Re: "gpg --card-edit" with multiple card readers (Yubikey)

2023-07-07 Thread Michael Richardson

Werner Koch via Gnupg-users  wrote:
> On Fri, 7 Jul 2023 14:22, Juanjo said:

>> This works fine with a single Yubikey, but we wanted to have more than
>> one connected at the same time in order to batch-configure them and
>> even to try to use multiple SSH key authentication in specific target

> Most of the time I am using several Yubikeys and other smartcards.
> Some even remotely.  For example I use an SSH connection with socket
> forwarding to our build server.  Over that connection I provide access
> to an Authenticode token, my release key and ssh keys on tokens.

> I should eventually describe the environment.

Yes please.
Could it go into a wiki page or something that people can comment on and/or 
amend?

The need for more secure, and more reproducible code-signing environments is
becoming critical.  Today, tcpdump.org, for instance, has a rather old
code-signing key, and we want to replace it with some hardware token, but we
really don't know what exactly to use, and don't want to be on the bleeding
edge here.

> As a starter:
> "no-autostart" in common.conf on the build box, gpg-card with "verify"
> to unlock keys on the desktop for remote use by the build process
> (Authenticode), and some keywords in the private key files
> (Use-for-p11, Use-for-ssh).

> To create keys, use gpg-card which can easily be scripted.  Examples:

>    $ gpg-card list D27600012401000615493283  \
>      -- yubikey disable nfc all \
>      -- yubikey disable usb otp u2f piv oath fido2 \
>      -- yubikey list
>    OTP   no  no
>    U2F   no  no
>    OPGP  yes no
>    PIV   no  no
>    OATH  no  no
>    FIDO2 no  no
>
>    $ gpg-card
>    [...]
>    gpg/card> help generate
>    GENERATE [--force] [--algo=ALGO{+ALGO2}] KEYREF
>
>    Create a new key on a card.
>    Use --force to overwrite an existing key.
>    Use "help" for ALGO to get a list of known algorithms.
>    For OpenPGP cards several algos may be given.
>    Note that the OpenPGP key generation is done interactively
>    unless a single ALGO or KEYREF are given.
>    [Supported by: OpenPGP, PIV]

Thank you.
Which model of Yubikey are you using?



signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: "gpg --card-edit" with multiple card readers (Yubikey)

2023-07-07 Thread Werner Koch via Gnupg-users
On Fri,  7 Jul 2023 14:22, Juanjo said:

> This works fine with a single Yubikey, but we wanted to have more than
> one connected at the same time in order to batch-configure them and
> even to try to use multiple SSH key authentication in specific target

Most of the time I am using several Yubikeys and other smartcards.  Some
even remotely.  For example I use an SSH connection with socket
forwarding to our build server.  Over that connection I provide access
to an Authenticode token, my release key and ssh keys on tokens.

I should eventually describe the environment.  As a starter:
"no-autostart" in common.conf on the build box, gpg-card with "verify"
to unlock keys on the desktop for remote use by the build process
(Authenticode), and some keywords in the private key files (Use-for-p11,
Use-for-ssh).

To create keys, use gpg-card which can easily be scripted.  Examples:

   $ gpg-card list D27600012401000615493283  \
     -- yubikey disable nfc all \
     -- yubikey disable usb otp u2f piv oath fido2 \
     -- yubikey list
   OTP   no  no
   U2F   no  no
   OPGP  yes no
   PIV   no  no
   OATH  no  no
   FIDO2 no  no

   $ gpg-card
   [...]
   gpg/card> help generate 
   GENERATE [--force] [--algo=ALGO{+ALGO2}] KEYREF
   
   Create a new key on a card.
   Use --force to overwrite an existing key.
   Use "help" for ALGO to get a list of known algorithms.
   For OpenPGP cards several algos may be given.
   Note that the OpenPGP key generation is done interactively
   unless a single ALGO or KEYREF are given.
   [Supported by: OpenPGP, PIV]
   



Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein


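The gpg-card command line above is meant to be scripted, and Juanjo's goal was to batch-configure several YubiKeys plugged in at once. The following is an added example (mine, not Werner's and not GnuPG project code) that applies that exact lock-down to every connected card and then parses the `yubikey list` output to confirm OPGP is the only application left enabled over USB and NFC is off, rather than trusting that the commands took effect. It assumes GnuPG 2.3 or later with gpg-card on PATH, and that `gpg-card list --cards` prints one card serial number per line; that last point is my reading of the tool, not something the thread states, so check it against your version before running with --run. The sample output embedded in the script is constructed from the columns shown above.

```python
"""Added example (not from the thread): apply the gpg-card lock-down posted
by Werner to every connected YubiKey, then verify the resulting state.

Assumptions (mine, not stated on the list): GnuPG >= 2.3 with gpg-card on
PATH, and that "gpg-card list --cards" prints one card serial per line.
"""
import re
import subprocess
import sys

# Applications a YubiKey 5 exposes, as named in "gpg-card ... yubikey list".
YUBIKEY_APPS = ("OTP", "U2F", "OPGP", "PIV", "OATH", "FIDO2")

# Constructed sample of "yubikey list" output after the lock-down; the
# columns are application, USB state, NFC state, as in the mail above.
SAMPLE_LOCKED_DOWN = """\
OTP   no  no
U2F   no  no
OPGP  yes no
PIV   no  no
OATH  no  no
FIDO2 no  no
"""


def parse_yubikey_list(text):
    """Return {app: (usb_enabled, nfc_enabled)} from "yubikey list" output.

    Lines that do not start with a known application name (for example the
    card summary printed by the preceding "list" command) are ignored.
    """
    state = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in YUBIKEY_APPS:
            state[parts[0]] = (parts[1] == "yes", parts[2] == "yes")
    return state


def opgp_only(state):
    """True only if OPGP is the sole USB-enabled app and NFC is off everywhere."""
    if set(state) != set(YUBIKEY_APPS):
        return False  # incomplete output: refuse to call the card verified
    for app, (usb, nfc) in state.items():
        if nfc or usb != (app == "OPGP"):
            return False
    return True


def lockdown_commands(serial):
    """Werner's gpg-card command line, targeting one card by serial number."""
    return ["gpg-card", "list", serial,
            "--", "yubikey", "disable", "nfc", "all",
            "--", "yubikey", "disable", "usb", "otp", "u2f", "piv", "oath", "fido2",
            "--", "yubikey", "list"]


def connected_serials():
    """Serials of all connected cards (assumption: one hex serial per line)."""
    out = subprocess.run(["gpg-card", "list", "--cards"], check=True,
                         capture_output=True, text=True).stdout
    return [s for s in out.split() if re.fullmatch(r"[0-9A-Fa-f]+", s)]


def lockdown_all():
    """Lock down every connected card; return the serials that failed the check."""
    failures = []
    for serial in connected_serials():
        out = subprocess.run(lockdown_commands(serial), check=True,
                             capture_output=True, text=True).stdout
        if opgp_only(parse_yubikey_list(out)):
            print(f"{serial}: OpenPGP only over USB, NFC disabled")
        else:
            failures.append(serial)
            print(f"{serial}: unexpected application state:\n{out}", file=sys.stderr)
    return failures


if __name__ == "__main__":
    if "--run" in sys.argv[1:]:
        sys.exit(1 if lockdown_all() else 0)
    # Without --run, only exercise the check on the constructed sample.
    print("sample verified:", opgp_only(parse_yubikey_list(SAMPLE_LOCKED_DOWN)))
```

Run it with --run only on a machine where every connected card is one you intend to reconfigure; without that flag it touches no hardware and only runs the check against the constructed sample.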


Re: "gpg --card-edit" with multiple card readers (Yubikey)

2023-07-07 Thread Juanjo via Gnupg-users
On Fri, Jul 7, 2023 at 1:12 PM Werner Koch  wrote:
>
> On Fri,  7 Jul 2023 11:19, Juanjo said:
>
> > I'm using "gpg (GnuPG) 2.3.3" on AlmaLinux 9 and it works fine with a
> > single "YubiKey 5 USB (5.4.3) [CCID]".
>
> You should get a recent version.  Even Fedora comes with 2.4.0

OK, I will try to recompile gnupg RPM from Fedora sources.

> > So, is there a way to select a specific Yubikey for the "gpg --card-edit"
> > command?
>
> GnuPG 2.3 and later supports several readers and thus the reader-port
> option of scdaemon is not really useful anymore.  Please have a look at
> gpg-card [1], this new tool will eventually replace gpg --card-edit but
> it is different because it supports all kind of cards.  There is even a
> yubikey control command.  It depends on what you actually want to do.

I will take a look at gpg-card.

Our setup is very simple, we disabled all NFC Applications on the
Yubikey and also disabled all USB applications except OPENPGP.

Then we generate a PGP certificate on Yubikey and use it to access our
servers via SSH (by using the ability of gpg-agent to act as
ssh-agent).
This works fine with a single Yubikey, but we wanted to have more than
one connected at the same time in order to batch-configure them and
even to try to use multiple SSH key authentication in specific target
servers.

> Shalom-Salam,
>
>Werner

Thanks for your fast response, Werner.

Regards,
Juanjo

> [1] https://gnupg.org/documentation/manuals/gnupg24/gpg-card.1.html
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein



Re: Looking for keyserver software without any validation or fancy features

2023-07-07 Thread Andrew Gallagher via Gnupg-users
Hi, Bernd.

> hagrid and hockeypuck are total overkill,

(Disclaimer: I’m one of the hockeypuck contributors)

If you have docker-compose installed, it’s *very* easy to spin up a test
instance of hockeypuck, see the README at
https://github.com/hockeypuck/hockeypuck

You will need a non-empty keydump to start with, but you can export a
single key to a file with the suffix “.gpg” and it should suffice.

> and at least hagrid is not even /intended/ to be "self hosted".

I’m pretty sure you can self-host hagrid, although I haven’t tested it.

> I have seen https://github.com/SKS-Keyserver/sks-keyserver but still
> have to check it out if it really suits my needs.

SKS-keyserver is very similar to hockeypuck (hockeypuck was first
developed as an SKS-keyserver replacement). It does have the ability for
a quick-build that serves static files directly without ingesting them
into a database in advance, however you will still probably have to
build the ptree (at least in its default configuration). It also has an
unofficial docker image at https://registry.hub.docker.com/r/zhusj/sks

> Are there any other options?

https://github.com/PennockTech/openpgpkey-control comes to mind.

A


Re: "gpg --card-edit" with multiple card readers (Yubikey)

2023-07-07 Thread Werner Koch via Gnupg-users
On Fri,  7 Jul 2023 11:19, Juanjo said:

> I'm using "gpg (GnuPG) 2.3.3" on AlmaLinux 9 and it works fine with a
> single "YubiKey 5 USB (5.4.3) [CCID]".

You should get a recent version.  Even Fedora comes with 2.4.0.

> So, is there a way to select a specific Yubikey for the "gpg --card-edit"
> command?

GnuPG 2.3 and later supports several readers and thus the reader-port
option of scdaemon is not really useful anymore.  Please have a look at
gpg-card [1], this new tool will eventually replace gpg --card-edit but
it is different because it supports all kind of cards.  There is even a
yubikey control command.  It depends on what you actually want to do.


Shalom-Salam,

   Werner


[1] https://gnupg.org/documentation/manuals/gnupg24/gpg-card.1.html

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Re: Looking for keyserver software without any validation or fancy features

2023-07-07 Thread Bernd Naumann
On 07.07.23 12:21, Werner Koch wrote:

> https://www.gnupg.org/blog/20201018-gnupg-and-ldap.html

Thanks, I will have a look into it.




Re: "gpg --card-edit" with multiple card readers (Yubikey)

2023-07-07 Thread Juanjo via Gnupg-users
On Fri, Jul 7, 2023 at 12:07 PM Ingo Klöcker  wrote:
>
> On Freitag, 7. Juli 2023 11:19:47 CEST Juanjo via Gnupg-users wrote:
> > I'm using "gpg (GnuPG) 2.3.3" on AlmaLinux 9 and it works fine with a
> > single "YubiKey 5 USB (5.4.3) [CCID]".
> >
> > The issue comes when I plug more than one Yubikey.
> >
> > I can use "gpg --card-status all" to retrieve the information of all
> > connected Yubikeys or "gpg --card-status ID" (where ID is the value from
> > field "Application ID") to retrieve the information of a specific Yubikey.
> >
> > I have tried to do the same with "gpg --card-edit" but this command does
> > not support passing the ID of a specific Yubikey and it always selects the
> > last plugged Yubikey.
> >
> > So, is there a way to select a specific Yubikey for the "gpg --card-edit"
> > command?
>
> You may have luck with setting a specific reader-port (see `man scdaemon`).

I have already tried this with no success.

> But, unless you need to use the command line, it's probably much easier to use
> Kleopatra which supports multiple card readers and multiple card apps
> (OpenPGP, PIV) per reader out of the box. Kleopatra doesn't support everything
> `gpg --card-edit` or the new gpg-card tool support.

I will take a look at this.

> Regards,
> Ingo

Thanks for your fast response Ingo.

Regards,
Juanjo



Re: Looking for keyserver software without any validation or fancy features

2023-07-07 Thread Werner Koch via Gnupg-users
On Fri,  7 Jul 2023 10:59, Bernd Naumann said:
> For a test setup / proof of concept / lab, I'm looking for a pretty
> simple keyserver implementation.

Use an LDAP server; this is the most flexible and best supported way to
store keys.

https://www.gnupg.org/blog/20201018-gnupg-and-ldap.html

> `gpg-wks-server` has to send and receive verification mails, right?
> I would like to avoid having to configure a mail-server and mail-clients.

gpg-wks-server is about key enrollment via mail and web.  A simpler
setup is by using gpg-wks-client to create Web Key Directory locally and
then upload it.

  gpg --list-options show-only-fpr-mbox | gpg-wks-client --install-key

or if you already got an LDAP:

https://gnupg.com/kb/mirror-ldap-to-wkd.html


Salam-Shalom,

   Werner


-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein


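As an added example (mine, not from the thread and not GnuPG code), here is how a key is located in the Web Key Directory that gpg-wks-client --install-key builds, so the tree can be checked before it is uploaded: the local part of the address is lowercased, SHA-1 hashed and z-base-32 encoded, the key must be served as a binary (not ASCII-armored) file under hu/, and a policy file (which may be empty) must sit beside that directory. The hashing and the two URL forms follow the WKD draft (draft-koch-openpgp-webkey-service), and the Joe.Doe@Example.ORG vector is the draft's own; that --install-key writes the advanced layout below openpgpkey/DOMAIN/ is my reading of its manual, and the directory contents used for checking are constructed.

```python
"""Added example (not from the thread): derive Web Key Directory lookup names
for a mail address and check a locally built WKD tree before uploading it.

The hash (SHA-1 of the lowercased local part, z-base-32) and the URL forms
follow the WKD draft. That gpg-wks-client --install-key produces the
advanced layout below openpgpkey/DOMAIN/ is an assumption from its manual.
"""
import hashlib
import os
from urllib.parse import quote

# z-base-32 alphabet used by WKD; deliberately not the RFC 4648 alphabet.
_ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """z-base-32 encode without padding (20 bytes -> exactly 32 characters)."""
    acc, nbits, out = 0, 0, []
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(_ZB32[(acc >> nbits) & 31])
    if nbits:
        out.append(_ZB32[(acc << (5 - nbits)) & 31])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """Only the local part is hashed, after lowercasing; the domain never is."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> tuple[str, str]:
    """(advanced, direct) lookup URLs; clients try the advanced form first.
    The original-case local part is echoed in ?l= for the server's benefit."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    lp = quote(local, safe="")
    advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={lp}"
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={lp}"
    return advanced, direct


def wkd_tree_problems(web_root: str, address: str) -> list[str]:
    """Check the advanced-layout files for ADDRESS below WEB_ROOT, the
    directory served as /.well-known/. Returns a list of problems, empty
    when the tree is complete: the policy file must exist (it may be empty)
    and the key file must be a non-empty binary OpenPGP key, not armored."""
    local, domain = address.rsplit("@", 1)
    base = os.path.join(web_root, "openpgpkey", domain.lower())
    key_file = os.path.join(base, "hu", wkd_hash(local))
    policy_file = os.path.join(base, "policy")
    problems = []
    if not os.path.isfile(policy_file):
        problems.append(f"missing policy file: {policy_file}")
    if not os.path.isfile(key_file):
        problems.append(f"missing key file: {key_file}")
    else:
        with open(key_file, "rb") as fh:
            head = fh.read(16)
        if not head:
            problems.append(f"empty key file: {key_file}")
        elif head.startswith(b"-----BEGIN"):
            problems.append(f"key file is ASCII-armored, WKD requires binary: {key_file}")
    return problems


if __name__ == "__main__":
    # The draft's own example: Joe.Doe@Example.ORG -> iy9q119eutrkn8s1mk4r39qejnbu3n5q
    for url in wkd_urls("Joe.Doe@Example.ORG"):
        print(url)
```

Point wkd_tree_problems at the directory you are about to upload as /.well-known/; an empty list means a client following the advanced method will find both the policy file and a binary key for that address.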


Re: "gpg --card-edit" with multiple card readers (Yubikey)

2023-07-07 Thread Ingo Klöcker
On Freitag, 7. Juli 2023 11:19:47 CEST Juanjo via Gnupg-users wrote:
> I'm using "gpg (GnuPG) 2.3.3" on AlmaLinux 9 and it works fine with a
> single "YubiKey 5 USB (5.4.3) [CCID]".
> 
> The issue comes when I plug more than one Yubikey.
> 
> I can use "gpg --card-status all" to retrieve the information of all
> connected Yubikeys or "gpg --card-status ID" (where ID is the value from
> field "Application ID") to retrieve the information of a specific Yubikey.
> 
> I have tried to do the same with "gpg --card-edit" but this command does
> not support passing the ID of a specific Yubikey and it always selects the
> last plugged Yubikey.
> 
> So, is there a way to select a specific Yubikey for the "gpg --card-edit"
> command?

You may have luck with setting a specific reader-port (see `man scdaemon`).

But, unless you need to use the command line, it's probably much easier to use 
Kleopatra which supports multiple card readers and multiple card apps 
(OpenPGP, PIV) per reader out of the box. Kleopatra doesn't support everything 
`gpg --card-edit` or the new gpg-card tool support.

Regards,
Ingo




Looking for keyserver software without any validation or fancy features

2023-07-07 Thread Bernd Naumann
Hi *,

For a test setup / proof of concept / lab, I'm looking for a pretty
simple keyserver implementation.

I don't need any form of validation, web ui, etc.
At least I want to be able to disable send mail validation, federation,
web server, and what not.

I just want to be able to send and receive keys to/from a server.

All machines in this setup are running Debian 11 or 12.

hagrid and hockeypuck are total overkill, and at least hagrid is not
even /intended/ to be "self hosted".

I have seen https://github.com/SKS-Keyserver/sks-keyserver but still
have to check it out if it really suits my needs.

`gpg-wks-server` has to send and receive verification mails, right?
I would like to avoid having to configure a mail-server and mail-clients.

Are there any other options?
I would like to not take `cp` and `scp` as an option, I'm doing this
already...

Thanks.
Bernd



"gpg --card-edit" with multiple card readers (Yubikey)

2023-07-07 Thread Juanjo via Gnupg-users
Hi,

I'm using "gpg (GnuPG) 2.3.3" on AlmaLinux 9 and it works fine with a
single "YubiKey 5 USB (5.4.3) [CCID]".

The issue comes when I plug more than one Yubikey.

I can use "gpg --card-status all" to retrieve the information of all
connected Yubikeys or "gpg --card-status ID" (where ID is the value from
field "Application ID") to retrieve the information of a specific Yubikey.

I have tried to do the same with "gpg --card-edit" but this command does
not support passing the ID of a specific Yubikey and it always selects the
last plugged Yubikey.

So, is there a way to select a specific Yubikey for the "gpg --card-edit"
command?

Thanks in advance,
Juanjo