GnuPG 1.4.1rc1 + Smart Card reader package for Knoppix/Kanotix

Dany Nativel dany_list at natzo.com
Sun Feb 6 15:01:14 CET 2005 

Hello,

In a previous post (Any LiveCD with GnuPG 1.4?) I was asking about a 
potential LiveCD that supports Gnupg 1.4 (at least).
Thanks everyone for the valuable comments you've provided.
I received a private email from David Lorch suggesting recompiling gpg 
and associated libraries under Knoppix by mounting some ramdisk.

I kind of tried but it didn't go very far. Finally I found a way to get 
gpg 1.4.1rc1 to run under Knoppix without much hassle (using a SCM 
SCR331 reader which has a driver built-in gnupg). In fact it was as easy 
as ./configure and make !
I then added additional drivers for various readers using the Klik 
technology. In the end I had a handy package that contained gpg1.4.1rc1 
as well as drivers that I could carry around and use with almost any 
Knoppix/Kanotix LiveCD. This is very convenient when it comes to key 
generation (on-card for example with off-card backup for example).

1)  Boot from Knoppix CD (3.7 12/08)  or even better from Kanotix BH X
IMPORTANT : for Knoppix I only used boot: knoppix26    .... I couldn't 
get most of my USB peripherals to work with regule knoppix (2.4).
Kanotix is 2.6 by default so no problems.

2) Download and extract gnupg-1.4.1-rc from 
ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2   for 
example in your home directory (/home/knoppix)

3) Compile GnuPG
cd ~/gnupg-1.4.1rc1
./configure
make

the executable is available in ~/gnupg-1.4.1rc1/g10

4) Smart Card Reader

a) CCID reader directly supported by gnupg (e.g. USB SCM SCR331)
Nothing to do ... just use it :   ~/gnupg-1.4.1rc1/g10/gpg --card-status

b) CCID reader supported by libccid    (see 
http://pcsclite.alioth.debian.org/ccid.html for a list of supported readers)
I've used it with the Gemplus GemTwin USB.

In order to use libccid you need the pcscd which can be downloaded as a 
"klik" application for Knoppix.

Knoppix  users you need an extra step to get the klik client up and 
running  (Kanotix users... go to the next step):
# Press Alt-F2 and paste:
# wget klik.atekon.de/client/install -O -|sh

Go to the following address 
http://klik.atekon.de/details.php?section=misc&package=pcscd   and 
"klik" to install  
or
even faster open a web browser and enter : klik://pcscd

Now killall pcscd session that may have been opened during the 
installation process. I noticed that the pcscd would only work if 
launched with debug options.
This pcscd packages includes the libccid drivers by default so it's 
ready to go.

Unfortunately gnupg is looking for libpcslite.so so a link has to be 
created :

ln /tmp/klik/pcscd/usr/lib/libpcsclite.so.1 
/tmp/klik/pcscd/usr/lib/libpcsclite.so

Now it's time to start the pcscd from the command line (not the icon on 
your desktop)
/tmp/klik/pcscd/wrapper pcscd -af

NB: this worked fine under Knoppix but not under Kanotix,   sudo 
/tmp/klik/pcscd/wrapper pcscd -af    solved the problem

Before starting gpg you need to set the path to libpcsclite.so :
export LD_LIBRARY_PATH=/tmp/klik/pcscd/usr/lib/:$LD_LIBRARY_PATH

You can now start gnupg but remember that if you're using a CCID reader 
not supported by GnuPG itself you must disable ccid when calling GnuPG 
so it won't try to talk to the reader directly. For example the GemTwin 
will fail if not started with the extra option.
~/gnupg-1.4.1rc1/g10/gpg --card-status --disable-ccid 

NB: SCR331 can also be used with libccid (it's supported by both gnupg 
and libccid)

c) Other Smart Card readers
If none of your reader is supported by the above solutions you need to 
install an additional driver.
Klik provides a convenient way to download precompiled drivers. Below is 
a list of available drivers:
- libasedrive-serial | PC/SC driver for the Athena ASEDrive IIIe serial 
smart card reader
- libasedrive-usb | PC/SC driver for the Athena ASEDrive IIIe USB smart 
card reader
- libcteco50000 | Orga Eco 5000 smartcard reader PCSC and CT-API driver
- libetoken | PC/SC Driver for Aladdin's eToken usb plug
- libgcr410 | PC/SC driver for GemPlus GCR410 serial SmartCard interface
- libgempc410 | PC/SC driver for the GemPC 410, 412, 413 and 415 smart 
card readers
- libgempc430 | PC/SC driver for the GemPC 430, 432, 435 smart card readers
- libslbreflex2 | Reflex 62/64 smartcard reader PCSC and CT-API driver
- libtowitoko2 | Towitoko smartcard reader PCSC and CT-API driver

Example  :  USB Towitoko Chipdrive Micro 130
After "kliking" on libtowitoko2 
(http://klik.atekon.de/details.php?section=libs&package=libtowitoko2)  
you'll find a new directory under /temp/klik called towitoko2
The drivers files need to be placed under the pcscd directory and 
according to a specific directory organization

mkdir /tmp/klik/pcscd/usr/lib/pcsc/drivers/ifd-towitoko2.bundle
mkdir /tmp/klik/pcscd/usr/lib/pcsc/drivers/ifd-towitoko2.bundle/Contents
mkdir 
/tmp/klik/pcscd/usr/lib/pcsc/drivers/ifd-towitoko2.bundle/Contents/Linux
cp /tmp/klik/libtowitoko2/usr/lib/libtowitoko.so.2.0.0 
/tmp/klik/pcscd/usr/lib/pcsc/drivers/ifd-towitoko2.bundle/Contents/Linux
cp /tmp/klik/libtowitoko2/usr/share/towitoko/Info.plist 
/tmp/klik/pcscd/usr/lib/pcsc/drivers/ifd-towitoko2.bundle/Contents

and then start pcscd the same way :
/tmp/klik/pcscd/wrapper pcscd -af    (with sudo if using Kanotix)

Don't forget to set the path to libpcsclite.so before running gnupg :
export LD_LIBRARY_PATH=/tmp/klik/pcscd/usr/lib/:$LD_LIBRARY_PATH

~/gnupg-1.4.1rc1/g10/gpg --card-status

NB: Serial reader may also be used but they'll need a little bit more 
tweaking for properly configuring the serial port and so on. I tried to 
play a little bit with the GCR415 without success.

5) Conclusion
Now that you've got your reader up and running you probably don't want 
to go to this process next time you're booting from Knoppix/Kanotix.

The only thing you need to save (on a USB drive for example) is the 
/tmp/klik directory and gpg executable files
You can also use the convenient persistent home directory and just move 
the klik to it so it will be available all the time. Don't forget to 
adjust the export LD_LIBRARY_PATH accordingly !

I've packaged a pre-compiled gpg-1.4.1rc1, pcsd (including libccid) and 
towitoko driver so you can just extract it under /home/knoppix and 
follow the instructions found in the short readme file.

The file can be downloaded from http://natzo.com/klik-gpg1.4.1rc1.tar.gz

This should help users seeking to generate their keys on-card and save a 
backup copy off-card. For more security you should probably recompile 
gpg yourself (it doesn't take that long). One could also disable network 
connections (Knoppix sets them up automatically) and use encrypted swap 
file (especially if swap is mounted on a hdd).

Dany

More information about the Gnupg-users mailing list