[pkg-gnupg-maint] missing feature in gnupg1 (1.4.21-3)

Micha Borrmann micha.borrmann at syss.de
Tue Mar 14 18:03:41 UTC 2017



On 14.03.2017 at 18:12, Daniel Kahn Gillmor wrote:
> On Tue 2017-03-14 03:19:05 -0400, Micha Borrmann wrote:
>> thank you for the email. I use GnuPG 2 mostly. However, I use storage
>> encryption with GnuPG and smartcard and until now I was not able to
>> use GnuPG with Smartcard in initramfs. The major problem is, that the
>> PIN cannot be piped to GnuPG 2 and it was not possible for me to use
>> pinentry-tty within initramfs.
> 
> I don't understand this problem.  Can you elaborate more on why the PIN
> cannot be piped to GnuPG 2 ?  Are you using --pinentry-mode=loopback
> and --passphrase-fd ?  what error messages are you getting?

I use the following code in /lib/cryptsetup/script/decrypt_gnupg_sc

With GnuPG1 everything is fine:
        # $1 is the path of the GnuPG-encrypted keyfile; quoted so paths with spaces work
        if ! /lib/cryptsetup/askpass \
                "Enter smartcard PIN or passphrase for key $1: " | \
                /usr/bin/gpg1 --quiet --batch --homedir "$(dirname "$1")" \
                --trustdb-name /dev/null --passphrase-fd 0 --decrypt "$1"; then
                return 1
        fi

If I use GnuPG 2 instead

        # same as above, but with gpg2 and loopback pinentry so the PIN can come from fd 0
        if ! /lib/cryptsetup/askpass \
                "Enter smartcard PIN or passphrase for key $1: " | \
                /usr/bin/gpg2 --quiet --batch --homedir "$(dirname "$1")" \
                --trustdb-name /dev/null --pinentry-mode=loopback --passphrase-fd 0 --decrypt "$1"; then
                return 1
        fi

the entered data is not sent to the card. I've copied scdaemon and gpg-agent and I can read the card (tried with gpg2 --card-status in initramfs). However, if I enter an invalid PIN, the PIN retry counter does not decrease. Only the additional symmetric passphrase is able to decrypt the keyfile.
 
>> If this problem is solved, I do not need GnuPG 1 anymore. Do you have
>> any hints to run GnuPG 2 with smart card in initramfs?
> 
> You'll need to ensure that scdaemon and gpg-agent and gpg are all
> available in the initramfs at least.

The binaries exist. Do I have to start them manually?

Thanks for helpful hints!

Regards,

Micha Borrmann

-- 
Micha Borrmann                   Tel: +49 7071 407856-16
Senior IT-Security Consultant    Fax: +49 7071 407856-19
SySS GmbH                     Mobile: +49 173  51 288 67
Wohlboldstraße 8              E-Mail: micha.borrmann at syss.de
72072 Tübingen                 https://www.syss.de
Key fingerprint = F2E7 C6A5 9950 84ED 7AD6  0DD4 EDBE 26E7 14EA 5876

Managing Director: Sebastian Schreiber
Register court:    Amtsgericht Stuttgart / HRB 382420
Tax number:        86118 / 55809

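The following keyscript-style helper is an added example and is not code from this thread or from the Debian cryptsetup package. It puts the gpg2 invocation quoted above into a function and, before the first decrypt, launches gpg-agent for the keyfile's homedir with "gpgconf --launch gpg-agent" (a real GnuPG 2.1+ command; whether an explicit launch is needed in a given initramfs is an assumption, not something the thread confirms). GPG and GPGCONF are assumed binary paths and are overridable so the logic can be exercised without a card.

```shell
#!/bin/sh
# Added example (not from the thread): decrypt a GnuPG-encrypted keyfile with
# gpg2 in a minimal environment such as an initramfs, reading the card PIN
# (or the fallback symmetric passphrase) from stdin, as piped from askpass.
# GPG and GPGCONF are assumed paths; override them to test without a card.
GPG="${GPG:-/usr/bin/gpg2}"
GPGCONF="${GPGCONF:-/usr/bin/gpgconf}"

# Start gpg-agent for the given homedir. gpg2 reaches the card only through
# gpg-agent and scdaemon, so having the binaries present is not enough: an
# agent must be running for that homedir when gpg2 is invoked.
start_agent() {
    "$GPGCONF" --homedir "$1" --launch gpg-agent >/dev/null 2>&1
}

# $1 = keyfile path; stdin = PIN or passphrase (one line).
# Writes the decrypted key to stdout and returns 0; returns 1 on any failure,
# mirroring the "return 1" convention of the cryptsetup keyscript in the thread.
decrypt_gnupg_sc() {
    keyfile="$1"
    home="$(dirname "$keyfile")"
    [ -r "$keyfile" ] || return 1
    start_agent "$home" || return 1
    # --pinentry-mode=loopback makes gpg-agent ask gpg for the secret instead
    # of a pinentry program; --passphrase-fd 0 supplies it from stdin.
    "$GPG" --quiet --batch --homedir "$home" \
        --trustdb-name /dev/null \
        --pinentry-mode=loopback --passphrase-fd 0 \
        --decrypt "$keyfile" || return 1
}
```

In a real keyscript the call is `/lib/cryptsetup/askpass "Enter smartcard PIN or passphrase for key $1: " | decrypt_gnupg_sc "$1"`. If the PIN retry counter on the card never changes, the first thing to confirm is that the agent started for the keyfile's homedir actually found scdaemon (for example with `gpg2 --homedir DIR --card-status`), since a failed card path falls back silently to the symmetric passphrase packet.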