OpenPGP master key on Nitrokey Start – Simon Josefsson’s blog

2023-03-28 01:11:11

I’ve used hardware-backed OpenPGP keys since 2006 when I imported newly generated rsa1024 subkeys to an FSFE Fellowship card. This worked well for several years, and I recall buying more ZeitControl cards for multi-machine usage and backup purposes. As a side note, I recall being unhappy with the weak 1024-bit RSA subkeys at the time – my primary key was a somewhat stronger 1280-bit RSA key created back in 2002 – however OpenPGP cards at the time didn’t support more than 1024 bit RSA, and were (and still often are) also limited to power-of-two RSA key sizes which I dislike.

I had my master key on disk with a strong password for a while, mostly to refresh the expiration time of the subkeys and to sign others’ OpenPGP keys. At some point I stopped carrying around encrypted copies of my master key. That was my main setup when I migrated to a new stronger RSA 3744 bit key with rsa2048 subkeys on a YubiKey NEO back in 2014. At that point, signing others’ OpenPGP keys was a rare enough occurrence that I settled with bringing out my offline machine to perform this operation, transferring the public key to sign on USB sticks. In 2019 I re-evaluated my OpenPGP setup and ended up creating an offline Ed25519 key with subkeys on a FST-01G running Gnuk. My approach for signing others’ OpenPGP keys was still to bring out my offline machine and sign things using the master secret, using USB sticks for storage and transport. Which meant I almost never did that, because it took too much effort. So my 2019-era Ed25519 key still only has a handful of signatures on it, since I had essentially stopped signing others’ keys, which is the traditional way of getting signatures in return.

None of this caused any significant problem for me because I continued to use my old 2014-era RSA3744 key in parallel with my new 2019-era Ed25519 key, since too many systems didn’t handle Ed25519. However, during 2022 this changed, and the only remaining setting that I still used my RSA3744 key for was in Debian – and they require OpenPGP signatures on the new key to allow it to replace an older key. I was in denial about this sub-optimal solution during 2022 and endured its practical consequences, having to use the YubiKey NEO (which I had replaced with a fully inserted YubiKey Nano at some point) for Debian-related purposes alone.

In December 2022 I got a new laptop and set up a FST-01SZ with my Ed25519 key, and while I’ve taken a vacation from Debian, I continue to extend the expiration period on the old RSA3744 key in case I will ever have to use it again, so the overall OpenPGP setup was still sub-optimal. Having two valid OpenPGP keys at the same time causes people to use both for email encryption (leading me to have to use both devices), and the WKD Key Discovery protocol doesn’t like two valid keys either. At FOSDEM’23 I ran into Andre Heinecke at GnuPG and I couldn’t help complaining about how complex and unsatisfying all OpenPGP-related things were, and he mildly ignored my rant and asked why I didn’t put the master key on another smartcard. The comment sunk in when I came home, and recently I connected all the dots, and this post is a summary of what I did to move my offline OpenPGP master key to a Nitrokey Start.

First a word about device choice. I still prefer to use hardware devices that are as compatible with free software as possible, but the FST-01G or FST-01SZ are no longer easily available for purchase. I got a comment about Nitrokey Start in my last post, and had two of them available to experiment with. There are things to dislike with the Nitrokey Start compared to the YubiKey (e.g., relatively insecure physical design, the bulkier form factor and lack of FIDO/U2F/OATH support) but – as far as I know – there is no other widely available owner-controlled device that is manufactured for the intended purpose of implementing an OpenPGP card. Thus it hits the sweet spot for me.

Nitrokey Start

The first step is to run the latest firmware on the Nitrokey Start – for bug-fixes and important OpenSSH 9.0 compatibility – and there is reproducibly built firmware published that you can install using pynitrokey. I run Trisquel 11 aramo on my laptop, which doesn’t include the Python Pip package (likely because it promotes installing non-free software) so that was a slight complication. Building the firmware locally may have worked, and I would like to do that eventually to verify the published firmware, however to save time I settled with installing the Ubuntu 22.04 packages on my machine:

$ sha256sum python3-pip*
ded6b3867a4a4cbaff0940cab366975d6aeecc76b9f2d2efa3deceb062668b1c  python3-pip_22.0.2+dfsg-1ubuntu0.2_all.deb
e1561575130c41dc3309023a345de337e84b4b04c21c74db57f599e267114325  python3-pip-whl_22.0.2+dfsg-1ubuntu0.2_all.deb
$ doas dpkg -i python3-pip*
...
$ doas apt install -f
...
$

Installing pynitrokey downloaded a bunch of dependencies, and it would be nice to audit the license and security vulnerabilities for each of them.

jas@kaka:~$ pip3 install --user pynitrokey
Collecting pynitrokey
  Downloading pynitrokey-0.4.34-py3-none-any.whl (572 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 572.3/572.3 KB 5.8 MB/s eta 0:00:00
Collecting frozendict~=2.3.4
  Downloading frozendict-2.3.5-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (113 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 113.4/113.4 KB 5.3 MB/s eta 0:00:00
Requirement already satisfied: click<9,>=8.0.0 in /usr/lib/python3/dist-packages (from pynitrokey) (8.0.3)
Collecting ecdsa
  Downloading ecdsa-0.18.0-py2.py3-none-any.whl (142 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 142.9/142.9 KB 6.0 MB/s eta 0:00:00
Collecting python-dateutil~=2.7.0
  Downloading python_dateutil-2.7.5-py2.py3-none-any.whl (225 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 225.7/225.7 KB 7.4 MB/s eta 0:00:00
Collecting fido2<2,>=1.1.0
  Downloading fido2-1.1.0-py3-none-any.whl (201 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 201.1/201.1 KB 5.5 MB/s eta 0:00:00
Collecting tlv8
  Downloading tlv8-0.10.0.tar.gz (16 kB)
  Preparing metadata (setup.py) ... done
Requirement already satisfied: certifi>=14.5.14 in /usr/lib/python3/dist-packages (from pynitrokey) (2020.6.20)
Requirement already satisfied: pyusb in /usr/lib/python3/dist-packages (from pynitrokey) (1.2.1.post1)
Collecting urllib3~=1.26.7
  Downloading urllib3-1.26.15-py2.py3-none-any.whl (140 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 140.9/140.9 KB 6.8 MB/s eta 0:00:00
Collecting spsdk<1.8.0,>=1.7.0
  Downloading spsdk-1.7.1-py3-none-any.whl (684 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 684.7/684.7 KB 8.3 MB/s eta 0:00:00
Collecting typing_extensions~=4.3.0
  Downloading typing_extensions-4.3.0-py3-none-any.whl (25 kB)
Requirement already satisfied: cryptography<37,>=3.4.4 in /usr/lib/python3/dist-packages (from pynitrokey) (3.4.8)
Collecting intelhex
  Downloading intelhex-2.3.0-py2.py3-none-any.whl (50 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 50.9/50.9 KB 4.9 MB/s eta 0:00:00
Collecting nkdfu
  Downloading nkdfu-0.2-py3-none-any.whl (16 kB)
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from pynitrokey) (2.25.1)
Collecting tqdm
  Downloading tqdm-4.65.0-py3-none-any.whl (77 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 77.1/77.1 KB 5.4 MB/s eta 0:00:00
Collecting nrfutil<7,>=6.1.4
  Downloading nrfutil-6.1.7.tar.gz (845 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 845.3/845.3 KB 7.1 MB/s eta 0:00:00
  Preparing metadata (setup.py) ... done
Requirement already satisfied: cffi in /usr/lib/python3/dist-packages (from pynitrokey) (1.15.0)
Collecting crcmod
  Downloading crcmod-1.7.tar.gz (89 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 89.7/89.7 KB 3.9 MB/s eta 0:00:00
  Preparing metadata (setup.py) ... done
Collecting libusb1==1.9.3
  Downloading libusb1-1.9.3-py3-none-any.whl (60 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 60.5/60.5 KB 3.7 MB/s eta 0:00:00
Collecting pc_ble_driver_py>=0.16.4
  Downloading pc_ble_driver_py-0.17.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (2.9 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.9/2.9 MB 8.2 MB/s eta 0:00:00
Collecting piccata
  Downloading piccata-2.0.3-py3-none-any.whl (21 kB)
Collecting protobuf<4.0.0,>=3.17.3
  Downloading protobuf-3.20.3-cp310-cp310-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (1.1 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.1/1.1 MB 8.0 MB/s eta 0:00:00
Collecting pyserial
  Downloading pyserial-3.5-py2.py3-none-any.whl (90 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 90.6/90.6 KB 4.7 MB/s eta 0:00:00
Collecting pyspinel>=1.0.0a3
  Downloading pyspinel-1.0.3.tar.gz (58 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 58.7/58.7 KB 3.7 MB/s eta 0:00:00
  Preparing metadata (setup.py) ... done
Requirement already satisfied: pyyaml in /usr/lib/python3/dist-packages (from nrfutil<7,>=6.1.4->pynitrokey) (5.4.1)
Requirement already satisfied: six>=1.5 in /usr/lib/python3/dist-packages (from python-dateutil~=2.7.0->pynitrokey) (1.16.0)
Collecting pylink-square<0.11.9,>=0.8.2
  Downloading pylink_square-0.11.1-py2.py3-none-any.whl (78 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 78.4/78.4 KB 5.0 MB/s eta 0:00:00
Collecting jinja2<3.1,>=2.11
  Downloading Jinja2-3.0.3-py3-none-any.whl (133 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 133.6/133.6 KB 6.7 MB/s eta 0:00:00
Collecting bincopy<17.11,>=17.10.2
  Downloading bincopy-17.10.3-py3-none-any.whl (17 kB)
Collecting fastjsonschema>=2.15.1
  Downloading fastjsonschema-2.16.3-py3-none-any.whl (23 kB)
Collecting astunparse<2,>=1.6
  Downloading astunparse-1.6.3-py2.py3-none-any.whl (12 kB)
Collecting oscrypto~=1.2
  Downloading oscrypto-1.3.0-py2.py3-none-any.whl (194 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 194.6/194.6 KB 7.3 MB/s eta 0:00:00
Collecting deepmerge==0.3.0
  Downloading deepmerge-0.3.0-py2.py3-none-any.whl (7.6 kB)
Collecting pyocd<=0.31.0,>=0.28.3
  Downloading pyocd-0.31.0-py3-none-any.whl (12.5 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 12.5/12.5 MB 3.9 MB/s eta 0:00:00
Collecting click-option-group<0.6,>=0.3.0
  Downloading click_option_group-0.5.5-py3-none-any.whl (12 kB)
Collecting pycryptodome<4,>=3.9.3
  Downloading pycryptodome-3.17-cp35-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (2.1 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 7.9 MB/s eta 0:00:00
Collecting pyocd-pemicro<1.2.0,>=1.1.1
  Downloading pyocd_pemicro-1.1.5-py3-none-any.whl (9.0 kB)
Requirement already satisfied: colorama<1,>=0.4.4 in /usr/lib/python3/dist-packages (from spsdk<1.8.0,>=1.7.0->pynitrokey) (0.4.4)
Collecting commentjson<1,>=0.9
  Downloading commentjson-0.9.0.tar.gz (8.7 kB)
  Preparing metadata (setup.py) ... done
Requirement already satisfied: asn1crypto<2,>=1.2 in /usr/lib/python3/dist-packages (from spsdk<1.8.0,>=1.7.0->pynitrokey) (1.4.0)
Collecting pypemicro<0.2.0,>=0.1.9
  Downloading pypemicro-0.1.11-py3-none-any.whl (5.7 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 5.7/5.7 MB 8.8 MB/s eta 0:00:00
Collecting libusbsio>=2.1.11
  Downloading libusbsio-2.1.11-py3-none-any.whl (247 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 247.1/247.1 KB 7.9 MB/s eta 0:00:00
Collecting sly==0.4
  Downloading sly-0.4.tar.gz (60 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 60.6/60.6 KB 5.1 MB/s eta 0:00:00
  Preparing metadata (setup.py) ... done
Collecting ruamel.yaml<0.18.0,>=0.17
  Downloading ruamel.yaml-0.17.21-py3-none-any.whl (109 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 109.5/109.5 KB 4.2 MB/s eta 0:00:00
Collecting cmsis-pack-manager<0.3.0
  Downloading cmsis_pack_manager-0.2.10-py2.py3-none-manylinux1_x86_64.whl (25.1 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 25.1/25.1 MB 8.5 MB/s eta 0:00:00
Collecting click-command-tree==1.1.0
  Downloading click_command_tree-1.1.0-py3-none-any.whl (3.6 kB)
Requirement already satisfied: bitstring<3.2,>=3.1 in /usr/lib/python3/dist-packages (from spsdk<1.8.0,>=1.7.0->pynitrokey) (3.1.7)
Collecting hexdump~=3.3
  Downloading hexdump-3.3.zip (12 kB)
  Preparing metadata (setup.py) ... done
Collecting fire
  Downloading fire-0.5.0.tar.gz (88 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 88.3/88.3 KB 4.7 MB/s eta 0:00:00
  Preparing metadata (setup.py) ... done
Requirement already satisfied: wheel<1.0,>=0.23.0 in /usr/lib/python3/dist-packages (from astunparse<2,>=1.6->spsdk<1.8.0,>=1.7.0->pynitrokey) (0.37.1)
Collecting humanfriendly
  Downloading humanfriendly-10.0-py2.py3-none-any.whl (86 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 86.8/86.8 KB 4.6 MB/s eta 0:00:00
Collecting argparse-addons>=0.4.0
  Downloading argparse_addons-0.12.0-py3-none-any.whl (3.3 kB)
Collecting pyelftools
  Downloading pyelftools-0.29-py2.py3-none-any.whl (174 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 174.3/174.3 KB 4.1 MB/s eta 0:00:00
Collecting milksnake>=0.1.2
  Downloading milksnake-0.1.5-py2.py3-none-any.whl (9.6 kB)
Requirement already satisfied: appdirs>=1.4 in /usr/lib/python3/dist-packages (from cmsis-pack-manager<0.3.0->spsdk<1.8.0,>=1.7.0->pynitrokey) (1.4.4)
Collecting lark-parser<0.8.0,>=0.7.1
  Downloading lark-parser-0.7.8.tar.gz (276 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 276.2/276.2 KB 6.6 MB/s eta 0:00:00
  Preparing metadata (setup.py) ... done
Requirement already satisfied: MarkupSafe>=2.0 in /usr/lib/python3/dist-packages (from jinja2<3.1,>=2.11->spsdk<1.8.0,>=1.7.0->pynitrokey) (2.0.1)
Collecting asn1crypto<2,>=1.2
  Downloading asn1crypto-1.5.1-py2.py3-none-any.whl (105 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 105.0/105.0 KB 6.8 MB/s eta 0:00:00
Collecting wrapt
  Downloading wrapt-1.15.0-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (78 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 78.4/78.4 KB 4.6 MB/s eta 0:00:00
Collecting future
  Downloading future-0.18.3.tar.gz (840 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 840.9/840.9 KB 7.1 MB/s eta 0:00:00
  Preparing metadata (setup.py) ... done
Collecting psutil>=5.2.2
  Downloading psutil-5.9.4-cp36-abi3-manylinux_2_12_x86_64.manylinux2010_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (280 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 280.2/280.2 KB 6.1 MB/s eta 0:00:00
Collecting capstone<5.0,>=4.0
  Downloading capstone-4.0.2-py2.py3-none-manylinux1_x86_64.whl (2.1 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 7.0 MB/s eta 0:00:00
Collecting naturalsort<2.0,>=1.5
  Downloading naturalsort-1.5.1.tar.gz (7.4 kB)
  Preparing metadata (setup.py) ... done
Collecting prettytable<3.0,>=2.0
  Downloading prettytable-2.5.0-py3-none-any.whl (24 kB)
Collecting intervaltree<4.0,>=3.0.2
  Downloading intervaltree-3.1.0.tar.gz (32 kB)
  Preparing metadata (setup.py) ... done
Collecting ruamel.yaml.clib>=0.2.6
  Downloading ruamel.yaml.clib-0.2.7-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.manylinux_2_24_x86_64.whl (485 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 485.6/485.6 KB 7.4 MB/s eta 0:00:00
Collecting termcolor
  Downloading termcolor-2.2.0-py3-none-any.whl (6.6 kB)
Collecting sortedcontainers<3.0,>=2.0
  Downloading sortedcontainers-2.4.0-py2.py3-none-any.whl (29 kB)
Requirement already satisfied: wcwidth in /usr/lib/python3/dist-packages (from prettytable<3.0,>=2.0->pyocd<=0.31.0,>=0.28.3->spsdk<1.8.0,>=1.7.0->pynitrokey) (0.2.5)
Building wheels for collected packages: nrfutil, crcmod, sly, tlv8, commentjson, hexdump, pyspinel, fire, intervaltree, lark-parser, naturalsort, future
  Building wheel for nrfutil (setup.py) ... done
  Created wheel for nrfutil: filename=nrfutil-6.1.7-py3-none-any.whl size=898520 sha256=de6f8803f51d6c26d24dc7df6292064a468ff3f389d73370433fde5582b84a10
  Stored in directory: /home/jas/.cache/pip/wheels/39/2b/9b/98ab2dd716da746290e6728bdb557b14c1c9a54cb9ed86e13b
  Building wheel for crcmod (setup.py) ... done
  Created wheel for crcmod: filename=crcmod-1.7-cp310-cp310-linux_x86_64.whl size=31422 sha256=5149ac56fcbfa0606760eef5220fcedc66be560adf68cf38c604af3ad0e4a8b0
  Stored in directory: /home/jas/.cache/pip/wheels/85/4c/07/72215c529bd59d67e3dac29711d7aba1b692f543c808ba9e86
  Building wheel for sly (setup.py) ... done
  Created wheel for sly: filename=sly-0.4-py3-none-any.whl size=27352 sha256=f614e413918de45c73d1e9a8dca61ca07dc760d9740553400efc234c891f7fde
  Stored in directory: /home/jas/.cache/pip/wheels/a2/23/4a/6a84282a0d2c29f003012dc565b3126e427972e8b8157ea51f
  Building wheel for tlv8 (setup.py) ... done
  Created wheel for tlv8: filename=tlv8-0.10.0-py3-none-any.whl size=11266 sha256=3ec8b3c45977a3addbc66b7b99e1d81b146607c3a269502b9b5651900a0e2d08
  Stored in directory: /home/jas/.cache/pip/wheels/e9/35/86/66a473cc2abb0c7f21ed39c30a3b2219b16bd2cdb4b33cfc2c
  Building wheel for commentjson (setup.py) ... done
  Created wheel for commentjson: filename=commentjson-0.9.0-py3-none-any.whl size=12092 sha256=28b6413132d6d7798a18cf8c76885dc69f676ea763ffcb08775a3c2c43444f4a
  Stored in directory: /home/jas/.cache/pip/wheels/7d/90/23/6358a234ca5b4ec0866d447079b97fedf9883387d1d7d074e5
  Building wheel for hexdump (setup.py) ... done
  Created wheel for hexdump: filename=hexdump-3.3-py3-none-any.whl size=8913 sha256=79dfadd42edbc9acaeac1987464f2df4053784fff18b96408c1309b74fd09f50
  Stored in directory: /home/jas/.cache/pip/wheels/26/28/f7/f47d7ecd9ae44c4457e72c8bb617ef18ab332ee2b2a1047e87
  Building wheel for pyspinel (setup.py) ... done
  Created wheel for pyspinel: filename=pyspinel-1.0.3-py3-none-any.whl size=65033 sha256=01dc27f81f28b4830a0cf2336dc737ef309a1287fcf33f57a8a4c5bed3b5f0a6
  Stored in directory: /home/jas/.cache/pip/wheels/95/ec/4b/6e3e2ee18e7292d26a65659f75d07411a6e69158bb05507590
  Building wheel for fire (setup.py) ... done
  Created wheel for fire: filename=fire-0.5.0-py2.py3-none-any.whl size=116951 sha256=3d288585478c91a6914629eb739ea789828eb2d0267febc7c5390cb24ba153e8
  Stored in directory: /home/jas/.cache/pip/wheels/90/d4/f7/9404e5db0116bd4d43e5666eaa3e70ab53723e1e3ea40c9a95
  Building wheel for intervaltree (setup.py) ... done
  Created wheel for intervaltree: filename=intervaltree-3.1.0-py2.py3-none-any.whl size=26119 sha256=5ff1def22ba883af25c90d90ef7c6518496fcd47dd2cbc53a57ec04cd60dc21d
  Stored in directory: /home/jas/.cache/pip/wheels/fa/80/8c/43488a924a046b733b64de3fac99252674c892a4c3801c0a61
  Building wheel for lark-parser (setup.py) ... done
  Created wheel for lark-parser: filename=lark_parser-0.7.8-py2.py3-none-any.whl size=62527 sha256=3d2ec1d0f926fc2688d40777f7ef93c9986f874169132b1af590b6afc038f4be
  Stored in directory: /home/jas/.cache/pip/wheels/29/30/94/33e8b58318aa05cb1842b365843036e0280af5983abb966b83
  Building wheel for naturalsort (setup.py) ... done
  Created wheel for naturalsort: filename=naturalsort-1.5.1-py3-none-any.whl size=7526 sha256=bdecac4a49f2416924548cae6c124c85d5333e9e61c563232678ed182969d453
  Stored in directory: /home/jas/.cache/pip/wheels/a6/8e/c9/98cfa614fff2979b457fa2d9ad45ec85fa417e7e3e2e43be51
  Building wheel for future (setup.py) ... done
  Created wheel for future: filename=future-0.18.3-py3-none-any.whl size=492037 sha256=57a01e68feca2b5563f5f624141267f399082d2f05f55886f71b5d6e6cf2b02c
  Stored in directory: /home/jas/.cache/pip/wheels/5e/a9/47/f118e66afd12240e4662752cc22cefae5d97275623aa8ef57d
Successfully built nrfutil crcmod sly tlv8 commentjson hexdump pyspinel fire intervaltree lark-parser naturalsort future
Installing collected packages: tlv8, sortedcontainers, sly, pyserial, pyelftools, piccata, naturalsort, libusb1, lark-parser, intelhex, hexdump, fastjsonschema, crcmod, asn1crypto, wrapt, urllib3, typing_extensions, tqdm, termcolor, ruamel.yaml.clib, python-dateutil, pyspinel, pypemicro, pycryptodome, psutil, protobuf, prettytable, oscrypto, milksnake, libusbsio, jinja2, intervaltree, humanfriendly, future, frozendict, fido2, ecdsa, deepmerge, commentjson, click-option-group, click-command-tree, capstone, astunparse, argparse-addons, ruamel.yaml, pyocd-pemicro, pylink-square, pc_ble_driver_py, fire, cmsis-pack-manager, bincopy, pyocd, nrfutil, nkdfu, spsdk, pynitrokey
  WARNING: The scripts pyserial-miniterm and pyserial-ports are installed in '/home/jas/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
  WARNING: The script tqdm is installed in '/home/jas/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
  WARNING: The script humanfriendly is installed in '/home/jas/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
  WARNING: The scripts futurize and pasteurize are installed in '/home/jas/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
  WARNING: The script pylink is installed in '/home/jas/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
  WARNING: The script pack-manager is installed in '/home/jas/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
  WARNING: The script bincopy is installed in '/home/jas/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
  WARNING: The scripts pyocd and pyocd-gdbserver are installed in '/home/jas/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
  WARNING: The script nrfutil is installed in '/home/jas/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
  WARNING: The script nkdfu is installed in '/home/jas/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
  WARNING: The scripts blhost, elftosb, nxpcertgen, nxpcrypto, nxpdebugmbox, nxpdevhsm, nxpdevscan, nxpimage, nxpkeygen, pfr, pfrc, sdphost, sdpshost, shadowregs, spsdk, tpconfig and tphost are installed in '/home/jas/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
  WARNING: The script nitropy is installed in '/home/jas/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed argparse-addons-0.12.0 asn1crypto-1.5.1 astunparse-1.6.3 bincopy-17.10.3 capstone-4.0.2 click-command-tree-1.1.0 click-option-group-0.5.5 cmsis-pack-manager-0.2.10 commentjson-0.9.0 crcmod-1.7 deepmerge-0.3.0 ecdsa-0.18.0 fastjsonschema-2.16.3 fido2-1.1.0 fire-0.5.0 frozendict-2.3.5 future-0.18.3 hexdump-3.3 humanfriendly-10.0 intelhex-2.3.0 intervaltree-3.1.0 jinja2-3.0.3 lark-parser-0.7.8 libusb1-1.9.3 libusbsio-2.1.11 milksnake-0.1.5 naturalsort-1.5.1 nkdfu-0.2 nrfutil-6.1.7 oscrypto-1.3.0 pc_ble_driver_py-0.17.0 piccata-2.0.3 prettytable-2.5.0 protobuf-3.20.3 psutil-5.9.4 pycryptodome-3.17 pyelftools-0.29 pylink-square-0.11.1 pynitrokey-0.4.34 pyocd-0.31.0 pyocd-pemicro-1.1.5 pypemicro-0.1.11 pyserial-3.5 pyspinel-1.0.3 python-dateutil-2.7.5 ruamel.yaml-0.17.21 ruamel.yaml.clib-0.2.7 sly-0.4 sortedcontainers-2.4.0 spsdk-1.7.1 termcolor-2.2.0 tlv8-0.10.0 tqdm-4.65.0 typing_extensions-4.3.0 urllib3-1.26.15 wrapt-1.15.0
jas@kaka:~$
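The audit wished for above starts with an exact inventory of what the unpinned `pip3 install --user` run put on disk. pip's own transcript already contains it: the "Successfully installed" line lists name-version pairs, and each "Created wheel for" line carries the sha256 of a wheel pip built locally from an sdist (those are the packages whose build scripts ran on your machine). The following is an added example, not code from the post or from the pynitrokey project; it parses such a transcript into an inventory and reports what is not covered by a pinned allow-list. The sample transcript is a constructed, shortened copy of the output above, and the allow-list in the usage is likewise constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a shortened transcript with the same line shapes as the
# real pip output (name-version tokens, locally built wheels with sha256).
SAMPLE_LOG = """\
Collecting pynitrokey
  Downloading pynitrokey-0.4.34-py3-none-any.whl (572 kB)
Building wheels for collected packages: nrfutil, crcmod
  Building wheel for nrfutil (setup.py) ... done
  Created wheel for nrfutil: filename=nrfutil-6.1.7-py3-none-any.whl size=898520 sha256=de6f8803f51d6c26d24dc7df6292064a468ff3f389d73370433fde5582b84a10
  Building wheel for crcmod (setup.py) ... done
  Created wheel for crcmod: filename=crcmod-1.7-cp310-cp310-linux_x86_64.whl size=31422 sha256=5149ac56fcbfa0606760eef5220fcedc66be560adf68cf38c604af3ad0e4a8b0
Successfully installed click-command-tree-1.1.0 crcmod-1.7 nrfutil-6.1.7 pc_ble_driver_py-0.17.0 pynitrokey-0.4.34 ruamel.yaml.clib-0.2.7
"""

_INSTALLED_RE = re.compile(r"^Successfully installed (.+)$", re.M)
_WHEEL_RE = re.compile(
    r"^\s*Created wheel for (?P<name>\S+): filename=(?P<filename>\S+) "
    r"size=(?P<size>\d+) sha256=(?P<sha256>[0-9a-f]{64})$",
    re.M,
)


@dataclass
class Package:
    name: str
    version: str
    built_locally: bool = False          # pip ran setup.py on this host
    wheel_sha256: Optional[str] = None   # hash of the locally built wheel


def split_name_version(token: str) -> Tuple[str, str]:
    """'click-command-tree-1.1.0' -> ('click-command-tree', '1.1.0').

    Project names may contain '-', '_' and '.', but the version pip prints
    here never contains '-', so the last hyphen is the separator.
    """
    name, sep, version = token.rpartition("-")
    if not sep or not name or not version:
        raise ValueError(f"not a name-version token: {token!r}")
    return name, version


def parse_pip_log(text: str) -> Dict[str, Package]:
    """Turn a pip install transcript into {name: Package}."""
    m = _INSTALLED_RE.search(text)
    if m is None:
        raise ValueError("no 'Successfully installed' line in transcript")
    inventory: Dict[str, Package] = {}
    for token in m.group(1).split():
        name, version = split_name_version(token)
        inventory[name] = Package(name, version)
    # Mark packages whose wheel was built from source on this machine.
    for w in _WHEEL_RE.finditer(text):
        pkg = inventory.get(w["name"])
        if pkg is not None:
            pkg.built_locally = True
            pkg.wheel_sha256 = w["sha256"]
    return inventory


def unpinned(inventory: Dict[str, Package], allowlist: Dict[str, str]) -> List[str]:
    """Names whose installed version is absent from, or differs from, the
    reviewed name->version allow-list; these still need a look."""
    return sorted(n for n, p in inventory.items() if allowlist.get(n) != p.version)


if __name__ == "__main__":
    inv = parse_pip_log(SAMPLE_LOG)
    reviewed = {"pynitrokey": "0.4.34", "nrfutil": "6.1.7", "crcmod": "1.7"}  # constructed
    for p in inv.values():
        flag = " (built locally, wheel sha256 %s...)" % p.wheel_sha256[:8] if p.built_locally else ""
        print(f"{p.name}=={p.version}{flag}")
    print("needs review:", unpinned(inv, reviewed))
```

Feed it the real transcript with `pip3 install --user pynitrokey 2>&1 | tee pip.log` and `parse_pip_log(open("pip.log").read())`; the "built locally" entries are the ones where arbitrary `setup.py` code already executed, so they deserve the first look.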

Then upgrading the device worked remarkably well, although I wish that the tool would have printed URLs and checksums for the firmware files to allow easy confirmation.

jas@kaka:~$ PATH=$PATH:/home/jas/.local/bin
jas@kaka:~$ nitropy start list
Command line tool to interact with Nitrokey devices 0.4.34
:: 'Nitrokey Start' keys:
FSIJ-1.2.15-5D271572: Nitrokey Nitrokey Start (RTM.12.1-RC2-modified)
jas@kaka:~$ nitropy start update
Command line tool to interact with Nitrokey devices 0.4.34
Nitrokey Start firmware update tool
Platform: Linux-5.15.0-67-generic-x86_64-with-glibc2.35
System: Linux, is_linux: True
Python: 3.10.6
Saving run log to: /tmp/nitropy.log.gc5753a8
Admin PIN: 
Firmware data to be used:
- FirmwareType.REGNUAL: 4408, hash: ...b'72a30389' valid (from ...built/RTM.13/regnual.bin)
- FirmwareType.GNUK: 129024, hash: ...b'25a4289b' valid (from ...prebuilt/RTM.13/gnuk.bin)
Currently connected device strings:
Device: 
    Vendor: Nitrokey
   Product: Nitrokey Start
    Serial: FSIJ-1.2.15-5D271572
  Revision: RTM.12.1-RC2-modified
    Config: *:*:8e82
       Sys: 3.0
     Board: NITROKEY-START-G
initial device strings: [{'name': '', 'Vendor': 'Nitrokey', 'Product': 'Nitrokey Start', 'Serial': 'FSIJ-1.2.15-5D271572', 'Revision': 'RTM.12.1-RC2-modified', 'Config': '*:*:8e82', 'Sys': '3.0', 'Board': 'NITROKEY-START-G'}]
Please note:
- Latest firmware available is: 
  RTM.13 (published: 2022-12-08T10:59:11Z)
- provided firmware: None
- all data will be removed from the device!
- do not interrupt update process - the device may not run properly!
- the process should not take more than 1 minute
Do you want to continue? [yes/no]: yes
...
Starting bootloader upload procedure
Device: Nitrokey Start FSIJ-1.2.15-5D271572
Connected to the device
Running update!
Do NOT remove the device from the USB slot, until further notice
Downloading flash upgrade program...
Executing flash upgrade...
Waiting for device to appear:
  Wait 20 seconds.....

Downloading the program
Protecting device
Finish flashing
Resetting device
Update procedure finished. Device could be removed from USB slot.

Currently connected device strings (after upgrade):
Device: 
    Vendor: Nitrokey
   Product: Nitrokey Start
    Serial: FSIJ-1.2.19-5D271572
  Revision: RTM.13
    Config: *:*:8e82
       Sys: 3.0
     Board: NITROKEY-START-G
device can now be safely removed from the USB slot
final device strings: [{'name': '', 'Vendor': 'Nitrokey', 'Product': 'Nitrokey Start', 'Serial': 'FSIJ-1.2.19-5D271572', 'Revision': 'RTM.13', 'Config': '*:*:8e82', 'Sys': '3.0', 'Board': 'NITROKEY-START-G'}]
closing session 2023-03-16 21:49:07.371291
Log saved to: /tmp/nitropy.log.gc5753a8
jas@kaka:~$ 

jas@kaka:~$ nitropy start list
Command line tool to interact with Nitrokey devices 0.4.34
:: 'Nitrokey Start' keys:
FSIJ-1.2.19-5D271572: Nitrokey Nitrokey Start (RTM.13)
jas@kaka:~$ 

Before importing the master key to this device, it should be configured. Note the commands in the beginning to make sure scdaemon/pcscd isn’t running, because they may have cached state from earlier cards. Change the PIN code as you like after this; my experience with Gnuk was that the Admin PIN had to be changed first, then you import the key, and then you change the PIN.

jas@kaka:~$ gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye
OK
ERR 67125247 Slut på fil <GPG Agent>
jas@kaka:~$ ps auxww|grep -e pcsc -e scd
jas        11651  0.0  0.0   3468  1672 pts/0    R+   21:54   0:00 grep --color=auto -e pcsc -e scd
jas@kaka:~$ gpg --card-edit

Reader ...........: 20A0:4211:FSIJ-1.2.19-5D271572:0
Application ID ...: D276000124010200FFFE5D2715720000
Application type .: OpenPGP
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 5D271572
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> kdf-setup

gpg/card> passwd
gpg: OpenPGP card no. D276000124010200FFFE5D2715720000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3
PIN changed.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? q

gpg/card> name
Cardholder's surname: Josefsson
Cardholder's given name: Simon

gpg/card> lang
Language preferences: sv

gpg/card> sex
Salutation (M = Mr., F = Ms., or space): m

gpg/card> login
Login data (account name): jas

gpg/card> url
URL to retrieve public key: https://josefsson.org/key-20190320.txt

gpg/card> forcesig

gpg/card> key-attr
Changing card key attribute for: Signature key
Please select what kind of key you want:
   (1) RSA
   (2) ECC
Your selection? 2
Please select which elliptic curve you want:
   (1) Curve 25519
   (4) NIST P-384
Your selection? 1
The card will now be re-configured to generate a key of type: ed25519
Note: There is no guarantee that the card supports the requested size.
      If the key generation does not succeed, please check the
      documentation of your card to see what sizes are allowed.
Changing card key attribute for: Encryption key
Please select what kind of key you want:
   (1) RSA
   (2) ECC
Your selection? 2
Please select which elliptic curve you want:
   (1) Curve 25519
   (4) NIST P-384
Your selection? 1
The card will now be re-configured to generate a key of type: cv25519
Changing card key attribute for: Authentication key
Please select what kind of key you want:
   (1) RSA
   (2) ECC
Your selection? 2
Please select which elliptic curve you want:
   (1) Curve 25519
   (4) NIST P-384
Your selection? 1
The card will now be re-configured to generate a key of type: ed25519

gpg/card> 
jas@kaka:~$ gpg --card-edit

Reader ...........: 20A0:4211:FSIJ-1.2.19-5D271572:0
Application ID ...: D276000124010200FFFE5D2715720000
Application type .: OpenPGP
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 5D271572
Name of cardholder: Simon Josefsson
Language prefs ...: sv
Salutation .......: Mr.
URL of public key : https://josefsson.org/key-20190320.txt
Login data .......: jas
Signature PIN ....: not forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: on
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

jas@kaka:~$ 

Once set up, bring out your offline machine, boot it and mount your USB stick with the offline key. The paths below will be different, and this is using a somewhat unorthodox approach of working with fresh GnuPG configuration paths that I chose for the USB stick.


jas@kaka:/media/jas/2c699cbd-b77e-4434-a0d6-0c4965864296$ cp -a gnupghome-backup-masterkey gnupghome-import-nitrokey-5D271572
jas@kaka:/media/jas/2c699cbd-b77e-4434-a0d6-0c4965864296$ gpg --homedir $PWD/gnupghome-import-nitrokey-5D271572 --edit-key B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  ed25519/D73CF638C53C06BE
     created: 2019-03-20  expired: 2019-10-22  usage: SC  
     trust: ultimate      validity: expired
[ expired] (1). Simon Josefsson <simon@josefsson.org>

gpg> keytocard
Really move the primary key? (y/N) y
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

sec  ed25519/D73CF638C53C06BE
     created: 2019-03-20  expired: 2019-10-22  usage: SC  
     trust: ultimate      validity: expired
[ expired] (1). Simon Josefsson <simon@josefsson.org>

gpg> 
Save changes? (y/N) y
jas@kaka:/media/jas/2c699cbd-b77e-4434-a0d6-0c4965864296$ 

At this point it is useful to verify, back on your regular machine, that the Nitrokey has the master key available and that it is possible to sign statements with it:

jas@kaka:~$ gpg --card-status
Reader ...........: 20A0:4211:FSIJ-1.2.19-5D271572:0
Application ID ...: D276000124010200FFFE5D2715720000
Application type .: OpenPGP
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 5D271572
Name of cardholder: Simon Josefsson
Language prefs ...: sv
Salutation .......: Mr.
URL of public key : https://josefsson.org/key-20190320.txt
Login data .......: jas
Signature PIN ....: not forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 1
KDF setting ......: on
Signature key ....: B1D2 BD13 75BE CB78 4CF4  F8C4 D73C F638 C53C 06BE
      created ....: 2019-03-20 23:37:24
Encryption key....: [none]
Authentication key: [none]
General key info..: pub  ed25519/D73CF638C53C06BE 2019-03-20 Simon Josefsson <simon@josefsson.org>
sec>  ed25519/D73CF638C53C06BE  created: 2019-03-20  expires: 2023-09-19
                                card-no: FFFE 5D271572
ssb>  ed25519/80260EE8A9B92B2B  created: 2019-03-20  expires: 2023-09-19
                                card-no: FFFE 42315277
ssb>  ed25519/51722B08FE4745A2  created: 2019-03-20  expires: 2023-09-19
                                card-no: FFFE 42315277
ssb>  cv25519/02923D7EE76EBD60  created: 2019-03-20  expires: 2023-09-19
                                card-no: FFFE 42315277
jas@kaka:~$ echo foo|gpg -a --sign|gpg --verify
gpg: Signature made Thu Mar 16 22:11:02 2023 CET
gpg:                using EDDSA key B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE
gpg: Good signature from "Simon Josefsson <simon@josefsson.org>" [ultimate]
jas@kaka:~$ 
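Eyeballing that listing works, but after a keytocard it is worth checking the few fields that actually matter in a repeatable way: that the fingerprint in the Signature key slot is the master key you intended to move (and not some other key that happened to be in the keyring), that the card serial is the one you provisioned, that the KDF setting is on, and that the PIN retry counters are not already exhausted. The script below is an added example written for this post, not the author's code or part of GnuPG; it parses the human-readable `gpg --card-status` listing exactly as shown above (a constructed, abridged copy of that output is embedded so it runs offline), and the `live_card_status` and `sign_roundtrip` helpers simply shell out to the real `gpg` commands used in the post.

```python
import re
import subprocess
from typing import Dict, Optional

# Constructed sample: an abridged copy of the `gpg --card-status` listing from
# the post, in the exact "Label ....: value" layout GnuPG 2.2 prints.
SAMPLE_CARD_STATUS = """\
Reader ...........: 20A0:4211:FSIJ-1.2.19-5D271572:0
Application ID ...: D276000124010200FFFE5D2715720000
Application type .: OpenPGP
Version ..........: 2.0
Serial number ....: 5D271572
Name of cardholder: Simon Josefsson
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 1
KDF setting ......: on
Signature key ....: B1D2 BD13 75BE CB78 4CF4  F8C4 D73C F638 C53C 06BE
      created ....: 2019-03-20 23:37:24
Encryption key....: [none]
Authentication key: [none]
"""

# Fingerprint of the master key moved to the card in the post.
EXPECTED_MASTER_FPR = "B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE"
EXPECTED_SERIAL = "5D271572"


def parse_card_status(text: str) -> Dict[str, str]:
    """Map each top-level 'Label ....: value' line to {label: value}.

    Only the first colon separates label from value, so values that contain
    colons (the Reader line, timestamps) survive intact.  Indented
    continuation lines ("      created ....:") and the key listing at the
    bottom of the real output are skipped.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line[:1].isspace() or ":" not in line:
            continue
        left, value = line.split(":", 1)
        label = left.rstrip(" .").strip()
        # Accept only GnuPG's prose labels, not "sec>  ed25519/..." rows.
        if not re.fullmatch(r"[A-Za-z][A-Za-z. ]*", label):
            continue
        fields[label] = value.strip()
    return fields


def check_card(text: str, expected_fpr: str,
               expected_serial: Optional[str] = None) -> Dict[str, bool]:
    """Return named pass/fail checks for a card-status listing."""
    f = parse_card_status(text)
    # GnuPG prints the fingerprint in spaced groups; normalise before comparing.
    fpr = f.get("Signature key", "").replace(" ", "").upper()
    retries = f.get("PIN retry counter", "").split()
    attrs = f.get("Key attributes", "").split()
    return {
        "signature_key_matches": fpr == expected_fpr.replace(" ", "").upper(),
        "serial_matches": (expected_serial is None
                           or f.get("Serial number") == expected_serial),
        "kdf_on": f.get("KDF setting") == "on",
        # Three counters (PIN, reset code, admin PIN); none may be zero.
        "pin_retries_left": (len(retries) == 3
                             and all(r.isdigit() and int(r) > 0 for r in retries)),
        "ed25519_signature_slot": attrs[:1] == ["ed25519"],
    }


def live_card_status() -> str:
    """Read the real listing from the inserted card (needs gpg + scdaemon)."""
    return subprocess.run(["gpg", "--card-status"], check=True,
                          capture_output=True, text=True).stdout


def sign_roundtrip(message: bytes = b"foo\n") -> bool:
    """Same round trip as `echo foo|gpg -a --sign|gpg --verify` in the post."""
    signed = subprocess.run(["gpg", "-a", "--sign"], input=message,
                            check=True, capture_output=True).stdout
    verify = subprocess.run(["gpg", "--verify"], input=signed,
                            capture_output=True)
    return verify.returncode == 0 and b"Good signature" in verify.stderr


if __name__ == "__main__":
    # Swap SAMPLE_CARD_STATUS for live_card_status() against a real card.
    for name, ok in check_card(SAMPLE_CARD_STATUS, EXPECTED_MASTER_FPR,
                               EXPECTED_SERIAL).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run against a real card by replacing the sample text with `live_card_status()`; a FAIL on `signature_key_matches` is the one to stop on, since it means whatever got moved onto the card is not the master key you backed up, and `pin_retries_left` dropping to zero on the admin PIN counter locks you out of further card administration.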

Finally, to retrieve and sign a key, for example Andre Heinecke's, whose OpenPGP key identifier I could confirm from his business card:

jas@kaka:~$ gpg --locate-external-keys aheinecke@gnupg.com
gpg: key 1FDF723CF462B6B1: public key "Andre Heinecke <aheinecke@gnupg.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   7  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:   7  signed:  64  trust: 7-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2023-05-26
pub   rsa3072 2015-12-08 [SC] [expires: 2025-12-05]
      94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1
uid           [ unknown] Andre Heinecke <aheinecke@gnupg.com>
sub   ed25519 2017-02-13 [S]
sub   ed25519 2017-02-13 [A]
sub   rsa3072 2015-12-08 [E] [expires: 2025-12-05]
sub   rsa3072 2015-12-08 [A] [expires: 2025-12-05]

jas@kaka:~$ gpg --edit-key "94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1"
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa3072/1FDF723CF462B6B1
     created: 2015-12-08  expires: 2025-12-05  usage: SC  
     trust: unknown       validity: unknown
sub  ed25519/2978E9D40CBABA5C
     created: 2017-02-13  expires: never       usage: S   
sub  ed25519/DC74D901C8E2DD47
     created: 2017-02-13  expires: never       usage: A   
The following key was revoked on 2017-02-23 by RSA key 1FDF723CF462B6B1 Andre Heinecke <aheinecke@gnupg.com>
sub  cv25519/1FFE3151683260AB
     created: 2017-02-13  revoked: 2017-02-23  usage: E   
sub  rsa3072/8CC999BDAA45C71F
     created: 2015-12-08  expires: 2025-12-05  usage: E   
sub  rsa3072/6304A4B539CE444A
     created: 2015-12-08  expires: 2025-12-05  usage: A   
[ unknown] (1). Andre Heinecke <aheinecke@gnupg.com>

gpg> sign

pub  rsa3072/1FDF723CF462B6B1
     created: 2015-12-08  expires: 2025-12-05  usage: SC  
     trust: unknown       validity: unknown
 Primary key fingerprint: 94A5 C9A0 3C2F E5CA 3B09  5D8E 1FDF 723C F462 B6B1

     Andre Heinecke <aheinecke@gnupg.com>

This key is due to expire on 2025-12-05.
Are you sure that you want to sign this key with your
key "Simon Josefsson <simon@josefsson.org>" (D73CF638C53C06BE)

Really sign? (y/N) y

gpg> quit
Save changes? (y/N) y
jas@kaka:~$ 

This is on my day-to-day machine, using the NitroKey Start with the offline key. No need to boot the old offline machine just to sign keys or extend expiry anymore! At FOSDEM'23 I managed to get at least one DD signature on my new key, and the Debian keyring maintainers accepted my Ed25519 key. Hopefully I can now finally let my 2014-era RSA3744 key expire on 2023-09-19 and not extend it any further. This should finish my transition to a simpler OpenPGP key setup, yay!
