OpenPGP grasp key on Nitrokey Begin – Simon Josefsson’s weblog
I’ve used hardware-backed OpenPGP keys since 2006 once I imported newly generated rsa1024 subkeys to a FSFE Fellowship card. This labored nicely for a number of years, and I recall shopping for extra ZeitControl playing cards for multi-machine utilization and backup functions. As a aspect word, I recall being unhappy with the weak 1024-bit RSA subkeys on the time – my major key was a considerably stronger 1280-bit RSA key created again in 2002 — however OpenPGP playing cards on the time didn’t help greater than 1024 bit RSA, and had been (and nonetheless usually are) additionally restricted to power-of-two RSA key sizes which I dislike.
I had my grasp key on disk with a powerful password for some time, principally to refresh expiration time of the subkeys and to signal different’s OpenPGP keys. In some unspecified time in the future I finished carrying round encrypted copies of my grasp key. That was my fundamental setup once I migrated to a brand new stronger RSA 3744 bit key with rsa2048 subkeys on a YubiKey NEO back in 2014. At that time, signing different’s OpenPGP keys was a uncommon sufficient incidence that I settled with bringing out my offline machine to carry out this operation, transferring the general public key to signal on USB sticks. In 2019 I re-evaluated my OpenPGP setup and ended up making a offline Ed25519 key with subkeys on a FST-01G running Gnuk. My method for signing different’s OpenPGP keys had been nonetheless to carry out my offline machine and signal issues utilizing the grasp secret utilizing USB sticks for storage and transport. Which meant I nearly by no means did that, as a result of it took an excessive amount of effort. So my 2019-era Ed25519 key nonetheless solely has a handful of signatures on it, since I had basically stopped signing different’s keys which is the normal means of getting signatures in return.
None of this brought on any important downside for me as a result of I continued to make use of my outdated 2014-era RSA3744 key in parallel with my new 2019-era Ed25519 key, since too many methods didn’t deal with Ed25519. Nevertheless, throughout 2022 this modified, and the one remaining setting that I nonetheless used my RSA3744 key for was in Debian — and they require OpenPGP signatures on the brand new key to permit it to switch an older key. I used to be in denial about this sub-optimal resolution throughout 2022 and endured its sensible penalties, having to make use of the YubiKey NEO (which I had changed with a completely inserted YubiKey Nano sooner or later) for Debian-related functions alone.
In December 2022 I bought a new laptop and setup a FST-01SZ with my Ed25519 key, and whereas I’ve taken a trip from Debian, I proceed to increase the expiration interval on the outdated RSA3744-key in case I’ll ever have to make use of it once more, so the general OpenPGP setup was nonetheless sub-optimal. Having two legitimate OpenPGP keys on the similar time causes individuals to make use of each for e-mail encryption (main me to have to make use of each units), and the WKD Key Discovery protocol doesn’t like two legitimate keys both. At FOSDEM’23 I bumped into Andre Heinecke at GnuPG and I couldn’t assist complain about how complicated and unsatisfying all OpenPGP-related issues had been, and he mildly ignored my rant and requested why I didn’t put the grasp key on one other smartcard. The remark sunk in once I got here residence, and lately I linked all of the dots and this submit is a abstract of what I did to maneuver my offline OpenPGP grasp key to a Nitrokey Begin.
First a phrase about system alternative, I nonetheless favor to make use of {hardware} units which can be as appropriate with free software program as potential, however the FST-01G or FST-01SZ are not simply accessible for buy. I obtained a remark about Nitrokey start in my last post, and had two of them accessible to experiment with. There are issues to dislike with the Nitrokey Begin in comparison with the YubiKey (e.g., relative insecure bodily structure, the bulkier type issue and lack of FIDO/U2F/OATH help) however – so far as I do know – there is no such thing as a extra extensively accessible owner-controlled system that’s manufactured for an supposed goal of implementing an OpenPGP card. Thus it hits the candy spot for me.
Step one is to run newest firmware on the Nitrokey Begin – for bug-fixes and important OpenSSH 9.0 compatibility – and there are reproducible-built firmware printed that you just can install utilizing pynitrokey. I run Trisquel 11 aramo on my laptop computer, which doesn’t embody the Python Pip bundle (seemingly as a result of it promotes putting in non-free software program) in order that was a slight complication. Constructing the firmware domestically could have labored, and I want to try this ultimately to verify the printed firmware, nonetheless to save lots of time I settled with putting in the Ubuntu 22.04 packages on my machine:
$ sha256sum python3-pip*
ded6b3867a4a4cbaff0940cab366975d6aeecc76b9f2d2efa3deceb062668b1c python3-pip_22.0.2+dfsg-1ubuntu0.2_all.deb
e1561575130c41dc3309023a345de337e84b4b04c21c74db57f599e267114325 python3-pip-whl_22.0.2+dfsg-1ubuntu0.2_all.deb
$ doas dpkg -i python3-pip*
...
$ doas apt set up -f
...
$
Set up pynitrokey downloaded a bunch of dependencies, and it will be good to audit the license and safety vulnerabilities for every of them.
jas@kaka:~$ pip3 set up --user pynitrokey Accumulating pynitrokey Downloading pynitrokey-0.4.34-py3-none-any.whl (572 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 572.3/572.3 KB 5.8 MB/s eta 0:00:00 Accumulating frozendict~=2.3.4 Downloading frozendict-2.3.5-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (113 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 113.4/113.4 KB 5.3 MB/s eta 0:00:00 Requirement already glad: click on<9,>=8.0.0 in /usr/lib/python3/dist-packages (from pynitrokey) (8.0.3) Accumulating ecdsa Downloading ecdsa-0.18.0-py2.py3-none-any.whl (142 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 142.9/142.9 KB 6.0 MB/s eta 0:00:00 Accumulating python-dateutil~=2.7.0 Downloading python_dateutil-2.7.5-py2.py3-none-any.whl (225 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 225.7/225.7 KB 7.4 MB/s eta 0:00:00 Accumulating fido2<2,>=1.1.0 Downloading fido2-1.1.0-py3-none-any.whl (201 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 201.1/201.1 KB 5.5 MB/s eta 0:00:00 Accumulating tlv8 Downloading tlv8-0.10.0.tar.gz (16 kB) Getting ready metadata (setup.py) ... finished Requirement already glad: certifi>=14.5.14 in /usr/lib/python3/dist-packages (from pynitrokey) (2020.6.20) Requirement already glad: pyusb in /usr/lib/python3/dist-packages (from pynitrokey) (1.2.1.post1) Accumulating urllib3~=1.26.7 Downloading urllib3-1.26.15-py2.py3-none-any.whl (140 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 140.9/140.9 KB 6.8 MB/s eta 0:00:00 Accumulating spsdk<1.8.0,>=1.7.0 Downloading spsdk-1.7.1-py3-none-any.whl (684 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 684.7/684.7 KB 8.3 MB/s eta 0:00:00 Accumulating typing_extensions~=4.3.0 Downloading typing_extensions-4.3.0-py3-none-any.whl (25 kB) Requirement already glad: cryptography<37,>=3.4.4 in /usr/lib/python3/dist-packages (from pynitrokey) (3.4.8) Accumulating intelhex Downloading intelhex-2.3.0-py2.py3-none-any.whl (50 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 50.9/50.9 KB 4.9 MB/s eta 0:00:00 Accumulating nkdfu Downloading nkdfu-0.2-py3-none-any.whl (16 kB) Requirement already glad: requests in /usr/lib/python3/dist-packages (from pynitrokey) (2.25.1) Accumulating tqdm Downloading tqdm-4.65.0-py3-none-any.whl (77 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 77.1/77.1 KB 5.4 MB/s eta 0:00:00 Accumulating nrfutil<7,>=6.1.4 Downloading nrfutil-6.1.7.tar.gz (845 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 845.3/845.3 KB 7.1 MB/s eta 0:00:00 Getting ready metadata (setup.py) ... finished Requirement already glad: cffi in /usr/lib/python3/dist-packages (from pynitrokey) (1.15.0) Accumulating crcmod Downloading crcmod-1.7.tar.gz (89 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 89.7/89.7 KB 3.9 MB/s eta 0:00:00 Getting ready metadata (setup.py) ... finished Accumulating libusb1==1.9.3 Downloading libusb1-1.9.3-py3-none-any.whl (60 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 60.5/60.5 KB 3.7 MB/s eta 0:00:00 Accumulating pc_ble_driver_py>=0.16.4 Downloading pc_ble_driver_py-0.17.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (2.9 MB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.9/2.9 MB 8.2 MB/s eta 0:00:00 Accumulating piccata Downloading piccata-2.0.3-py3-none-any.whl (21 kB) Accumulating protobuf<4.0.0,>=3.17.3 Downloading protobuf-3.20.3-cp310-cp310-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (1.1 MB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.1/1.1 MB 8.0 MB/s eta 0:00:00 Accumulating pyserial Downloading pyserial-3.5-py2.py3-none-any.whl (90 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 90.6/90.6 KB 4.7 MB/s eta 0:00:00 Accumulating pyspinel>=1.0.0a3 Downloading pyspinel-1.0.3.tar.gz (58 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 58.7/58.7 KB 3.7 MB/s eta 0:00:00 Getting ready metadata (setup.py) ... finished Requirement already glad: pyyaml in /usr/lib/python3/dist-packages (from nrfutil<7,>=6.1.4->pynitrokey) (5.4.1) Requirement already glad: six>=1.5 in /usr/lib/python3/dist-packages (from python-dateutil~=2.7.0->pynitrokey) (1.16.0) Accumulating pylink-square<0.11.9,>=0.8.2 Downloading pylink_square-0.11.1-py2.py3-none-any.whl (78 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 78.4/78.4 KB 5.0 MB/s eta 0:00:00 Accumulating jinja2<3.1,>=2.11 Downloading Jinja2-3.0.3-py3-none-any.whl (133 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 133.6/133.6 KB 6.7 MB/s eta 0:00:00 Accumulating bincopy<17.11,>=17.10.2 Downloading bincopy-17.10.3-py3-none-any.whl (17 kB) Accumulating fastjsonschema>=2.15.1 Downloading fastjsonschema-2.16.3-py3-none-any.whl (23 kB) Accumulating astunparse<2,>=1.6 Downloading astunparse-1.6.3-py2.py3-none-any.whl (12 kB) Accumulating oscrypto~=1.2 Downloading oscrypto-1.3.0-py2.py3-none-any.whl (194 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 194.6/194.6 KB 7.3 MB/s eta 0:00:00 Accumulating deepmerge==0.3.0 Downloading deepmerge-0.3.0-py2.py3-none-any.whl (7.6 kB) Accumulating pyocd<=0.31.0,>=0.28.3 Downloading pyocd-0.31.0-py3-none-any.whl (12.5 MB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 12.5/12.5 MB 3.9 MB/s eta 0:00:00 Accumulating click-option-group<0.6,>=0.3.0 Downloading click_option_group-0.5.5-py3-none-any.whl (12 kB) Accumulating pycryptodome<4,>=3.9.3 Downloading pycryptodome-3.17-cp35-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (2.1 MB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 7.9 MB/s eta 0:00:00 Accumulating pyocd-pemicro<1.2.0,>=1.1.1 Downloading pyocd_pemicro-1.1.5-py3-none-any.whl (9.0 kB) Requirement already glad: colorama<1,>=0.4.4 in /usr/lib/python3/dist-packages (from spsdk<1.8.0,>=1.7.0->pynitrokey) (0.4.4) Accumulating commentjson<1,>=0.9 Downloading commentjson-0.9.0.tar.gz (8.7 kB) Getting ready metadata (setup.py) ... finished Requirement already glad: asn1crypto<2,>=1.2 in /usr/lib/python3/dist-packages (from spsdk<1.8.0,>=1.7.0->pynitrokey) (1.4.0) Accumulating pypemicro<0.2.0,>=0.1.9 Downloading pypemicro-0.1.11-py3-none-any.whl (5.7 MB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 5.7/5.7 MB 8.8 MB/s eta 0:00:00 Accumulating libusbsio>=2.1.11 Downloading libusbsio-2.1.11-py3-none-any.whl (247 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 247.1/247.1 KB 7.9 MB/s eta 0:00:00 Accumulating sly==0.4 Downloading sly-0.4.tar.gz (60 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 60.6/60.6 KB 5.1 MB/s eta 0:00:00 Getting ready metadata (setup.py) ... finished Accumulating ruamel.yaml<0.18.0,>=0.17 Downloading ruamel.yaml-0.17.21-py3-none-any.whl (109 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 109.5/109.5 KB 4.2 MB/s eta 0:00:00 Accumulating cmsis-pack-manager<0.3.0 Downloading cmsis_pack_manager-0.2.10-py2.py3-none-manylinux1_x86_64.whl (25.1 MB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 25.1/25.1 MB 8.5 MB/s eta 0:00:00 Accumulating click-command-tree==1.1.0 Downloading click_command_tree-1.1.0-py3-none-any.whl (3.6 kB) Requirement already glad: bitstring<3.2,>=3.1 in /usr/lib/python3/dist-packages (from spsdk<1.8.0,>=1.7.0->pynitrokey) (3.1.7) Accumulating hexdump~=3.3 Downloading hexdump-3.3.zip (12 kB) Getting ready metadata (setup.py) ... finished Accumulating fireplace Downloading fire-0.5.0.tar.gz (88 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 88.3/88.3 KB 4.7 MB/s eta 0:00:00 Getting ready metadata (setup.py) ... finished Requirement already glad: wheel<1.0,>=0.23.0 in /usr/lib/python3/dist-packages (from astunparse<2,>=1.6->spsdk<1.8.0,>=1.7.0->pynitrokey) (0.37.1) Accumulating humanfriendly Downloading humanfriendly-10.0-py2.py3-none-any.whl (86 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 86.8/86.8 KB 4.6 MB/s eta 0:00:00 Accumulating argparse-addons>=0.4.0 Downloading argparse_addons-0.12.0-py3-none-any.whl (3.3 kB) Accumulating pyelftools Downloading pyelftools-0.29-py2.py3-none-any.whl (174 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 174.3/174.3 KB 4.1 MB/s eta 0:00:00 Accumulating milksnake>=0.1.2 Downloading milksnake-0.1.5-py2.py3-none-any.whl (9.6 kB) Requirement already glad: appdirs>=1.4 in /usr/lib/python3/dist-packages (from cmsis-pack-manager<0.3.0->spsdk<1.8.0,>=1.7.0->pynitrokey) (1.4.4) Accumulating lark-parser<0.8.0,>=0.7.1 Downloading lark-parser-0.7.8.tar.gz (276 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 276.2/276.2 KB 6.6 MB/s eta 0:00:00 Getting ready metadata (setup.py) ... finished Requirement already glad: MarkupSafe>=2.0 in /usr/lib/python3/dist-packages (from jinja2<3.1,>=2.11->spsdk<1.8.0,>=1.7.0->pynitrokey) (2.0.1) Accumulating asn1crypto<2,>=1.2 Downloading asn1crypto-1.5.1-py2.py3-none-any.whl (105 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 105.0/105.0 KB 6.8 MB/s eta 0:00:00 Accumulating wrapt Downloading wrapt-1.15.0-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (78 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 78.4/78.4 KB 4.6 MB/s eta 0:00:00 Accumulating future Downloading future-0.18.3.tar.gz (840 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 840.9/840.9 KB 7.1 MB/s eta 0:00:00 Getting ready metadata (setup.py) ... finished Accumulating psutil>=5.2.2 Downloading psutil-5.9.4-cp36-abi3-manylinux_2_12_x86_64.manylinux2010_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (280 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 280.2/280.2 KB 6.1 MB/s eta 0:00:00 Accumulating capstone<5.0,>=4.0 Downloading capstone-4.0.2-py2.py3-none-manylinux1_x86_64.whl (2.1 MB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 7.0 MB/s eta 0:00:00 Accumulating naturalsort<2.0,>=1.5 Downloading naturalsort-1.5.1.tar.gz (7.4 kB) Getting ready metadata (setup.py) ... finished Accumulating prettytable<3.0,>=2.0 Downloading prettytable-2.5.0-py3-none-any.whl (24 kB) Accumulating intervaltree<4.0,>=3.0.2 Downloading intervaltree-3.1.0.tar.gz (32 kB) Getting ready metadata (setup.py) ... finished Accumulating ruamel.yaml.clib>=0.2.6 Downloading ruamel.yaml.clib-0.2.7-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.manylinux_2_24_x86_64.whl (485 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 485.6/485.6 KB 7.4 MB/s eta 0:00:00 Accumulating termcolor Downloading termcolor-2.2.0-py3-none-any.whl (6.6 kB) Accumulating sortedcontainers<3.0,>=2.0 Downloading sortedcontainers-2.4.0-py2.py3-none-any.whl (29 kB) Requirement already glad: wcwidth in /usr/lib/python3/dist-packages (from prettytable<3.0,>=2.0->pyocd<=0.31.0,>=0.28.3->spsdk<1.8.0,>=1.7.0->pynitrokey) (0.2.5) Constructing wheels for collected packages: nrfutil, crcmod, sly, tlv8, commentjson, hexdump, pyspinel, fireplace, intervaltree, lark-parser, naturalsort, future Constructing wheel for nrfutil (setup.py) ... finished Created wheel for nrfutil: filename=nrfutil-6.1.7-py3-none-any.whl dimension=898520 sha256=de6f8803f51d6c26d24dc7df6292064a468ff3f389d73370433fde5582b84a10 Saved in listing: /residence/jas/.cache/pip/wheels/39/2b/9b/98ab2dd716da746290e6728bdb557b14c1c9a54cb9ed86e13b Constructing wheel for crcmod (setup.py) ... finished Created wheel for crcmod: filename=crcmod-1.7-cp310-cp310-linux_x86_64.whl dimension=31422 sha256=5149ac56fcbfa0606760eef5220fcedc66be560adf68cf38c604af3ad0e4a8b0 Saved in listing: /residence/jas/.cache/pip/wheels/85/4c/07/72215c529bd59d67e3dac29711d7aba1b692f543c808ba9e86 Constructing wheel for sly (setup.py) ... finished Created wheel for sly: filename=sly-0.4-py3-none-any.whl dimension=27352 sha256=f614e413918de45c73d1e9a8dca61ca07dc760d9740553400efc234c891f7fde Saved in listing: /residence/jas/.cache/pip/wheels/a2/23/4a/6a84282a0d2c29f003012dc565b3126e427972e8b8157ea51f Constructing wheel for tlv8 (setup.py) ... finished Created wheel for tlv8: filename=tlv8-0.10.0-py3-none-any.whl dimension=11266 sha256=3ec8b3c45977a3addbc66b7b99e1d81b146607c3a269502b9b5651900a0e2d08 Saved in listing: /residence/jas/.cache/pip/wheels/e9/35/86/66a473cc2abb0c7f21ed39c30a3b2219b16bd2cdb4b33cfc2c Constructing wheel for commentjson (setup.py) ... finished Created wheel for commentjson: filename=commentjson-0.9.0-py3-none-any.whl dimension=12092 sha256=28b6413132d6d7798a18cf8c76885dc69f676ea763ffcb08775a3c2c43444f4a Saved in listing: /residence/jas/.cache/pip/wheels/7d/90/23/6358a234ca5b4ec0866d447079b97fedf9883387d1d7d074e5 Constructing wheel for hexdump (setup.py) ... finished Created wheel for hexdump: filename=hexdump-3.3-py3-none-any.whl dimension=8913 sha256=79dfadd42edbc9acaeac1987464f2df4053784fff18b96408c1309b74fd09f50 Saved in listing: /residence/jas/.cache/pip/wheels/26/28/f7/f47d7ecd9ae44c4457e72c8bb617ef18ab332ee2b2a1047e87 Constructing wheel for pyspinel (setup.py) ... finished Created wheel for pyspinel: filename=pyspinel-1.0.3-py3-none-any.whl dimension=65033 sha256=01dc27f81f28b4830a0cf2336dc737ef309a1287fcf33f57a8a4c5bed3b5f0a6 Saved in listing: /residence/jas/.cache/pip/wheels/95/ec/4b/6e3e2ee18e7292d26a65659f75d07411a6e69158bb05507590 Constructing wheel for fireplace (setup.py) ... finished Created wheel for fireplace: filename=fire-0.5.0-py2.py3-none-any.whl dimension=116951 sha256=3d288585478c91a6914629eb739ea789828eb2d0267febc7c5390cb24ba153e8 Saved in listing: /residence/jas/.cache/pip/wheels/90/d4/f7/9404e5db0116bd4d43e5666eaa3e70ab53723e1e3ea40c9a95 Constructing wheel for intervaltree (setup.py) ... finished Created wheel for intervaltree: filename=intervaltree-3.1.0-py2.py3-none-any.whl dimension=26119 sha256=5ff1def22ba883af25c90d90ef7c6518496fcd47dd2cbc53a57ec04cd60dc21d Saved in listing: /residence/jas/.cache/pip/wheels/fa/80/8c/43488a924a046b733b64de3fac99252674c892a4c3801c0a61 Constructing wheel for lark-parser (setup.py) ... finished Created wheel for lark-parser: filename=lark_parser-0.7.8-py2.py3-none-any.whl dimension=62527 sha256=3d2ec1d0f926fc2688d40777f7ef93c9986f874169132b1af590b6afc038f4be Saved in listing: /residence/jas/.cache/pip/wheels/29/30/94/33e8b58318aa05cb1842b365843036e0280af5983abb966b83 Constructing wheel for naturalsort (setup.py) ... finished Created wheel for naturalsort: filename=naturalsort-1.5.1-py3-none-any.whl dimension=7526 sha256=bdecac4a49f2416924548cae6c124c85d5333e9e61c563232678ed182969d453 Saved in listing: /residence/jas/.cache/pip/wheels/a6/8e/c9/98cfa614fff2979b457fa2d9ad45ec85fa417e7e3e2e43be51 Constructing wheel for future (setup.py) ... finished Created wheel for future: filename=future-0.18.3-py3-none-any.whl dimension=492037 sha256=57a01e68feca2b5563f5f624141267f399082d2f05f55886f71b5d6e6cf2b02c Saved in listing: /residence/jas/.cache/pip/wheels/5e/a9/47/f118e66afd12240e4662752cc22cefae5d97275623aa8ef57d Efficiently constructed nrfutil crcmod sly tlv8 commentjson hexdump pyspinel fireplace intervaltree lark-parser naturalsort future Putting in collected packages: tlv8, sortedcontainers, sly, pyserial, pyelftools, piccata, naturalsort, libusb1, lark-parser, intelhex, hexdump, fastjsonschema, crcmod, asn1crypto, wrapt, urllib3, typing_extensions, tqdm, termcolor, ruamel.yaml.clib, python-dateutil, pyspinel, pypemicro, pycryptodome, psutil, protobuf, prettytable, oscrypto, milksnake, libusbsio, jinja2, intervaltree, humanfriendly, future, frozendict, fido2, ecdsa, deepmerge, commentjson, click-option-group, click-command-tree, capstone, astunparse, argparse-addons, ruamel.yaml, pyocd-pemicro, pylink-square, pc_ble_driver_py, fireplace, cmsis-pack-manager, bincopy, pyocd, nrfutil, nkdfu, spsdk, pynitrokey WARNING: The scripts pyserial-miniterm and pyserial-ports are put in in '/residence/jas/.native/bin' which isn't on PATH. Contemplate including this listing to PATH or, should you favor to suppress this warning, use --no-warn-script-location. WARNING: The script tqdm is put in in '/residence/jas/.native/bin' which isn't on PATH. Contemplate including this listing to PATH or, should you favor to suppress this warning, use --no-warn-script-location. WARNING: The script humanfriendly is put in in '/residence/jas/.native/bin' which isn't on PATH. Contemplate including this listing to PATH or, should you favor to suppress this warning, use --no-warn-script-location. WARNING: The scripts futurize and pasteurize are put in in '/residence/jas/.native/bin' which isn't on PATH. Contemplate including this listing to PATH or, should you favor to suppress this warning, use --no-warn-script-location. WARNING: The script pylink is put in in '/residence/jas/.native/bin' which isn't on PATH. Contemplate including this listing to PATH or, should you favor to suppress this warning, use --no-warn-script-location. WARNING: The script pack-manager is put in in '/residence/jas/.native/bin' which isn't on PATH. Contemplate including this listing to PATH or, should you favor to suppress this warning, use --no-warn-script-location. WARNING: The script bincopy is put in in '/residence/jas/.native/bin' which isn't on PATH. Contemplate including this listing to PATH or, should you favor to suppress this warning, use --no-warn-script-location. WARNING: The scripts pyocd and pyocd-gdbserver are put in in '/residence/jas/.native/bin' which isn't on PATH. Contemplate including this listing to PATH or, should you favor to suppress this warning, use --no-warn-script-location. WARNING: The script nrfutil is put in in '/residence/jas/.native/bin' which isn't on PATH. Contemplate including this listing to PATH or, should you favor to suppress this warning, use --no-warn-script-location. WARNING: The script nkdfu is put in in '/residence/jas/.native/bin' which isn't on PATH. Contemplate including this listing to PATH or, should you favor to suppress this warning, use --no-warn-script-location. WARNING: The scripts blhost, elftosb, nxpcertgen, nxpcrypto, nxpdebugmbox, nxpdevhsm, nxpdevscan, nxpimage, nxpkeygen, pfr, pfrc, sdphost, sdpshost, shadowregs, spsdk, tpconfig and tphost are put in in '/residence/jas/.native/bin' which isn't on PATH. Contemplate including this listing to PATH or, should you favor to suppress this warning, use --no-warn-script-location. WARNING: The script nitropy is put in in '/residence/jas/.native/bin' which isn't on PATH. Contemplate including this listing to PATH or, should you favor to suppress this warning, use --no-warn-script-location. Efficiently put in argparse-addons-0.12.0 asn1crypto-1.5.1 astunparse-1.6.3 bincopy-17.10.3 capstone-4.0.2 click-command-tree-1.1.0 click-option-group-0.5.5 cmsis-pack-manager-0.2.10 commentjson-0.9.0 crcmod-1.7 deepmerge-0.3.0 ecdsa-0.18.0 fastjsonschema-2.16.3 fido2-1.1.0 fire-0.5.0 frozendict-2.3.5 future-0.18.3 hexdump-3.3 humanfriendly-10.0 intelhex-2.3.0 intervaltree-3.1.0 jinja2-3.0.3 lark-parser-0.7.8 libusb1-1.9.3 libusbsio-2.1.11 milksnake-0.1.5 naturalsort-1.5.1 nkdfu-0.2 nrfutil-6.1.7 oscrypto-1.3.0 pc_ble_driver_py-0.17.0 piccata-2.0.3 prettytable-2.5.0 protobuf-3.20.3 psutil-5.9.4 pycryptodome-3.17 pyelftools-0.29 pylink-square-0.11.1 pynitrokey-0.4.34 pyocd-0.31.0 pyocd-pemicro-1.1.5 pypemicro-0.1.11 pyserial-3.5 pyspinel-1.0.3 python-dateutil-2.7.5 ruamel.yaml-0.17.21 ruamel.yaml.clib-0.2.7 sly-0.4 sortedcontainers-2.4.0 spsdk-1.7.1 termcolor-2.2.0 tlv8-0.10.0 tqdm-4.65.0 typing_extensions-4.3.0 urllib3-1.26.15 wrapt-1.15.0 jas@kaka:~$
Then upgrading the system labored outstanding nicely, though I want that the software would have printed URLs and checksums for the firmware recordsdata to permit simple affirmation.
jas@kaka:~$ PATH=$PATH:/residence/jas/.native/bin jas@kaka:~$ nitropy begin checklist Command line software to work together with Nitrokey units 0.4.34 :: 'Nitrokey Begin' keys: FSIJ-1.2.15-5D271572: Nitrokey Nitrokey Begin (RTM.12.1-RC2-modified) jas@kaka:~$ nitropy begin replace Command line software to work together with Nitrokey units 0.4.34 Nitrokey Begin firmware replace software Platform: Linux-5.15.0-67-generic-x86_64-with-glibc2.35 System: Linux, is_linux: True Python: 3.10.6 Saving run log to: /tmp/nitropy.log.gc5753a8 Admin PIN: Firmware knowledge for use: - FirmwareType.REGNUAL: 4408, hash: ...b'72a30389' legitimate (from ...constructed/RTM.13/regnual.bin) - FirmwareType.GNUK: 129024, hash: ...b'25a4289b' legitimate (from ...prebuilt/RTM.13/gnuk.bin) At present linked system strings: Gadget: Vendor: Nitrokey Product: Nitrokey Begin Serial: FSIJ-1.2.15-5D271572 Revision: RTM.12.1-RC2-modified Config: *:*:8e82 Sys: 3.0 Board: NITROKEY-START-G preliminary system strings: [{'name': '', 'Vendor': 'Nitrokey', 'Product': 'Nitrokey Start', 'Serial': 'FSIJ-1.2.15-5D271572', 'Revision': 'RTM.12.1-RC2-modified', 'Config': '*:*:8e82', 'Sys': '3.0', 'Board': 'NITROKEY-START-G'}] Please word: - Newest firmware accessible is: RTM.13 (printed: 2022-12-08T10:59:11Z) - offered firmware: None - all knowledge will likely be faraway from the system! - don't interrupt replace course of - the system could not run correctly! - the method shouldn't take greater than 1 minute Do you need to proceed? [yes/no]: sure ... Beginning bootloader add process Gadget: Nitrokey Begin FSIJ-1.2.15-5D271572 Linked to the system Working replace! Do NOT take away the system from the USB slot, till additional discover Downloading flash improve program... Executing flash improve... Ready for system to look: Wait 20 seconds..... Downloading this system Defending system End flashing Resetting system Replace process completed. Gadget may very well be faraway from USB slot. At present linked system strings (after improve): Gadget: Vendor: Nitrokey Product: Nitrokey Begin Serial: FSIJ-1.2.19-5D271572 Revision: RTM.13 Config: *:*:8e82 Sys: 3.0 Board: NITROKEY-START-G system can now be safely faraway from the USB slot last system strings: [{'name': '', 'Vendor': 'Nitrokey', 'Product': 'Nitrokey Start', 'Serial': 'FSIJ-1.2.19-5D271572', 'Revision': 'RTM.13', 'Config': '*:*:8e82', 'Sys': '3.0', 'Board': 'NITROKEY-START-G'}] ending session 2023-03-16 21:49:07.371291 Log saved to: /tmp/nitropy.log.gc5753a8 jas@kaka:~$ jas@kaka:~$ nitropy begin checklist Command line software to work together with Nitrokey units 0.4.34 :: 'Nitrokey Begin' keys: FSIJ-1.2.19-5D271572: Nitrokey Nitrokey Begin (RTM.13) jas@kaka:~$
Earlier than importing the grasp key to this system, it ought to be configured. Notice the instructions to start with to verify scdaemon/pcscd just isn’t working as a result of they might have cached state from earlier playing cards. Change PIN code as you want after this, my expertise with Gnuk was that the Admin PIN needed to be modified first, then you definately import the important thing, and then you definately change the PIN.
jas@kaka:~$ gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye OK ERR 67125247 Slut på fil <GPG Agent> jas@kaka:~$ ps auxww|grep -e pcsc -e scd jas 11651 0.0 0.0 3468 1672 pts/0 R+ 21:54 0:00 grep --color=auto -e pcsc -e scd jas@kaka:~$ gpg --card-edit Reader ...........: 20A0:4211:FSIJ-1.2.19-5D271572:0 Utility ID ...: D276000124010200FFFE5D2715720000 Utility kind .: OpenPGP Model ..........: 2.0 Producer .....: unmanaged S/N vary Serial quantity ....: 5D271572 Identify of cardholder: [not set] Language prefs ...: [not set] Salutation .......: URL of public key : [not set] Login knowledge .......: [not set] Signature PIN ....: compelled Key attributes ...: rsa2048 rsa2048 rsa2048 Max. PIN lengths .: 127 127 127 PIN retry counter : 3 3 3 Signature counter : 0 KDF setting ......: off Signature key ....: [none] Encryption key....: [none] Authentication key: [none] Basic key information..: [none] gpg/card> admin Admin instructions are allowed gpg/card> kdf-setup gpg/card> passwd gpg: OpenPGP card no. D276000124010200FFFE5D2715720000 detected 1 - change PIN 2 - unblock PIN 3 - change Admin PIN 4 - set the Reset Code Q - give up Your choice? 3 PIN modified. 1 - change PIN 2 - unblock PIN 3 - change Admin PIN 4 - set the Reset Code Q - give up Your choice? q gpg/card> title Cardholder's surname: Josefsson Cardholder's given title: Simon gpg/card> lang Language preferences: sv gpg/card> intercourse Salutation (M = Mr., F = Ms., or house): m gpg/card> login Login knowledge (account title): jas gpg/card> url URL to retrieve public key: https://josefsson.org/key-20190320.txt gpg/card> forcesig gpg/card> key-attr Altering card key attribute for: Signature key Please choose what sort of key you need: (1) RSA (2) ECC Your choice? 2 Please choose which elliptic curve you need: (1) Curve 25519 (4) NIST P-384 Your choice? 1 The cardboard will now be re-configured to generate a key of kind: ed25519 Notice: There isn't a assure that the cardboard helps the requested dimension. If the important thing technology doesn't succeed, please examine the documentation of your card to see what sizes are allowed. Altering card key attribute for: Encryption key Please choose what sort of key you need: (1) RSA (2) ECC Your choice? 2 Please choose which elliptic curve you need: (1) Curve 25519 (4) NIST P-384 Your choice? 1 The cardboard will now be re-configured to generate a key of kind: cv25519 Altering card key attribute for: Authentication key Please choose what sort of key you need: (1) RSA (2) ECC Your choice? 2 Please choose which elliptic curve you need: (1) Curve 25519 (4) NIST P-384 Your choice? 1 The cardboard will now be re-configured to generate a key of kind: ed25519 gpg/card> jas@kaka:~$ gpg --card-edit Reader ...........: 20A0:4211:FSIJ-1.2.19-5D271572:0 Utility ID ...: D276000124010200FFFE5D2715720000 Utility kind .: OpenPGP Model ..........: 2.0 Producer .....: unmanaged S/N vary Serial quantity ....: 5D271572 Identify of cardholder: Simon Josefsson Language prefs ...: sv Salutation .......: Mr. URL of public key : https://josefsson.org/key-20190320.txt Login knowledge .......: jas Signature PIN ....: not compelled Key attributes ...: ed25519 cv25519 ed25519 Max. PIN lengths .: 127 127 127 PIN retry counter : 3 3 3 Signature counter : 0 KDF setting ......: on Signature key ....: [none] Encryption key....: [none] Authentication key: [none] Basic key information..: [none] jas@kaka:~$
As soon as setup, carry out your offline machine and boot it and mount your USB stick to the offline key. The paths beneath will likely be totally different, and that is utilizing a considerably unorthodox method of working with contemporary GnuPG configuration paths that I chose for the USB stick.
jas@kaka:/media/jas/2c699cbd-b77e-4434-a0d6-0c4965864296$ cp -a gnupghome-backup-masterkey gnupghome-import-nitrokey-5D271572 jas@kaka:/media/jas/2c699cbd-b77e-4434-a0d6-0c4965864296$ gpg --homedir $PWD/gnupghome-import-nitrokey-5D271572 --edit-key B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software program Basis, Inc. That is free software program: you might be free to alter and redistribute it. There's NO WARRANTY, to the extent permitted by legislation. Secret secret is accessible. sec ed25519/D73CF638C53C06BE created: 2019-03-20 expired: 2019-10-22 utilization: SC belief: final validity: expired [ expired] (1). Simon Josefsson <simon@josefsson.org> gpg> keytocard Actually transfer the first key? (y/N) y Please choose the place to retailer the important thing: (1) Signature key (3) Authentication key Your choice? 1 sec ed25519/D73CF638C53C06BE created: 2019-03-20 expired: 2019-10-22 utilization: SC belief: final validity: expired [ expired] (1). Simon Josefsson <simon@josefsson.org> gpg> Save adjustments? (y/N) y jas@kaka:/media/jas/2c699cbd-b77e-4434-a0d6-0c4965864296$
At this level it’s helpful to verify that the Nitrokey has the grasp key accessible and that’s potential to signal statements with it, again in your common machine:
jas@kaka:~$ gpg --card-status Reader ...........: 20A0:4211:FSIJ-1.2.19-5D271572:0 Utility ID ...: D276000124010200FFFE5D2715720000 Utility kind .: OpenPGP Model ..........: 2.0 Producer .....: unmanaged S/N vary Serial quantity ....: 5D271572 Identify of cardholder: Simon Josefsson Language prefs ...: sv Salutation .......: Mr. URL of public key : https://josefsson.org/key-20190320.txt Login knowledge .......: jas Signature PIN ....: not compelled Key attributes ...: ed25519 cv25519 ed25519 Max. PIN lengths .: 127 127 127 PIN retry counter : 3 3 3 Signature counter : 1 KDF setting ......: on Signature key ....: B1D2 BD13 75BE CB78 4CF4 F8C4 D73C F638 C53C 06BE created ....: 2019-03-20 23:37:24 Encryption key....: [none] Authentication key: [none] Basic key information..: pub ed25519/D73CF638C53C06BE 2019-03-20 Simon Josefsson <simon@josefsson.org> sec> ed25519/D73CF638C53C06BE created: 2019-03-20 expires: 2023-09-19 card-no: FFFE 5D271572 ssb> ed25519/80260EE8A9B92B2B created: 2019-03-20 expires: 2023-09-19 card-no: FFFE 42315277 ssb> ed25519/51722B08FE4745A2 created: 2019-03-20 expires: 2023-09-19 card-no: FFFE 42315277 ssb> cv25519/02923D7EE76EBD60 created: 2019-03-20 expires: 2023-09-19 card-no: FFFE 42315277 jas@kaka:~$ echo foo|gpg -a --sign|gpg --verify gpg: Signature made Thu Mar 16 22:11:02 2023 CET gpg: utilizing EDDSA key B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE gpg: Good signature from "Simon Josefsson <simon@josefsson.org>" [ultimate] jas@kaka:~$
Lastly to retrieve and signal a key, for instance Andre Heinecke’s that I may affirm the OpenPGP key identifier from his enterprise card.
jas@kaka:~$ gpg --locate-external-keys aheinecke@gnupg.com gpg: key 1FDF723CF462B6B1: public key "Andre Heinecke <aheinecke@gnupg.com>" imported gpg: Whole quantity processed: 1 gpg: imported: 1 gpg: marginals wanted: 3 completes wanted: 1 belief mannequin: pgp gpg: depth: 0 legitimate: 2 signed: 7 belief: 0-, 0q, 0n, 0m, 0f, 2u gpg: depth: 1 legitimate: 7 signed: 64 belief: 7-, 0q, 0n, 0m, 0f, 0u gpg: subsequent trustdb examine due at 2023-05-26 pub rsa3072 2015-12-08 [SC] [expires: 2025-12-05] 94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1 uid [ unknown] Andre Heinecke <aheinecke@gnupg.com> sub ed25519 2017-02-13 [S] sub ed25519 2017-02-13 [A] sub rsa3072 2015-12-08 [E] [expires: 2025-12-05] sub rsa3072 2015-12-08 [A] [expires: 2025-12-05] jas@kaka:~$ gpg --edit-key "94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1" gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software program Basis, Inc. That is free software program: you might be free to alter and redistribute it. There's NO WARRANTY, to the extent permitted by legislation. pub rsa3072/1FDF723CF462B6B1 created: 2015-12-08 expires: 2025-12-05 utilization: SC belief: unknown validity: unknown sub ed25519/2978E9D40CBABA5C created: 2017-02-13 expires: by no means utilization: S sub ed25519/DC74D901C8E2DD47 created: 2017-02-13 expires: by no means utilization: A The next key was revoked on 2017-02-23 by RSA key 1FDF723CF462B6B1 Andre Heinecke <aheinecke@gnupg.com> sub cv25519/1FFE3151683260AB created: 2017-02-13 revoked: 2017-02-23 utilization: E sub rsa3072/8CC999BDAA45C71F created: 2015-12-08 expires: 2025-12-05 utilization: E sub rsa3072/6304A4B539CE444A created: 2015-12-08 expires: 2025-12-05 utilization: A [ unknown] (1). Andre Heinecke <aheinecke@gnupg.com> gpg> signal pub rsa3072/1FDF723CF462B6B1 created: 2015-12-08 expires: 2025-12-05 utilization: SC belief: unknown validity: unknown Major key fingerprint: 94A5 C9A0 3C2F E5CA 3B09 5D8E 1FDF 723C F462 B6B1 Andre Heinecke <aheinecke@gnupg.com> This key is because of expire on 2025-12-05. Are you certain that you just need to signal this key together with your key "Simon Josefsson <simon@josefsson.org>" (D73CF638C53C06BE) Actually signal? (y/N) y gpg> give up Save adjustments? (y/N) y jas@kaka:~$
That is on my day-to-day machine, utilizing the NitroKey Begin with the offline key. No have to boot the outdated offline machine simply to signal keys or prolong expiry anymore! At FOSDEM’23 I managed to get at the very least one DD signature on my new key, and the Debian keyring maintainers accepted my Ed25519 key. Hopefully I can now lastly let my 2014-era RSA3744 key expire in 2023-09-19 and never prolong it any additional. This could end my transition to a less complicated OpenPGP key setup, yay!