gedankensplitter/gnuk.md
2022-06-09 21:50:05 +02:00

keywords
IT
Security

gpg usage

add to gpg.conf: keyserver hkps://keys.openpgp.org
gpg --refresh-keys

Gnuk

Passport-opensc: https://javacardos.com/tools/passport
Black pill pin: https://user-images.githubusercontent.com/13839872/43411278-5f35afd8-9432-11e8-9385-cdd8d3db298d.png

https://hackaday.io/project/162597/logs is the page mentioning a single free PA pin, PA5; all other pins seem to be PBs. However, chopstx defines the boards and the ack button, so there are two places to patch: within the board definition there is a comment segment, followed (apparently) by a pin definition.

Black Pill change for LED, maybe backport to gnuk: https://github.com/gl-sergei/u2f-token/issues/9#issuecomment-408945987
schematics: https://s14-eu5.startpage.com/cgi-bin/serveimage?url=https:%2F%2Fembdev.net%2Fwikifiles_en%2Fthumb%2F0%2F09%2FStlink-clone-pinout.JPG%2F800px-Stlink-clone-pinout.JPG&sp=d29ef3816d5c329afdec6221d7c4c7ca
[new] https://gist.github.com/rot42/cd6ff46be45f0b7d7cd461a7bcc14d79

----------mailgroup questions----------------
firmware upgrade with public RSA --> loss of all data?
upgrade manual?
get random data from gnuk, more than 32 bytes?
https://raw.githubusercontent.com/comio/comio-overlay/master/app-crypt/scdtools/files/scdrand.service
https://github.com/vletoux/OpenPGP-CSP/issues
https://incenp.org/dvlpt/scdtools.html

echo scd random 32 | gpg-connect-agent | xxd
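The command above returns the raw Assuan reply (a `D ` data line with `%`-escaped bytes, then `OK`), so piping it into `xxd` shows the escaped form, not the random bytes. As an added example that is not part of these notes, the script below decodes the `D` lines and collects more than 32 bytes by repeating the 32-byte `scd random` request; it assumes a running gpg-agent with scdaemon and the token plugged in, and that the token serves 32 bytes per request (hence the chunking).

```python
import subprocess

# Assuan protocol as printed by gpg-connect-agent: returned data comes as
# "D <payload>" lines with '%', CR and LF percent-escaped (%25, %0D, %0A);
# the reply ends with an "OK" or "ERR <code> <text>" status line.

def unescape_assuan(payload: bytes) -> bytes:
    """Undo Assuan percent-escaping in the payload of one D line."""
    out = bytearray()
    i = 0
    while i < len(payload):
        if payload[i] == 0x25 and i + 3 <= len(payload):  # '%XX'
            try:
                out.append(int(payload[i + 1:i + 3], 16))
                i += 3
                continue
            except ValueError:
                pass  # not a valid escape: keep the literal '%'
        out.append(payload[i])
        i += 1
    return bytes(out)

def parse_data_lines(output: bytes) -> bytes:
    """Concatenate the decoded payload of every D line; raise on an ERR status."""
    data = bytearray()
    for line in output.split(b"\n"):  # safe: LF inside data is escaped as %0A
        if line.startswith(b"D "):
            data += unescape_assuan(line[2:])
        elif line.startswith(b"ERR"):
            raise RuntimeError(line.decode(errors="replace"))
    return bytes(data)

def scd_random(nbytes: int, chunk: int = 32) -> bytes:
    """Fetch nbytes from the token by repeating 'scd random <chunk>' (needs gpg-agent + scdaemon)."""
    collected = bytearray()
    while len(collected) < nbytes:
        want = min(chunk, nbytes - len(collected))
        proc = subprocess.run(
            ["gpg-connect-agent", f"scd random {want}", "/bye"],
            capture_output=True, check=True,
        )
        got = parse_data_lines(proc.stdout)
        if not got:
            raise RuntimeError("token returned no data")
        collected += got
    return bytes(collected[:nbytes])

if __name__ == "__main__":
    print(scd_random(64).hex())  # 64 bytes of token randomness, two requests
```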


User PIN only with certificate; admin-less mode with a PIN of more than 8 characters; user PIN at least 6 characters.

---------UPGRADE----------

```
koelner ~/src/gnuk/tool $./upgrade_by_passwd.py ../regnual/regnual.bin ../src/build/gnuk.bin
Admin password: 
../regnual/regnual.bin: 4432
../src/build/gnuk.bin: 111616
CRC32: b548ca7b

Device: 
Configuration: 1
Interface: 0
./upgrade_by_passwd.py:160: DeprecationWarning: tostring() is deprecated. Use tobytes() instead.
  main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
20002a00:20005000
Downloading flash upgrade program...
start 20002a00
end   20003b00
Run flash upgrade program...
Waiting for device to appear:
  Wait 1 second...
  Wait 1 second...
  Wait 1 second...
  Wait 1 second...
  Wait 1 second...
Device: 
08001000:0bfffc00
Downloading the program
start 08001000
end   0801b400
Protecting device
Finish flashing
Resetting device
Update procedure finished
```

```
koelner ~/src/gnuk/tool $./usb_strings.py 
    Vendor: Free Software Initiative of Japan
   Product: Gnuk Token
    Serial: FSIJ-1.2.13-87123119
  Revision: release/1.2.13-1-g3d06051-modified
    Config: ST_DONGLE:dfu=no:debug=no:pinpad=no:certdo=yes:factory_reset=yes
       Sys: 3.0
```

https://github.com/gl-sergei/u2f-token
https://riseup.net/en/security/message-security/openpgp/best-practices

gnuk root key station

rpi zero WH 1.1, CPU cooler, USB-A mod, USB Hub Hat, 1.44" LCD with buttons
Optional hardware: NeuG as TRNG, keyboard, RTC

OS: DietPi
Additionally installed software: vim.tiny, vim, stress, gnupg, libccid, opensc, scdaemon, pinentry-tty, rng-tools [dieharder: http://webhome.phy.duke.edu/~rgb/General/dieharder.php, pam-poldi, keysafe]

activate timedatectl 4, register i2c-rtc and usb-serial, login with dietpi:dietpi


```bash
root@gnupg-root:~# cat hwmon-ds3231.sh
#!/usr/bin/env bash
# Read the DS3231 RTC's on-chip temperature sensor via the hwmon interface
# of the I2C device at address 0x68 on bus i2c-1 (value is in millidegrees C)
rtctemp=$(cat /sys/class/i2c-adapter/i2c-1/1-0068/hwmon/hwmon0/temp1_input)
# Convert millidegrees to degrees (bc -l keeps the fractional part)
rtctemp=$(bc -l <<< "$rtctemp / 1000")
echo "RTC temp = $rtctemp"
```

First run
- Check for RNG pool
- create encrypted storage for the gpg folder [on a removable device]
  - with long passphrase
  - with the master key and PIN (afterwards)
- init gpg settings
- create master key
  - export as QR code for printing (on an SD card, USB stick)
  - copy it to GNUK token
  - N-of-M sharing
  - USB stick
- create hash over gpg folder and sign it
- remount as read-only

Regular basis
- Unmount encrypted storage before update
- update only via terminal (ssh)


[GUI] Main tasks are:
- unlock encrypted storage
- copy revocation certificate to unencrypted storage
- renew the sub key
- copy subkey to GNUK
- lock encrypted storage
- renew disable date

[GUI DEBUG]
- upgrade GNUK firmware
- git update
- git verify
- configure
- make
- upgrade via public key
- reinit GNUK token with saved openpgp data