Using a GnuPG CCID card in another computer (follow-up)
Matthias Apitz
guru at unixarea.de
Tue May 16 11:56:59 CEST 2017
On Tuesday, May 16, 2017 at 11:12:18 AM +0200, Peter Lebbing wrote:
> On 16/05/17 07:55, Matthias Apitz wrote:
> > The question remains: Why do I have to move the files below .gnupg/ to
> > the other workstation?
>
> The card only holds the basic cryptographic material. But a certificate
> ("public key") holds much more information: your name, the relations
> between the cryptographic keys and how they are used, your preferences
> with regard to algorithms, how long the key is valid, and certifications
> by other users who have signed your key, to name some important ones.
>
> So before you can use the smartcard, you need to import your
> certificate/public key. You could publish this to the keyserver network,
> or put it on the web. If the latter, you /can/ enter the URL in a data
> field on the smartcard, enabling you to use the "fetch" command of
> --card-edit.
Thanks for the two tips re/ the pub key; I did so and now it works:
I exported the pub key with:
$ gpg2 --export --armor > ccid--export-key-guru.pub
placed it on my webserver and configured its URL with the card's url-command
as
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
On the 2nd workstation I moved away the GNUPGHOME:
$ env | grep GNU
GNUPGHOME=/home/guru/.gnupg-ccid
$ mv .gnupg-ccid .gnupg-ccid-saved
gpg2 is unwilling to start due to the missing dir and I had
to create it with mkdir:
$ gpg2 --card-status
gpg: keyblock resource '/home/guru/.gnupg-ccid/pubring.kbx': No such file or directory
gpg: failed to create temporary file '/home/guru/.gnupg-ccid/.#lk0x0000000802616210.r314251-amd64.65213': No such file or directory
gpg: can't connect to the agent: No such file or directory
gpg: OpenPGP card not available: No agent running
$ mkdir /home/guru/.gnupg-ccid
$ chmod 0700 /home/guru/.gnupg-ccid
As you can see the keys are completely missing in the card's status:
$ gpg2 --card-status
gpg: keybox '/home/guru/.gnupg-ccid/pubring.kbx' created
Reader ...........: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D27600012401020100050000532B0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 5E69 FBAC 1618 562C B3CB FBC1 47CC F7E4 76FE 9D11
created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B 1A13 61F1 ECB6 25C9 A6C3
created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D EA4B 6AA5 C5C4 51A1 CD1C
created ....: 2017-05-14 18:20:07
General key info..: [none]
but after fetching the pub key, all is fine:
[guru at r314251-amd64 ~]$ gpg2 --card-edit
Reader ...........: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D27600012401020100050000532B0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 5E69 FBAC 1618 562C B3CB FBC1 47CC F7E4 76FE 9D11
created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B 1A13 61F1 ECB6 25C9 A6C3
created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D EA4B 6AA5 C5C4 51A1 CD1C
created ....: 2017-05-14 18:20:07
General key info..: [none]
gpg/card> fetch
gpg: requesting key from 'http://www.unixarea.de/ccid--export-key-guru.pub'
gpg: /home/guru/.gnupg-ccid/trustdb.gpg: trustdb created
gpg: key 47CCF7E476FE9D11: public key "Matthias Apitz (GnuPG CCID) <guru at unixarea.de>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg/card> list
Reader ...........: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D27600012401020100050000532B0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 5E69 FBAC 1618 562C B3CB FBC1 47CC F7E4 76FE 9D11
created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B 1A13 61F1 ECB6 25C9 A6C3
created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D EA4B 6AA5 C5C4 51A1 CD1C
created ....: 2017-05-14 18:20:07
General key info..: pub rsa4096/47CCF7E476FE9D11 2017-05-14 Matthias Apitz (GnuPG CCID) <guru at unixarea.de>
sec> rsa4096/47CCF7E476FE9D11 created: 2017-05-14 expires: never
card-no: 0005 0000532B
ssb> rsa4096/6AA5C5C451A1CD1C created: 2017-05-14 expires: never
card-no: 0005 0000532B
ssb> rsa4096/61F1ECB625C9A6C3 created: 2017-05-14 expires: never
card-no: 0005 0000532B
> > And, what are the files below .gnupg/private-keys-v1.d
> > are exactly?
>
> Either the real cryptographic material for a private key, or simply a
> note telling GnuPG "that key is on card X". However, I'm surprised by
> the size of these files you show. All my "notes saying card X", stubs,
> on this laptop are around a mere 360 bytes. I know these files are
> S-Expressions, but I haven't checked the exact construction. I would
> expect OpenPGP smartcard stubs to generally come down to very comparable
> sizes.
I ran strings on these files and it shows, for example:
$ strings -n8 314DE72F03D41683E06A504769970A1643825B38.key
(20:shadowed-private-key(3:rsa(1:n513:
)(8:shadowed5:t1-v1(16:
9:OPENPGP.2))))
>
> You can ask GnuPG to list all the OpenPGP private keys it knows about
> along with the keygrip. The keygrip corresponds to the file name in
> private-keys-v1.d. It will also indicate when a key is on a card:
>
> > $ gpg2 --with-keygrip -K
> > /home/peter/.gnupg/pubring.kbx
I did so and it seems that the keys are on the card:
$ gpg2 --with-keygrip -K
/home/guru/.gnupg-ccid/pubring.kbx
----------------------------------
sec> rsa4096 2017-05-14 [SC]
5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
Keygrip = 937BA1F6A95F68222EC2C6F9573100E17EE9522E
Card serial no. = 0005 0000532B
uid [ultimate] Matthias Apitz (GnuPG CCID) <guru at unixarea.de>
ssb> rsa4096 2017-05-14 [A]
Keygrip = 7E22A904DB3BE5A98F98AFDEED61DF1364DD949B
ssb> rsa4096 2017-05-14 [E]
Keygrip = 314DE72F03D41683E06A504769970A1643825B38
Thanks for your explanations and help. Maybe the FAQ should be expanded
with this.
matthias
--
Matthias Apitz, ✉ guru at unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
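Added example (not part of the thread, and not GnuPG's own code): a small parser for the canonical S-expression format that GnuPG uses for the files in private-keys-v1.d, applied to a constructed "shadowed-private-key" stub of the same shape the strings output above shows. The modulus and exponent bytes are dummies; the 16-byte application ID is the one printed by --card-status in the message. The keygrip computation rests on my understanding that, for RSA, libgcrypt takes SHA-1 over the modulus bytes as stored in the S-expression (so for a 4096-bit key the 513 bytes including the leading zero); the slot names for OPENPGP.1/2/3 follow the OpenPGP card specification.

```python
import hashlib

# Constructed sample values (not from the thread's real stub file).
CARD_APP_ID = bytes.fromhex("D27600012401020100050000532B0000")   # from --card-status
DUMMY_MODULUS = b"\x00" + b"\xc1" + b"\x5a" * 511                 # 513 bytes, 4096-bit value
DUMMY_EXPONENT = b"\x01\x00\x01"                                   # 65537

KINDS = {b"private-key", b"protected-private-key", b"shadowed-private-key"}
CARD_SLOTS = {"OPENPGP.1": "signature", "OPENPGP.2": "decryption",
              "OPENPGP.3": "authentication"}


def build_csexp(value) -> bytes:
    """Serialise bytes / nested lists as a canonical S-expression ('<len>:<bytes>', '(...)')."""
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    return b"(" + b"".join(build_csexp(v) for v in value) + b")"


# A stub laid out like the one the strings output shows:
# (20:shadowed-private-key(3:rsa(1:n513:...)(1:e3:...)(8:shadowed5:t1-v1(16:...9:OPENPGP.2))))
SAMPLE_STUB = build_csexp([
    b"shadowed-private-key",
    [b"rsa",
     [b"n", DUMMY_MODULUS],
     [b"e", DUMMY_EXPONENT],
     [b"shadowed", b"t1-v1", [CARD_APP_ID, b"OPENPGP.2"]]],
])


def parse_csexp(data: bytes, pos: int = 0):
    """Parse one canonical S-expression starting at pos; returns (value, end_pos).

    Atoms come back as bytes, lists as Python lists. Malformed or truncated
    input raises ValueError instead of silently returning partial data.
    """
    if pos >= len(data):
        raise ValueError("unexpected end of data")
    if data[pos:pos + 1] == b"(":
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b")":
            if pos >= len(data):
                raise ValueError("unterminated list")
            item, pos = parse_csexp(data, pos)
            items.append(item)
        return items, pos + 1
    colon = data.find(b":", pos)
    if colon < 0 or not data[pos:colon].isdigit():
        raise ValueError("malformed atom length at offset %d" % pos)
    length = int(data[pos:colon])
    end = colon + 1 + length
    if end > len(data):
        raise ValueError("truncated atom at offset %d" % pos)
    return data[colon + 1:end], end


def describe_key_file(data: bytes) -> dict:
    """Explain what a private-keys-v1.d file is: real key, protected key, or card stub."""
    sexp, end = parse_csexp(data)
    if end != len(data):
        raise ValueError("trailing bytes after S-expression")
    if not isinstance(sexp, list) or len(sexp) < 2 or sexp[0] not in KINDS:
        raise ValueError("not a GnuPG private key S-expression")
    algo_list = sexp[1]
    algo = algo_list[0].decode()
    params = {item[0]: item[1:] for item in algo_list[1:] if isinstance(item, list)}
    info = {"kind": sexp[0].decode(), "algo": algo}
    if algo == "rsa":
        n = params[b"n"][0]
        info["modulus_bits"] = int.from_bytes(n, "big").bit_length()
        # Assumption: RSA keygrip = SHA-1 over the stored modulus bytes; the
        # uppercase hex digest is what the file name in private-keys-v1.d uses.
        info["keygrip"] = hashlib.sha1(n).hexdigest().upper()
    if sexp[0] == b"shadowed-private-key":
        shadow = params[b"shadowed"]            # [protocol, [app_id, key_ref]]
        info["shadow_protocol"] = shadow[0].decode()
        app_id, key_ref = shadow[1]
        info["card_app_id"] = app_id.hex().upper()
        # OpenPGP card AID: RID(5) app(1) version(2) manufacturer(2) serial(4) RFU(2);
        # gpg prints manufacturer and serial as "0005 0000532B".
        info["card_serial"] = "%s %s" % (app_id[8:10].hex().upper(), app_id[10:14].hex().upper())
        info["key_ref"] = key_ref.decode()
        info["card_slot"] = CARD_SLOTS.get(info["key_ref"], "unknown")
    return info


if __name__ == "__main__":
    for key, value in describe_key_file(SAMPLE_STUB).items():
        print("%-16s %s" % (key, value))
```

On a real system the same function can be run over each file in $GNUPGHOME/private-keys-v1.d: a "shadowed-private-key" result confirms the file is only a pointer to the card (and shows which card and which slot), whereas "private-key" or "protected-private-key" means the secret material itself is on disk, which is the case that deserves attention when a home directory is copied between workstations. Comparing the computed keygrip with the file's own name is a quick consistency check; in the thread the file 314DE7...5B38.key carries OPENPGP.2, the decryption slot, matching the [E] subkey listed by --with-keygrip -K.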