gnupg
TODO:
- Currently using a graphical pinentry ... this would mean depending on X11/Wayland
- Could this be done with holo?
- Default to a terminal pinentry; de-p1st-gnupg-x11 then changes the /etc/skel files to use a graphical pinentry
GnuPG german mini HowTo:
makepkg and pacman use different PGP keyrings:
One can use /etc/gnupg/gpgconf.conf to configure gpg and gpg-agent. However, not all options are available there; list the ones that are with:

```
gpgconf --list-options gpg
gpgconf --list-options gpg-agent
```
Using a smartcard:
gpg.conf
Location: ~/.gnupg/gpg.conf

gpg-agent.conf
Location: ~/.gnupg/gpg-agent.conf

```
# List pinentries: pacman -Ql pinentry | grep /usr/bin/
# If a graphical application shall use one's smartcard, one needs to specify a graphical pinentry program.
pinentry-program /usr/bin/pinentry-gnome3
# Enable ssh to use a smartcard for authentication.
enable-ssh-support
```

Debug options:

```
debug-pinentry
debug ipc
verbose
log-file /home/__USER__/.gnupg/logfile.log
```
gnupg depends on pinentry, and pinentry-gnome3 is part of pinentry:

```
$ pacman -F /usr/bin/pinentry-gnome3
usr/bin/pinentry-gnome3 is owned by core/pinentry 1.1.1-1
```
Graphical Login: /etc/profile.d/*.sh, bashrc, .zshrc.local
- Archwiki: GnuPG#Configure_pinentry_to_use_the_correct_TTY
- These two shell lines are demanded by the gnupg documentation in the chapter "Invoking GPG-AGENT"
- man 1 gpg-agent -> EXAMPLES -> set env variable GPG_TTY in your login shell

One's interactive, non-login shell should run this:

```
GPG_TTY=$(tty)
export GPG_TTY
gpg-connect-agent updatestartuptty /bye >/dev/null
```
SSH_AUTH_SOCK: /etc/profile.d/*.sh, bashrc, .zshrc.local
- Archwiki: GnuPG#Set_SSH_AUTH_SOCK

One's interactive, non-login shell should run this:

```
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
    SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
    export SSH_AUTH_SOCK
fi
```
Note about "interactive, non-login shell"
The gnupg manual talks about a "login shell" but mentions "~/.bashrc", so I assume they mean an "interactive, non-login shell". See https://wiki.archlinux.org/title/bash#Configuration_files
Correct files to set SSH_AGENT_PID and GPG_TTY:
- /etc/bash.bashrc
- /etc/zsh/zshrc

These do not work:
- /etc/profile.d/99_gnupg.sh
- /etc/profile ("This file should be sourced by all POSIX sh-compatible shells upon login: it sets up $PATH and other environment variables and application-specific (/etc/profile.d/*.sh) settings upon login.")
- /etc/X11/xinit/xinitrc.d/
Use smartcard on new computer
To be able to use a smartcard, one has to import and then trust the public key first!

```
gpg --import 94F3D3DDAC22802258FC044B6C47C753F0823002.pub
```

And then trust the key:

```
gpg --edit-key 0x94F3D3DDAC22802258FC044B6C47C753F0823002
trust
5
y
quit
```

or

```
printf "5\ny\nquit\n" | gpg --command-fd 0 --expert --edit-key 0x94F3D3DDAC22802258FC044B6C47C753F0823002 trust
```

or

```
echo "94F3D3DDAC22802258FC044B6C47C753F0823002:6:" | gpg --import-ownertrust
```
See also:

This could be done with a script 99_import_pubkey.sh placed inside /etc/profile.d/. When using sddm as login manager, the output of this script can be found in ~/.local/share/sddm/xorg-session.log.
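An idempotent version of that import-and-trust step for such a /etc/profile.d/ script, as an added example (not the package's own code): it validates the fingerprint, imports only if the key is missing, and sets ownertrust only if it is not already ultimate, so repeated logins do not touch the keyring. The fingerprint is the one from this page; the .pub file path is an assumed placeholder, and gpg is assumed to be installed.

```shell
#!/bin/sh
# Example helper, not part of the package. Assumed inputs (placeholders):
PUBKEY_FILE="/usr/share/de-p1st-gnupg/94F3D3DDAC22802258FC044B6C47C753F0823002.pub"
PUBKEY_FPR="94F3D3DDAC22802258FC044B6C47C753F0823002"

# Accept only a full 40-hex-digit fingerprint. Short key IDs are ambiguous
# and must never be used to assign ultimate trust.
valid_fpr() {
    case "$1" in
        ""|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Build the record gpg --import-ownertrust expects: "<FPR>:<level>:".
# Level 6 is ultimate trust, which is what "trust" -> "5" produces above.
ownertrust_line() {
    printf '%s:%s:\n' "$(printf '%s' "$1" | tr 'a-f' 'A-F')" "${2:-6}"
}

# Import and trust the key only when needed; safe to run on every login.
import_and_trust() {
    valid_fpr "$PUBKEY_FPR" || { echo "bad fingerprint" >&2; return 1; }
    [ -r "$PUBKEY_FILE" ] || { echo "missing $PUBKEY_FILE" >&2; return 1; }
    if ! gpg --batch --quiet --list-keys "$PUBKEY_FPR" >/dev/null 2>&1; then
        gpg --batch --quiet --import "$PUBKEY_FILE" || return 1
    fi
    if ! gpg --export-ownertrust | grep -q "^${PUBKEY_FPR}:6:"; then
        ownertrust_line "$PUBKEY_FPR" 6 | gpg --batch --quiet --import-ownertrust
    fi
}
```

Call import_and_trust at the end of the script; its stderr lines are what end up in the sddm session log mentioned above.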