[pkg-gnupg-maint] missing feature in gnupg1 (1.4.21-3)

Micha Borrmann micha.borrmann at syss.de
Fri Mar 17 16:58:28 UTC 2017


On 17.03.2017 at 15:09, Daniel Kahn Gillmor wrote:
> On Fri 2017-03-17 02:54:15 -0400, Micha Borrmann wrote:
>> With GnuPG1 the "General key info" is displayed (see below)
> 
> sorry, micha, i didn't see anything about this below.

ok, I was not put in from my initramfs. But with the GnuPG1 command listed below, the General key info is displayed in initramfs.

>> on my normal Linux system the command works fine. I've tested it just
>> in this moment:
>>
>> # /lib/cryptsetup/askpass "Enter smartcard PIN or passphrase for key /etc/keys/cryptkey.gpg: " | /usr/bin/gpg2 --quiet --batch --homedir "$(dirname /etc/keys/cryptkey.gpg)" --trustdb-name /dev/null --pinentry-mode=loopback --passphrase-fd 0 --decrypt /etc/keys/cryptkey.gpg
>> Enter smartcard PIN or passphrase for key /etc/keys/cryptkey.gpg:  ********
>>
>> and the decrypted content will be displayed on the screen if the PIN
>> was typed correctly. However, also in initramfs the decryption works
>> but only with the symmetric passphrase of /etc/keys/cryptkey.gpg and
>> not with smart card and PIN.
>>
>> The following lines in /lib/cryptsetup/scripts/decrypt_gnupg_sc are
>> running fine (but it's GnuPG1).
>>
>>         /usr/bin/gpg1 --card-status >&2
>>         if ! /lib/cryptsetup/askpass \
>>                 "Enter smartcard PIN or passphrase for key $1: " | \
>>                 /usr/bin/gpg1 --quiet --batch --homedir "$(dirname $1)" \
>>                 --trustdb-name /dev/null --passphrase-fd 0 --decrypt $1; then
>>                 return 1
>>         fi
>>
>> For me it was not possible to use it with GnuPG2 and that is the only
>> reason that I need GnuPG1 with smart card support.
>>
>> It would be nice to find a way to use it with GnuPG2.
> 
> gniibe, maybe you can provide better debugging next-steps?  have you
> ever used scdaemon in the initramfs?

or has anybody a smart card with GnuPG2 and can provide the used scripts and hooks?

/Micha Borrmann