[pkg-gnupg-maint] missing feature in gnupg1 (1.4.21-3)
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Mar 14 19:29:17 UTC 2017
On Tue 2017-03-14 14:03:41 -0400, Micha Borrmann wrote:
> With GnuPG1 everything is fine:
>     if ! /lib/cryptsetup/askpass \
>         "Enter smartcard PIN or passphrase for key $1: " | \
>         /usr/bin/gpg1 --quiet --batch --homedir "$(dirname "$1")" \
>             --trustdb-name /dev/null --passphrase-fd 0 --decrypt "$1"; then
>         return 1
>     fi
>
> If I use GnuPG2 instead of it
>
>     if ! /lib/cryptsetup/askpass \
>         "Enter smartcard PIN or passphrase for key $1: " | \
>         /usr/bin/gpg2 --quiet --batch --homedir "$(dirname "$1")" \
>             --trustdb-name /dev/null --pinentry-mode=loopback \
>             --passphrase-fd 0 --decrypt "$1"; then
>         return 1
>     fi
What version of gpg2? On Debian stretch, gpg 2.1.x ships as
/usr/bin/gpg; you shouldn't need to specify "gpg2" explicitly.
> the entered data are not sent to the card. I've copied scdaemon and
> gpg-agent and I can read the card (tried with gpg2 --card-status in
> initramfs). However, if I enter an invalid PIN, the PIN retry counter
> is not decreasing. Only the additional symmetric passphrase is able to
> decrypt the keyfile.
Can you inspect the state of scdaemon and gpg-agent from within the
initramfs? If you can include gpg-connect-agent, then you can inspect
these processes with:

    gpg-connect-agent

From the given subshell you should be able to use "help" to see things
about gpg-agent, and the "scd" subcommand (e.g. "scd help") to inspect
the scdaemon itself.
Maybe gniibe (who I'm cc'ing here) has some experience using scdaemon
from the initramfs.
> the binaries exist. Do I have to start it manually?
With recent 2.1.x, all the needed processes should auto-start.
--dkg
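As an added example (not part of the thread, and not cryptsetup's or GnuPG's own code), the following POSIX sh helper shows how the gpg-connect-agent check suggested above can be scripted inside an initramfs before attempting the loopback-pinentry decrypt. It sends "scd serialno" through gpg-agent to scdaemon, parses the Assuan-style reply that gpg-connect-agent prints (an "S SERIALNO <hex>" status line followed by "OK", or an "ERR ..." line), and only then runs the same gpg --decrypt invocation as the poster's snippet. The paths, the function names, and the card serial number used in the comments are assumptions for illustration; it assumes gpg, gpg-agent, scdaemon and gpg-connect-agent are all present in the initramfs.

```shell
#!/bin/sh
# Added example, not from the thread: check that scdaemon sees a smartcard
# (via gpg-connect-agent) before decrypting a keyfile with loopback pinentry.
# Assumes gpg, gpg-agent, scdaemon and gpg-connect-agent exist in the initramfs.

# card_seen: parse a gpg-connect-agent response read from stdin.
# gpg-connect-agent prints status lines as "S KEYWORD args" and ends each
# command with "OK" or "ERR <code> <text>". Print the serial number and
# return 0 only if an "S SERIALNO <hex>" line was seen and the command
# finished with OK; return 1 otherwise. Reading stdin keeps this testable
# with constructed input, with no card or daemon present.
card_seen() {
    serial=""
    status="ERR"
    while IFS= read -r line; do
        case "$line" in
            "S SERIALNO "*) serial=${line#S SERIALNO } ;;
            OK*)            status="OK" ;;
            ERR*)           status="ERR" ;;
        esac
    done
    [ "$status" = "OK" ] && [ -n "$serial" ] && printf '%s\n' "$serial"
}

# query_card: ask gpg-agent (auto-starting it and scdaemon if needed, as
# with 2.1.x) to open the card. "scd serialno" is forwarded to scdaemon.
# Prints the serial on success, returns 1 if no card is reported.
query_card() {
    homedir=$1
    gpg-connect-agent --homedir "$homedir" 'scd serialno' /bye 2>&1 | card_seen
}

# decrypt_keyfile: read the PIN or passphrase on stdin (e.g. piped from
# /lib/cryptsetup/askpass) and decrypt the keyfile the way the thread's
# snippet does, after reporting whether scdaemon actually sees a card.
# If the card is absent, gpg-agent can only try the symmetric passphrase.
decrypt_keyfile() {
    keyfile=$1
    homedir=$(dirname "$keyfile")
    if serial=$(query_card "$homedir"); then
        echo "scdaemon reports card serial $serial" >&2
    else
        echo "scdaemon does not see a card; only a passphrase can work" >&2
    fi
    gpg --quiet --batch --homedir "$homedir" --trustdb-name /dev/null \
        --pinentry-mode loopback --passphrase-fd 0 --decrypt "$keyfile"
}

# Example use from a cryptsetup keyscript (hypothetical path for the keyfile):
#   /lib/cryptsetup/askpass "Enter smartcard PIN or passphrase: " \
#       | decrypt_keyfile /etc/keys/root.gpg
```

If query_card reports no card while gpg --card-status in the same initramfs works, the two are talking to different gpg-agent/scdaemon instances (different --homedir or socket directory), which is the kind of mismatch worth ruling out before suspecting the loopback PIN path.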