mirror of
https://codeberg.org/privacy1st/arch
synced 2024-12-24 01:16:05 +01:00
93 lines
2.7 KiB
Markdown
93 lines
2.7 KiB
Markdown
# gnupg
|
|
|
|
**TODO**:
|
|
* Currently using graphical pinentry ... this would mean dependend on X11/wayland
|
|
* could this be done with holo?
|
|
* default to terminal-pinentry
|
|
* `de-p1st-gnupg-x11` then changes the /etc/skel files to use graphical-pinentry
|
|
|
|
|
|
|
|
GnuPG german mini HowTo:
|
|
* [pdf](GnuPG_MiniHowto_ger_20200215.pdf)
|
|
|
|
One can use `/etc/gnupg/gpgconf.conf` to configure gpg and gpg-agent. However, not all options are available ...
|
|
|
|
```shell
|
|
gpgconf --list-options gpg
|
|
gpgconf --list-options gpg-agent
|
|
```
|
|
|
|
Using a smartcard:
|
|
* kuketz-blog.de: [gnupg-public-key-authentifizierung-nitrokey-teil3](https://www.kuketz-blog.de/gnupg-public-key-authentifizierung-nitrokey-teil3/)
|
|
* [gnupg.org -> Invoking-GPG_AGENT](https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html)
|
|
|
|
Note about login shell:
|
|
|
|
> `/etc/profile` This file should be sourced by all POSIX sh-compatible shells upon login: it sets up $PATH and other environment variables and application-specific (/etc/profile.d/*.sh) settings upon login.
|
|
|
|
|
|
## gpg.conf
|
|
|
|
Location: `~/.gnupg/gpg.conf`
|
|
|
|
* https://riseup.net/en/security/message-security/openpgp/best-practices
|
|
* https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf
|
|
|
|
## gpg-agent.conf
|
|
|
|
Location: `~/.gnupg/gpg-agent.conf`
|
|
|
|
```
|
|
# List pinentries: pacman -Ql pinentry | grep /usr/bin/
|
|
# If a graphical application shall use ones smartcard one needs to specify a graphical pinentry program.
|
|
pinentry-program /usr/bin/pinentry-gnome3
|
|
|
|
# Enable ssh to use a smartcard for authentification.
|
|
enable-ssh-support
|
|
```
|
|
|
|
Debug options:
|
|
|
|
```
|
|
debug-pinentry
|
|
debug ipc
|
|
verbose
|
|
log-file /home/__USER__/.gnupg/logfile.log
|
|
```
|
|
|
|
`gnupg` depends on `pinentry` and `pinentry-gnome3` is part of `pinentry`.
|
|
|
|
```
|
|
$ pacman -F /usr/bin/pinentry-gnome3
|
|
usr/bin/pinentry-gnome3 is owned by core/pinentry 1.1.1-1
|
|
```
|
|
|
|
## Graphical Login: /etc/profile.d/*.sh, bashrc, .zshrc.local
|
|
|
|
* Archwiki: [GnuPG#Configure_pinentry_to_use_the_correct_TTY](https://wiki.archlinux.org/index.php/GnuPG#Configure_pinentry_to_use_the_correct_TTY)
|
|
* These two shell lines are demanded by the gnupg documentation in the chapter `Invoking GPG-AGENT`
|
|
* man 1 gpg-agent -> EXAMPLES -> set env variable GPG_TTY in your login shell
|
|
|
|
One's login shell should run this:
|
|
|
|
```shell
|
|
GPG_TTY=$(tty)
|
|
export GPG_TTY
|
|
gpg-connect-agent updatestartuptty /bye >/dev/null
|
|
```
|
|
|
|
## SSH_AUTH_SOCK: /etc/profile.d/*.sh, bashrc, .zshrc.local
|
|
|
|
* Archwiki: [GnuPG#Set_SSH_AUTH_SOCK](https://wiki.archlinux.org/index.php/GnuPG#Set_SSH_AUTH_SOCK)
|
|
|
|
One's login shell should run this:
|
|
|
|
```shell
|
|
unset SSH_AGENT_PID
|
|
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
|
|
SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
|
|
export SSH_AUTH_SOCK
|
|
fi
|
|
```
|