https://gnupg.org/blog/20171005-gnupg-ccid-card-daemon-UbuntuPhone.html

HIH

matthias

@guru said in support for GnuPG smartcard:

I could put a detailed tutorial on my web site.

I think your project to set this up on the phone seem very nice and useful. I think the tutorial, if you put it up, will be very helpful.

Where did you buy the device from? Did you find any nice and slim solution for the connector to fit?

I will publish something in the blog of gnupg.org and/or in my gitbook about the UbuntuPhone.

Re/ your questions:

The card (USB token and SIM) is from:

https://www.floss-shop.de/en/hardware/

One needs the following items:

OpenPGP Smart Card V2.1 mit ID000 Ausfräsung (Art. Number 654020)
uTrust Token Standard black (Art. number 655010)

A photo of the BQ E4.5 with the token attached is here: is here:

http://www.unixarea.de/UbuntuPhone-GnuPG-card.jpg

For the connection between the USB token and the phone, I used some OTG
(USB On-The-Go) cable. I own as well a small connector receiving on one
end the token and to be plugged in into the phones port, but this
connection is very unstable, with the cable it's fine.

matthias

I could put a detailed tutorial on my web site.

I think your project to set this up on the phone seem very nice and useful. I think the tutorial, if you put it up, will be very helpful.

Where did you buy the device from? Did you find any nice and slim solution for the connector to fit?

We start in the phone the pcscd daemon as:

$ sudo /home/phablet/myRoot/usr/local/sbin/pcscd
$ ps ax | grep pcscd
31669 pts/53 Sl 0:00 /home/phablet/myRoot/usr/local/sbin/pcscd

insert the GnuPG-card into the USB port of the BQ E4.5 and do:

$ ./gpg.sh --card-status
gpg-agent[20254]: enabled debug flags: mpi crypto memory cache memstat hashing ipc
gpg-agent: a gpg-agent is already running - not starting a new one
gpg-agent: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
gpg-agent: secmem usage: 0/32768 bytes in 0 blocks
Reader ...........: Identiv uTrust 3512 SAM slot Token [CCID Interface] (55511514602745) 00 00
Application ID ...: D27600012401020100050000532B0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 457
Signature key ....: 5E69 FBAC 1618 562C B3CB FBC1 47CC F7E4 76FE 9D11
created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B 1A13 61F1 ECB6 25C9 A6C3
created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D EA4B 6AA5 C5C4 51A1 CD1C
created ....: 2017-05-14 18:20:07
General key info..: [none]

Now I removed ~/.gnupg (saving the *.conf files) and copied over from my
real netbook the ~/.password-store and the key material in ~/.gnupg
for the GnuPG-card;

$ ./pass.sh askubuntu.com/guru@unixarea.de

                      ┌─────────────────────────────────────────────┐
                      │ Please insert the card with serial number:  │
                      │                                             │
                      │ 0005 0000532B                               │
                      │                                             │
                      │      <OK>                       <Cancel>    │
                      └─────────────────────────────────────────────┘

I inserted the card and it asks for the PIN:

                      ┌──────────────────────────────────────────────┐
                      │ Please unlock the card                       │
                      │                                              │
                      │ Number: 0005 0000532B                        │
                      │ Holder: Matthias Apitz                       │
                      │                                              │
                      │ PIN ________________________________________ │
                      │                                              │
                      │      <OK>                        <Cancel>    │
                      └──────────────────────────────────────────────┘

XXXXXXXX-XXXXXX
$

on the 2nd run it does not need anymore the PIN:

$ ./pass.sh askubuntu.com/guru@unixarea.de
XXXXXXXX-XXXXXX

I think, it is worth to bring the GnuPG-card and the needed software-stack running at least in such a chrooted environment. At least the installtion of the software worked out of the box:

phablet@ubuntu-phablet-bq:~$
phablet@ubuntu-phablet-bq:~$ sudo chroot myRoot/
...
root@ubuntu-phablet:/# apt-get install gnupg2
root@ubuntu-phablet:/# apt-get install opensc
...
Unpacking opensc (0.14.0-1ubuntu1) ...
Processing triggers for systemd (219-7ubuntu6) ...
Processing triggers for ureadahead (0.100.0-19) ...
Setting up opensc-pkcs11:armhf (0.14.0-1ubuntu1) ...
Setting up libccid (1.4.18-1) ...
Setting up pcscd (1.8.11-3ubuntu1) ...
Error, do this: mount -t proc proc /proc
invoke-rc.d: -----------------------------------------------------
invoke-rc.d: WARNING: 'invoke-rc.d pcscd start' called
invoke-rc.d: during shutdown sequence.
invoke-rc.d: enabling safe mode: initscript policy layer disabled
invoke-rc.d: -----------------------------------------------------
Setting up opensc (0.14.0-1ubuntu1) ...
Processing triggers for libc-bin (2.21-0ubuntu4) ...
Processing triggers for systemd (219-7ubuntu6) ...
Processing triggers for ureadahead (0.100.0-19) ...

root@ubuntu-phablet:/# su - phablet
phablet@ubuntu-phablet:~$ gpg2 --version
gpg (GnuPG) 2.0.26
libgcrypt 1.6.2
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
...

root@ubuntu-phablet:/# mount -t proc proc /proc
root@ubuntu-phablet:/# ps ax | grep pcscd
16467 ? Sl 0:00 /usr/sbin/pcscd

root@ubuntu-phablet:/# /usr/sbin/pcscd --debug --foreground
00000000 pcscdaemon.c:266:main() pcscd set to foreground with debug send to stdout
00001967 configfile.l:286:DBGetReaderListDir() Parsing conf directory: /etc/reader.conf.d
00000915 configfile.l:298:DBGetReaderListDir() Skipping non regular file: .
00001002 configfile.l:298:DBGetReaderListDir() Skipping non regular file: ..
00000977 configfile.l:339:DBGetReaderList() Parsing conf file: /etc/reader.conf.d/libccidtwin
00001459 pcscdaemon.c:571:main() pcsc-lite 1.8.11 daemon ready.

So far so good. Now I would have to attach the USB GnuPG-card to the USB-port of the BQ E4.5. This requires some kind of a gender changer to attach the USB stick (the GnuPG-card) to the USB charger cable of the phone or some other hardware to attach the USB stick directly to the BQ E4.5 device.

Any hints on this?