Re: Automating and integrating GPG
On Thu, 21 Sep 2017 11:03, aheinl...@gmx.com said:

> Interesting. I haven't found anything smartcard related in the GPGME
> docs. I am really not good at C, but I took a look at the sources of

Yes, it is a generic interface to make a core libassuan function (which
is already used by gpgme) available as GPGME API. The actual API to the
smartcard daemon is Assuan based and there is not much more documentation
than the reference you get when running

  $ gpg-connect-agent
  > scd help

This lists all smartcard commands. gpg-agent intercepts some of the
calls to provide a Pinentry, but despite this the "scd " prefix forwards
all commands to scdaemon.

> I hadn't thought of that possibility. Python-GPG should support this,
> too - take a look at assuan.py in the examples folder. But I haven't yet

GPGME's Python interface supports this. Here is code from the
distributed example:

--8<---cut here---start->8---
"""Demonstrate the use of the Assuan protocol engine"""

from __future__ import absolute_import, print_function, unicode_literals
del absolute_import, print_function, unicode_literals

import gpg

with gpg.Context(protocol=gpg.constants.protocol.ASSUAN) as c:
    # Invoke the pinentry to get a confirmation.
    err = c.assuan_transact(['GET_CONFIRMATION', 'Hello there'])
    print("You chose {}.".format("cancel" if err else "ok"))
--8<---cut here---end--->8---

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
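The thread leaves two practical pieces unshown: how to send an "SCD ..." command to scdaemon through the same Python Assuan engine Werner demonstrates, and how to get the daemon's answer back, which for most card commands arrives as status lines rather than data. The following is an added example written for this thread; it is not code from the thread, from GnuPG or from the GPGME bindings. It assumes the bindings are installed as the ``gpg`` module (Debian's python-gpg), a running gpg-agent with scdaemon, and an inserted OpenPGP card. ``SCD GETATTR <name>`` and the attribute names are scdaemon commands of the kind ``scd help`` lists, and the status-line layout the parser expects (hex serial number, then a numeric stamp) is constructed from typical output; both are assumptions about your GnuPG version and card, so check them against ``scd help`` and ``gpg --card-status`` first.

```python
"""Query OpenPGP card attributes through gpg-agent's Assuan interface with the
GPGME Python bindings and collect the status lines scdaemon sends back.

Added example for the gnupg-users thread, not GnuPG/GPGME code.  Assumptions:
the ``gpg`` module (python-gpg) is installed, gpg-agent and scdaemon are
running, a card is inserted, and ``SCD GETATTR <name>`` is available in your
version (see ``scd help``).  The SERIALNO layout parsed below is constructed
from typical output and may differ by card/version.
"""


def collect_status(ctx, command):
    """Run one Assuan command on ``ctx`` and return its status lines.

    ``ctx`` is a gpg.Context opened with protocol ASSUAN (or any object with
    the same ``assuan_transact`` signature); ``command`` is a list of words,
    as in the assuan.py example shipped with the bindings.  Status lines are
    returned as (keyword, args) tuples in arrival order.  A failed operation
    raises, so callers never work with a half-filled result.
    """
    lines = []

    def status_cb(keyword, args):
        # gpg-agent forwards scdaemon's "S <KEYWORD> <args>" lines here.
        lines.append((keyword, args))

    err = ctx.assuan_transact(command, status_cb=status_cb)
    if err:  # the bindings report the operation error as a truthy value
        raise RuntimeError("%s failed: %s" % (" ".join(command), err))
    return lines


def group_status(lines):
    """Group (keyword, args) pairs into {keyword: [args, ...]}.

    Every keyword maps to a list, even when it appeared once, so callers do
    not have to special-case repeated lines (e.g. one KEY-FPR line per key).
    """
    grouped = {}
    for keyword, args in lines:
        grouped.setdefault(keyword, []).append(args)
    return grouped


def parse_serialno(args):
    """Split the argument part of a SERIALNO status line.

    Assumed (constructed) layout: a hex serial number, optionally followed by
    a numeric stamp.  Anything else raises ValueError instead of silently
    producing a bogus identifier.
    """
    parts = args.split()
    if not parts or any(ch not in "0123456789ABCDEFabcdef" for ch in parts[0]):
        raise ValueError("unexpected SERIALNO arguments: %r" % (args,))
    return {"serialno": parts[0].upper(),
            "stamp": int(parts[1]) if len(parts) > 1 else None}


def card_attributes(attributes=("SERIALNO", "DISP-NAME", "KEY-FPR")):
    """Query several card attributes over one Assuan context.

    Returns {attribute: [status args, ...]}.  An attribute the card or daemon
    rejects yields an {"error": ...} entry instead of aborting the whole run.
    Requires the ``gpg`` module and a reachable gpg-agent (assumption).
    """
    import gpg  # imported lazily so the helpers above work without GPGME

    result = {}
    with gpg.Context(protocol=gpg.constants.protocol.ASSUAN) as ctx:
        for name in attributes:
            try:
                lines = collect_status(ctx, ["SCD", "GETATTR", name])
            except (RuntimeError, gpg.errors.GPGMEError) as exc:
                result[name] = {"error": str(exc)}
                continue
            result[name] = group_status(lines).get(name, [])
    return result


if __name__ == "__main__":
    for name, value in card_attributes().items():
        print(name, value)
```

The transport helpers are kept separate from the parsing so the parsing can be checked without a card; ``collect_status`` accepts any object with an ``assuan_transact`` method, which also makes it easy to substitute a fake context in tests.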
Re: Automating and integrating GPG
On 20.09.2017 at 09:02, Werner Koch wrote:
> On Mon, 18 Sep 2017 23:45, d...@fifthhorseman.net said:
>
>> I don't know how much smartcard interaction gpgme supports, though.
> Everything you need. Have a look at GPA's smartcard features. I assume
> it is the most advanced GUI to handle the OpenPGP card as well as
> several other cards. For example it includes full support for the
> Telesec card with their NullPIN feature.

Interesting. I haven't found anything smartcard related in the GPGME
docs. I am really not good at C, but I took a look at the sources of
GPA, specifically the change_pin function in cm-openpgp.c, and it looks
like GPA is using the assuan protocol through gpgme here:

  char command[100];

  snprintf (command, sizeof command, "SCD PASSWD%s %d",
            reset_mode? " --reset":"", pinno+1);
  err = gpgme_op_assuan_transact_ext (gpgagent, command,
                                      NULL, NULL, NULL, NULL, NULL, NULL, );

I hadn't thought of that possibility. Python-GPG should support this,
too - take a look at assuan.py in the examples folder. But I haven't yet
found any documentation of the assuan commands you need here. This
probably isn't as easy as a Python programmer might expect...

Andreas
Re: Automating and integrating GPG
On 09/19/2017 03:53 PM, Andreas Heinlein wrote:
> Handling of the passphrase is about one of the most sensitive
> tasks when dealing with encryption. I currently can think of no way you
> could handle passphrases on your own in python which I would call
> 'secure'.

In such a scenario I'd likely use a custom pinentry; that'd be the same
recommendation as for a password manager etc. As for security, the info
is passed over the socket, which is protected using regular unix user
permissions / ACLs, and is anyway the same as what the regular pinentry
uses.

-- 
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
"To live is the rarest thing in the world. Most people exist, that is all."
Oscar Wilde
Re: Automating and integrating GPG
On Mon, Sep 18, 2017 at 11:45 AM, Grzegorz Kulewski wrote:
> I am working on a project (in Python and bash) that requires me to use GPG in
> "headless mode" to generate keys and edit OpenPGP smartcard (to set some
> properties and transfer some of the generated keys). This includes
> transferring any passwords and PINs from my program to GPG, instead of
> requiring user to enter them using pinentry.
>
> I wonder what method of integration of GPG with such project is best, most
> future-proof and recommended and is there any other advice you may give me?

Good question. I wrote a bit about doing that in shell scripts, see
https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058158.html

It's challenging to make it both future- and past-proof, as gpg keeps
changing. What range of Linux distributions / versions of gpg do you
need to support?

The new requirement for the agent is very challenging, and should not
be taken lightly. You may need to expose the agent concept to your
program; a transparent wrapper may not be possible. I keep running into
problems with this.

https://github.com/Oblong/obs/ has my ugly code, and an automated test
that sometimes fails on slow systems like raspberry pi because of my
poor transparent wrapper around the gpg agent. It is somewhat obscured
by site-specific stuff (e.g. it uses gpg via apt). I could try to do a
clean demo without apt sometime if that would be helpful.

- Dan
Re: Automating and integrating GPG
On Mon, Sep 18, 2017 at 2:45 PM, Daniel Kahn Gillmor wrote:
> GnuPG upstream developers tend to recommend the use of GPGME for system
> integration projects that require a stable interface.

dpkg does that, but it doesn't help people trying to automate dpkg :-)

- Dan
Re: Automating and integrating GPG
On Mon 2017-09-18 20:45:52 +0200, Grzegorz Kulewski wrote:
> I am working on a project (in Python and bash) that requires me to use
> GPG in "headless mode" to generate keys and edit OpenPGP smartcard (to
> set some properties and transfer some of the generated keys). This
> includes transferring any passwords and PINs from my program to GPG,
> instead of requiring user to enter them using pinentry.
>
> I wonder what method of integration of GPG with such project is best,
> most future-proof and recommended and is there any other advice you
> may give me?

GnuPG upstream developers tend to recommend the use of GPGME for system
integration projects that require a stable interface.

If you're using python, the GnuPG team maintains gpgme bindings for
python, available in debian and debian-derived systems (e.g. ubuntu) as
"python-gpg".

I don't know how much smartcard interaction gpgme supports, though.

hth,

--dkg