Re: Automating and integrating GPG

2017-09-21 Thread Werner Koch
On Thu, 21 Sep 2017 11:03, aheinl...@gmx.com said:

> Interesting. I haven't found anything smartcard related in the GPGME
> docs. I am really not good at C, but I took a look at the sources of

Yes, it is a generic interface to make a core libassuan function (which
is already used by gpgme) available as GPGME API.  The actual API to the
smartcard daemon is Assuan based and there is not much more documentation than
the reference you get when running

  $ gpg-connect-agent
  > scd help

this lists all smartcard commands.  gpg-agent intercepts some of the
calls to provide a Pinentry but despite this the "scd " prefix
forwards all commands to scdaemon.

> I hadn't thought of that possibility. Python-GPG should support this,
> too - take a look at assuan.py in the examples folder. But I haven't yet

GPGME's Python interface supports this.  Here is code from the
distributed example:

--8<---cut here---start->8---
"""Demonstrate the use of the Assuan protocol engine"""

from __future__ import absolute_import, print_function, unicode_literals
del absolute_import, print_function, unicode_literals

import gpg

# Open a context that talks to gpg-agent over the Assuan protocol instead
# of driving gpg itself.
with gpg.Context(protocol=gpg.constants.protocol.ASSUAN) as c:
    # Invoke the pinentry to get a confirmation.
    err = c.assuan_transact(['GET_CONFIRMATION', 'Hello there'])
    print("You chose {}.".format("cancel" if err else "ok"))
--8<---cut here---end--->8---


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
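The "scd" commands Werner describes, and the assuan_transact() call in the
Python example, travel over Assuan protocol lines.  The following is an added
example, not code from Werner's mail, GPA or the GPGME sources: a small
codec for that line format (percent-escaping, the 'D'/'S'/'OK'/'ERR'
response lines, and splitting a gpg-error number into code and source).
The response lines it is fed are constructed, not captured from scdaemon.

```python
import re

# gpg-error layout (libgpg-error): low 16 bits = error code, bits 24..30 = source.
ERR_CODE_MASK, ERR_SOURCE_SHIFT, ERR_SOURCE_MASK = 0xFFFF, 24, 0x7F
# Assumed from libassuan's ASSUAN_LINELENGTH (1002 bytes including CR LF):
# at most 1000 bytes of escaped content fit on one line.
MAX_LINE = 1000


def assuan_escape(data: bytes) -> bytes:
    """Percent-escape the bytes that may not appear raw on an Assuan line."""
    return b"".join(b"%%%02X" % b if b in (0x25, 0x0D, 0x0A) else bytes([b])
                    for b in data)


def assuan_unescape(data: bytes) -> bytes:
    """Reverse assuan_escape(): %XX back to the raw byte."""
    return re.sub(rb"%([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def build_command(*words: str) -> bytes:
    """Join command words into one escaped line, e.g. ('SCD', 'PASSWD', '2')."""
    line = assuan_escape(" ".join(words).encode())
    if len(line) > MAX_LINE:
        raise ValueError("command exceeds the Assuan line length")
    return line


def parse_response(lines):
    """Walk server lines (without CR LF) up to the final OK or ERR.

    Returns (ok, err_code, err_source, data, status): data is the joined,
    unescaped payload of all 'D' lines; status maps 'S' keyword -> arguments.
    """
    data, status = bytearray(), {}
    for line in lines:
        if line.startswith(b"D "):
            data += assuan_unescape(line[2:])
        elif line.startswith(b"S "):
            kw, _, args = line[2:].partition(b" ")
            status[kw.decode()] = args.decode()
        elif line == b"OK" or line.startswith(b"OK "):
            return True, 0, 0, bytes(data), status
        elif line.startswith(b"ERR "):
            code = int(line.split(b" ", 2)[1])
            return (False, code & ERR_CODE_MASK,
                    (code >> ERR_SOURCE_SHIFT) & ERR_SOURCE_MASK,
                    bytes(data), status)
        # '#' comment lines are ignored; INQUIRE is not handled by this parser.
    raise ValueError("response ended without a final OK or ERR")
```

With python-gpg, the same 'D' and 'S' lines are what the data and status
callbacks of assuan_transact() receive, so the parser above mirrors what the
binding does for you.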


Re: Automating and integrating GPG

2017-09-21 Thread Andreas Heinlein
On 20.09.2017 at 09:02 Werner Koch wrote:
> On Mon, 18 Sep 2017 23:45, d...@fifthhorseman.net said:
>
>> I don't know how much smartcard interaction gpgme supports, though.
> Everything you need.  Have a look at GPA's smartcard features.  I assume
> it is the most advanced GUI to handle the OpenPGP card as well as
> several other cards.  For example it includes full support for the
> Telesec card with their NullPIN feature.
Interesting. I haven't found anything smartcard related in the GPGME
docs. I am really not good at C, but I took a look at the sources of
GPA, specifically the change_pin function in cm-openpgp.c, and it looks
like GPA is using assuan protocol through gpgme here:

char command[100];
/* Build the scdaemon command, e.g. "SCD PASSWD --reset 2". */
snprintf (command, sizeof command, "SCD PASSWD%s %d",
          reset_mode? " --reset":"", pinno+1);
/* Send it to gpg-agent over the Assuan engine; the last argument (the
   operational error pointer) was lost in the mail and is restored from
   the gpgme_op_assuan_transact_ext signature. */
err = gpgme_op_assuan_transact_ext (gpgagent, command,
                                    NULL, NULL, NULL, NULL, NULL, NULL,
                                    &op_err);

I hadn't thought of that possibility. Python-GPG should support this,
too - take a look at assuan.py in the examples folder. But I haven't yet
found any documentation of the assuan commands you need here.
This probably isn't as easy as a Python programmer might expect...

Andreas




Re: Automating and integrating GPG

2017-09-19 Thread Kristian Fiskerstrand
On 09/19/2017 03:53 PM, Andreas Heinlein wrote:
> Handling of the passphrase is about one of the most sensitive
> tasks when dealing with encryption. I currently can think of no way you
> could handle passphrases on your own in python which I would call
> 'secure'.

In such a scenario I'd likely use a custom pinentry; that'd be the same
recommendation for a password manager etc.  As for security, the info is
passed over the socket, which is protected using regular Unix user
permissions / ACLs, and is anyway the same as the regular pinentry uses.

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

"To live is the rarest thing in the world. Most people exist, that is all."
Oscar Wilde





Re: Automating and integrating GPG

2017-09-18 Thread Dan Kegel
On Mon, Sep 18, 2017 at 11:45 AM, Grzegorz Kulewski  wrote:
> I am working on a project (in Python and bash) that requires me to use GPG in
> "headless mode" to generate keys and edit OpenPGP smartcard (to set some
> properties and transfer some of the generated keys). This includes
> transferring any passwords and PINs from my program to GPG, instead of
> requiring the user to enter them using pinentry.
>
> I wonder what method of integration of GPG with such project is best, most
> future-proof and recommended and is there any other advice you may give me?

Good question.

I wrote a bit about doing that in shell scripts, see
https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058158.html

It's challenging to make it both future- and past-proof, as gpg keeps changing.
What range of Linux distributions / versions of gpg do you need to support?

The new requirement for the agent is very challenging, and should not
be taken lightly.
You may need to expose the agent concept to your program; a transparent
wrapper may not be possible.

I keep running into problems with this.
https://github.com/Oblong/obs/ has my ugly code, and an automated test
that sometimes fails on slow systems like Raspberry Pi because of my
poor transparent wrapper around the gpg agent.
It is somewhat obscured by site-specific stuff (e.g. it uses gpg via apt).
I could try to do a clean demo without apt sometime if that would be helpful.
- Dan



Re: Automating and integrating GPG

2017-09-18 Thread Dan Kegel
On Mon, Sep 18, 2017 at 2:45 PM, Daniel Kahn Gillmor wrote:
> GnuPG upstream developers tend to recommend the use of GPGME for system
> integration projects that require a stable interface.

dpkg does that, but it doesn't help people trying to automate dpkg :-)

- Dan



Re: Automating and integrating GPG

2017-09-18 Thread Daniel Kahn Gillmor
On Mon 2017-09-18 20:45:52 +0200, Grzegorz Kulewski wrote:

> I am working on a project (in Python and bash) that requires me to use
> GPG in "headless mode" to generate keys and edit OpenPGP smartcard (to
> set some properties and transfer some of the generated keys). This
> includes transferring any passwords and PINs from my program to GPG,
> instead of requiring the user to enter them using pinentry.
>
> I wonder what method of integration of GPG with such project is best,
> most future-proof and recommended and is there any other advice you
> may give me?

GnuPG upstream developers tend to recommend the use of GPGME for system
integration projects that require a stable interface.

If you're using Python, the GnuPG team maintains gpgme bindings for
Python, available in Debian and Debian-derived systems (e.g. Ubuntu) as
"python-gpg".

I don't know how much smartcard interaction gpgme supports, though.

hth,

--dkg
