Mailing List Archive

OpenPGP card and gpg-agent TTL
Hello,

I'm using GnuPG together with an OpenPGP card. When I want to decrypt
something, gpg-agent asks via pinentry for the PIN to unlock the card.

Normally I don't care about how long the card remains unlocked, because
I just withdraw the USB dongle after the operation. I was thinking that
the gpg-agent.conf entry 'max-cache-ttl' will also expire the unlocked
state of the OpenPGP card, which it does not. How could I do this?

Because in the Purism L5 mobile the OpenPGP card is internally inserted behind
the battery and so I can't remove it that easily :-)

Thanks

matthias
--
Matthias Apitz, guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
August 13, 1961: Better a wall than a war. And, while the GDR was still existing,
no German troops and bombs have been killed in Yugoslavia, Afghanistan, Afrika...

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP card and gpg-agent TTL
On Sat, 30 Oct 2021 15:50, Matthias Apitz said:

> I just withdraw the USB dongle after the operation. I was thinking that
> the gpg-agent.conf entry 'max-cache-ttl' will also expire the unlocked
> state of the OpenPGP card, which it does not. How could I do this?

No, it does not because it is the decision of the card how long the
VERIFY command sent to the card allows the use of the key. For most
cards and keys the keys are unlocked by VERIFY until the card is powered
down. The OpenPGP cards allow limiting the VERIFY command for the first
key to one signing operation ("forcesig" toggles this).

As a workaround use "gpgconf --reload scdaemon" to power down the card.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: OpenPGP card and gpg-agent TTL
On Tuesday, November 02, 2021 at 06:34:16 p.m. +0100, Werner Koch via Gnupg-users wrote:

> On Sat, 30 Oct 2021 15:50, Matthias Apitz said:
>
> > I just withdraw the USB dongle after the operation. I was thinking that
> > the gpg-agent.conf entry 'max-cache-ttl' will also expire the unlocked
> > state of the OpenPGP card, which it does not. How could I do this?
>
> No, it does not because it is the decision of the card how long the
> VERIFY command sent to the card allows the use of the key. For most
> cards and keys the keys are unlocked by VERIFY until the card is powered
> down. The OpenPGP cards allow to limit the VERIFY command for the first
> key to one signing operation ("forcesig" toggles this).
>
> As a workaround use "gpgconf --reload scdaemon" to power down the card.
>


Thanks. As I will use the card in the phone mostly (only) with the pass
command, I've added this to the script to get the card locked after any
usage with pass:

purism@pureos:~$ tail -8 /usr/bin/pass

# power down the OpenPGP card
# guru@unixarea.de
#
gpgconf --reload scdaemon
sleep 2

exit 0

I have now my ~330 passwords always with me, encrypted with an OpenPGP
card, and available without any laptop or USB dongle, just in my phone -- a
big progress. Thanks to Purism for bringing this with the L5 to the Linux world!

matthias

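As an added example (not from this thread and not part of pass or GnuPG), Werner's workaround and Matthias's script addition combined into one wrapper: it runs pass and then always powers the card down with "gpgconf --reload scdaemon", also when pass exits with an error or is interrupted, and it passes pass's exit status through. The script name pass-locked and the PASS_CMD, CARD_LOCK_CMD and CARD_LOCK_DELAY variables are assumptions made here.

```shell
#!/bin/sh
# pass-locked: wrapper around "pass" that powers down the OpenPGP card after
# every use, so the card's VERIFY state does not outlive the operation.
# Added example; assumes pass and gpgconf are in PATH. The variable names
# below are this wrapper's own, not pass or GnuPG options.

: "${PASS_CMD:=pass}"                           # the real pass command
: "${CARD_LOCK_CMD:=gpgconf --reload scdaemon}" # powers down the card
: "${CARD_LOCK_DELAY:=2}"                       # seconds to let scdaemon settle

# Power down the card; returns the exit status of the lock command.
lock_card() {
    # word splitting of $CARD_LOCK_CMD is intended here
    $CARD_LOCK_CMD && sleep "$CARD_LOCK_DELAY"
}

# Run pass with the given arguments and lock the card afterwards, whatever
# pass returned. Returns pass's own exit status so callers still see
# failures (wrong PIN, missing entry, ...).
run_pass_locked() {
    rc=0
    $PASS_CMD "$@" || rc=$?
    if ! lock_card; then
        echo "pass-locked: warning: could not power down the OpenPGP card" >&2
    fi
    return "$rc"
}

# When executed as a script (not sourced), also lock the card if we are
# interrupted (Ctrl-C) or terminated while pass is still running.
if [ "$(basename "$0")" = "pass-locked" ]; then
    trap 'lock_card; exit 130' INT
    trap 'lock_card; exit 143' TERM
    run_pass_locked "$@"
    exit $?
fi
```

Install it as pass-locked somewhere in PATH and call it exactly like pass; if pass is not in PATH, point PASS_CMD at its full path.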
Re: OpenPGP card and gpg-agent TTL
On Wed, 3 Nov 2021 18:55, Matthias Apitz said:

> card, and available without any laptop or USB dongle, just in my phone -- a
> big progress. Thanks to Purism to bring this with the L5 to the Linux world!

You mean the Librem5 has indeed a second slot for a smartcard? I
recently received mine but it is more or less unusable to me. It even
comes w/o a bluetooth device - at least according to the warning notice
I see - for things I can see because the network settings are not fully
accessible. It is more or less a brick; the OpenMoko used to be better.


Shalom-Salam,

Werner

Re: OpenPGP card and gpg-agent TTL
On Thursday, November 04, 2021 at 08:31:08 a.m. +0100, Werner Koch via Gnupg-users wrote:

> On Wed, 3 Nov 2021 18:55, Matthias Apitz said:
>
> > card, and available without any laptop or USB dongle, just in my phone -- a
> > big progress. Thanks to Purism to bring this with the L5 to the Linux world!
>
> You mean the Librem5 has indeed a second slot for a smartcard? I
> recently received mine but it is more or less unusable to me. It even
> comes w/o a bluetooth device - at least according to the warning notice
> I see - for things I can see because the network settings are not fully
> accessible. It is more or less a brick; the OpenMoko used to be better.

Hello Werner,

I got mine in early October after exactly 4 years waiting. I do not
share your opinions about the L5. I moved my 100++ contacts from the
Ubuntu phone E4.5 to the L5 (which was a matter of seconds, export to
VCF, SCP over and load; both use the same evolution database for storing
them). I bought a SIM, have Internet via G4 on the road, or Wifi. Both
do fine, Wifi with any access point until now. I can attach a Bluetooth
keyboard with an integrated touchpad. Both work fine, see this photo:
http://www.unixarea.de/l5-with-bt-keyboard.jpg

The slot for the mini OpenPGP card is behind the battery, just
pull the battery out and you will see. I bought the OpenPGP card from
Purism for USD 15, I don't know if the small format exists here in
Germany. Here you have a small video showing the card insert etc.:
https://puri.sm/posts/openpgp-in-your-pocket/

And, I hacked together a Spanish OSK for the terminal app, because I
write a lot in Spanish with a command line telegram client.

I have and have had some Linux mobiles, also the OpenMoko. The
Purism L5 is the most useful until now for me. You see, I really don't
share your opinion. The biggest problem until now is the duration of the
battery of 8-10 hours, because the phone until now does not suspend to
RAM. They're working on it...

matthias

Re: OpenPGP card and gpg-agent TTL
On Thursday, November 04, 2021 at 09:40:40 a.m. +0100, Matthias Apitz wrote:

> ...
>
> I have and have had some Linux mobiles, also the OpenMoko. The
> Purism L5 is the most useful until now for me. You see, I really don't
> share your opinion. The biggest problem until now is the duration of the
> battery of 8-10 hours, because the phone until now does not suspend to
> RAM. They're working on it...
>

I forgot to add a joke. The L5 has 3 hardware kill switches, real kill
switches, i.e. the power down is not done by software but by cutting the
electrical power line of the respective chips: 1) the modem or
2) Wifi+Bluetooth or 3) cam+micro.

When I did the first test voice calls to my family at home, nobody could
hear me. Guess why :-)

matthias


Re: OpenPGP card and gpg-agent TTL
On 04/11/2021 08:40, Matthias Apitz wrote:
> I bought the OpenPGP card from
> Purism for USD 15, I don't know if the small format exist here in
> Germany.

Not Germany, but Cryptoshop in Vienna sells them:

https://en.cryptoshop.com/products/smartcards/open-pgp-smartcard-v2-id-000.html

--
Andrew Gallagher
Re: OpenPGP card and gpg-agent TTL
On Thursday, November 04, 2021 at 09:45:57 a.m. +0000, Andrew Gallagher via Gnupg-users wrote:

> On 04/11/2021 08:40, Matthias Apitz wrote:
> > I bought the OpenPGP card from
> > Purism for USD 15, I don't know if the small format exist here in
> > Germany.
>
> Not Germany, but Cryptoshop in Vienna sells them:
>
> https://en.cryptoshop.com/products/smartcards/open-pgp-smartcard-v2-id-000.html
>

I have had the above card for some years in a USB dongle. But the one which
fits in the L5 is smaller:

https://shop.puri.sm/shop/purism-openpgp-card/

matthias

Re: OpenPGP card and gpg-agent TTL
Hi Matthias,

On Thu, 4 Nov 2021 09:40, Matthias Apitz said:

> I got mine in early October after exactly 4 years waiting. I do not

Same here. I actually met with Todd back then and my colleague Gniibe
wrote the driver for their planned card reader. Then we had that long
delay.

It is good that things work for you. And thanks for the hint with the
smartcard. I was probably blind that I didn't notice it. I put an
older card into the slot (cut down with a sharp wire cutter) but I have
not seen the device.

Even after an OS update there is still no Bluetooth device (regardless
of the kill switch position) and the WLAN sometimes needs a reboot. I
also wonder why there are no easily accessible teardown images - the long
Youtube video is not very helpful because it shows obvious things.

> I have and have had some Linux mobiles, also the OpenMoko. The
> Purism L5 is the most usefull until now for me. You see, I really don't

As long as you do not count the Jollas in. Purism's decision to write
yet another software stack is highly questionable. IMHO they should
have used the free stuff from SFOS and replace the proprietary UI using
Qt instead of GTK+. That would have solved the battery problems
instantly.


Salam-Shalom,

Werner

Re: OpenPGP card and gpg-agent TTL
On Friday, November 05, 2021 at 08:32:17 a.m. +0100, Werner Koch via Gnupg-users wrote:

> It is good that things work for you. And thanks for the hint with the
> smartcard. I was probably blind that I didn't notice it. I put an
> older card into the slot (cut down with a sharp wire cutter) but I have
> not seen the device.

Hello Werner,

To get the OpenPGP card working, please follow the steps in my
attachment OpenPGP-L5.txt. You must flash some firmware into the device.

> Even after an OS update there is still no Bluetooth device (regardless
> of the kill switch position) and the WLAN sometimes needs a reboot. I
> also wonder why there are no easy accessible teardown images - the long
> Youtube video is not very helpful because it shows obvious things,

To solve the Bluetooth / WLAN problems, follow the steps here on how to
load some other firmware again. Especially, after this also change the
value dev_oper_mode from 5 to 13 in the file /etc/modprobe.d/librem5-devkit.conf:

https://forums.puri.sm/t/bluetooth-support-for-librem-5/14965/45

Hope it helps

matthias

Re: OpenPGP card and gpg-agent TTL
Werner,

I have an issue with the 'pinentry' in the L5:

/usr/bin/pinentry is by default a symlink to /etc/alternatives/pinentry
and pops up on the L5 as some kind of graphical application, also when I use
the OpenPGP card in the L5 when connected via SSH to the L5, which is
not what I want: having to key in the PIN on the L5 when I'm using it via
SSH (and the L5 sits in some other room).

That's why I changed the symlink to point to /usr/bin/pinentry-curses
which works fine via SSH, i.e. the PIN is asked in the terminal where I
run the SSH session.

But, it does not work locally on the L5 in its "terminal app", the
"pass" command in the terminal raises an error about no secret provided.
The "pass" command is just a shell script and uses "gpg" to decrypt the
file containing the requested password for some web access, running
so,ething like:

$GPG -d "${GPG_OPTS[@]}" "$passfile"

What could be the reason for this?

I tried /usr/bin/pinentry-curses in the "terminal app" which does work.

matthias
Re: OpenPGP card and gpg-agent TTL
On Fri, 5 Nov 2021 17:30, Matthias Apitz said:

> But, it does not work locally on the L5 in its "terminal app", the
> "pass" command in the terminal raises an error about no secret provided.

You did the

gpg-connect-agent updatestartuptty /bye

thing to tell gpg-agent where it shall pop up the pinentry? Further,
you can debug things by adding "-v" to the gpg invocation or by letting
gpg-agent create a debug file:

--8<---------------cut here---------------start------------->8---
log-file /foo/bar/gpg-agent.log
verbose
debug ipc
debug-pinentry
--8<---------------cut here---------------end--------------->8---

Or use

log-file tcp://1.2.3.4:40711

and run "watchgnupg --tcp 40711" on the host with IP 1.2.3.4. Not TLS,
so take care. But it is convenient to see what's going on.

Thanks for your other mail on the need to flash the firmware for the BT
device. I have not yet found the time to do that, though.


Shalom-Salam,

Werner

Re: OpenPGP card and gpg-agent TTL
On Sunday, November 07, 2021 at 02:14:59 p.m. +0100, Werner Koch via Gnupg-users wrote:

> On Fri, 5 Nov 2021 17:30, Matthias Apitz said:
>
> > But, it does not work locally on the L5 in its "terminal app", the
> > "pass" command in the terminal raises an error about no secret provided.
>
> You did the
>
> gpg-connect-agent updatestartuptty /bye
>
> thing to tell gpg-agent where it shall pop up the pinentry? Further
> ...

Thanks for the hints. Magically it works now on its own after adding
this to the ~purism/.bashrc (the terminal app does not source .profile).

In a SSH session a 'pass test' asks now inline for the PIN and in the
terminal app some Gnome window pops up.

See also:

https://forums.puri.sm/t/terminal-app-purism-profile/15325

Maybe you want to subscribe to this forum (if not already done). It's a
pity that Purism uses a "forum" and not a standard mailing list :-(

matthias


Re: OpenPGP card and gpg-agent TTL
On Monday, November 08, 2021 at 11:18:37 a.m. +0100, Matthias Apitz wrote:

> > You did the
> >
> > gpg-connect-agent updatestartuptty /bye
> >
> > thing to tell gpg-agent where it shall pop up the pinentry? Further
> > ...
>
> Thanks for the hints. Magically it works now by its own after adding
> this to the ~purism/.bashrc (the terminal app does not source .profile).
>
> In a SSH session a 'pass test' asks now inline for the PIN and in the
> terminal app some Gnome window pops up.

Re/ pinentry there is even more intelligent "magic": The available
pinentry pgms are:

purism@pureos:~$ which pinentry
/usr/bin/pinentry
purism@pureos:~$ ls -l /usr/bin/pinentry
lrwxrwxrwx 1 root root 26 Nov 5 18:05 /usr/bin/pinentry -> /etc/alternatives/pinentry
purism@pureos:~$ ls -l /etc/alternatives/pinentry
lrwxrwxrwx 1 root root 24 Sep 11 08:25 /etc/alternatives/pinentry -> /usr/bin/pinentry-gnome3
purism@pureos:~$ ls -l /usr/bin/pinentr*
lrwxrwxrwx 1 root root 26 Nov 5 18:05 /usr/bin/pinentry -> /etc/alternatives/pinentry
-rwxr-xr-x 1 root root 59848 May 8 2020 /usr/bin/pinentry-curses
-rwxr-xr-x 1 root root 72136 May 8 2020 /usr/bin/pinentry-gnome3
lrwxrwxrwx 1 root root 30 Sep 11 08:25 /usr/bin/pinentry-x11 -> /etc/alternatives/pinentry-x11

And when the PIN is needed in a SSH session, then the PIN is asked in
the SSH session with:

┌──────────────────────────────────────────────┐
│ Please unlock the card                       │
│                                              │
│ Number: 0005 0000A6FE                        │
│ Holder: Matthias Apitz                       │
│                                              │
│ PIN ________________________________________ │
│                                              │
│            <OK>            <Cancel>          │
└──────────────────────────────────────────────┘

*when* the L5 is locked; when the L5 is not locked, the PIN is asked on
its screen with /usr/bin/pinentry-gnome3. Nice!

matthias
