mirror of
https://codeberg.org/privacy1st/arch
synced 2024-12-23 01:16:04 +01:00
gnupg and smartcard packages
This commit is contained in:
parent
001bed5a80
commit
545b7dccce
9
pkg/de-p1st-gnupg/99_gnupg.sh
Normal file
9
pkg/de-p1st-gnupg/99_gnupg.sh
Normal file
@ -0,0 +1,9 @@
|
||||
GPG_TTY=$(tty)
|
||||
export GPG_TTY
|
||||
gpg-connect-agent updatestartuptty /bye >/dev/null
|
||||
|
||||
unset SSH_AGENT_PID
|
||||
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
|
||||
SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
|
||||
export SSH_AUTH_SOCK
|
||||
fi
|
@ -2,7 +2,7 @@
|
||||
_pkgname=gnupg
|
||||
_reponame=arch
|
||||
pkgname="de-p1st-$_pkgname"
|
||||
pkgver=0.0.1
|
||||
pkgver=0.0.2
|
||||
pkgrel=1
|
||||
pkgdesc="gnupg with configuration"
|
||||
arch=('any')
|
||||
@ -24,7 +24,9 @@ noextract=()
|
||||
sha256sums=('SKIP' 'SKIP')
|
||||
|
||||
build() {
|
||||
# copy gpg.conf from duraconf harded configs git repo as gpg.conf.template
|
||||
cp duraconf/configs/gnupg/gpg.conf "${_reponame}/pkg/${pkgname}/gpg.conf.template"
|
||||
|
||||
cd "${_reponame}/pkg/${pkgname}"
|
||||
|
||||
# gpg.conf.template -> gpg.conf
|
||||
@ -34,5 +36,7 @@ build() {
|
||||
package() {
|
||||
cd "${_reponame}/pkg/${pkgname}"
|
||||
|
||||
install -Dm0644 gpg.conf "$pkgdir"/etc/gnupg/gpgconf.conf
|
||||
install -Dm0644 gpg.conf "$pkgdir"/etc/skel/.gnupg/gpg.conf
|
||||
install -Dm0644 gpg-agent.conf "$pkgdir"/etc/skel/.gnupg/gpg-agent.conf
|
||||
install -Dm0644 99_gnupg.sh "$pkgdir"/etc/profile.d/99_gnupg.sh
|
||||
}
|
||||
|
@ -1,9 +1,81 @@
|
||||
# gnupg
|
||||
|
||||
One can use `/etc/gnupg/gpgconf.conf` to configure gpg and gpg-agent. However, not all options are available ...
|
||||
|
||||
```shell
|
||||
gpgconf --list-options gpg
|
||||
gpgconf --list-options gpg-agent
|
||||
```
|
||||
|
||||
Using a smartcard:
|
||||
* [](https://www.kuketz-blog.de/gnupg-public-key-authentifizierung-nitrokey-teil3/)
|
||||
* [](https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html)
|
||||
|
||||
Note about login shell:
|
||||
|
||||
> `/etc/profile` This file should be sourced by all POSIX sh-compatible shells upon login: it sets up $PATH and other environment variables and application-specific (/etc/profile.d/*.sh) settings upon login.
|
||||
|
||||
|
||||
## gpg.conf
|
||||
|
||||
Location: `~/.gnupg/gpg.conf`
|
||||
|
||||
* https://riseup.net/en/security/message-security/openpgp/best-practices
|
||||
* https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf
|
||||
|
||||
The gpg configuration can be placed in:
|
||||
* `~/.gnupg/gpg.conf`
|
||||
* `/etc/gnupg/gpgconf.conf`
|
||||
## gpg-agent.conf
|
||||
|
||||
Location: `~/.gnupg/gpg-agent.conf`
|
||||
|
||||
```
|
||||
# List pinentries: pacman -Ql pinentry | grep /usr/bin/
|
||||
# If a graphical application shall use ones smartcard one needs to specify a graphical pinentry program.
|
||||
pinentry-program /usr/bin/pinentry-gnome3
|
||||
|
||||
# Enable ssh to use a smartcard for authentification.
|
||||
enable-ssh-support
|
||||
```
|
||||
|
||||
Debug options:
|
||||
|
||||
```
|
||||
debug-pinentry
|
||||
debug ipc
|
||||
verbose
|
||||
log-file /home/__USER__/.gnupg/logfile.log
|
||||
```
|
||||
|
||||
`gnupg` depends on `pinentry` and `pinentry-gnome3` is part of `pinentry`.
|
||||
|
||||
```
|
||||
$ pacman -F /usr/bin/pinentry-gnome3
|
||||
usr/bin/pinentry-gnome3 is owned by core/pinentry 1.1.1-1
|
||||
```
|
||||
|
||||
## Graphical Login: /etc/profile.d/*.sh, bashrc, .zshrc.local
|
||||
|
||||
* Archwiki: [GnuPG#Configure_pinentry_to_use_the_correct_TTY](https://wiki.archlinux.org/index.php/GnuPG#Configure_pinentry_to_use_the_correct_TTY)
|
||||
* These two shell lines are demanded by the gnupg documentation in the chapter `Invoking GPG-AGENT`
|
||||
* man 1 gpg-agent -> EXAMPLES -> set env variable GPG_TTY in your login shell
|
||||
|
||||
One's login shell should run this:
|
||||
|
||||
```shell
|
||||
GPG_TTY=$(tty)
|
||||
export GPG_TTY
|
||||
gpg-connect-agent updatestartuptty /bye >/dev/null
|
||||
```
|
||||
|
||||
## SSH_AUTH_SOCK: /etc/profile.d/*.sh, bashrc, .zshrc.local
|
||||
|
||||
* Archwiki: [GnuPG#Set_SSH_AUTH_SOCK](https://wiki.archlinux.org/index.php/GnuPG#Set_SSH_AUTH_SOCK)
|
||||
|
||||
One's login shell should run this:
|
||||
|
||||
```shell
|
||||
unset SSH_AGENT_PID
|
||||
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
|
||||
SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
|
||||
export SSH_AUTH_SOCK
|
||||
fi
|
||||
```
|
||||
|
6
pkg/de-p1st-gnupg/gpg-agent.conf
Normal file
6
pkg/de-p1st-gnupg/gpg-agent.conf
Normal file
@ -0,0 +1,6 @@
|
||||
# List pinentries: pacman -Ql pinentry | grep /usr/bin/
|
||||
# If a graphical application shall use ones smartcard one needs to specify a graphical pinentry program.
|
||||
pinentry-program /usr/bin/pinentry-gnome3
|
||||
|
||||
# Enable ssh to use a smartcard for authentification.
|
||||
enable-ssh-support
|
18
pkg/de-p1st-smartcard/README.md
Normal file
18
pkg/de-p1st-smartcard/README.md
Normal file
@ -0,0 +1,18 @@
|
||||
## Using a smartcard
|
||||
|
||||
* [](https://wiki.archlinux.org/index.php/Smartcards)
|
||||
|
||||
```
|
||||
sudo pacman -S ccid opensc
|
||||
```
|
||||
|
||||
* If the card reader does not have a PIN pad, append the line(s) and set `enable_pinpad = false` in the opensc configuration file `/etc/opensc.conf`:
|
||||
|
||||
```
|
||||
echo "enable_pinpad = false" | sudo tee -a /etc/opensc.conf >/dev/null
|
||||
sudo systemctl enable --now pcscd.service
|
||||
```
|
||||
|
||||
## Configuration
|
||||
|
||||
* `sudo pacman -S de-p1st-gnupg`
|
5
pkg/de-p1st-smartcard/opensc.conf.holoscript
Normal file
5
pkg/de-p1st-smartcard/opensc.conf.holoscript
Normal file
@ -0,0 +1,5 @@
|
||||
#!/bin/sh
|
||||
# stdin: default config
|
||||
# stdout: modified config
|
||||
cat
|
||||
echo 'enable_pinpad = false'
|
1
pkg/de-p1st-smartcard/systemd.preset
Normal file
1
pkg/de-p1st-smartcard/systemd.preset
Normal file
@ -0,0 +1 @@
|
||||
enable pcscd.service
|
Loading…
Reference in New Issue
Block a user