz+Hpy17/roXkzgzxLCfC/cP6nL1nYSBXCQCCQN5FQ9DQ
+S04YJDa9yN0WDF/wDS/fKVC1CckHFKwSBeBTvIcOkwpdMNdg2tqbBFYBBSZpWwHQ
+esL2D5Edg6ZNanKsouLp0pXi5bxr/q79wAJDh6jua3yl0Qf0HG0b+Ox4ebwFxNtD
+AY2XABEBAAGJAjYEGAEKACAWIQSU89PdrCKAIlj8BEtsR8dT8IIwAgUCXkChYQIb
+DAAKCRBsR8dT8IIwAsSiEACvYTFz8r79p3BOufn9vVqT3iy7Dq38Tz2otcTQJLmp
+TausS0ICza0VOs3zg5c5DkyDm87FXYUzHxM6qLZKQI0oyEOCih8hNoLHnZ5j2ZQM
+O7RUOzbXHBiB7trxcWKC6bgWIBRq11IdnZzIKeWaWxCDxt5MzeZD6gGJGb8zfvLS
+44JWmsnH3hEfXF6cO3yBWxptka9K0+ZD6RB93Kfaubs0cLaQKRwMuM+22icgvIpv
+/yISodwY9ELvlqgHDJjUQkBMrgEXeXreOsDh1qJAFHFxbhgXUIs2OUXrt39FKpZo
+bgQOO0yp8rFAf1gAcKVwI9kUWPYyK2zamKvloQQEn4zH87dwCJdCXgPcfx+XKD62
+FkZM9Ea2eMjtujcfoqZ6w0oZCvOxi/XadUReXj/4BZVFL0nWUCD2/5rX5I3iT1QW
+48LhCx/Ny0b8pcnwHqctJ6KnuOBR3QZuLhd7hvKYOMTUVQa9aEBFkmm7T75aKUki
+HNw3d2fqOY/+Z9ZvFRKGY31d9w14m05usLXqUQBZf/efcfsk/pcHP2Pn0ckSxuwo
+zHFIACkPMFgSfkZsBOVItp1JxeUp2pvFIhGkzOdWh5N9ufGmD66cSR3MCO/wynsU
+N+Glr782PDpzcUjpsirIoYir6I//yhDrRlKDE41Gp4r3bXNcFvgHmS/653ybqWl4
+9LkCDQReQKOcARAAqYIoQIPEM7uavgBlxy0e6fq60tcgdCpWW/2PxMGU9eRIRLbF
+DKgTEYmNE3YykFNG66MsoGZ8pnHC5gl74oRIJN85P4T/FRA5jecJhNrUQT0eJUo6
+PBNUfDe/RvoGhZMIvd0GIeezLBn2vZOLbxqyctMmg+xqz6rUH/iCLr1deFiUAKp4
+pE3WxakY5OSRnmq2C1O40imvvTZkeyUPTRMaMiD4JkP6XdF3NqrfJOVBn89xzPTA
+JiFUN9MISuptYmGfJ8RInR6363kMfDTmu7o6OM0J1dTWL0VIzm6/6siIT1Og2C09
+plUTbqUBSseiyN/DuFNd4XroFBaid876IN2g7K4hYr/I8yQCb1l8e0N06ioaohvV
+U5MAcNTQ2wgDlyohHTH4gmG3Qn6TYHXqVO+WzJaCXEkEFVKqB9rUIUm8Ci7kRYDp
+8mh6b1m4nlwUXFJ3xvIIOKeI6osMeZWsHhHjiDg/4uxtTI8ew49nLZ0/yC2rf8bH
+/mNFuHia923OS/YIYMOsLCmzUqsIxVAhXB3AESt4L0h/oTtvwaYDFaMr2YzuTzbl
+Kn7Ge2yCLOXA3cgf5ct4qyrmkc9ft8dceID4EojnI4ux8T8KIM4T7Mn6ESxzbfbS
+eV+JxdiM9TOUUyaW2QoushI/vUPORVYw++gRFrmXtfJEa8Ibi3/14CnRfbUAEQEA
+AYkCNgQYAQoAIBYhBJTz092sIoAiWPwES2xHx1PwgjACBQJeQKOcAhsgAAoJEGxH
+x1PwgjACWlsQAKOWGqOjBBEeS5bhhJ/6KgoDE7+qgIwPcqxEILYT+z96rTWmVC7I
+/7yext3ZAWf1gzT7+5Pp9IU8CvJf1TEaf/55roCuQ5R/EdVn81m7znBh9ADxKSTS
+xvKYa//gako4VIOj9Ejo4uExyCZiMSuWz62mcP43SghdL6ZOJW7jLtaNaZcN0bdv
+DJABfLsYIkBclYgK8yF07XwuXJ2pdYkP4lWpq4/282Or7CkwXtm25n+EepZfsPsx
+TlRJezYrnaEi7Anl3CU3eyCbTAoKp4DGzYxlnek7VKlMRaxTAoA4RU5F3TqZIOdm
+yG+2ol7Csn5shpvY+kNHeDe0v0vfpkhMOxHOQKvO5ApwKvAc3KuQaHbnCudY7fU0
+T+wqTAJEARz4KI8+ncYRBl7hUuiiR3sT/Q11mvl79Cldly8JJ1jRrXZVQzS2Y2S6
+tXVBxNckuyVTw7oR1jyq9pv5oVArBbxnNTuMhoptVrDqh2ifkMWHwqqVGy07YKy/
+qKYRlU2YOkdGz91RPcABf5uip+q6fqO1JAT8ddi0O9xuIUhvzKcOx2sxIVrGuejx
+XvsYEEf0HuHQ1mcOgWZLUYjt2UwClz9LRX/5pmPb2CUyf4Nt2PNgpNSk6jMAsw9c
+HOIRJevfUeTtJUGLzI5+40eR0a6ZYovb5L1SzR9EZjMKIdQvz7wQdPes
+=McwK
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/pkg/de-p1st-gnupg/99_import_pubkey.sh b/pkg/de-p1st-gnupg/99_import_pubkey.sh
new file mode 100644
index 0000000..bbe9fc9
--- /dev/null
+++ b/pkg/de-p1st-gnupg/99_import_pubkey.sh
@@ -0,0 +1,16 @@
+function import-pubkey() {
+ echo "Importing public key ..."
+
+ gpg --import /usr/share/gnupg/94F3D3DDAC22802258FC044B6C47C753F0823002.pub || {
+ echo "p1st: Error importing pubkey!";
+ return 1;
+ }
+ echo "94F3D3DDAC22802258FC044B6C47C753F0823002:6:" | gpg --import-ownertrust || {
+ echo "p1st: Error changing trust!"
+ return 1;
+ }
+}
+
+if ! gpg --export-ownertrust | grep --quiet '^94F3D3DDAC22802258FC044B6C47C753F0823002:6:$'; then
+ import-pubkey
+fi
diff --git a/pkg/de-p1st-gnupg/PKGBUILD b/pkg/de-p1st-gnupg/PKGBUILD
index eadd75e..d823fcd 100644
--- a/pkg/de-p1st-gnupg/PKGBUILD
+++ b/pkg/de-p1st-gnupg/PKGBUILD
@@ -2,8 +2,8 @@
 _pkgname=gnupg
 _reponame=arch
 pkgname="de-p1st-$_pkgname"
-pkgver=0.0.5
-pkgrel=2
+pkgver=0.0.6
+pkgrel=1
 pkgdesc="gnupg with configuration"
 arch=('any')
 url="https://codeberg.org/privacy1st/${_reponame}"
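Review bot: `function import-pubkey() {` is a bashism in a file this commit installs to `/etc/profile.d/`, which the README hunk in the same commit describes as sourced by all POSIX sh-compatible login shells; dash and other non-bash `sh` reject both the `function` keyword and the hyphen in the name, so the whole file fails to parse there and the function also stays defined in every interactive session afterwards. A portable spelling is `import_pubkey() {` with the call site changed to `import_pubkey`, and the diagnostics should go to stderr, e.g. `echo "p1st: Error importing pubkey!" >&2`, since profile.d output otherwise lands on the login shell's stdout. Separately, the `--import-ownertrust` line grants trust level 6 (ultimate) to this key for every account that logs in; ultimate trust makes every key certified by it fully valid for that user, so unless the script is meant only for the key owner's own accounts, level 5 (full) is the conservative default and a one-line comment above that line stating why 6 is required would help the next maintainer.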
@@ -32,5 +32,8 @@ package() { install -Dm0600 gpg.conf "$pkgdir"/etc/skel/.gnupg/gpg.conf install -Dm0600 gpg-agent.conf "$pkgdir"/etc/skel/.gnupg/gpg-agent.conf - install -Dm0544 zshrc.holoscript "$pkgdir"/usr/share/holo/files/"$pkgname"/etc/zsh/zshrc.holoscript + install -Dm0544 interactive-shell.holoscript "$pkgdir"/usr/share/holo/files/"$pkgname"/etc/bash.bashrc.holoscript + install -Dm0544 interactive-shell.holoscript "$pkgdir"/usr/share/holo/files/"$pkgname"/etc/zsh/zshrc.holoscript + + install -Dm0644 99_import_pubkey.sh "$pkgdir"/etc/profile.d/99_import_pubkey.sh } diff --git a/pkg/de-p1st-gnupg/README.md b/pkg/de-p1st-gnupg/README.md index f5153af..8735f9a 100644 --- a/pkg/de-p1st-gnupg/README.md +++ b/pkg/de-p1st-gnupg/README.md @@ -6,7 +6,40 @@ * default to terminal-pinentry * `de-p1st-gnupg-x11` then changes the /etc/skel files to use graphical-pinentry +**TODO**: +To use a smartcard on a new computer, one has to import and then trust the public key! + +```shell +gpg --import 94F3D3DDAC22802258FC044B6C47C753F0823002.pub +``` + +And then trust the key: + +```shell +gpg --edit-key 0x94F3D3DDAC22802258FC044B6C47C753F0823002 +trust +5 +y +quit +``` + +or + +```shell +printf "5\ny\nquit\n" | gpg --command-fd 0 --expert --edit-key 0x94F3D3DDAC22802258FC044B6C47C753F0823002 trust +``` + +or + +```shell +echo "94F3D3DDAC22802258FC044B6C47C753F0823002:6:" | gpg --import-ownertrust +``` + +See also: +* [export/import ownertrust](https://superuser.com/a/1125128) + +--- GnuPG german mini HowTo: * [pdf](GnuPG_MiniHowto_ger_20200215.pdf) 
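Review bot: Nothing in this hunk installs `94F3D3DDAC22802258FC044B6C47C753F0823002.pub` to `/usr/share/gnupg/`, the path the new `99_import_pubkey.sh` reads with `gpg --import`; unless an earlier line of `package()` (which starts outside the hunk) already does so, the import fails on every login with the script's error message. Adding `install -Dm0644 94F3D3DDAC22802258FC044B6C47C753F0823002.pub "$pkgdir"/usr/share/gnupg/94F3D3DDAC22802258FC044B6C47C753F0823002.pub` next to the profile.d install line closes the gap. The key file should then also be listed in `source=()` with a matching checksum entry so makepkg verifies it before packaging; that array is outside the hunk, so whether it already covers the new file cannot be confirmed here.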
@@ -22,11 +55,6 @@ Using a smartcard: * kuketz-blog.de: [gnupg-public-key-authentifizierung-nitrokey-teil3](https://www.kuketz-blog.de/gnupg-public-key-authentifizierung-nitrokey-teil3/) * [gnupg.org -> Invoking-GPG_AGENT](https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html) -Note about login shell: - -> `/etc/profile` This file should be sourced by all POSIX sh-compatible shells upon login: it sets up $PATH and other environment variables and application-specific (/etc/profile.d/*.sh) settings upon login. - - ## gpg.conf Location: `~/.gnupg/gpg.conf` @@ -69,7 +97,7 @@ usr/bin/pinentry-gnome3 is owned by core/pinentry 1.1.1-1 * These two shell lines are demanded by the gnupg documentation in the chapter `Invoking GPG-AGENT` * man 1 gpg-agent -> EXAMPLES -> set env variable GPG_TTY in your login shell -One's login shell should run this: +One's interactive, non-login shell, should run this: ```shell GPG_TTY=$(tty) @@ -81,7 +109,7 @@ gpg-connect-agent updatestartuptty /bye >/dev/null * Archwiki: [GnuPG#Set_SSH_AUTH_SOCK](https://wiki.archlinux.org/index.php/GnuPG#Set_SSH_AUTH_SOCK) -One's login shell should run the following. +One's interactive, non-login shell, should run this: ```shell unset SSH_AGENT_PID 
@@ -91,9 +119,21 @@ if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then fi ``` +## Note about "interactive, non-login, shell" ---- +The gnupg manual is talking about "login shell" but mentions "~/.bashrc", +so I assume they mean a "interactive, non-login, shell". +See https://wiki.archlinux.org/title/bash#Configuration_files + +Correct files to set `SSH_AGENT_PID` and `GPG_TTY`: + +* `/etc/bash.bashrc` +* `/etc/zsh/zshrc` + +These not work: -**Note**: * `/etc/profile.d/99_gnupg.sh` does **not** work! -* `/etc/X11/xinit/xinitrc.d/` \ No newline at end of file + > `/etc/profile` This file should be sourced by all POSIX sh-compatible shells + > upon login: it sets up $PATH and other environment variables and application-specific + > (/etc/profile.d/*.sh) settings upon login. +* `/etc/X11/xinit/xinitrc.d/` diff --git a/pkg/de-p1st-gnupg/zshrc.holoscript b/pkg/de-p1st-gnupg/interactive-shell.holoscript similarity index 72% rename from pkg/de-p1st-gnupg/zshrc.holoscript rename to pkg/de-p1st-gnupg/interactive-shell.holoscript index 5f44bf0..9a41395 100644 --- a/pkg/de-p1st-gnupg/zshrc.holoscript +++ b/pkg/de-p1st-gnupg/interactive-shell.holoscript @@ -3,7 +3,8 @@ # stdout: modified config cat -echo 'GPG_TTY=$(tty) +echo ' +GPG_TTY=$(tty) export GPG_TTY gpg-connect-agent updatestartuptty /bye >/dev/null @@ -11,4 +12,9 @@ unset SSH_AGENT_PID if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" export SSH_AUTH_SOCK -fi' \ No newline at end of file +fi' + +# Source import of public key +if [ -f ~/import-pubkey ]; then + . /etc/bashrc +fi \ No newline at end of file diff --git a/pkg/de-p1st-installer/PKGBUILD b/pkg/de-p1st-installer/PKGBUILD index 3b2a895..8b87d4f 100644 --- a/pkg/de-p1st-installer/PKGBUILD +++ b/pkg/de-p1st-installer/PKGBUILD @@ -2,7 +2,7 @@ _pkgname=installer _reponame=arch pkgname="de-p1st-$_pkgname" -pkgver=0.1.9 +pkgver=0.1.10 pkgrel=1 pkgdesc="Bash script to install Arch Linux" arch=('any') 
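Review bot: The `if [ -f ~/import-pubkey ]; then . /etc/bashrc; fi` block added after the closing `'` executes inside the holoscript itself when holo applies it, not inside the generated rc file: only what `cat` and `echo` write to stdout reaches `/etc/bash.bashrc` and `/etc/zsh/zshrc`, so these lines contribute nothing to the output and instead source `/etc/bashrc` into the holoscript process, with `~` resolving to the home of whichever user runs holo. Read with its comment, the intent appears to be that interactive shells source the key-import script; if so, the lines belong inside the quoted `echo` text (which opens in the previous hunk) and should use the installed path, e.g. `if [ -f /etc/profile.d/99_import_pubkey.sh ]; then`, `  . /etc/profile.d/99_import_pubkey.sh`, `fi` placed before the closing quote. Note that nothing in this commit creates `~/import-pubkey` or installs `/etc/bashrc`, so the condition can never be true as written.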
diff --git a/pkg/de-p1st-installer/example-vbox.cfg b/pkg/de-p1st-installer/example-vbox.cfg index c114edf..44a49ce 100644 --- a/pkg/de-p1st-installer/example-vbox.cfg +++ b/pkg/de-p1st-installer/example-vbox.cfg @@ -42,5 +42,8 @@ ADDITIONAL_PKGS+=('mkinitcpio' 'de-p1st-kernel-lts' 'de-p1st-ucode-placeholder' # # XFCE4 desktop with HiDPI ADDITIONAL_PKGS+=('de-p1st-gpu-generic' 'de-p1st-xfce4-hidpi' 'de-p1st-sddm-autologin-yoda' 'de-p1st-sddm-theme-default') +# # smartcard -ADDITIONAL_PKGS+=('de-p1st-smartcard') \ No newline at end of file +ADDITIONAL_PKGS+=('de-p1st-smartcard') +# other programs +ADDITIONAL_PKGS+=('nextcloud-client' 'keepassxc' 'xournalpp')