    Using GnuPG in the UbuntuPhone BQ E4.5 (part1: GnuPG)
    Support

      guru last edited by guru

      Using GnuPG-card in the UbuntuPhone BQ E4.5:

      Create a complete Linux system into ~phablet/myRoot/ :

      phablet@ubuntu-phablet-bq:~$ mkdir myRoot
      phablet@ubuntu-phablet-bq:~$ cd myRoot
      phablet@ubuntu-phablet-bq:~/myRoot$ sudo tar xzf ubports-touch.rootfs-xenial-armhf.tar.gz
      phablet@ubuntu-phablet-bq:~/myRoot$ cd ..
      phablet@ubuntu-phablet-bq:~$ sudo chroot myRoot/
      

      Install additional packages into the Linux system:

      root@ubuntu-phablet:/# apt-get install pinentry-curses
      root@ubuntu-phablet:/# apt-get install pass
      root@ubuntu-phablet:/# apt-get install libudev-dev
      root@ubuntu-phablet:/# apt-get install gcc
      root@ubuntu-phablet:/# apt-get install libc-dev
      root@ubuntu-phablet:/# apt-get install make
      

      Compile in myRoot the following pieces (in the given order):

      libgpg-error-1.33
      libassuan-2.5.1
      libksba-1.3.5
      npth-1.6
      libgcrypt-1.8.4
      gnupg-2.2.12
      

      always with ./configure && make && sudo make install; the software ends
      up below /usr/local (which is /home/phablet/myRoot/usr/local when one looks from outside the chroot'ed phone system);

      note: gpg2 is /usr/local/bin/gpg

      Now from the phone system configure:

      $ mkdir ~/.gnupg
      $ chmod 0700 ~/.gnupg
      
      $ cat .gnupg/gpg.conf
      #
      agent-program  /home/phablet/myRoot/usr/local/bin/gpg-agent
      
      $ cat .gnupg/gpg-agent.conf
      pinentry-program /home/phablet/myRoot/usr/bin/pinentry-curses
      scdaemon-program /home/phablet/myRoot/usr/local/libexec/scdaemon
      # options are read in file order, so of the two log-file lines only the last one takes effect
      log-file /home/phablet/gpg-agent.log
      log-file /dev/null
      debug-level guru
      max-cache-ttl 10
      

      Due to the nature of the installation in the chrooted system we
      need small wrapper scripts to set PATH, LD_LIBRARY_PATH, ... and
      other stuff;

      $ cat ~/gpg.sh
      #!/bin/sh
      # point the dynamic linker and PATH at the binaries built inside the chroot
      LD_LIBRARY_PATH=/home/phablet/myRoot/usr/local/lib export LD_LIBRARY_PATH
      PATH=/home/phablet/myRoot/usr/local/bin:$PATH      export PATH
      GNUPGHOME=/home/phablet/.gnupg    export GNUPGHOME
      GPG_TTY=$(tty)                    export GPG_TTY
      # start the agent (prints an error and continues if one is already running)
      /home/phablet/myRoot/usr/local/bin/gpg-agent    \
                  --homedir /home/phablet/.gnupg      \
                  --daemon                            \
                  --pinentry-program /home/phablet/myRoot/usr/bin/pinentry-curses
      /home/phablet/myRoot/usr/local/bin/gpg-connect-agent /bye
      # "$@" keeps arguments with spaces (e.g. a user ID) intact; $* would split them
      /home/phablet/myRoot/usr/local/bin/gpg "$@"
      

      Run it and, as a test, create a keypair (later we want to use the GnuPG-card
      for this):

      $ ~/gpg.sh --full-generate-key
      gpg-agent[2973]: enabled debug flags: mpi crypto memory cache memstat hashing ipc
      gpg (GnuPG) 2.2.1; Copyright (C) 2017 Free Software Foundation, Inc.
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
      
      Please select what kind of key you want:
         (1) RSA and RSA (default)
         (2) DSA and Elgamal
         (3) DSA (sign only)
         (4) RSA (sign only)
      Your selection? 
      ...
      

      This starts the gpg-agent as:

      $ ps ax | grep gpg-a
       2974 ?        Ss     0:00 /home/phablet/myRoot/usr/local/bin/gpg-agent --homedir /home/phablet/.gnupg --daemon --pinentry-program /home/phablet/myRoot/usr/bin/pinentry-curses
      

      Now we can use the pass command we installed in the chroot'ed system with

      $ cat pass.sh
      #!/bin/sh
      LD_LIBRARY_PATH=/home/phablet/myRoot/usr/local/lib export LD_LIBRARY_PATH
      PATH=/home/phablet/myRoot/usr/local/bin:$PATH      export PATH
      GNUPGHOME=/home/phablet/.gnupg    export GNUPGHOME
      GPG_TTY=$(tty)                    export GPG_TTY
      # make pass talk to the agent started by gpg.sh, not to a stale socket from the phone's own gpg
      unset GPG_AGENT_INFO
      /home/phablet/myRoot/usr/bin/pass "$@"
      

      Init the pass storage as:

      $ ./pass.sh init Matthias
      Password store initialized for Matthias
      web/bla: reencrypting to A62DCD2809AC14F6
      
      
      $ find .password-store/
      .password-store/
      .password-store/.gpg-id
      

      Insert a password as a test:

      $ ./pass.sh insert -m web/bla
      Enter contents of web/bla and press Ctrl+D when finished:
      
      password-bla
      Username: guru
      
      $ ./pass.sh web/bla
      
                       ┌────────────────────────────────────────────────────────────────┐
                       │ Please enter the passphrase to unlock the OpenPGP secret key:  │
                       │ "Matthias Apitz (test) <guru@sisis.de>"                        │
                       │ 2048-bit RSA key, ID 93A6FBF52FA76DB0,                         │
                       │ created 2017-09-22 (main key ID 3FECB79DDDA409E4).             │
                       │                                                                │
                       │                                                                │
                       │ Passphrase: ***_______________________________________________ │
                       │                                                                │
                       │         <OK>                                    <Cancel>       │
                       └────────────────────────────────────────────────────────────────┘
      password-bla
      Username: guru
      

      We can now use gpg2 and pass directly on the phone to always have our secrets, PINs etc. with us.

      I have here two screen-shots, taken of the terminal-app: In the 1st I have typed in the command ./pass.sh web/foo asking for the (cleartext) values of web/foo (which could be your bank account, login credentials or whatever you can think of). The result visible in this screen (xxx yyy) is only shown after entering the passphrase to unlock your GnuPG secret key, see screen 2. The key is 4096 bits RSA. The key store remains 10 seconds (configurable) unlocked, after which you're asked again for the passphrase.

      1st screen

      2nd screen

      Matthias

        guru last edited by
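The gpg-agent.conf shown above carries two log-file lines, a debug-level of guru and a 10-second max-cache-ttl; which of these actually takes effect matters on a phone that can be lost. The script below is an added example, not code from the post or from the GnuPG project: a small POSIX sh linter that reports the effective value of repeated keys, flags verbose agent debugging when it goes to a real file rather than /dev/null, and flags a missing or long passphrase cache. It assumes only sh, awk and mktemp; the two sample configs are constructed here to mirror the post's file and a trimmed variant of it.

```shell
#!/bin/sh
# Added example, not code from the forum post: lint a gpg-agent.conf such as
# the one in the post for settings that matter on a phone that can be lost or
# stolen. Assumes POSIX sh with awk and mktemp; the sample files are
# constructed here to mirror the post's configuration.

# Print the value of the last non-comment line that sets KEY. gpg-agent reads
# options in file order, so a repeated key is overridden by its last occurrence.
effective_value() {            # usage: effective_value FILE KEY
    awk -v key="$2" '$1 == key { v = $2 } END { if (v != "") print v }' "$1"
}

# Print how many non-comment lines set KEY.
count_key() {                  # usage: count_key FILE KEY
    awk -v key="$2" '$1 == key { n++ } END { print n + 0 }' "$1"
}

# Print one finding per line (nothing when the file is clean).
lint_agent_conf() {            # usage: lint_agent_conf FILE
    conf="$1"
    logs=$(count_key "$conf" log-file)
    lf=$(effective_value "$conf" log-file)
    dl=$(effective_value "$conf" debug-level)
    ttl=$(effective_value "$conf" max-cache-ttl)

    if [ "$logs" -gt 1 ]; then
        echo "log-file set $logs times; the last one wins, so logging goes to: $lf"
    fi
    # debug-level guru enables every debug flag (mpi crypto memory cache memstat
    # hashing ipc, as the post's own log line shows); harmless while the log is
    # /dev/null, but a real log file then records the agent's internal state.
    if [ -n "$dl" ] && [ "$dl" != "none" ] && [ -n "$lf" ] && [ "$lf" != "/dev/null" ]; then
        echo "debug-level $dl writes verbose agent state to $lf; drop it after debugging"
    fi
    case "$ttl" in
        '')        echo "max-cache-ttl unset; gpg-agent's default keeps the passphrase cached for up to 7200 s" ;;
        *[!0-9]*)  echo "max-cache-ttl '$ttl' is not a number of seconds" ;;
        *)         [ "$ttl" -gt 60 ] && echo "max-cache-ttl $ttl s is long for a device that may be stolen" ;;
    esac
    return 0
}

# Number of findings, for scripted checks.
finding_count() {              # usage: finding_count FILE
    lint_agent_conf "$1" | awk 'END { print NR }'
}

# Constructed sample: the post's gpg-agent.conf (both log-file lines kept).
write_sample_conf() {          # usage: write_sample_conf FILE
    cat > "$1" <<'EOF'
pinentry-program /home/phablet/myRoot/usr/bin/pinentry-curses
scdaemon-program /home/phablet/myRoot/usr/local/libexec/scdaemon
log-file /home/phablet/gpg-agent.log
log-file /dev/null
debug-level guru
max-cache-ttl 10
EOF
}

# Constructed sample: the same file with the debugging lines removed.
write_clean_conf() {           # usage: write_clean_conf FILE
    cat > "$1" <<'EOF'
pinentry-program /home/phablet/myRoot/usr/bin/pinentry-curses
scdaemon-program /home/phablet/myRoot/usr/local/libexec/scdaemon
max-cache-ttl 10
EOF
}

# Demo when run directly: lint the post's config, then the trimmed one.
tmp=$(mktemp)
write_sample_conf "$tmp"
echo "== post's config: $(finding_count "$tmp") finding(s)"
lint_agent_conf "$tmp"
write_clean_conf "$tmp"
echo "== cleaned config: $(finding_count "$tmp") finding(s)"
lint_agent_conf "$tmp"
rm -f "$tmp"
```

Run against the post's file it reports exactly one finding (the duplicated log-file, resolved to /dev/null); once the log-file and debug-level lines are removed it reports none, while the 10-second cache keeps the unlock window as short as the post intends. Point it at the real file with `lint_agent_conf ~/.gnupg/gpg-agent.conf` after sourcing the script.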

        The problem is: GnuPG needs a good passphrase, esp. in our case where the device could be lost or stolen. Mine is ~8 words long and typing it with the OSK is rather a PITA. Better is using for this an OpenPGP Card, a CCID security USB token. This requires only a 6-digit PIN to unlock the GnuPG keys. Its installation and configuration will be described in part 2.
