[pkg-gnupg-maint] missing feature in gnupg1 (1.4.21-3)

Micha Borrmann micha.borrmann at syss.de
Fri Mar 17 06:54:15 UTC 2017



On 16.03.2017 at 18:23, Daniel Kahn Gillmor wrote:
> On Thu 2017-03-16 12:56:35 -0400, Micha Borrmann wrote:
>> These lines are from /lib/cryptsetup/scripts/decrypt_gnupg_sc
>>
>>         echo "Performing GPG key decryption ..." >&2
>>         ls -l /dev/tty >&2
>>         ls -l /dev/console >&2
>>         /usr/bin/gpg2 --card-status >&2
>>         if ! /lib/cryptsetup/askpass \
>>                 "Enter smartcard PIN or passphrase for key $1: " | \
>>                 /usr/bin/gpg2 --quiet --batch --homedir "$(dirname $1)" \
>>                 --trustdb-name /dev/null --pinentry-mode=loopback --passphrase-fd 0 --decrypt $1; then
>>                 return 1
>>         fi
>>
>> Booting my machine, I've seen the following
>>
>> #####
>> Performing GPG key decryption ...
>> crw-rw-rw-	1 0	0		5,	0 Mar 16 16:47 /dev/tty
>> crw-------	1 0	0		5,	1 Mar 16 16:47 /dev/console
>> gpg: cannot open /dev/tty': No such device or address
>> Reader ...........: 058F:9540:X:0
>> Application ID ...: D2760001240102010005000045EC0000
>> Version ..........: 2.1
>> Manufacturer .....: ZeitControl
>> Serial number ....: 000045EC
>> Name of cardholder: Micha Borrmann
>> Language prefs ...: de
>> Sex ..............: unspecified
>> URL of public key : [not set]
>> Login data .......: [not set]
>> Signature PIN ....: not forced
>> Key attributes ...: rsa4096 rsa2048 rsa4096
>> Max. PIN lengths .: 32 32 32
>> PIN retry counter : 3 0 3
>> Signature counter : 481
>> Signature key ....: F2E7 C6A5 9950 84ED 7AD6  0DD4 EDBE 26E7 14EA 5876
>>       created ....: 2016-02-17 15:26:16
>> Encryption key....: ADB2 069E 7A1A 6558 2966  47A1 4E81 F234 C254 AF58
>>       created ....: 2016-02-17 15:26:16
>> Authentication key: EEE0 138F C87E 164B E6D8  3ED9 3768 D170 FA56 C0D6
>>       created ....: 2016-02-17 15:26:16
>> General key info..: Enter smartcard PIN or passphrase for key /etc/keys/cryptkey.gpg:
>> #####
>>
>> Why can gpg not open /dev/tty? This may be the problem.
> 
> I agree that it seems like it ought to be able to open /dev/tty given
> the permissions shown above, but it doesn't look like that is the
> problem, since it is emitted before --card-status, and --card-status
> explicitly succeeds (though i don't know why "General key info..:"
> appears to have produced no data).

With GnuPG1 the "General key info" is displayed (see below).

> I still don't see the explicit problem, though.
> 
> it looks to me like /lib/cryptsetup/askpass is prompting as expected,
> but i see no error message from the gpg part of the pipeline.
> 
> have you tried this outside of the initramfs?  does it work?  this
> pipeline looks like it expects to produce the decrypted key material to
> stdout -- is that intended?

On my normal Linux system the command works fine. I've just tested it this moment:

# /lib/cryptsetup/askpass "Enter smartcard PIN or passphrase for key /etc/keys/cryptkey.gpg: " | /usr/bin/gpg2 --quiet --batch --homedir "$(dirname /etc/keys/cryptkey.gpg)" --trustdb-name /dev/null --pinentry-mode=loopback --passphrase-fd 0 --decrypt /etc/keys/cryptkey.gpg
Enter smartcard PIN or passphrase for key /etc/keys/cryptkey.gpg:  ********

and the decrypted content is displayed on the screen if the PIN was typed correctly. However, in the initramfs the decryption also works, but only with the symmetric passphrase of /etc/keys/cryptkey.gpg and not with the smart card and PIN.

The following lines in /lib/cryptsetup/scripts/decrypt_gnupg_sc run fine (but it's GnuPG1).

        /usr/bin/gpg1 --card-status >&2
        if ! /lib/cryptsetup/askpass \
                "Enter smartcard PIN or passphrase for key $1: " | \
                /usr/bin/gpg1 --quiet --batch --homedir "$(dirname $1)" \
                --trustdb-name /dev/null --passphrase-fd 0 --decrypt $1; then
                return 1
        fi

For me it was not possible to use it with GnuPG2, and that is the only reason that I need GnuPG1 with smart card support.
It would be nice to find a way to use it with GnuPG2.

-- 
Micha Borrmann
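Daniel's observation that the gpg half of the pipeline reports no error is worth acting on: GnuPG can write machine-readable status lines to a separate file descriptor, which a keyscript can capture and log. The following is an added example, not code from this thread, from cryptsetup or from GnuPG: a small /bin/sh fragment that runs the same pipeline with gpg's status stream on fd 3, quotes the key path (the thread's script passes `$1` unquoted), and classifies the status lines so the initramfs log says whether the card, the reader, the passphrase or the key was the problem. It assumes the paths used in the thread (/lib/cryptsetup/askpass, /usr/bin/gpg2) and that mktemp exists in the initramfs; the status tokens and CARDCTRL codes are GnuPG's documented ones from doc/DETAILS; the sample status streams at the end are constructed for the demo, not captured from a real boot. Whether --pinentry-mode=loopback hands a card PIN through inside the initramfs is the thread's open question, and this example does not settle it.

```shell
#!/bin/sh
# Added example, not code from the thread, cryptsetup or GnuPG.
# Assumed paths: /lib/cryptsetup/askpass and /usr/bin/gpg2 (as in the thread);
# mktemp is assumed to be present in the initramfs.
# Status tokens are GnuPG's documented "[GNUPG:] ..." lines (doc/DETAILS).

# classify_gpg_status: read "[GNUPG:] ..." lines from stdin and print one
# word (or "error:<detail>") for the outcome. A success line always wins; a
# specific failure reason overrides the generic DECRYPTION_FAILED.
# CARDCTRL 4 = no card available, CARDCTRL 5 = no card reader available.
classify_gpg_status() {
    result=unknown
    errprefix='[GNUPG:] ERROR '
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] DECRYPTION_OKAY"*)    result=ok ;;
            "[GNUPG:] NO_SECKEY"*)          result=no-secret-key ;;
            "[GNUPG:] BAD_PASSPHRASE"*)     result=bad-passphrase ;;
            "[GNUPG:] MISSING_PASSPHRASE"*) result=no-passphrase ;;
            "[GNUPG:] CARDCTRL 4"*)         result=no-card ;;
            "[GNUPG:] CARDCTRL 5"*)         result=no-reader ;;
            "[GNUPG:] ERROR "*)
                if [ "$result" = unknown ]; then
                    result="error:${line#"$errprefix"}"
                fi ;;
            "[GNUPG:] DECRYPTION_FAILED"*)
                if [ "$result" = unknown ]; then result=failed; fi ;;
        esac
    done
    printf '%s\n' "$result"
}

# decrypt_key_with_status KEYFILE: the thread's pipeline with "$1" quoted,
# gpg's status stream captured on fd 3, and the failure reason logged.
# The exit status of "askpass | gpg2" is gpg's alone (no pipefail in /bin/sh),
# so a failing askpass would otherwise be invisible; the status file at least
# tells you what gpg saw.
decrypt_key_with_status() {
    keyfile=$1
    status_file=$(mktemp) || return 1
    if ! /lib/cryptsetup/askpass "Enter smartcard PIN or passphrase for key $keyfile: " \
        | /usr/bin/gpg2 --quiet --batch --homedir "$(dirname "$keyfile")" \
            --trustdb-name /dev/null --pinentry-mode=loopback --passphrase-fd 0 \
            --status-fd 3 --decrypt "$keyfile" 3>"$status_file"; then
        echo "gpg decryption of $keyfile failed: $(classify_gpg_status < "$status_file")" >&2
        rm -f "$status_file"
        return 1
    fi
    rm -f "$status_file"
}

# Constructed sample status streams (not captured from a real run) so the
# classifier can be exercised without a card, a reader or a gpg binary.
sample_no_card() {
    printf '%s\n' '[GNUPG:] CARDCTRL 4' '[GNUPG:] DECRYPTION_FAILED'
}
sample_ok() {
    printf '%s\n' '[GNUPG:] DECRYPTION_OKAY' '[GNUPG:] GOODMDC'
}
sample_pkdecrypt_error() {
    printf '%s\n' '[GNUPG:] ERROR pkdecrypt_failed 11' '[GNUPG:] DECRYPTION_FAILED'
}

# Demo: show what each constructed stream classifies as.
for s in sample_no_card sample_ok sample_pkdecrypt_error; do
    printf '%s -> %s\n' "$s" "$($s | classify_gpg_status)"
done
```

Run it with `sh` to see the classifier on the constructed samples; in a keyscript, call decrypt_key_with_status in place of the original if-block and read the reason from the console or the initramfs log.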


