fuhry / initramfs-scencrypt

Arch Linux initramfs hook for smartcard support for LUKS full-disk encryption
MIT License

Fixed --export-secret, set all hashsums to SKIP in PKGBUILD for git #4

Closed: ghost closed this 7 years ago

fuhry commented 8 years ago

Hey, so I just saw this. GitHub is very bad about getting emails out.

Let me test this on a few systems first. I'm fairly certain you need --export-secret-keys, which is only a stub in GPG's local storage if you're using a smartcard.

ghost commented 8 years ago

Nope - that's the reason you can store a URL on OpenPGP cards, so you can download the public key easily on a stranger's computer (or if you use them as part of building security, seen exactly one company do that). Either way, using --export-secret-subkeys will export an unprotected secret key for non-smartcard users (the hook works - with some modifications - for those users too).

fuhry commented 7 years ago

I ended up taking a different approach to this since gpg 2.1.15 has started behaving oddly on my system when I bought a new Yubikey NEO. It refused to allow --export-secret-keys to work. So we are now attempting to export the secret key, and if it returns nothing (egrep '.+' fails) it will use --export.

Unfortunately, they still have not deprecated the stub functionality entirely - keys will still show up in --list-secret-keys even when gpg does not in fact have the secret key on hand. This is incorrect behavior IMHO - gpg --export-secret-keys should work for anything that shows up in --list-secret-keys, but should output a public key block with some flag set indicating a smartcard stub.

Until gpg is able to easily discern between local and smartcard-hosted secret keys the behavior will remain the same for now, including (unfortunately) the storage of unnecessary subkeys.
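As an added example, not code from the hook or from anyone in this thread: the colon-format listing (`gpg --with-colons --list-secret-keys`) does let a script tell local secret keys from smartcard-hosted ones and bare stubs, because field 15 of a `sec`/`ssb` record carries the card serial number for card-hosted keys and `#` for a plain stub (documented in GnuPG's doc/DETAILS); a hook could check that before deciding whether `--export-secret-keys` can succeed. The colon lines below are constructed sample data with fake key ids and serial, and the function names are my own.

```shell
#!/bin/sh
# Classify sec/ssb records from `gpg --with-colons --list-secret-keys` output.
# Field 15: card serial number -> key lives on a smartcard
#           '#'                -> simple stub, no secret material anywhere local
#           empty              -> secret key is stored in GnuPG's local keystore
# Constructed sample: one stub primary key, one card-hosted subkey, one local subkey.
SAMPLE_COLONS='sec:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::cESCA:::#:::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1500000000::0000000000000000000000000000000000000002::Sample User <user@example.invalid>::::::::::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::e:::D2760001240102010006012345670000:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1500000000::::::s::::::23:'

# classify_secret_keys: reads colon-format lines on stdin and prints one line per
# sec/ssb record: "<keyid> local" | "<keyid> stub" | "<keyid> card:<serial>".
classify_secret_keys() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        kind = "local"
        if ($15 == "#")      kind = "stub"
        else if ($15 != "")  kind = "card:" $15
        print $5, kind
    }'
}

# count_local_secret_keys: how many records actually have local secret material.
# A result of 0 means --export-secret-keys will produce nothing useful and the
# hook should fall back to --export (the public key) as described above.
count_local_secret_keys() {
    classify_secret_keys | awk '$2 == "local" { n++ } END { print n + 0 }'
}

# Run on live data with:  gpg --with-colons --list-secret-keys | classify_secret_keys
printf '%s\n' "$SAMPLE_COLONS" | classify_secret_keys
printf 'local secret keys: %s\n' "$(printf '%s\n' "$SAMPLE_COLONS" | count_local_secret_keys)"
```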