Tuesday, August 25, 2009

Setting up a GPG smartcard ...

So after having my trusty Sony VAIO do a bunk on me, its replacement, a Lenovo Thinkpad T400, has just arrived, and I'm now working through the process of getting it set up and ready to work as my main x86/amd64 machine (for those wondering, my desktop machine, titan, is an SMP ia64 that was donated to me to help improve the Ubuntu/ia64 port). I'm still getting things settled on it, but one of the nicest things about it is that it has a built-in smartcard slot for me to use my GPG smartcard with, and I figured now is a good time to write up how to get started with it.

If you're using a smartcard that can handle larger than 1024-bit keys, make sure you use gpg2 in place of gpg, as gpg can't handle moving large keys to the card. The primary key in all cases can and should be as large as possible, since only the subkeys will be moved to the GPG smartcard. gpg-agent MUST be running to access the smartcard.

The first step is to install the correct packages for your smartcard; for me gpg2 and gpgsm did the trick. pcscd and gnupg-agent are also needed. If successful, you should be able to query your card:

mcasadevall@daybreak:~$ gpg --card-status

gpg: detected reader `Lenovo Integrated Smart Card Reader 00 00'
Application ID ...: D27600012401020000050000005D0000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 0000005D
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]



If you got this far, so far so good. The next step is to set your personal information on the card itself, and to generate new GPG keys for it.

A couple of important safety notes: the card will accept up to three wrong PINs and then block, making it impossible to unblock without the admin PIN. Three wrong admin PINs and your card fries itself (like a SIM card with too many wrong PUK codes entered), so be VERY VERY careful!

The first step can be done by typing the following commands:


mcasadevall@daybreak:~$ gpg --card-edit

gpg: detected reader `Lenovo Integrated Smart Card Reader 00 00'
Application ID ...: D27600012401020000050000005D0000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 0000005D
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Command> admin
Admin commands are allowed

Command> name
Cardholder's surname: Casadevall
Cardholder's given name: Michael
gpg: 3 Admin PIN attempts remaining before card is permanently locked

Admin PIN
gpg: gpg-agent is not available in this session

Command> lang
Language preferences: en

Command> sex
Sex ((M)ale, (F)emale or space): m

Command> quit
mcasadevall@daybreak:~$


Now there are a few choices to make here. You can generate a key on the card itself (the generate command) and then use it by itself; move your private key to the card and use it as above; or add a subkey and then use that. I'm going to choose the latter.

For those of you who are not familiar, GPG subkeys are essentially private keys to be used while the primary key remains safe and sound. Subkeys can sign files, and encrypt/decrypt email as normal, but they can't be signed, nor can they sign other keys. They are trusted through signatures on the primary key.

As an additional step, since my GPG key is in the somewhat old and dated DSA 1024 format, I feel the time has come to replace it with a newer 4096-bit RSA key (for my rationale, take a look at: http://74.125.93.132/search?q=cache:wA6b7rbT0p0J:www.debian-administration.org/users/dkg/weblog/48+http://www.debian-administration.org/users/dkg/weblog/48&hl=en&client=firefox-a&gl=us&strip=1 (the link is a Google cache link; as of writing, debian-administration.org is down)).

So let's do that first. I'm generating my keyring onto an external device which will contain the primary key, and the subkeys on file. The primary key is the only one which can be used to sign other keys:

mcasadevall@daybreak:~$ gpg2 --homedir /media/disk/gpg_keys --gen-key
gpg: WARNING: unsafe permissions on homedir `/media/disk/gpg_keys'
gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keyring `/media/disk/gpg_keys/secring.gpg' created
gpg: keyring `/media/disk/gpg_keys/pubring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Wed 25 Aug 2010 07:57:17 PM EDT
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Michael Casadevall
Email address: mcasadevall@ubuntu.com
Comment:
You selected this USER-ID:
"Michael Casadevall <mcasadevall@ubuntu.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /media/disk/gpg_keys/trustdb.gpg: trustdb created
gpg: key 7B8E6A47 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2010-08-25
pub 4096R/7B8E6A47 2009-08-25 [expires: 2010-08-25]
Key fingerprint = C7A5 543F 2D33 3791 4EF0 C915 7B4D 847C 7B8E 6A47
uid Michael Casadevall <mcasadevall@ubuntu.com>

Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a subkey for this purpose.



I *really* need a hardware entropy generator for when I generate keys. I recommend setting the preferences for generating signatures and the like with: setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed


mcasadevall@daybreak:~$ gpg2 --homedir /media/disk/gpg_keys --edit-key mcasadevall@ubuntu.com
gpg: WARNING: unsafe permissions on homedir `/media/disk/gpg_keys'
gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). Michael Casadevall <mcasadevall@ubuntu.com>

Command> uid 1

pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1)* Michael Casadevall <mcasadevall@ubuntu.com>

Command> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
Set preference list to:
Cipher: AES256, AES192, AES, CAST5, 3DES
Digest: SHA512, SHA384, SHA256, SHA224, SHA1
Compression: ZLIB, BZIP2, ZIP, Uncompressed
Features: MDC, Keyserver no-modify
Really update the preferences for the selected user IDs? (y/N) y

You need a passphrase to unlock the secret key for
user: "Michael Casadevall <mcasadevall@ubuntu.com>"
4096-bit RSA key, ID 7B8E6A47, created 2009-08-25


pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1)* Michael Casadevall <mcasadevall@ubuntu.com>

Command> save
mcasadevall@daybreak:~$


Add any uids you need to your key. This can be done with the adduid command after issuing the --edit-key command:

mcasadevall@daybreak:~$ gpg2 --homedir /media/disk/gpg_keys --edit-key mcasadevall@ubuntu.com
gpg: WARNING: unsafe permissions on homedir `/media/disk/gpg_keys'
gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). Michael Casadevall <mcasadevall@ubuntu.com>

Command> adduid
Real name: Michael Casadevall
Email address: michael.casadevall@canonical.com
Comment:
You selected this USER-ID:
"Michael Casadevall <michael.casadevall@canonical.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You need a passphrase to unlock the secret key for
user: "Michael Casadevall <mcasadevall@ubuntu.com>"
4096-bit RSA key, ID 7B8E6A47, created 2009-08-25


pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1) Michael Casadevall <mcasadevall@ubuntu.com>
[ unknown] (2). Michael Casadevall <michael.casadevall@canonical.com>

Command> adduid
Real name: Michael Casadevall
Email address: mcasadevall@debian.org
Comment:
You selected this USER-ID:
"Michael Casadevall <mcasadevall@debian.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You need a passphrase to unlock the secret key for
user: "Michael Casadevall <mcasadevall@ubuntu.com>"
4096-bit RSA key, ID 7B8E6A47, created 2009-08-25


pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1) Michael Casadevall <mcasadevall@ubuntu.com>
[ unknown] (2) Michael Casadevall <michael.casadevall@canonical.com>
[ unknown] (3). Michael Casadevall <mcasadevall@debian.org>

Command> adduid
Real name: Michael Casadevall
Email address: mcasadevall@kubuntu.org
Comment:
You selected this USER-ID:
"Michael Casadevall <mcasadevall@kubuntu.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You need a passphrase to unlock the secret key for
user: "Michael Casadevall <mcasadevall@ubuntu.com>"
4096-bit RSA key, ID 7B8E6A47, created 2009-08-25


pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1) Michael Casadevall <mcasadevall@ubuntu.com>
[ unknown] (2) Michael Casadevall <michael.casadevall@canonical.com>
[ unknown] (3) Michael Casadevall <mcasadevall@debian.org>
[ unknown] (4). Michael Casadevall <mcasadevall@kubuntu.org>

Command> save
mcasadevall@daybreak:~$


Now let's add encryption and signing subkeys to this keyring so you can send and receive encrypted emails. Make sure the size is small enough to fit on your card (my card can take 3072 per key*, your mileage may vary); this step and the next use gpg2 due to incompatibilities with my card (see below for full story). In addition, I'm going to set these subkeys to expire after a year, partially because I intend to replace the subkey with a 3072-bit or 4092-bit subkey later (depending on smartcard support), and partially so that, in case my smartcard is ever lost, the keys will expire by themselves should I lose the private subkey (which is possible by accident due to gnupg moving keys to smartcards).

* - for those of us with g10code 2.0 smartcards, there seems to be an issue with using 3072-bit encryption keys. I'm not sure if the problem is with the card, the card reader, or gnupg, but for now, I'll use 2048-bit subkeys, and replace them with 3072-bit keys later on.


mcasadevall@daybreak:~$ gpg2 --homedir /media/disk/gpg_keys --edit-key mcasadevall@ubuntu.com
gpg: WARNING: unsafe permissions on homedir `/media/disk/gpg_keys'
gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2010-08-25
pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). Michael Casadevall <mcasadevall@kubuntu.org>
[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com>
[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com>
[ultimate] (4) Michael Casadevall <mcasadevall@debian.org>

Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Michael Casadevall <mcasadevall@kubuntu.org>"
4096-bit RSA key, ID 7B8E6A47, created 2009-08-25

Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Wed 25 Aug 2010 08:12:37 PM EDT
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E
[ultimate] (1). Michael Casadevall <mcasadevall@kubuntu.org>
[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com>
[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com>
[ultimate] (4) Michael Casadevall <mcasadevall@debian.org>

Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Michael Casadevall <mcasadevall@kubuntu.org>"
4096-bit RSA key, ID 7B8E6A47, created 2009-08-25

Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Wed 25 Aug 2010 08:12:51 PM EDT
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E
sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S
[ultimate] (1). Michael Casadevall <mcasadevall@kubuntu.org>
[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com>
[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com>
[ultimate] (4) Michael Casadevall <mcasadevall@debian.org>

Command> save


*phew*
This step is optional, but if you want an authentication key, this is how you create one. A signing key can be used as an authentication key, but the reverse is not true. You need to use expert mode to create an authentication key.


mcasadevall@daybreak:~$ gpg2 --homedir /media/disk/gpg_keys --expert --edit-key mcasadevall@ubuntu.com
gpg: WARNING: unsafe permissions on homedir `/media/disk/gpg_keys'
gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E
sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S
[ultimate] (1). Michael Casadevall <mcasadevall@kubuntu.org>
[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com>
[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com>
[ultimate] (4) Michael Casadevall <mcasadevall@debian.org>

Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Michael Casadevall <mcasadevall@kubuntu.org>"
4096-bit RSA key, ID 7B8E6A47, created 2009-08-25

Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection? a

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Wed 25 Aug 2010 08:15:34 PM EDT
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E
sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S
sub 2048R/AF3D8E0C created: 2009-08-26 expires: 2010-08-26 usage: A
[ultimate] (1). Michael Casadevall <mcasadevall@kubuntu.org>
[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com>
[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com>
[ultimate] (4) Michael Casadevall <mcasadevall@debian.org>

Command> save



Ok. Now is a good time to export your keys, make backups of your .gnupg folder, generate revocation certificates and such. Once you're done doing that, let's copy those keys to the card. What will happen specifically is that the key will be moved to the card, and a stub key will be left in its place, which will require the card to be in place to be used. The backup you make here will be the full key, ready in case something ever happens to your card.

As a second note, this is just a guideline on how I generated keys; some people might want to make their keys expire as an additional method of protection just in case normal revocation becomes impossible. Finally, I know people will question why I generated an authentication key, but my goal with this key is to use it to make smartcard SSH possible, allowing me to replace my .ssh folder with the smartcard.

Anyway, take a drink, breathe, and get ready to copy things to the card. We're going to take the secret subkeys, export them, then import them into the normal keyring, then move them to the card:

A couple of important safety notes:
1. A signing key CAN be used as an authentication key. If you generated a separate authentication key, make sure you put that in the right spot, and the signing key in the signing key spot, or else you will have to back up and do it again.
2. Once you toggle, you can't see the purpose of the keys, so make sure you refer to it before doing anything.
3. The admin PIN is needed to move the keys.
4. You need to deselect each key after you move it and select the new one.
5. You can't delete a key off the card once it's there (as far as I can tell), but you can replace it.
6. NEVER use your primary copy of your keyring to move keys!


mcasadevall@daybreak:/media/disk$ chmod a-w gpg_keys/*
mcasadevall@daybreak:~$ gpg --homedir /media/disk/gpg_keys/ --export-secret-subkeys > ~/tmp.key


Unmount your pendrive or secure media with your private keys, and have it go be guarded by orcs. Now it's time to import the subkeys into GPG, and then move them to the card. Since you're not moving the trustdb, you'll also have to manually reset the trust of your private key once it's imported.


mcasadevall@daybreak:~$ gpg --import tmp.key
gpg: key 7B8E6A47: secret key imported
gpg: /home/mcasadevall/.gnupg/trustdb.gpg: trustdb created
gpg: key 7B8E6A47: public key "Michael Casadevall <mcasadevall@kubuntu.org>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: secret keys read: 1
gpg: secret keys imported: 1
mcasadevall@daybreak:~$ shred tmp.key
mcasadevall@daybreak:~$ rm tmp.key
mcasadevall@daybreak:~$ gpg --edit-key mcasadevall@ubuntu.com
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: unknown validity: unknown
sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E
sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S
sub 2048R/AF3D8E0C created: 2009-08-26 expires: 2010-08-26 usage: A
[ unknown] (1). Michael Casadevall <mcasadevall@kubuntu.org>
[ unknown] (2) Michael Casadevall <mcasadevall@ubuntu.com>
[ unknown] (3) Michael Casadevall <michael.casadevall@canonical.com>
[ unknown] (4) Michael Casadevall <mcasadevall@debian.org>

Command> trust
pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: unknown validity: unknown
sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E
sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S
sub 2048R/AF3D8E0C created: 2009-08-26 expires: 2010-08-26 usage: A
[ unknown] (1). Michael Casadevall <mcasadevall@kubuntu.org>
[ unknown] (2) Michael Casadevall <mcasadevall@ubuntu.com>
[ unknown] (3) Michael Casadevall <michael.casadevall@canonical.com>
[ unknown] (4) Michael Casadevall <mcasadevall@debian.org>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: unknown
sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E
sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S
sub 2048R/AF3D8E0C created: 2009-08-26 expires: 2010-08-26 usage: A
[ unknown] (1). Michael Casadevall <mcasadevall@kubuntu.org>
[ unknown] (2) Michael Casadevall <mcasadevall@ubuntu.com>
[ unknown] (3) Michael Casadevall <michael.casadevall@canonical.com>
[ unknown] (4) Michael Casadevall <mcasadevall@debian.org>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
Command> quit
mcasadevall@daybreak:~$ gpg2 --edit-key mcasadevall@ubuntu.com
gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2010-08-25
pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E
sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S
sub 2048R/AF3D8E0C created: 2009-08-26 expires: 2010-08-26 usage: A
[ultimate] (1). Michael Casadevall <mcasadevall@kubuntu.org>
[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com>
[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com>
[ultimate] (4) Michael Casadevall <mcasadevall@debian.org>

Command> toggle

sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25
ssb 2048R/1E2110C3 created: 2009-08-26 expires: never
ssb 2048R/C511F667 created: 2009-08-26 expires: never
ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never
(1) Michael Casadevall <mcasadevall@ubuntu.com>
(2) Michael Casadevall <michael.casadevall@canonical.com>
(3) Michael Casadevall <mcasadevall@debian.org>
(4) Michael Casadevall <mcasadevall@kubuntu.org>

Command> key 1

sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25
ssb* 2048R/1E2110C3 created: 2009-08-26 expires: never
ssb 2048R/C511F667 created: 2009-08-26 expires: never
ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never
(1) Michael Casadevall <mcasadevall@ubuntu.com>
(2) Michael Casadevall <michael.casadevall@canonical.com>
(3) Michael Casadevall <mcasadevall@debian.org>
(4) Michael Casadevall <mcasadevall@kubuntu.org>

Command> keytocard
Signature key ....: 3396 1F69 327C 1645 B0CF 057E 89D1 1A4A 4E4D 5498
Encryption key....: 114E 692C D22F 89C1 F0EA 4AE8 83AA F05E A383 3408
Authentication key: FFFC 04A6 3FE8 AF4C F9A6 F660 A3C2 A7CD 1A8B DA08

Please select where to store the key:
(2) Encryption key
Your selection? 2

gpg: WARNING: such a key has already been stored on the card!

Replace existing key? (y/N) y

You need a passphrase to unlock the secret key for
user: "Michael Casadevall <mcasadevall@kubuntu.org>"
2048-bit RSA key, ID 1E2110C3, created 2009-08-26


sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25
ssb* 2048R/1E2110C3 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb 2048R/C511F667 created: 2009-08-26 expires: never
ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never
(1) Michael Casadevall <mcasadevall@ubuntu.com>
(2) Michael Casadevall <michael.casadevall@canonical.com>
(3) Michael Casadevall <mcasadevall@debian.org>
(4) Michael Casadevall <mcasadevall@kubuntu.org>

Command> key 1

sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25
ssb 2048R/1E2110C3 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb 2048R/C511F667 created: 2009-08-26 expires: never
ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never
(1) Michael Casadevall <mcasadevall@ubuntu.com>
(2) Michael Casadevall <michael.casadevall@canonical.com>
(3) Michael Casadevall <mcasadevall@debian.org>
(4) Michael Casadevall <mcasadevall@kubuntu.org>

Command> key 2

sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25
ssb 2048R/1E2110C3 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb* 2048R/C511F667 created: 2009-08-26 expires: never
ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never
(1) Michael Casadevall <mcasadevall@ubuntu.com>
(2) Michael Casadevall <michael.casadevall@canonical.com>
(3) Michael Casadevall <mcasadevall@debian.org>
(4) Michael Casadevall <mcasadevall@kubuntu.org>

Command> keytocard
Signature key ....: 3396 1F69 327C 1645 B0CF 057E 89D1 1A4A 4E4D 5498
Encryption key....: 90FE 16DC C170 7550 780A 94B4 A1EE 54A9 1E21 10C3
Authentication key: FFFC 04A6 3FE8 AF4C F9A6 F660 A3C2 A7CD 1A8B DA08

Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1

gpg: WARNING: such a key has already been stored on the card!

Replace existing key? (y/N) y

You need a passphrase to unlock the secret key for
user: "Michael Casadevall <mcasadevall@kubuntu.org>"
2048-bit RSA key, ID C511F667, created 2009-08-26


sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25
ssb 2048R/1E2110C3 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb* 2048R/C511F667 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never
(1) Michael Casadevall <mcasadevall@ubuntu.com>
(2) Michael Casadevall <michael.casadevall@canonical.com>
(3) Michael Casadevall <mcasadevall@debian.org>
(4) Michael Casadevall <mcasadevall@kubuntu.org>

Command> key 2

sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25
ssb 2048R/1E2110C3 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb 2048R/C511F667 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never
(1) Michael Casadevall <mcasadevall@ubuntu.com>
(2) Michael Casadevall <michael.casadevall@canonical.com>
(3) Michael Casadevall <mcasadevall@debian.org>
(4) Michael Casadevall <mcasadevall@kubuntu.org>

Command> key 4
No subkey with index 4

Command> key 3

sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25
ssb 2048R/1E2110C3 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb 2048R/C511F667 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb* 2048R/AF3D8E0C created: 2009-08-26 expires: never
(1) Michael Casadevall <mcasadevall@ubuntu.com>
(2) Michael Casadevall <michael.casadevall@canonical.com>
(3) Michael Casadevall <mcasadevall@debian.org>
(4) Michael Casadevall <mcasadevall@kubuntu.org>

Command> keytocard
Signature key ....: 60C1 8447 B8B5 619A AD0B DE9E 9DDA 9A07 C511 F667
Encryption key....: 90FE 16DC C170 7550 780A 94B4 A1EE 54A9 1E21 10C3
Authentication key: FFFC 04A6 3FE8 AF4C F9A6 F660 A3C2 A7CD 1A8B DA08

Please select where to store the key:
(3) Authentication key
Your selection? 3

gpg: WARNING: such a key has already been stored on the card!

Replace existing key? (y/N) y

You need a passphrase to unlock the secret key for
user: "Michael Casadevall <mcasadevall@kubuntu.org>"
2048-bit RSA key, ID AF3D8E0C, created 2009-08-26


sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25
ssb 2048R/1E2110C3 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb 2048R/C511F667 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb* 2048R/AF3D8E0C created: 2009-08-26 expires: never
card-no: 0005 0000005D
(1) Michael Casadevall <mcasadevall@ubuntu.com>
(2) Michael Casadevall <michael.casadevall@canonical.com>
(3) Michael Casadevall <mcasadevall@debian.org>
(4) Michael Casadevall <mcasadevall@kubuntu.org>

Command> toggle

pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E
sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S
sub 2048R/AF3D8E0C created: 2009-08-26 expires: 2010-08-26 usage: A
[ultimate] (1). Michael Casadevall <mcasadevall@kubuntu.org>
[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com>
[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com>
[ultimate] (4) Michael Casadevall <mcasadevall@debian.org>

Command> save




At this point, all the secret subkeys have been removed, and only exist on your pendrive (along with the primary key), or on your smartcard. The secret keys on this machine have been replaced with stubs that tell gnupg to look at the smartcard for the secret key. If you export the secret keys now, you'll only export the stub, and not the secret key.

If done correctly, any operations requiring your private key will now require you to put in the smartcard as that's the only copy of the subkeys available. You'll want to make sure both signing and encryption/decryption work:

Decryption:

mcasadevall@daybreak:~$ gpg2 -d examples.desktop.gpg
gpg: encrypted with 2048-bit RSA key, ID 1E2110C3, created 2009-08-26
"Michael Casadevall <mcasadevall@kubuntu.org>"
gpg: public key decryption failed: Card not present
gpg: decryption failed: No secret key

*card is inserted*
mcasadevall@daybreak:~$ gpg2 -d examples.desktop.gpg
gpg: encrypted with 2048-bit RSA key, ID 1E2110C3, created 2009-08-26
"Michael Casadevall <mcasadevall@kubuntu.org>"
[Desktop Entry]
Version=1.0
Type=Link
Name=Examples
Name[es]=Ejemplos
Name[fi]=Esimerkkejä
Name[fr]=Exemples
Comment=Example content for Ubuntu
Comment[es]=Contenido del ejemplo para Ubuntu
Comment[fi]=Esimerkkisisältöjä Ubuntulle
Comment[fr]=Contenu d'exemple pour Ubuntu
URL=file:///usr/share/example-content/
X-Ubuntu-Gettext-Domain=example-content

mcasadevall@daybreak:~$


Signing with smartcard:

mcasadevall@daybreak:~/src$ debsign hello_2.4-1_source.changes
signfile hello_2.4-1.dsc 7B8E6A47
gpg: selecting openpgp failed: ec=6.112
gpg: signing failed: general error
gpg: /tmp/debsign.voIxh9WX/hello_2.4-1.dsc: clearsign failed: general error
debsign: gpg error occurred! Aborting....
mcasadevall@daybreak:~/src$

*insert the card*
mcasadevall@daybreak:~/src$ debsign hello_2.4-1_source.changes
signfile hello_2.4-1.dsc 7B8E6A47

signfile hello_2.4-1_source.changes 7B8E6A47
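
Alongside the decryption and signing tests above, the keyring itself can be checked for stubs. This is an added example, not part of the original post: it parses the machine-readable secret-key listing, relying on the field 15 meaning given in GnuPG's doc/DETAILS. The function names are hypothetical, and the sample records are constructed (placeholder key IDs, a serial built around the card-no 0005 0000005D shown above, primary key assumed to be kept offline).

```shell
#!/bin/sh
# Classify secret-key records from: gpg2 --list-secret-keys --with-colons
# Field 15 of a sec/ssb record is the card serial number when the key is a
# card stub, "#" when the secret part is absent, "+" when it is on local disk.
classify_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            caps = ($12 == "") ? "-" : $12
            if ($15 == "+")      where = "on-disk"
            else if ($15 == "#") where = "missing"
            else if ($15 != "")  where = "card:" $15
            else                 where = "unknown"
            print $1, $5, caps, where
        }'
}

# Succeeds only if there is at least one subkey and every subkey is on a card.
subkeys_all_on_card() {
    classify_secret_keys | awk '
        $1 == "ssb" { n++; if ($4 !~ /^card:/) bad++ }
        END { exit ((n > 0 && bad == 0) ? 0 : 1) }'
}

# Constructed sample: primary key offline, three subkeys moved to the card.
sample_after_keytocard() {
cat <<'EOF'
sec:u:4096:1:1111111111111111:1251158400:1282694400::u:::scSC:::#:::
ssb:u:2048:1:2222222222222222:1251244800:1282780800:::::e:::D27600012401020000050000005D0000:::
ssb:u:2048:1:3333333333333333:1251244800:1282780800:::::s:::D27600012401020000050000005D0000:::
ssb:u:2048:1:4444444444444444:1251244800:1282780800:::::a:::D27600012401020000050000005D0000:::
EOF
}

# Constructed sample: the authentication subkey was never moved (still on disk).
sample_subkey_left_on_disk() {
    sample_after_keytocard | sed '$s/:a:::[0-9A-F]*:/:a:::+:/'
}

# Demo run on the constructed samples.
sample_after_keytocard | classify_secret_keys
sample_subkey_left_on_disk | subkeys_all_on_card || echo "a subkey is not on the card"
```

On a real keyring, pipe the output of gpg2 --list-secret-keys --with-colons into subkeys_all_on_card; a non-zero exit status means not every secret subkey is a card stub.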



You're done! I hope you've found this guide helpful. I currently haven't released this GPG key into the wild JUST yet, but I likely will within this week once I make sure I've done everything correctly. Please leave comments if you see any mistakes or want to make any recommendations. Thanks for reading!

Saturday, August 1, 2009

On the topic of being prepared ...

Disaster can strike at any time. Such as 00:00, in Ireland, thousands of miles away from home. I'm pleased to report my /usr/lib folder did a bunk, and simply vanished, leaving my system in an unusable state. I managed to check dmesg before my system crashed, seems my laptop's HDD reported a load of error messages before my system went and did a bunk. I'm not sure if this is failed hardware, a kernel issue, or something else.

Fortunately, I'm prepared for such a disaster. I have a Kubuntu livecd which has been living in my bag since UDS, a spare netbook (with an SATA drive I can poach if I can confirm this one has actually failed or I can use it as a full blown replacement if need-be, although it's slow), a USB HDD which I'm now backing up what remains of my data (the irreplaceables, that is, my GPG, SSH keys, and most of my writing are already safely backed up at home on my file server), and so forth.

SMART status on the internal HDD is as follows:
ubuntu@ubuntu:/$ sudo smartctl -H /dev/sda
smartctl version 5.38 [i686-pc-linux-gnu] Copyright (C) 2002-8 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED
Please note the following marginal Attributes:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
190 Airflow_Temperature_Cel 0x0022 054 031 045 Old_age Always In_the_past 46 (0 48 46 39)

Looks like the drive probably overheated in the distant past, but SMART did pass so I dunno ... Anyway, given the state of things, I'll run badblocks on the drive once I finish backing up, and hope for the best. It's got to make it to the end of this week ...

Wednesday, May 27, 2009

UDS Day 3 & KDE involvement

Hola all,
So this is my first blog post since UDS started (although I have been doing some work microblogging this session around (I find that if I treat it like multicast IRC using gwibber, it suddenly makes more sense to me)). We're now three days into UDS, and working hard on defining what Ubuntu karmic will be, and I must say I am excited with the way things are shaping up, from UNR discussions to the Android Execution Environment (and if anyone has any questions on it, please direct those emails to Michael Frey and Debbie Beliveau as they are the people behind it, despite Slashdot's reports on the subject).

There are loads going on, including Moblin (which you'll see this afternoon), Android (same), ports kernel handling, and loads of other cool things coming up. I'll comment on some of the more interesting things as time goes on.

In other news, as of late last night, I'm officially an upstream KDE developer with SVN commit rights. I've written an email detailing my plans for working on KDE to kde-core-devel, where it is happily stuck in a moderation queue, so hopefully those involved in upstream KDE development will soon learn of my intentions :-).

I'll write more later,
Michael

Friday, April 24, 2009

Jaunty Retrospect

Guess it's my time to post something about my feelings on Jaunty.

The Good:
* armel successfully birthed
* powerpc well on the way to be well maintained
- Kernel and installer work mostly done by TheMuso (thanks :-))
- Image testing by the people of #ubuntu-ps3, myself, and TheMuso
- powerpc, and powerpc+ps3 both in the release announcements for Kubuntu and Xubuntu :-)
* Kubuntu upgraded to KDE 4.2
* Xubuntu upgraded to Xfce 4.6
* PowerPC FTBFS rate in main very low. ia64, and sparc looking more improved.

The Bad:
* SPARC, ia64, and HPPA remain fairly foobar w.r.t. the installer and kernel

The Ugly:
* The drama over notifications and update-manager

All in all though, I think it's been a fairly good cycle. Looking forward to karmic.

Thursday, January 15, 2009

Re-engineering my network ...

As I move to having more and more machines on my internal LAN, I felt the time had finally come that I sit down, and rebuild my network to take advantage of things such as gigabyte networking, LDAP, single-user sign on, and so forth. I'm doing this partially for fun, and partially because it's an interesting experiment to see how Linux from an IS environment compares to a Windows 200x IS environment (one of my former jobs was a 2000/XP/2003/Vista sysadmin position).

So, here's my current network setup
blacksteel <- *wireless* ---------------------------------------------- cerberus <-> Internet
/
dawn <------ *wired*-----------------------------------------------------
/
360 <---- *wired* -----------------------------------------------------

Online machines:
cerberus - WRT51GS
blacksteel - My laptop
dawn - Development machine
360 - Xbox 360, used to play media from blacksteel

Offline machines (aka, machines I have, but haven't fired up since moving):
helios (PowerMac G4)
apollo (old Dell P3)
junker (RS/6000 rescued from the dumpster, might be dead)
alexandria (NSLU2; gave up its plug for dawn)
coldfusion (Coldfire Board, might be dead; ethernet controller is faulty, but might be able to use a USB based one to breathe some life into it; can't autoreboot due to built in bootloader not supporting it; and no JTAG to sanely change the default bootloader).
siren (old MacBook Pro, has a dead internal HDD, but runs fine from an external hard drive. Was my Debian test box until its HDD went to dawn)
exodius - second WRT54GS used to be part of a WDS bridge.
unnamed dev box (not here yet, but likely soon).

Of all these machines, only apollo has a wireless card which ATM is non-functional. In addition, the wired bits of my network are 100Mbps, with a g based wireless hotspot (WPA secured). Furthermore, blacksteel, helios, and siren have gigabyte ethernet. apollo has 100MBps ethernet card. alexandria and dawn have 10MBps, which is painful, especially for NFS root.

I'll drop another 1Gbps NIC into apollo, replacing its wireless card, and give dawn, alexandria, and maybe coldfusion USB based NICs once I get around to resurrecting systems (alexandria and coldfusion don't have hard drives at the moment)

What I would like to do is use a Linux-based router and replace Cerberus. Helios has two gigabyte NICs, so it will take up this duty, as well as provide DHCPv4, and radvd (for IPv6) for the internal network. It's an old computer, and has an onboard modem, and its position in my apartment will be close to a phone jack; maybe I'll set it up so I can dial in from outside the LAN in case something goes down (although my phones here are VoIP based so I dunno how useful that's going to be :-)).

Another box (I might task this to apollo, or helios) will run LDAP and NFS services, providing both a netboot based installation with preseed for fast re-installation, and NFS home folders for all machines except blacksteel (unless someone knows a great solution for having a laptop sync NFS and local home folders). helios will run mail, news, and any other untrusted net facing services, with everything else shielded behind it. All machines will run IPv4 and 6.

Anyway, this is the start of my plan in a nutshell, and I intend to continue discussion as I slowly build and implement this updated setup. Wish me luck :-).

Friday, January 2, 2009

Notes from Underground, Part 1

For those following d-devel, you may notice that I've recently been working on improving one of the cornerstones of Debian infrastructure; the Debian Archive Kit, or dak for short. Most DDs and DMs don't notice dak exists except when trying to determine why their latest upload was rejected, and then yelling at the powers that be. I'm here to shed some light on this mythical beast.

First off, a quick history lesson:

dak (also known as projectb) is a replacement for Debian's original archive software, known simply as dinstall. dinstall itself was a fairly large perl script that does what dak process-unchecked/process-accepted does today. James Troup did a fairly decent summary of dinstall, and its issues.

James Troup's README.new-incoming (from dak's git repo):

The old system:
---------------
o incoming was a world writable directory

o incoming was available to everyone through http://incoming.debian.org/

o incoming was processed once a day by dinstall

o uploads in incoming had to have been there > 24 hours before they
were REJECTed. If they were processed before that and had
problems they were SKIPped (with no notification to the maintainer
and/or uploader).

dak's first commits were in 2000, and rolled out onto ftp-master.d.o sometime in 2001 or 2002 (I can't find an exact date for this). Since then, dak is also used on security.d.o, and on backports.org (fun fact for bpo people; the dak installation there is now up to date, and tracking git's tip).

So now that you know the history lesson, what specifically does dak do is the next question. Simply put, dak is the glue that binds the rest of Debian's backends together; both britney and wanna-build/buildd depend on it. It handles management of uploads to the archive, handles stable release updates, and so forth. It is also the only Debian archive software that uses an actual database backend, and scales fairly well handling over 10,000 packages, and 12 architectures. Unfortunately, there are also a lot of issues with dak as it stands.

Sections of the code base have bitrotted over the years; legacy and legacy-mixed support have died, the import-archive function is shot (more so now than ever, see below), the test suite is non-functional (never a good sign), the docs are out of date, and in many places non-existent, doing a release (both point and full) requires editing the database and so forth.

In addition, dak, while written in python, is written in a fairly procedural style, and has some very ugly code in some places. For instance, the original Debian Maintainer code was handled by having the uid's in the database prefixed by dm: vs having a flag somewhere, and had some hardcoded variables like checking for "unstable", as well as quite a few bugs which caused interesting behavior when uploading to a non-unstable suite such as experimental or one of the proposed queues. (For those curious, I recommend checking the dak git tree to see what the old DM code looked like, and then aside from the design, find the two major bugs which caused a lot of the weirdness with DMs). It should be stated that the last merge from redid the DM code and design sanely using the new update framework.

These issues have led to the genesis of the dak v2 project, which is an attempt to replace dak with a module, rewritten from the ground up to be more secure and modular, although it's not gotten very far as of writing. I personally don't believe that the current iteration of dak is so bad that scrapping and rewriting is necessary. Instead, I've been working to implement v2 features in dak by aggressive refactoring and cleanup, with the hope of negating the need for a rewrite.

So now that's out of the way, I bet you probably are interested in my .plan for dak. Well, let's go over what I've implemented so far.

* An update database framework for dak, which will allow for easy database upgrade and migration, vs the "does it work yet?" approach to applying schema updates. Simply type dak update-db, and you're done!

* 822 formatted output for queues (http://ftp-master.debian.org/new.822); this information is now used on DDPO pages

* Rewriting DM management code to have more of a brain than the previous implementation.

What's next on the TODO list

* Content file generation from the database (part of removal of apt-ftparchive, but that's another blog post ;-)).

Oh, as a side note to my current readers, my blog has changed names to "Notes from Underground", after one of my favorite novels, and further in reference to exploring the mysterious underground that is Debian's backend code. We're also now on Planet Debian :-).