From 545b7dccce57f0b29151fdb27a247f3cc149f217 Mon Sep 17 00:00:00 2001
From: langfingaz
Date: Thu, 29 Apr 2021 14:24:57 +0200
Subject: [PATCH] gnupg and smartcard packages
---
 pkg/de-p1st-gnupg/99_gnupg.sh | 9 +++
 pkg/de-p1st-gnupg/PKGBUILD | 8 +-
 pkg/de-p1st-gnupg/README.md | 78 +++++++++++++++++++-
 pkg/de-p1st-gnupg/gpg-agent.conf | 6 ++
 pkg/de-p1st-smartcard/README.md | 18 +++++
 pkg/de-p1st-smartcard/opensc.conf.holoscript | 5 ++
 pkg/de-p1st-smartcard/systemd.preset | 1 +
 7 files changed, 120 insertions(+), 5 deletions(-)
 create mode 100644 pkg/de-p1st-gnupg/99_gnupg.sh
 create mode 100644 pkg/de-p1st-gnupg/gpg-agent.conf
 create mode 100644 pkg/de-p1st-smartcard/README.md
 create mode 100644 pkg/de-p1st-smartcard/opensc.conf.holoscript
 create mode 100644 pkg/de-p1st-smartcard/systemd.preset
diff --git a/pkg/de-p1st-gnupg/99_gnupg.sh b/pkg/de-p1st-gnupg/99_gnupg.sh
new file mode 100644
index 0000000..451caa8
--- /dev/null
+++ b/pkg/de-p1st-gnupg/99_gnupg.sh
@@ -0,0 +1,9 @@
+GPG_TTY=$(tty)
+export GPG_TTY
+gpg-connect-agent updatestartuptty /bye >/dev/null
+
+unset SSH_AGENT_PID
+if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
+    SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
+    export SSH_AUTH_SOCK
+fi
diff --git a/pkg/de-p1st-gnupg/PKGBUILD b/pkg/de-p1st-gnupg/PKGBUILD
index 404492c..6667ef2 100644
--- a/pkg/de-p1st-gnupg/PKGBUILD
+++ b/pkg/de-p1st-gnupg/PKGBUILD
@@ -2,7 +2,7 @@
 _pkgname=gnupg
 _reponame=arch
 pkgname="de-p1st-$_pkgname"
-pkgver=0.0.1
+pkgver=0.0.2
 pkgrel=1
 pkgdesc="gnupg with configuration"
 arch=('any')
@@ -24,7 +24,9 @@ noextract=()
 sha256sums=('SKIP' 'SKIP')
 build() {
+ # copy gpg.conf from duraconf harded configs git repo as gpg.conf.template
 cp duraconf/configs/gnupg/gpg.conf "${_reponame}/pkg/${pkgname}/gpg.conf.template"
+ cd "${_reponame}/pkg/${pkgname}"
 # gpg.conf.template -> gpg.conf
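Review bot: The `SSH_AUTH_SOCK=` assignment inside the `if` replaces any socket the session already carries, so on a machine reached with agent forwarding (`ssh -A`) the forwarded socket is dropped and ssh is pointed at that machine's own gpg-agent; the `gnupg_SSH_AUTH_SOCK_by` test only recognises a socket that gpg-agent itself exported. Since `/etc/profile.d/99_gnupg.sh` is sourced for every login shell of every user, a narrower guard seems safer, e.g. `if [ ! -S "${SSH_AUTH_SOCK:-}" ] && [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then` — this also preserves a socket set by a desktop keyring, which may or may not be what you want. Note too that `gpg-connect-agent` launches a gpg-agent on demand, so this file presumably starts an agent (and creates `~/.gnupg`) for every account that gets a login shell, not just smartcard users; a header comment such as `# Sourced by /etc/profile for every login shell; starts the user's gpg-agent on demand.` would make that side effect visible.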
@@ -34,5 +36,7 @@ build() {
 package() {
 cd "${_reponame}/pkg/${pkgname}"
- install -Dm0644 gpg.conf "$pkgdir"/etc/gnupg/gpgconf.conf
+ install -Dm0644 gpg.conf "$pkgdir"/etc/skel/.gnupg/gpg.conf
+ install -Dm0644 gpg-agent.conf "$pkgdir"/etc/skel/.gnupg/gpg-agent.conf
+ install -Dm0644 99_gnupg.sh "$pkgdir"/etc/profile.d/99_gnupg.sh
 }
diff --git a/pkg/de-p1st-gnupg/README.md b/pkg/de-p1st-gnupg/README.md
index 9c5c787..bda9441 100644
--- a/pkg/de-p1st-gnupg/README.md
+++ b/pkg/de-p1st-gnupg/README.md
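Review bot: The three `install -D` calls in `package()` create `etc/skel/.gnupg` implicitly with install's default directory mode, and as far as I know useradd copies skel entries with the modes they carry, so each new account starts with a `~/.gnupg` that is not 0700 and gpg will warn about unsafe permissions on the home directory; add `install -dm0700 "$pkgdir"/etc/skel/.gnupg` before the first `install`. The move from `/etc/gnupg/gpgconf.conf` to `/etc/skel` also means accounts that already exist never receive the hardened `gpg.conf` or `gpg-agent.conf`; if that is intended, a comment in `package()` such as `# skel only: existing users must copy these files themselves` (or a note in pkgdesc) should say so.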
@@ -1,9 +1,81 @@
 # gnupg
+One can use `/etc/gnupg/gpgconf.conf` to configure gpg and gpg-agent. However, not all options are available ...
+
+```shell
+gpgconf --list-options gpg
+gpgconf --list-options gpg-agent
+```
+
+Using a smartcard:
+* [](https://www.kuketz-blog.de/gnupg-public-key-authentifizierung-nitrokey-teil3/)
+* [](https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html)
+
+Note about login shell:
+
+> `/etc/profile` This file should be sourced by all POSIX sh-compatible shells upon login: it sets up $PATH and other environment variables and application-specific (/etc/profile.d/*.sh) settings upon login.
+
+
+## gpg.conf
+
+Location: `~/.gnupg/gpg.conf`
+
 * https://riseup.net/en/security/message-security/openpgp/best-practices
 * https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf
+
+## gpg-agent.conf
-The gpg configuration can be placed in:
-* `~/.gnupg/gpg.conf`
-* `/etc/gnupg/gpgconf.conf`
+Location: `~/.gnupg/gpg-agent.conf`
+```
+# List pinentries: pacman -Ql pinentry | grep /usr/bin/
+# If a graphical application shall use ones smartcard one needs to specify a graphical pinentry program.
+pinentry-program /usr/bin/pinentry-gnome3
+
+# Enable ssh to use a smartcard for authentification.
+enable-ssh-support
+```
+
+Debug options:
+
+```
+debug-pinentry
+debug ipc
+verbose
+log-file /home/__USER__/.gnupg/logfile.log
+```
+
+`gnupg` depends on `pinentry` and `pinentry-gnome3` is part of `pinentry`.
+
+```
+$ pacman -F /usr/bin/pinentry-gnome3
+usr/bin/pinentry-gnome3 is owned by core/pinentry 1.1.1-1
+```
+
+## Graphical Login: /etc/profile.d/*.sh, bashrc, .zshrc.local
+
+* Archwiki: [GnuPG#Configure_pinentry_to_use_the_correct_TTY](https://wiki.archlinux.org/index.php/GnuPG#Configure_pinentry_to_use_the_correct_TTY)
+* These two shell lines are demanded by the gnupg documentation in the chapter `Invoking GPG-AGENT`
+* man 1 gpg-agent -> EXAMPLES -> set env variable GPG_TTY in your login shell
+
+One's login shell should run this:
+
+```shell
+GPG_TTY=$(tty)
+export GPG_TTY
+gpg-connect-agent updatestartuptty /bye >/dev/null
+```
+
+## SSH_AUTH_SOCK: /etc/profile.d/*.sh, bashrc, .zshrc.local
+
+* Archwiki: [GnuPG#Set_SSH_AUTH_SOCK](https://wiki.archlinux.org/index.php/GnuPG#Set_SSH_AUTH_SOCK)
+
+One's login shell should run this:
+
+```shell
+unset SSH_AGENT_PID
+if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
+    SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
+    export SSH_AUTH_SOCK
+fi
+```
diff --git a/pkg/de-p1st-gnupg/gpg-agent.conf b/pkg/de-p1st-gnupg/gpg-agent.conf
new file mode 100644
index 0000000..3c096d1
--- /dev/null
+++ b/pkg/de-p1st-gnupg/gpg-agent.conf
@@ -0,0 +1,6 @@
+# List pinentries: pacman -Ql pinentry | grep /usr/bin/
+# If a graphical application shall use ones smartcard one needs to specify a graphical pinentry program.
+pinentry-program /usr/bin/pinentry-gnome3
+
+# Enable ssh to use a smartcard for authentification.
+enable-ssh-support
diff --git a/pkg/de-p1st-smartcard/README.md b/pkg/de-p1st-smartcard/README.md
new file mode 100644
index 0000000..9249b2a
--- /dev/null
+++ b/pkg/de-p1st-smartcard/README.md
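Review bot: `enable-ssh-support` exposes the agent to ssh while the file leaves every cache lifetime at gpg-agent's built-in defaults, so unlocked SSH keys stay usable for whatever `default-cache-ttl-ssh` and `max-cache-ttl-ssh` default to; for a package that otherwise ships a hardened `gpg.conf`, either pin them explicitly (e.g. `default-cache-ttl-ssh 600` and `max-cache-ttl-ssh 1800`) or add a comment stating that the defaults are intentional. The hard-coded `pinentry-program /usr/bin/pinentry-gnome3` is also what console and non-GNOME logins will get, and whether it falls back to a terminal prompt there is worth confirming and recording in the comment above it. Minor: `authentification` in the last comment should read `authentication`.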
@@ -0,0 +1,18 @@
+## Using a smartcard
+
+* [](https://wiki.archlinux.org/index.php/Smartcards)
+
+```
+sudo pacman -S ccid opensc
+```
+
+* If the card reader does not have a PIN pad, append the line(s) and set `enable_pinpad = false` in the opensc configuration file `/etc/opensc.conf`:
+
+```
+echo "enable_pinpad = false" | sudo tee -a /etc/opensc.conf >/dev/null
+sudo systemctl enable --now pcscd.service
+```
+
+## Configuration
+
+* `sudo pacman -S de-p1st-gnupg`
diff --git a/pkg/de-p1st-smartcard/opensc.conf.holoscript b/pkg/de-p1st-smartcard/opensc.conf.holoscript
new file mode 100644
index 0000000..31e4c4e
--- /dev/null
+++ b/pkg/de-p1st-smartcard/opensc.conf.holoscript
@@ -0,0 +1,5 @@
+#!/bin/sh
+# stdin: default config
+# stdout: modified config
+cat
+echo 'enable_pinpad = false'
diff --git a/pkg/de-p1st-smartcard/systemd.preset b/pkg/de-p1st-smartcard/systemd.preset
new file mode 100644
index 0000000..9da53e2
--- /dev/null
+++ b/pkg/de-p1st-smartcard/systemd.preset
@@ -0,0 +1 @@
+enable pcscd.service
\ No newline at end of file
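Review bot: `cat` followed by `echo` writes the new directive straight after the last byte of the default config, so if that config does not end with a newline the two lines are glued together and OpenSC sees one malformed line. A single awk pass both terminates the last line and appends; replace the `cat` and `echo` lines with `awk '{ print } END { print "enable_pinpad = false" }'`. Separately, the sample opensc.conf I am aware of lists `enable_pinpad` inside the `app default { … }` block, so please confirm the directive is honoured when appended at top level after that block — if not, the script needs to insert it inside the block rather than after it, and a comment on the `echo`/`awk` line should record which placement was verified.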