Add support for GnuPG2 #454
Conversation
|
With those library changes and enabling UNIX Domain Sockets with I'm trying |
|
Building pinentry-1.1.0 in tty mode works, although I'm not sure if it is currently hung waiting for entropy (on qemu) or if there is something else wrong. |
|
@osresearch : pinentry complains about curses.h missing. Edit: fixed below with |
|
For the record, you don't need pinentry to be built with ncurses support. It can run in the tty on its own. |
| --host x86_64-linux-musl \ | ||
| --prefix "/" \ | ||
| --enable-pinentry-tty \ | ||
| --disable-pinentry-curses \ |
There was a problem hiding this comment.
--disable-pinentry-qt5 \
--disable-pinentry-fltk \
--disable-pinentry-emacs \
+ --disable-fallback-curses \
--with-libgpg-error-prefix="$(INSTALL)" \
--with-libassuan-prefix="$(INSTALL)" \
@duncanguthrie It was supposed to. It was just not respected :) @duncanguthrie : have insight on this? |
|
You might need to start gpg-agent with option
|
|
gpg-agent looks in /libexec (${libexecdir}) for scdaemon, but Heads packages scdaemon into /bin. A workaround is to pass --libexecdir=/bin to gpg2_configure. The other option is to extend the Heads Makefile to put files into /libexec, but that is more involved. I haven't gotten to actually testing this with my Nitrokey yet... |
…lly work, tools and libs updated to latest versions
|
@jandryuk : I've used gpg2 ang gpg1 only with Trying to figure out what is wrong with pseudo-random generators. I'm testing on x230, not qemu, but can see that neither works with It seems that there is not enough action on the host (recovery is doing nothing. May explain it) to generate enough entropy. Haven't had any feedback yet from u-root channel for gpg1: |
|
I confirm, by running Since Heads relies on smartcards to sign configs, is A couple of solutions could be taken into consideration if entropy generation in Heads is really a need ( I don't think so ). |
|
The only need I see would be to generate keys from Heads to keep an offline backup of master key, and insert subkeys in the smartcard for daily operations, like proposed, for example, in this guide. So if this is required, rng-tools could be integrated inside of Heads with HW RANDOM support and a config option added. Look here for other options, out of which rng-tools is recommended. @kyle @flammit, @osresearch: False need? |
|
@tlaurion Thanks for tracking down the problem! I am okay with leaving it as-is since it's due to the lack of entropy. I was more concerned there was still something broken with the gpg2 installation causing the hang. |
initrd/init
Outdated
| @@ -5,6 +5,9 @@ echo "hello world" > /dev/ttyprintk | |||
| # Setup our path | |||
| export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin | |||
|
|
|||
| #export GPG_TTY STATICALLY (NEED TO FIX) | |||
| export GPG_TTY=/dev/console | |||
There was a problem hiding this comment.
| export GPG_TTY=/dev/console | |
| export GPG_TTY=$(tty) |
tty is installed, so it could be used here. tty returns /dev/console, so that doesn't change.
There was a problem hiding this comment.
EDIT: Will redo tests.
There was a problem hiding this comment.
@jandryuk : I've took that approach initially. Exiting to recovery shell consequently gives:
echo $GPG_TTY
not a tty
tty
/dev/console
init script doesn't have an access to a TTY.
This is why gpg command verifying signatures is gpg --no-tty, because from a whiptail perspective, it doesn't have access to a shell until ash is spawned. The reason why gpg signing works is because pinentry-tty is called for which requires the tty to be set, else it also fails.
I haven't found a more elegant solution then to hardcode the tty, force the paths to binaries in config and force gpg-agent usage. If you have a better solution, please advise. :)
There was a problem hiding this comment.
I'm pretty sure I used $(tty) for qemu's recovery shell and it worked. But that wasn't the whiptail stuff. Can you run the whiptail stuff under qemu?
Anyway, I don't have a better suggestion.
There was a problem hiding this comment.
Oh, your call to tty was before /dev/ was mounted. Setting GPG_TTY later works for me in QEMU. Check out this commit: jandryuk@ab8046b
There was a problem hiding this comment.
@jandryuk if you want to test fbwhiptail/gui-init, see this branch: https://github.com/flammit/heads/tree/qemu-gui-init. Feel free to drop by u-root.slack.com / #heads channel if you wanna chat live (invite available from slack.u-root.com)
There was a problem hiding this comment.
@flammit Oh, I forgot to thank you for the gui branch. Thanks!
gpg2 needs GPG_TTY set to function properly. We set it in /init so it is inherited by all children. The call to $(tty) must be after /dev and (preferably) /dev/pts are mounted. Signed-off-by: Jason Andryuk <[email protected]>
|
@osresearch : please merge #491 here. |
|
@osresearch once #491 is in, this LGTM. Tested on x230 and qemu and tested repro on Ubuntu 16.04, Fedora Server 29, Fedora Workstation 29. Note: you'll need to update your key files to only include the public key of the yubikeys, so the easiest way is to |
|
Is this PR stable at the moment? I'd like to try it on the Librem 13 v3. |
|
@itay-grudev : yes. You have to merge #491 on top of this one and you're good to go. |
|
I have the following problem when I attempt to update my gpg: gpg-agent is not available in this session
gpg: Sorry, no terminal at all requested - can't get input
/boot: Unable to sign kexec hashes
Failed to sign default configIt ends with a kernel panic. |
|
I also had a problem adding my GPG key. I ended up flashing to a non |
Fixed in #505. |
|
After I switched to this branch and compiled this I noticed that gpg is still using version Please advise. |
|
The GPG2 flag wasn't set for the Librem platforms so GPG2 wasn't built. I added that in #505. Now I have another issue. Looks like libsecret is missing as a dependency. Making all in pinentry
make[3]: Entering directory '/home/user/Projects/heads/build/pinentry-1.1.0/pinentry'
/home/user/Projects/heads/install/bin/musl-gcc -fdebug-prefix-map=/home/user/Projects/heads=heads -gno-record-gcc-switches -D__MUSL__ -DHAVE_CONFIG_H -I. -I.. -pthread -I/home/user/Projects/heads/install/usr/include/libsecret-1 -I/home/user/Projects/heads/install/usr/include/glib-2.0 -I/home/user/Projects/heads/install/usr/lib/x86_64-linux-gnu/glib-2.0/include -I//include -I//include -I../secmem -Wall -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -MT password-cache.o -MD -MP -MF .deps/password-cache.Tpo -c -o password-cache.o password-cache.c
password-cache.c:30:31: fatal error: libsecret/secret.h: No such file or directory
compilation terminated.
make[3]: *** [Makefile:417: password-cache.o] Error 1
make[3]: Leaving directory '/home/user/Projects/heads/build/pinentry-1.1.0/pinentry'
make[2]: *** [Makefile:465: all-recursive] Error 1
make[2]: Leaving directory '/home/user/Projects/heads/build/pinentry-1.1.0'
make[1]: *** [Makefile:405: all] Error 2
make[1]: Leaving directory '/home/user/Projects/heads/build/pinentry-1.1.0'
make: *** [Makefile:356: /home/user/Projects/heads/build/pinentry-1.1.0/.build] Error 1 |
|
Fixed in #505 |
|
With #505: Compiled successfully. GPG2 works fine. Signing works fine. Verification works fine. Tested on a Librem 13 v3 with a 4096 bit RSA key. |
|
@tlaurion |
@itay-grudev Exact. CONFIG_GPG->CONFIG_GPG2 in board configs. |
Set GPG_TTY before calling gpg in key-init
GPG2 Fixes
|
Please merge #510 instead. |
This is based on the patches by @duncanguthrie and @tlaurion to fix #435 and #296.
gpg2 and its various libraries adds 430KB to the initrd compared to gnupg1.4.21. This might be a concern for some of the smaller flash systems.