22 Mar 2019
Planet Debian
Enrico Zini: debian-vote statistics
Updated: re-run after fixing a bug in the code that skips signatures
Updated: re-run on a mailbox with only the post-nomination discussion.
I made a script to compute some statistics on debian-vote's election discussions.
Here are the result as of 2019-03-22 13:30 UTC+1:
These are the number of mails sent by people who posted more than 2 messages:
Name Mails ============================== Joerg Jaspert 15 Martin Michlmayr 13 Jonathan Carter 11 Andreas Tille 8 Sam Hartman 8 Lucas Nussbaum 7 Jose Miguel Parrella 5 Andreas Tille 3 Ian Jackson 3 Sean Whitton 3
These are sum and averages of lines of non-quoted message text sent by people:
Name Sum Avg ================================== Jonathan Carter 604 55 Sam Hartman 389 49 Martin Michlmayr 346 27 Joerg Jaspert 306 20 Andreas Tille 238 30 Lucas Nussbaum 165 24 Ian Jackson 140 47 Jose Miguel Parrella 136 27 Andreas Tille 49 16 Sean Whitton 38 13
These are the top keywords of messages sent by the candidates so far, scored by an improvised TFIDF metric:
Sam Hartman people, valuable, doing, ways, focus, work, might Jonathan Carter software, perhaps, help, make, free, easier, large Joerg Jaspert upload, thing, nice, something, good, such, just Martin Michlmayr believe, maybe, foss, change, question, absolutely, people
22 Mar 2019 11:48am GMT
21 Mar 2019
Planet Debian
Simon Josefsson: Offline Ed25519 OpenPGP key with subkeys on FST-01G running Gnuk
Below I describe how to generate an OpenPGP key and import it to a FST-01G device running Gnuk. See my earlier post on planning for my new OpenPGP key and the post on preparing the FST-01G to run Gnuk. For comparison with a RSA/YubiKey based approach, you can read about my setup from 2014.
Most of the steps below are covered by the Gnuk manual. The primary complication for me is the use of a offline machine and storing GnuPG directory stored on a USB memory device.
Offline machine
I use a laptop that is not connected to the Internet and boot it from a read-only USB memory stick. Finding a live CD that contains the necessary tools for using GnuPG with smartcards (gpg-agent, scdaemon, pcscd) is significantly harder than it should be. Using a rarely audited image begs the question of whether you can trust it. A patched kernel/gpg to generate poor randomness would be an easy and hard to notice hack. I'm using the PGP/PKI Clean Room Live CD. Recommendations on more widely used and audited alternatives would be appreciated. Select "Advanced Options" and "Run Shell" to escape the menus. Insert a new USB memory device, and prepare it as follows:
pgp@pgplive:/home/pgp$ sudo wipefs -a /dev/sdX pgp@pgplive:/home/pgp$ sudo fdisk /dev/sdX # create a primary partition of Linux type pgp@pgplive:/home/pgp$ sudo mkfs.ext4 /dev/sdX1 pgp@pgplive:/home/pgp$ sudo mount /dev/sdX1 /mnt pgp@pgplive:/home/pgp$ sudo mkdir /mnt/gnupghome pgp@pgplive:/home/pgp$ sudo chown pgp.pgp /mnt/gnupghome pgp@pgplive:/home/pgp$ sudo chmod go-rwx /mnt/gnupghome
GnuPG configuration
Set your GnuPG home directory to point to the gnupghome directory on the USB memory device. You will need to do this in every terminal windows you open that you want to use GnuPG in.
pgp@pgplive:/home/pgp$ export GNUPGHOME=/mnt/gnupghome pgp@pgplive:/home/pgp$
At this point, you should be able to run gpg --card-status and get output from the smartcard.
Create master key
Create a master key and make a backup copy of the GnuPG home directory with it, together with an export ASCII version.
pgp@pgplive:/home/pgp$ gpg --quick-gen-key "Simon Josefsson <simon@josefsson.org>" ed25519 sign 216d
gpg: keybox '/mnt/gnupghome/pubring.kbx' created
gpg: /mnt/gnupghome/trustdb.gpg: trustdb created
gpg: key D73CF638C53C06BE marked as ultimately trusted
gpg: directory '/mnt/gnupghome/openpgp-revocs.d' created
gpg: revocation certificate stored as '/mnt/gnupghome/openpgp-revocs.d/B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE.rev'
pub ed25519 2019-03-20 [SC] [expires: 2019-10-22]
B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE
B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE
uid Simon Josefsson <simon@josefsson.org>
pgp@pgplive:/home/pgp$ gpg -a --export-secret-keys B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE > $GNUPGHOME/masterkey.txt
pgp@pgplive:/home/pgp$ sudo cp -a $GNUPGHOME $GNUPGHOME-backup-masterkey
pgp@pgplive:/home/pgp$
Create subkeys
Create subkeys and make a backup of them too, as follows.
pgp@pgplive:/home/pgp$ gpg --quick-add-key B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE cv25519 encr 216d pgp@pgplive:/home/pgp$ gpg --quick-add-key B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE ed25519 auth 216d pgp@pgplive:/home/pgp$ gpg --quick-add-key B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE ed25519 sign 216d pgp@pgplive:/home/pgp$ gpg -a --export-secret-keys B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE > $GNUPGHOME/mastersubkeys.txt pgp@pgplive:/home/pgp$ gpg -a --export-secret-subkeys B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE > $GNUPGHOME/subkeys.txt pgp@pgplive:/home/pgp$ sudo cp -a $GNUPGHOME $GNUPGHOME-backup-mastersubkeys pgp@pgplive:/home/pgp$
Move keys to card
Prepare the card by setting Admin PIN, PIN, your full name, sex, login account, and key URL as you prefer, following the Gnuk manual on card personalization.
Move the subkeys from your GnuPG keyring to the FST01G using the keytocard command.
Take a final backup - because moving the subkeys to the card modifes the local GnuPG keyring - and create a ASCII armored version of the public key, to be transferred to your daily machine.
pgp@pgplive:/home/pgp$ gpg --list-secret-keys
/mnt/gnupghome/pubring.kbx
--------------------------
sec ed25519 2019-03-20 [SC] [expires: 2019-10-22]
B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE
uid [ultimate] Simon Josefsson <simon@josefsson.org>
ssb> cv25519 2019-03-20 [E] [expires: 2019-10-22]
ssb> ed25519 2019-03-20 [A] [expires: 2019-10-22]
ssb> ed25519 2019-03-20 [S] [expires: 2019-10-22]
pgp@pgplive:/home/pgp$ gpg -a --export-secret-keys B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE > $GNUPGHOME/masterstubs.txt
pgp@pgplive:/home/pgp$ gpg -a --export-secret-subkeys B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE > $GNUPGHOME/subkeysstubs.txt
pgp@pgplive:/home/pgp$ gpg -a --export B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE > $GNUPGHOME/publickey.txt
pgp@pgplive:/home/pgp$ cp -a $GNUPGHOME $GNUPGHOME-backup-masterstubs
pgp@pgplive:/home/pgp$
Transfer to daily machine
Copy publickey.txt to your day-to-day laptop and import it and create stubs using --card-status.
jas@latte:~$ gpg --import < publickey.txt
gpg: key D73CF638C53C06BE: public key "Simon Josefsson <simon@josefsson.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
jas@latte:~$ gpg --card-status
Reader ...........: Free Software Initiative of Japan Gnuk (FSIJ-1.2.14-67252015) 00 00
Application ID ...: D276000124010200FFFE672520150000
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 67252015
Name of cardholder: Simon Josefsson
Language prefs ...: sv
Sex ..............: male
URL of public key : https://josefsson.org/key-20190320.txt
Login data .......: jas
Signature PIN ....: not forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: A3CC 9C87 0B9D 310A BAD4 CF2F 5172 2B08 FE47 45A2
created ....: 2019-03-20 23:40:49
Encryption key....: A9EC 8F4D 7F1E 50ED 3DEF 49A9 0292 3D7E E76E BD60
created ....: 2019-03-20 23:40:26
Authentication key: CA7E 3716 4342 DF31 33DF 3497 8026 0EE8 A9B9 2B2B
created ....: 2019-03-20 23:40:37
General key info..: sub ed25519/51722B08FE4745A2 2019-03-20 Simon Josefsson <simon@josefsson.org>
sec ed25519/D73CF638C53C06BE created: 2019-03-20 expires: 2019-10-22
ssb> cv25519/02923D7EE76EBD60 created: 2019-03-20 expires: 2019-10-22
card-no: FFFE 67252015
ssb> ed25519/80260EE8A9B92B2B created: 2019-03-20 expires: 2019-10-22
card-no: FFFE 67252015
ssb> ed25519/51722B08FE4745A2 created: 2019-03-20 expires: 2019-10-22
card-no: FFFE 67252015
jas@latte:~$
Before the key can be used after the import, you must update the trust database for the secret key.
Now you should have a offline master key with subkey stubs. Note in the output below that the master key is not available (sec#) and the subkeys are stubs for smartcard keys (ssb>).
jas@latte:~$ gpg --list-secret-keys
sec# ed25519 2019-03-20 [SC] [expires: 2019-10-22]
B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE
uid [ultimate] Simon Josefsson <simon@josefsson.org>
ssb> cv25519 2019-03-20 [E] [expires: 2019-10-22]
ssb> ed25519 2019-03-20 [A] [expires: 2019-10-22]
ssb> ed25519 2019-03-20 [S] [expires: 2019-10-22]
jas@latte:~$
If your environment variables are setup correctly, SSH should find the authentication key automatically.
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILzCFcHHrKzVSPDDarZPYqn89H5TPaxwcORgRg+4DagE cardno:FFFE67252015
GnuPG and SSH are now ready to be used with the new key. Thanks for reading!
21 Mar 2019 8:45pm GMT
Simon Josefsson: Installing Gnuk on FST-01G running NeuG
The FST-01G device that you order from the FSF shop runs NeuG. To be able to use the device as a OpenPGP smartcard, you need to install Gnuk. While Niibe covers this on his tutorial, I found the steps a bit complicated to follow. The following guides you from buying the device to getting a FST-01G running Gnuk ready for use with GnuPG.
Once you have received the device and inserted it into a USB port, your kernel log (sudo dmesg) will show something like the following:
[628772.874658] usb 1-1.5.1: New USB device found, idVendor=234b, idProduct=0004 [628772.874663] usb 1-1.5.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [628772.874666] usb 1-1.5.1: Product: Fraucheky [628772.874669] usb 1-1.5.1: Manufacturer: Free Software Initiative of Japan [628772.874671] usb 1-1.5.1: SerialNumber: FSIJ-0.0 [628772.875204] usb-storage 1-1.5.1:1.0: USB Mass Storage device detected [628772.875452] scsi host6: usb-storage 1-1.5.1:1.0 [628773.886539] scsi 6:0:0:0: Direct-Access FSIJ Fraucheky 1.0 PQ: 0 ANSI: 0 [628773.887522] sd 6:0:0:0: Attached scsi generic sg2 type 0 [628773.888931] sd 6:0:0:0: [sdb] 128 512-byte logical blocks: (65.5 kB/64.0 KiB) [628773.889558] sd 6:0:0:0: [sdb] Write Protect is off [628773.889564] sd 6:0:0:0: [sdb] Mode Sense: 03 00 00 00 [628773.890305] sd 6:0:0:0: [sdb] No Caching mode page found [628773.890314] sd 6:0:0:0: [sdb] Assuming drive cache: write through [628773.902617] sdb: [628773.906066] sd 6:0:0:0: [sdb] Attached SCSI removable disk
The device comes up as a USB mass storage device. Conveniently, it contain documentation describing what it is, and you identify the version of NeuG it runs as follows.
jas@latte:~/src/gnuk$ head /media/jas/Fraucheky/README
NeuG - a true random number generator implementation (for STM32F103)
Version 1.0.7
2018-01-19
Niibe Yutaka
Free Software Initiative of Japan
To convert the device into the serial-mode that is required for the software upgrade, use the eject command for the device (above it came up as /dev/sdb): sudo eject /dev/sdb. The kernel log will now contain something like this:
[628966.847387] usb 1-1.5.1: reset full-speed USB device number 27 using ehci-pci [628966.955723] usb 1-1.5.1: device firmware changed [628966.956184] usb 1-1.5.1: USB disconnect, device number 27 [628967.115322] usb 1-1.5.1: new full-speed USB device number 28 using ehci-pci [628967.233272] usb 1-1.5.1: New USB device found, idVendor=234b, idProduct=0001 [628967.233277] usb 1-1.5.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [628967.233280] usb 1-1.5.1: Product: NeuG True RNG [628967.233283] usb 1-1.5.1: Manufacturer: Free Software Initiative of Japan [628967.233286] usb 1-1.5.1: SerialNumber: FSIJ-1.0.7-67252015 [628967.234034] cdc_acm 1-1.5.1:1.0: ttyACM0: USB ACM device
The strings NeuG True RNG and FSIJ-1.0.7 suggest it is running NeuG version 1.0.7.
Now both Gnuk itself and reGNUal needs to be built, as follows. If you get any error message, you likely don't have the necessary dependencies installed.
jas@latte:~/src$ git clone https://salsa.debian.org/gnuk-team/gnuk/neug.git jas@latte:~/src$ git clone https://salsa.debian.org/gnuk-team/gnuk/gnuk.git jas@latte:~/src$ cd gnuk/src/ jas@latte:~/src/gnuk/src$ git submodule update --init jas@latte:~/src/gnuk/src$ ./configure --vidpid=234b:0000 ... jas@latte:~/src/gnuk/src$ make ... jas@latte:~/src/gnuk/src$ cd ../regnual/ jas@latte:~/src/gnuk/regnual$ make jas@latte:~/src/gnuk/regnual$ cd ../../
You are now ready to flash the device, as follows.
jas@latte:~/src$ sudo neug/tool/neug_upgrade.py -f gnuk/regnual/regnual.bin gnuk/src/build/gnuk.bin gnuk/regnual/regnual.bin: 4544 gnuk/src/build/gnuk.bin: 113664 CRC32: 931cab51 Device: Configuration: 1 Interface: 1 20000e00:20005000 Downloading flash upgrade program... start 20000e00 end 20001f00 # 20001f00: 31 : 196 Run flash upgrade program... Wait 3 seconds... Device: 08001000:08020000 Downloading the program start 08001000 end 0801bc00 jas@latte:~/src$
Remove and insert the device and the kernel log should contain something like this:
[629120.399875] usb 1-1.5.1: new full-speed USB device number 32 using ehci-pci [629120.511003] usb 1-1.5.1: New USB device found, idVendor=234b, idProduct=0000 [629120.511008] usb 1-1.5.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [629120.511011] usb 1-1.5.1: Product: Gnuk Token [629120.511014] usb 1-1.5.1: Manufacturer: Free Software Initiative of Japan [629120.511017] usb 1-1.5.1: SerialNumber: FSIJ-1.2.14-67252015
The device can now be used with GnuPG as a smartcard device.
jas@latte:~/src/gnuk$ gpg --card-status Reader ...........: 234B:0000:FSIJ-1.2.14-67252015:0 Application ID ...: D276000124010200FFFE672520150000 Version ..........: 2.0 Manufacturer .....: unmanaged S/N range Serial number ....: 67252015 Name of cardholder: [not set] Language prefs ...: [not set] Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Key attributes ...: rsa2048 rsa2048 rsa2048 Max. PIN lengths .: 127 127 127 PIN retry counter : 3 3 3 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none] jas@latte:~/src/gnuk$
Congratulations!
21 Mar 2019 8:39pm GMT