Closed oajara closed 2 years ago
The original guide I followed, Using PKCS#11 Token With GPG, mentions this:
As of Feb, 2022, the following does not work for me with gnupg-pkcs11-scd-0.9.2-6.fc35. So I compiled gnupg-pkcs11-scd-0.10.0-1.fedorap11.fc35 myself.
So you may want to try using gnupg-pkcs11-scd 0.10.0 instead, and see if that works. I've only tested with a Fedora 36 base image, which has the newer version.
It worked in Fedora 36 after a few tweaks. I had to install (downgrade to) openssl1.1
and also the libjson-c.so.4
library version.
Now, I have a question if I may. My understanding was that the gpg --expert --full-generate-key
created a stub private key without private key material and that the signing operations were made using signing calls to the KMS service through the PKCS11 module. However, this does not seem to be the case since I can create signatures with the imported key without even having AWS credentials in place. What am I missing here?
That's a great - and terrifying! - question.
My first guess is that perhaps there are ambient AWS creds available; if you have a default profile in ~/.aws/config
or you're running on an EC2 instance with an instance role, the provider would automatically try to use those. That seems unlikely but good to rule out.
If that's not it, my second guess is that something about your gpg --expert --full-generate-key
workflow might be generating a new private key, and not actually using the provider as expected. Can you share the specific steps so I can try to repro?
In my own local setup, running on an EC2 instance with role creds, if I replace the kms:Sign
in the role with something else, like kms:UpdateAlias
, then I get this error when I run these commands:
$ gpg --import ~/.gnupg/signing.gpg
$ gpg --card-status
$ gpg --detach-sign "${BOOT_MOUNT}/grub/grub.cfg"
gpg: signing failed: Card error
gpg: signing failed: Card error
If I omit the gpg --card-status
step, then I get:
$ gpg --import ~/.gnupg/signing.gpg
$ gpg --detach-sign "${BOOT_MOUNT}/grub/grub.cfg"
gpg: no default secret key: No secret key
gpg: signing failed: No secret key
That leads to a third guess which is that you might have a "default secret key" that gpg
is using instead.
So, while creating a recipe to reproduce the error it worked as expected! For the record, I will share the bogus process that led me to the confusion:
aws-kms-pkcs11
module tests from a docker container. I granted AWS CLI access in the container by pasting the needed AWS environment variables that I got using aws-vault
in my workstation.Unable to locate credentials. You can configure credentials by running "aws configure".
and that was the reasons I considered the signing shouldn't be allowed anymore. However, the signing still worked normally for some reason.gpg: signing failed: Card error
as expected.However, using plain AWS CLI profiles configuration (with credentials stored in ~/.aws/
) worked as expected. Deleting the ~/.aws/
content would immediately result in signing errors. This behavior makes me think the agent process has it's own copy of the environment variables, therefore unsetting the environment variables after the agent processes are created does not affect the AWS access needed to sign.
Back to this observation:
It worked in Fedora 36 after a few tweaks. I had to install (downgrade to) openssl1.1 and also the libjson-c.so.4 library version.
Did you have to do these tweaks in your Fedora 36 testing environment as well?
Did you have to do these tweaks in your Fedora 36 testing environment as well?
I didn't need to downgrade any packages.
For reference, my environment is now published as the newest versions of the Bottlerocket SDK:
public.ecr.aws/bottlerocket/bottlerocket-sdk-x86_64:v0.27.0
public.ecr.aws/bottlerocket/bottlerocket-sdk-aarch64:v0.27.0
The relevant packages are:
openssl-libs-3.0.5-1.fc36.x86_64
openssl-devel-3.0.5-1.fc36.x86_64
openssl-pkcs11-0.4.12-2.fc36.x86_64
json-c-0.15-3.fc36.x86_64
json-c-devel-0.15-3.fc36.x86_64
The full Dockerfile for this is pretty unwieldy - it's a very large container! - but the relevant build steps can be found in https://github.com/bottlerocket-os/bottlerocket-sdk/commit/d9fc285af739e042af23f7ece2411d0c4a0ed2c2, in case that's helpful.
Thank you very much for your help @bcressey!
Thanks for all the help @bcressey ! Is there anything from this thread we could/should capture in the docs to help folks in the future?
Seems like the usage notes could clarify that gnupg-pkcs11-scd 0.10.0+ is required, though I'm not sure if that was ultimately what resolved the issue.
@oajara do you have any thoughts on what might've helped?
@bcressey gnupg-pkcs11-scd 0.10.0
did not fix the issue in Ubuntu 22.04. I still got the same error at the final step of gpg --expert --full-generate-key
. I switched to a Fedora 36 environment and that problem did not happen.
One thing that might be worth putting here is that if one is using the aws_kms_pkcs11.x86_64.so v0.0.9 file published in the Github release the module will look for the files libcrypto.so.1.1
and libjson-c.so.4
. In Fedora 36 the package openssl1.1
provides libcrypto.so.1.1
. On the other side the json-c
package available is json-c-0.15-3
which provides /usr/lib64/libjson-c.so.5
, therefore my hotfix was creating a symlink /usr/lib64/libjson-c.so.4
-> /usr/lib64/libjson-c.so.5
.
For that category of issues, I am not sure there's a better solution than packaging aws-kms-pkcs11
for the various distros.
Thanks folks! I added a couple of notes to the gpg signing docs.
Hi! First of all, thank you very much for this awesome work!
I'm having issues using GPG with this module. Working with a RSA_4096 key, I'm able to create the certificate and the GPG Agent is able to discover it:
However, when I try to
gpg --expert --full-generate-key
it fails in the last step:Here is the related part in the GPG Agent logs:
And here is a log section of the
gnupg-pkcs11-scd
I think it's related:I attach the full logs for both, GPG Agent and
gnupg-pkcs11-scd
gpg-agent.log gnupg-pkcs11-scd.log
I'm working on an Ubuntu 22.04 system with:
Thanks!