Mirror/arch
1
0
Fork 0
mirror of https://codeberg.org/privacy1st/arch synced 2024-12-23 01:16:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

gnupg and smartcard packages

Browse Source
This commit is contained in:
Daniel Langbein 2021-04-29 14:24:57 +02:00
parent 001bed5a80
commit 545b7dccce
7 changed files with 120 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
pkg/de-p1st-gnupg/99_gnupg.sh Normal file
View File

@ -0,0 +1,9 @@
GPG_TTY=$(tty)
export GPG_TTY
gpg-connect-agent updatestartuptty /bye >/dev/null
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
export SSH_AUTH_SOCK
fi

8
pkg/de-p1st-gnupg/PKGBUILD
View File

@ -2,7 +2,7 @@
_pkgname=gnupg _pkgname=gnupg
_reponame=arch _reponame=arch
pkgname="de-p1st-$_pkgname" pkgname="de-p1st-$_pkgname"
pkgver=0.0.1 pkgver=0.0.2
pkgrel=1 pkgrel=1
pkgdesc="gnupg with configuration" pkgdesc="gnupg with configuration"
arch=('any') arch=('any')
@ -24,7 +24,9 @@ noextract=()
sha256sums=('SKIP' 'SKIP') sha256sums=('SKIP' 'SKIP')
build() { build() {
# copy gpg.conf from duraconf harded configs git repo as gpg.conf.template
cp duraconf/configs/gnupg/gpg.conf "${_reponame}/pkg/${pkgname}/gpg.conf.template" cp duraconf/configs/gnupg/gpg.conf "${_reponame}/pkg/${pkgname}/gpg.conf.template"
cd "${_reponame}/pkg/${pkgname}" cd "${_reponame}/pkg/${pkgname}"
# gpg.conf.template -> gpg.conf # gpg.conf.template -> gpg.conf
@ -34,5 +36,7 @@ build() {
package() { package() {
cd "${_reponame}/pkg/${pkgname}" cd "${_reponame}/pkg/${pkgname}"
install -Dm0644 gpg.conf "$pkgdir"/etc/gnupg/gpgconf.conf install -Dm0644 gpg.conf "$pkgdir"/etc/skel/.gnupg/gpg.conf
install -Dm0644 gpg-agent.conf "$pkgdir"/etc/skel/.gnupg/gpg-agent.conf
install -Dm0644 99_gnupg.sh "$pkgdir"/etc/profile.d/99_gnupg.sh
} }

78
pkg/de-p1st-gnupg/README.md
View File

@ -1,9 +1,81 @@
# gnupg # gnupg
One can use `/etc/gnupg/gpgconf.conf` to configure gpg and gpg-agent. However, not all options are available ...
```shell
gpgconf --list-options gpg
gpgconf --list-options gpg-agent
```
Using a smartcard:
* [](https://www.kuketz-blog.de/gnupg-public-key-authentifizierung-nitrokey-teil3/)
* [](https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html)
Note about login shell:
> `/etc/profile` This file should be sourced by all POSIX sh-compatible shells upon login: it sets up $PATH and other environment variables and application-specific (/etc/profile.d/*.sh) settings upon login.
## gpg.conf
Location: `~/.gnupg/gpg.conf`
* https://riseup.net/en/security/message-security/openpgp/best-practices * https://riseup.net/en/security/message-security/openpgp/best-practices
* https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf * https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf
The gpg configuration can be placed in: ## gpg-agent.conf
* `~/.gnupg/gpg.conf`
* `/etc/gnupg/gpgconf.conf`
Location: `~/.gnupg/gpg-agent.conf`
```
# List pinentries: pacman -Ql pinentry | grep /usr/bin/
# If a graphical application shall use ones smartcard one needs to specify a graphical pinentry program.
pinentry-program /usr/bin/pinentry-gnome3
# Enable ssh to use a smartcard for authentification.
enable-ssh-support
```
Debug options:
```
debug-pinentry
debug ipc
verbose
log-file /home/__USER__/.gnupg/logfile.log
```
`gnupg` depends on `pinentry` and `pinentry-gnome3` is part of `pinentry`.
```
$ pacman -F /usr/bin/pinentry-gnome3
usr/bin/pinentry-gnome3 is owned by core/pinentry 1.1.1-1
```
## Graphical Login: /etc/profile.d/*.sh, bashrc, .zshrc.local
* Archwiki: [GnuPG#Configure_pinentry_to_use_the_correct_TTY](https://wiki.archlinux.org/index.php/GnuPG#Configure_pinentry_to_use_the_correct_TTY)
* These two shell lines are demanded by the gnupg documentation in the chapter `Invoking GPG-AGENT`
* man 1 gpg-agent -> EXAMPLES -> set env variable GPG_TTY in your login shell
One's login shell should run this:
```shell
GPG_TTY=$(tty)
export GPG_TTY
gpg-connect-agent updatestartuptty /bye >/dev/null
```
## SSH_AUTH_SOCK: /etc/profile.d/*.sh, bashrc, .zshrc.local
* Archwiki: [GnuPG#Set_SSH_AUTH_SOCK](https://wiki.archlinux.org/index.php/GnuPG#Set_SSH_AUTH_SOCK)
One's login shell should run this:
```shell
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
export SSH_AUTH_SOCK
fi
```

6
pkg/de-p1st-gnupg/gpg-agent.conf Normal file
View File

@ -0,0 +1,6 @@
# List pinentries: pacman -Ql pinentry | grep /usr/bin/
# If a graphical application shall use ones smartcard one needs to specify a graphical pinentry program.
pinentry-program /usr/bin/pinentry-gnome3
# Enable ssh to use a smartcard for authentification.
enable-ssh-support

18
pkg/de-p1st-smartcard/README.md Normal file
View File

@ -0,0 +1,18 @@
## Using a smartcard
* [](https://wiki.archlinux.org/index.php/Smartcards)
```
sudo pacman -S ccid opensc
```
* If the card reader does not have a PIN pad, append the line(s) and set `enable_pinpad = false` in the opensc configuration file `/etc/opensc.conf`:
```
echo "enable_pinpad = false" | sudo tee -a /etc/opensc.conf >/dev/null
sudo systemctl enable --now pcscd.service
```
## Configuration
* `sudo pacman -S de-p1st-gnupg`

5
pkg/de-p1st-smartcard/opensc.conf.holoscript Normal file
View File

@ -0,0 +1,5 @@
#!/bin/sh
# stdin: default config
# stdout: modified config
cat
echo 'enable_pinpad = false'

1
pkg/de-p1st-smartcard/systemd.preset Normal file
View File

@ -0,0 +1 @@
enable pcscd.service