OpenPGP card and gpg-agent TTL

Matthias Apitz guru at unixarea.de
Fri Nov 5 09:01:21 CET 2021


On Friday, November 05, 2021 at 08:32:17 a.m. +0100, Werner Koch via Gnupg-users wrote:

> it is good that things work for you.  And thanks for the hint with the
> smartcard.  I was probably blind that I didn't notice it.  I put an
> older card into the slot (cut down with a sharp wire cutter) but I have
> not seen the device.

Hello Werner,

To get the OpenPGP card working, please follow the steps in my
attachment OpenPGP-L5.txt. You must flash some firmware into the device.

> Even after an OS update there is still no Bluetooth device (regardless
> of the kill switch position) and the WLAN sometimes needs a reboot.  I
> also wonder why there are no easy accessible teardown images - the long
> Youtube video is not very helpful because it shows obvious things,

To solve the Bluetooth / WLAN problems, follow the steps here on how to
load some other firmware again. In particular, after this also change the
value dev_oper_mode from 5 to 13 in the file /etc/modprobe.d/librem5-devkit.conf.

https://forums.puri.sm/t/bluetooth-support-for-librem-5/14965/45

Hope it helps

	matthias

-- 
Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
August 13, 1961: Better a wall than a war. And, while the GDR was still existing,
no German troops and bombs have been killed in Yugoslavia, Afghanistan, Afrika...
-------------- next part --------------

How to set up the OpenPGP card in the Purism L5 phone
              guru at unixarea.de, October 2021


https://puri.sm/posts/openpgp-in-your-pocket/
(includes video about inserting the card)

https://source.puri.sm/angus.ainslie/ttxs-firmware/-/blob/purism/PURISM.md

install and get the software:

$ cd ~/guru
$ sudo apt install stm32flash git
$ git clone https://source.puri.sm/angus.ainslie/ttxs-firmware

$ cd ttxs-firmware

Upgrade the smart card reader firmware:

$ ./scripts/stm_reflash.sh

...
stm32flash 0.5

http://stm32flash.sourceforge.net/

Using Parser : Raw BINARY
Interface serial_posix: 57600 8E1
Version      : 0x31
Option 1     : 0x00
Option 2     : 0x00
Device ID    : 0x0435 (STM32L43xxx/44xxx)
- RAM        : Up to 48KiB  (12544b reserved by bootloader)
- Flash      : Up to 256KiB (size first sector: 1x2048)

- Option RAM : 16b
- System RAM : 28KiB
Write to memory
Erasing memory
Wrote address 0x08002388 (100.00%) Done.


And set up the smart card:

$ ./scripts/smartcard_setup.sh

There have been issues, see also:

https://forums.puri.sm/t/openpgp-card-waiting-for-the-first-reader/15189
https://source.puri.sm/Librem5/OS-issues/-/issues/119

What helped was:

# stty -F /dev/ttymxc2 raw cstopb -parenb cs8 115200 
# pcscd -f --debug

The startup of pcscd is to be configured here and start is via systemctl:

# vim /lib/systemd/system/pcscd.service
# systemctl status pcscd
# systemctl stop pcscd
# systemctl start pcscd

Setting up the card

$ gpg --card-status
Reader ...........: TTXS serial 00 00
Application ID ...: D27600012401030400050000A6FE0000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: ZeitControl
Serial number ....: 0000A6FE
Name of cardholder: [not set]
Language prefs ...: de
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]


$ gpg --change-pin  # changed the PIN and Admin PIN

$ gpg --card-edit   # generated the keys

$ export GNUPGHOME=/home/guru/.gnupg

$ pass init 'CCID L5'
Password store initialized for guru at unixarea.de
$ pass insert -m test
...


$ gpg --with-keygrip -K
/home/purism/.gnupg/pubring.kbx
-------------------------------
sec>  rsa2048 2021-10-30 [SC]
      336EB96892FE9FE7F6AD01D6529B7423F3608141
      Keygrip = FCBA9E53DF1AF8D6E8D82B0418A01FA33264F704
      Card serial no. = 0005 0000A6FE
uid           [ultimate] Matthias Apitz (GnuPG CCID L5) <guru at unixarea.de>
ssb>  rsa2048 2021-10-30 [A]
      Keygrip = EE34E2B1F932D1567A6E21023F4D65B71CF953FF
ssb>  rsa2048 2021-10-30 [E]
      Keygrip = C544F16750F7F55DCEF781CF57C232015DDF1F90

the '>' means that these keys are on the card;

export the pub key with:

$ gpg --export --armor > ccid-L5-export-key-guru.pub


lock the card again:

$ gpgconf --reload scdaemon

I added this to the pass cmd:

$ tail -8 /usr/bin/pass

# power down the OpenPGP card
# guru at unixarea.de
#
gpgconf --reload scdaemon
sleep 2

exit 0

so the card gets locked again after each operation with the pass cmd.
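
The relock step above, as an added example that is not part of the original post: a shell function that runs pass and then always reloads scdaemon, so the card is relocked even when pass fails, and without editing the package-owned /usr/bin/pass (which a package upgrade replaces). The names pass_locked, relock_card, PASS_BIN, GPGCONF_BIN and RELOCK_DELAY and the exit code 70 are assumptions made for this sketch; only "gpgconf --reload scdaemon" and the 2 second sleep come from the post.

```shell
#!/bin/sh
# Added example: relock the OpenPGP card after every pass invocation.
# PASS_BIN, GPGCONF_BIN and RELOCK_DELAY are hypothetical override knobs
# for this sketch; they are not options of pass or GnuPG.
PASS_BIN=${PASS_BIN:-pass}
GPGCONF_BIN=${GPGCONF_BIN:-gpgconf}
RELOCK_DELAY=${RELOCK_DELAY:-2}   # the post's patch sleeps 2 seconds

# Reload scdaemon, the step the post uses to lock the card again.
relock_card() {
    "$GPGCONF_BIN" --reload scdaemon || return 1
    sleep "$RELOCK_DELAY"
}

# Run pass with the given arguments, then relock the card whether or not
# pass succeeded. Returns the exit status of pass; if pass succeeded but
# the relock failed, returns 70 so the caller notices the card may still
# be unlocked.
pass_locked() {
    pl_status=0
    "$PASS_BIN" "$@" || pl_status=$?
    if ! relock_card; then
        echo "pass_locked: scdaemon reload failed, card may still be unlocked" >&2
        if [ "$pl_status" -eq 0 ]; then
            pl_status=70
        fi
    fi
    return "$pl_status"
}
```

Source the file from a shell startup file and call pass_locked wherever pass would be used.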

