The officially official Devuan Forum!

#1 Re: Documentation » Grsecurity/Pax installation on Devuan GNU/Linux » 2018-07-11 12:28:24

New stable packages:
https://www.croatiafidelis.hr/gnu/deb/l … 180710-21/
( https://www.croatiafidelis.hr/gnu/deb/l … c-current/ )
Any difficulty installing, pls. review previous long posts... (I'm probably too short on time currently)

#2 Re: Other Issues » Strange Bash under grsecurity's exec logging » 2018-06-16 18:44:05

It is the same info that I have, as I just posted at:

Re: Grsecurity/Pax installation on Debian GNU/Linux
http://forums.debian.net/viewtopic.php? … 41#p675341

(or would it be better that I simply paste it here, I don't know... The link, this time, should suffice).

#3 Re: Documentation » Grsecurity/Pax installation on Devuan GNU/Linux » 2018-06-01 13:29:13

The offered packages in the previous post (no issues have I had so far) are for any system hardware (well: x86_64 arch only).

The best way is surely to compile. Nothing wrong with the other option. It's only that tailoring the compiled kernel for only your hardware reduces the huge attack surface.

While Dapper Secure Kernel Patchset  (
https://github.com/dapperlinux/dapper-s … e/releases
) is still grsecurity, my script for newbies has changed to help new GNU-Debianers/Devuaners who want to look into kernel compiling.

So pls. look up:

https://github.com/miroR/grsec-dapper-compile/

I'm not sure; you might need to get the dapper-linux PGP key from:

https://dapperlinux.com/contact.html
https://dapperlinux.com/matthew_gpg_public_key.asc

Regards!

#4 Re: Documentation » Grsecurity/Pax installation on Devuan GNU/Linux » 2018-06-01 11:50:35

The:
https://www.croatiafidelis.hr/gnu/deb/l … c-current/
now points to:
https://www.croatiafidelis.hr/gnu/deb/l … 180601-06/
That is the kernel package for Debian/Devuan that _may_ be worth trying out, bearing in mind the caveats of Dapper Linux patchset:
https://dapperlinux.com/
I.e. no meltdown protection, no spectre protection, currently no retpoline.

However, all the other usual protections that grsec offered are there. And the kernel is up to date.

I am testing that kernel right now, it appears to be fine.

If you want to use it, pls. see previous posts; there is a lot of info on how to download it, how to verify it, etc.

Regards!

#5 Re: Installation » Legal on Pale Moon potential packaging and distribution » 2018-04-04 16:28:22

It's Wed  4 Apr 16:26:28 UTC 2018 UTC...
No replies on https://forum.palemoon.org/viewtopic.ph … 50#p138438
And maybe nothing until morning comes to the U.S. if they went to sleep. Hours of uneasy waiting...

EDIT: I can't believe I calculated as if the Earth revolved the opposite direction around the Sun than it does... It wasn't night, but it was morning or even early morning in the U.S. when I posted that question about mozconfig... (BTW, I can do complex things, but I sometimes fail on binary stuff, or completely simple stuff, such as I failed my driving exam 42 yrs ago on driving backwards :) ...Aarrgh!...)

IOW, it's full daytime still in the U.S., while night is drawing over Europe where I live... Just why not answer... How can I compile if I don't know I can at least get some of the options to the liking of a good part (and to no detriment to others) of Devuan users?

I'm not going to be compiling a dbus- nor pulseaudio- Pale Moon... They hopefully will support those options...

#6 Re: Installation » Legal on Pale Moon potential packaging and distribution » 2018-04-04 14:33:13

chillfan wrote:

I'm not an expert but I think this would do it:

Change --enable-official-branding to --disable-official-branding and rename your package in debian/control to whatever name you like. I think so long as you don't use their artwork and don't call it palemoon you should be fine.

If I remember the browser will call itself "New Moon" by default. That would seem ok in the meantime, but you'd want to rename eventually I think.

Otherwise just use the mozconfig they provide, but it will limit you to the defaults.

I see, but the better way is to try and get Moonchild and his friends confident of my packages and get them to allow the official branding to remain...

In case the few options that I'm pretty unwilling to change, and they're not so many, get a PASS from New Tobin Paradigm, see:

A Pale Moon repo for Devuan/Debian
https://forum.palemoon.org/viewtopic.ph … 38#p138438

which I hope they will, I am motivated to work more. Else... time wasted...

As far as changing the licence: The Iceweasel story is a sad example. It lost support completely (IIRC) from Mozilla.

And you don't get geniuses available for some core issues in any complex project just so easily (remember how the https://github.com/minipli/linux-unofficial_grsec/ still hasn't moved past the spectre/meltdown mitigations, geniuses to solve it missing or, being late to do it; if only it is the latter...). Some things about really complex projects, there's only a few people in the world who are able to do it (well, in real time, I mean)...

The support by Moonchild and his team is very close to indispensable. (Especially because we are not huge as Debian.)

I'm on edge. Reloaded that Pale Moon link above a few times only while writing here...

#7 Re: Installation » Legal on Pale Moon potential packaging and distribution » 2018-04-04 12:28:03

I also asked at:
A Pale Moon repo for Devuan/Debian
https://forum.palemoon.org/viewtopic.ph … 22#p138422
I hope this can be worked out. This is a browser that does not impose pulseaudio nor dbus, is fast, and they don't seem to work behind people's back with intrusive purposes.

#8 Re: Installation » A repo serving Pale Moon » 2018-04-04 11:43:24

There is probably not (but I'm not good at legal stuff) any non-compliance issue with Pale Moon license with my repo, but still, some already and more discussion might be at (or linked from):

Legal on Pale Moon potential packaging and distribution
https://dev1galaxy.org/viewtopic.php?id=1974

#9 Re: Installation » Legal on Pale Moon potential packaging and distribution » 2018-04-04 11:32:14

Is my mozconfig legal?

From publicly available sources at:

https://www.croatiafidelis.hr/foss/dev1miro/

/some/where/$ cat  palemoon-27.8.3~repack/debian/mozconfig 
export MOZILLA_OFFICIAL=1
export CC=gcc-4.9
export CXX=g++-4.9
mk_add_options MOZ_CO_PROJECT=browser
ac_add_options --enable-official-branding
ac_add_options --enable-application=browser
ac_add_options --enable-release
ac_add_options --disable-installer
ac_add_options --disable-updater
ac_add_options --enable-optimize="-O2 -msse2 -mfpmath=sse"
ac_add_options --disable-debug
ac_add_options --with-pthreads
ac_add_options --enable-shared-js
ac_add_options --enable-jemalloc
ac_add_options --enable-strip
ac_add_options --x-libraries=/usr/lib
ac_add_options --prefix=/usr
ac_add_options --enable-devtools
ac_add_options --disable-necko-wifi
ac_add_options --disable-gstreamer
ac_add_options --with-pthreads
ac_add_options --disable-precompiled-startupcache
ac_add_options --disable-accessibility
ac_add_options --disable-b2g
ac_add_options --disable-dbus
ac_add_options --disable-gamepad
ac_add_options --disable-omx-plugin
ac_add_options --disable-parental-controls
ac_add_options --disable-profiling
ac_add_options --disable-pulseaudio
ac_add_options --disable-safe-browsing
ac_add_options --disable-telemetry
ac_add_options --disable-webrtc
ac_add_options --disable-webspeech
ac_add_options --enable-alsa
ac_add_options --enable-ffmpeg
ac_add_options --enable-fmp4
ac_add_options --enable-freetype
ac_add_options --enable-gnu-ld
ac_add_options --enable-install-strip
ac_add_options --enable-jemalloc
ac_add_options --enable-jemalloc-lib
ac_add_options --enable-libjpeg-turbo
ac_add_options --enable-multithread
ac_add_options --enable-ogg
ac_add_options --enable-optimize
ac_add_options --enable-opus
ac_add_options --enable-png
ac_add_options --enable-pthreads
ac_add_options --enable-raw
ac_add_options --enable-shared-js
ac_add_options --enable-strip
ac_add_options --enable-svg
ac_add_options --enable-threads
ac_add_options --enable-threadsafe
ac_add_options --enable-wave
ac_add_options --enable-webgl
ac_add_options --enable-webm
/some/where/$ 

#10 Re: Installation » Legal on Pale Moon potential packaging and distribution » 2018-04-04 11:19:43

So this is the reply to this post:

Palemoon installation from source
https://dev1galaxy.org/viewtopic.php?id=616#p8206

moved here because it isn't to do with just compilation for a single person which that topic is about.
---

chillfan wrote:

Nice posts but I should point to this though (for your own benefit) which recently came up on the mailing list.

https://github.com/jasperla/openbsd-wip/issues/86

I wasn't aware of that... Studying it carefully... However, I was compiling my Pale Moon since I started that topic:
Building Pale Moon on Devuan fails
https://forum.palemoon.org/viewtopic.php?f=57&t=15751
which is Fri, 07 Jul 2017, 19:03 and this is the first time somebody draws my attention to this...

A quick idea (to get free from the need to peruse that notification): would it suffice that I remove the

export MOZILLA_OFFICIAL=1

or stick:

export MOZILLA_OFFICIAL=0

and what are the implications thereof?

But wait... See (if you or other gentle reader download the source as I explained how it can be done in my previous post):

$ grep with-system palemoon-27.8.3~repack/debian/mozconfig 
$

it's an empty string. None! I don't have any --with-system-<whatever>! So I'd hope my Pale Moon repo is legit.

Do correct me if I'm wrong!

So, no for this (but do correct me if I'm wrong):

It would seem it's best to rebrand or disable branding when packaging, especially if you want to make changes to the build process.

and the changes that I made are not to do with anything --with-system-<whatever> options.

Also, I notice you mentioned grsecurity (the unofficial forward ports I guess). When I last looked they can't yet integrate meltdown/kpti, is much different there now?

Yeah, that's a thorny issue... No genius to help out there... Or the good few who are willing have not come to their full potential yet... Sad as can be... But that's a separate issue... If you want to discuss it more (just in case), pls. let's move to some of the grsec topic (of mine already on the forums, or create a new one if you prefer... Only saying, there's not much news there...)

Back to the licensing issue now.

I read more carefully on the OpenBSD attempt to package Pale Moon and the near "cease and decease" discussion as one of the BSD guys called it... Wow!... Hard stuff too... And sad, this issue is, too...

Dunno...

But thanks! (And do correct me if I'm wrong!)

#11 Installation » Legal on Pale Moon potential packaging and distribution » 2018-04-04 11:14:47

miroR
Replies: 6

I have put up a repo with one binary-amd64 package and one set of source: palemoon :

https://www.croatiafidelis.hr/foss/dev1miro/

It's provisional really at this time, but it's working.

I presented it at:
A repo serving Pale Moon
https://dev1galaxy.org/viewtopic.php?id=1972

With time, not yet, I might become knowledgeable enough to package Palemoon for Devuan... I might...

And I'd like to figure out about these legalities first. There is a fragment of a discussion over right after:

Palemoon installation from source
https://dev1galaxy.org/viewtopic.php?id=616#p8206

but I am moving my reply to here, because it is an issue that deserves a separate topic.

I'm not very good at legal issues at all, and the time to figure out all the parts of the licenses and read all the relevant discussions is adding to the hardship of it...

And advice is welcome... Do express your thoughts, it might help for the future. Pale Moon seems to me a really good browser, and maybe the licensing is eventually acceptable...

Also, pls look up my mozconfig that I used. You can easily download the sources (at least currently) from my:

https://www.croatiafidelis.hr/foss/dev1miro/

(even the less advanced in compilation) by reading the above linked "A repo serving Pale Moon" topic.

Is that mozconfig legal, as I think (for which read the next post in this topic)?

#12 Re: Installation » Palemoon installation from source » 2018-04-04 10:50:37

The post that miroR (me) posted here, and which was here for only 1/2 hour or so, is still complete, but is pasted over, manually, by the aforesaid forum user, to new topic:

Legal on Pale Moon potential packaging and distribution
https://dev1galaxy.org/viewtopic.php?id=1974


Regards!

#13 Re: Installation » A repo serving Pale Moon » 2018-04-04 07:35:51

Likewise (see about Packages in previous post), you download:

https://www.croatiafidelis.hr/foss/dev1 … ce/Sources

and make it be:

/var/lib/apt/lists/www.CroatiaFidelis.hr_foss_dev1miro_dists_ceres_main_source_Sources

and then you can:

$ apt-get source palemoon
Reading package lists... Done
Need to get 124 MB of source archives.
Get:1 tor+https://www.CroatiaFidelis.hr/foss/dev1miro ceres/main palemoon 27.8.3~repack-3 (dsc) [1,896 B]
Get:2 tor+https://www.CroatiaFidelis.hr/foss/dev1miro ceres/main palemoon 27.8.3~repack-3 (tar) [124 MB]
Get:3 tor+https://www.CroatiaFidelis.hr/foss/dev1miro ceres/main palemoon 27.8.3~repack-3 (diff) [28.2 kB]
Fetched 124 MB in 1min 3s (1,954 kB/s)                                                       
dpkg-source: info: extracting palemoon in palemoon-27.8.3~repack
dpkg-source: info: unpacking palemoon_27.8.3~repack.orig.tar.xz
dpkg-source: info: unpacking palemoon_27.8.3~repack-3.debian.tar.xz
dpkg-source: info: applying allow-sslkeylogfile
$

And:

$   dscverify --no-default-keyrings --keyring  /usr/share/keyrings/dev1miro.gpg  palemoon_27.8.3~repack-3.dsc 
palemoon_27.8.3~repack-3.dsc:
      Good signature found
   validating palemoon_27.8.3~repack.orig.tar.xz
   validating palemoon_27.8.3~repack-3.debian.tar.xz
All files validated successfully.

BTW, it would belong to the topic on Pale Moon forum (the --now-- months long one), but I'm pressed with time, these are some of the commands (they are, essentially, from my /home/$USER/.bash_history) which I issued when compiling, this time around:

ts=$(date +%y%m%d_%H%M%S) ; echo $ts ; read FAKE ; dpkg-source -x palemoon_27.8.3~repack-1.dsc |& tee /some-other-where/dpkg-source-x_palemoon_27.8.3_${ts}

The "ts" stands for [t]ime[s]tamp, so I get the logs, and upon multiple tries the next one doesn't truncate the previous ones.

cd palemoon-27.8.3~repack
quilt new allow-sslkeylogfile
quilt add security/nss/lib/ssl/Makefile 
patch -p0  < /some/where/palemoon-27.7.2~repack_allow-sslkelogfile.patch 
quilt refresh
quilt applied
quilt diff
quilt push

That's the SSL-keys logging patch, details on that long months Pale Moon forum topic of mine, or in links from there.

And here is where I removed libdbus, libgdbus and pulseaudio from mozconfig and also from even build-deps. My mozconfig is based on Walter Dnes's (but it's that months-long topic to refer for details):

vi -p debian/{mozconfig,control} 

Again, same principle for logging, and also, this is how you --force-sign a non-maintainer upload:

ts=$(date +%y%m%d_%H%M%S) ; echo $ts; read FAKE ; dpkg-buildpackage -j4 --sign-key=FEF460A2666186A9 --force-sign |& tee /some-other-where/dpkg-buildpackage-j4--sign-key=FEF460A2666186A9--force-sign_${ts}

Regards!

#14 Re: Installation » A repo serving Pale Moon » 2018-04-03 21:27:02

The story of how I apt-get'ed my NMU ([N]on-[M]aintainer [U]pload) palemoon package, and how other people, esp. people who wish to build non-dbus Devuan machines (that's not yet completely feasible in Devuan; it is feasible in GNU/Linux, because Gentoo has offered a completely dbus-free installation since at least a couple of years ago)...

Namely, once the repo is all set up well, and not provisionally as it is now (long term, I surely would like to contribute to Devuan development with Amprolla and git.devuan.org, but I'm not really yet capable of doing real advanced developer's work), you'll be able to more comfortably browse and see the changes btwn my NMU upload and what is offered on:
https://download.opensuse.org/repositor … venpusser/
( currently it is palemoon packages:
https://download.opensuse.org/repositor … ebian_9.0/ )
In short, it's SSL-key logging, and the mozconfig is meaner.

But how to get it and install it in your machine (NO WARRANTIES, the risk is all yours, gentle reader!) is...

Let's start from here:

DebianRepositoryUseThirdParty Instructions to connect to a third-party repository
https://wiki.debian.org/DebianRepositor … list_entry

In the case of my repo it is:

$ wget -O /usr/share/keyrings/dev1miro.gpg https://www.croatiafidelis.hr/foss/dev1-miro/keyring.gpg

For tor users (I'm only tickling readers' imagination: Devuan works well with Tor, but I've not time to explain it, and the place is not here anyways), it would be:

$ torsocks wget -O /usr/share/keyrings/dev1miro.gpg https://www.croatiafidelis.hr/foss/dev1-miro/keyring.gpg

( and www.CroatiaFidelis.hr --it's rented space, I'm not a wizard to be able to cope with and maintain my own full time server-- takes tor+https fine )

( stable Jessie users, pls. study the wiki.debian.org link above, you might currently have more work to do here; I'm on Ceres, the unstable/testing Devuan beast )

And then get yourself this file, to look more or less exactly like this:

# cat /etc/apt/sources.list.d/dev1miro.list 
deb [signed-by=/usr/share/keyrings/dev1miro.gpg] https://www.CroatiaFidelis.hr/foss/dev1miro/ ceres main

For tor users it would be:

# cat /etc/apt/sources.list.d/dev1miro.list 
deb [signed-by=/usr/share/keyrings/dev1miro.gpg] tor+https://www.CroatiaFidelis.hr/foss/dev1miro/ ceres main

And then the usual apt-get update should get it... But it wouldn't work for me... Too many tries I did, but the errors that I always got verge around, e.g. (the try at  16:17:29 on 2018-04-03):

# cat ~mr/LOG_/apt-get_update_180403_161729_O
Get:1 tor+https://www.CroatiaFidelis.hr/foss/dev1miro ceres InRelease [4,458 B]
Err:1 tor+https://www.CroatiaFidelis.hr/foss/dev1miro ceres InRelease
  The following signatures were invalid: 47FEB28B15B8B727D4C9A64BFEF460A2666186A9
Reading package lists...
W: GPG error: tor+https://www.CroatiaFidelis.hr/foss/dev1miro ceres InRelease: The following signatures were invalid: 47FEB28B15B8B727D4C9A64BFEF460A2666186A9
E: The repository 'tor+https://www.CroatiaFidelis.hr/foss/dev1miro ceres InRelease' is not signed.
#

Truth is, after I cloned the Freight repo and hacked it a little, and got it capable of adding sources to my repo (which the current version 0.3.11 couldn't do, that story will, hopefully soon, appear in code on: https://github.com/miroR/freight, along with a pull request or two to https://github.com/freight-team/freight/ ), I had to create InRelease manually, but it's a fully correct InRelease; check it out from its place in the repo:

https://www.croatiafidelis.hr/foss/dev1 … /InRelease

And once you've got my PGP key and downloaded it, it can only be a good signature with gpg --verify InRelease, if the internet is calm on all participating sides.

And all else having failed, I decided I will simply reconstruct my /var/lib/apt/lists/www.CroatiaFidelis.hr_foss_dev1miro_dists_ceres_InRelease (what you see there, and what you downloaded from there --later readers are likely to see a different InRelease than of the time of this writing-- is what I manually placed in there, Freight wouldn't do it). Freight does a lot of other things just right, I hope it's a fine repo tool...

So that same InRelease (I hope this is a temporary measure and later readers just won't need it) you too can put in your:

# cp -iav InRelease /var/lib/apt/lists/www.CroatiaFidelis.hr_foss_dev1miro_dists_ceres_InRelease
# chown root:root /var/lib/apt/lists/www.CroatiaFidelis.hr_foss_dev1miro_dists_ceres_InRelease

( the chowning here and below is just in case, won't harm, and might be necessary )

And then you also need to download:

https://www.croatiafidelis.hr/foss/dev1 … 4/Packages

and copy:

# cp -iav Packages /var/www/html/foss/dev1miro/dists/ceres/main/binary-amd64/Packages
# chown root:root /var/www/html/foss/dev1miro/dists/ceres/main/binary-amd64/Packages

Next, you can simply download the palemoon package, say with:

$ wget https://www.croatiafidelis.hr/foss/dev1miro/pool/ceres/main/p/palemoon/palemoon_27.8.3~repack-3_amd64.deb

and copy it to:

# cp -iav palemoon_27.8.3~repack-3_amd64.deb /var/cache/apt/archives/

And if you followed all the steps that I just posted (and if I haven't forgotten to tell some piece of instruction, which I hope I haven't), you now should be able to install my NMU Pale Moon with:

# apt-get install palemoon

Reports are welcome!
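Copying InRelease and Packages by hand into /var/lib/apt/lists, as above, skips the two checks apt normally makes on them. As an added example that is not part of the original post, the following POSIX shell script reproduces those checks on a downloaded set of files: the signature check with gpgv against only the repository's own keyring (the [signed-by=...] file from the sources.list entry), and the comparison of every listed index against the SHA256 entries in Release/InRelease. The repository tree it builds for the stand-alone run is constructed (the palemoon record is a made-up index entry carrying the version from the post, not a real package), and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the forum post: check a downloaded Release/InRelease
# against the index files it lists, which is what apt does after the signature
# check (the step that failed in the post with "signatures were invalid").
# Assumed layout: DIR holds Release (or a clearsigned InRelease) plus the listed
# paths relative to it, e.g. main/binary-amd64/Packages.
set -u

# release_hash_lines FILE: print "sha256 size path" for every entry of the
# SHA256: section. Armor lines of a clearsigned InRelease reset the section,
# and only 64-hex-digit first fields are accepted, so nothing else leaks in.
release_hash_lines() {
    awk '
        /^-----/          { insha = 0; next }
        /^[A-Za-z0-9-]+:/ { insha = ($1 == "SHA256:"); next }
        insha && NF == 3 && length($1) == 64 && $1 ~ /^[0-9a-f]+$/ { print $1, $2, $3 }
    ' "$1"
}

# verify_signature KEYRING DIR: the signature step apt runs first, with only the
# repository keyring (the [signed-by=...] file); gpgv exits non-zero otherwise.
verify_signature() {
    if [ -f "$2/InRelease" ]; then
        gpgv --keyring "$1" "$2/InRelease"
    else
        gpgv --keyring "$1" "$2/Release.gpg" "$2/Release"
    fi
}

# verify_release DIR: 0 if every file listed in DIR/InRelease (or DIR/Release)
# exists with the stated size and SHA-256, 1 otherwise; each result is printed.
verify_release() {
    dir=$1
    rel="$dir/InRelease"
    [ -f "$rel" ] || rel="$dir/Release"
    entries=$(release_hash_lines "$rel")
    if [ -z "$entries" ]; then
        echo "no SHA256 section found in $rel" >&2
        return 1
    fi
    bad=0
    # Here-document instead of a pipe so the loop runs in this shell and can set $bad.
    while read -r want size path; do
        f="$dir/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path" >&2; bad=1; continue
        fi
        have=$(sha256sum "$f" | cut -d' ' -f1)
        have_size=$(wc -c < "$f" | tr -d ' ')
        if [ "$have" = "$want" ] && [ "$have_size" = "$size" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path: want $want ($size bytes), have $have ($have_size bytes)" >&2
            bad=1
        fi
    done <<EOF
$entries
EOF
    return $bad
}

# make_demo_repo: build a constructed dists/ tree in a temp dir and print its path.
# The Packages record is illustrative only; Release lists its real hash and size.
make_demo_repo() {
    d=$(mktemp -d)
    mkdir -p "$d/main/binary-amd64"
    cat > "$d/main/binary-amd64/Packages" <<'EOF'
Package: palemoon
Version: 27.8.3~repack-3
Architecture: amd64
Filename: pool/ceres/main/p/palemoon/palemoon_27.8.3~repack-3_amd64.deb
Description: constructed sample record for the verification demo

EOF
    sum=$(sha256sum "$d/main/binary-amd64/Packages" | cut -d' ' -f1)
    size=$(wc -c < "$d/main/binary-amd64/Packages" | tr -d ' ')
    cat > "$d/Release" <<EOF
Origin: demo (constructed)
Suite: ceres
Codename: ceres
Architectures: amd64
Components: main
SHA256:
 $sum $size main/binary-amd64/Packages
EOF
    echo "$d"
}

# Stand-alone demo: the tree passes as served, then fails once the index is
# altered behind the Release file, which is what apt would refuse.
demo=$(make_demo_repo)
verify_release "$demo"
printf 'Tampered: yes\n' >> "$demo/main/binary-amd64/Packages"
verify_release "$demo" || echo "tampering detected; apt would refuse this index"
rm -rf "$demo"
```

Run verify_signature with the downloaded keyring against the directory holding InRelease before placing anything under /var/lib/apt/lists, then verify_release against the same directory once Packages (and Sources) are beside it; the "signatures were invalid" error in the post is what a failing verify_signature looks like from apt's side. The file names apt expects under /var/lib/apt/lists follow the pattern the next post shows for Sources: the index URL with each "/" replaced by "_".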

#15 Re: Installation » Palemoon installation from source » 2018-04-03 19:12:04

Ta-dah! This topic opens a way for a new one, more advanced, hopefully...
Look up, esp. admins, this repo is working, but only just, and with manual tweaking:

https://www.croatiafidelis.hr/foss/dev1miro/

I have (with manual adjusting in /var/lib/apt/lists) managed to apt-get install my:

$ palemoon --version
Moonchild Productions Pale Moon 27.8.3
$

from it.
Here the log how it went:

$ apt-get install palemoon
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be upgraded:
  palemoon
[...]

Oh, that doesn't belong here... Pls. go to:
A repo serving Pale Moon
https://dev1galaxy.org/viewtopic.php?id=1972

Regards!

#16 Installation » A repo serving Pale Moon » 2018-04-03 19:10:08

miroR
Replies: 3

Current title: A repo serving Pale Moon
---
This is the next stage after having compiled Pale Moon for months. See:
Palemoon installation from source
https://dev1galaxy.org/viewtopic.php?id=616
---

Only advanced users could make it here. Not trivial...
But I did successfully install my newly built Pale Moon from:

https://www.croatiafidelis.hr/foss/dev1miro/

I have (with manual adjusting in /var/lib/apt/lists) managed to apt-get install my:

$ palemoon --version
Moonchild Productions Pale Moon 27.8.3
$

from it.
Here the log how it went:

$ apt-get install palemoon
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be upgraded:
  palemoon
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/30.5 MB of archives.
After this operation, 19.5 kB of additional disk space will be used.
Running external script with list of all .deb file: '/usr/bin/apt-listchanges --apt || test $? -lt 10'
Reading changelogs... Done
Running external script with list of all .deb file: '/usr/sbin/dpkg-preconfigure --apt || true'
(Reading database ... 224942 files and directories currently installed.)
Preparing to unpack .../palemoon_27.8.3~repack-3_amd64.deb ...
Unpacking palemoon (27.8.3~repack-3) over (27.8.0~repack-2) ...
Setting up palemoon (27.8.3~repack-3) ...
Processing triggers for mime-support (3.60) ...
Processing triggers for libc-bin (2.27-3) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Running external script: '/usr/bin/test -x /sbin/paxrat && /sbin/paxrat 1>/dev/null || true'
Running external script: 'if [ -x /usr/bin/rkhunter ] && grep -qiE '^APT_AUTOGEN=.?(true|yes)' /etc/default/rkhunter; then /usr/share/rkhunter/scripts/rkhupd.sh; fi'
$

As I wrote on:
A Pale Moon repo for Devuan/Debian
https://forum.palemoon.org/viewtopic.php?f=37&t=18805

I was only able to do it after manually tweaking and copying files to /var/lib/apt/lists. More coming about it, but (likely) in slow time.

#17 Re: Forum Feedback » "[quote] was opened within [s]" FluxBB bug? » 2018-03-12 08:44:57

ralph.ronnquist wrote:

The "s" bbcode makes a strike-through
See https://dev1galaxy.org/help.php#bbcode

Right, insufficient user understanding.
It is allowed in the

...[S]...

, as:

Safe GnuPG setup (with offlined master secret key)
https://dev1galaxy.org/viewtopic.php?id=1929#p7925

does have a lot of those. It isn't allowed where it would only have the meaning of starting a strike-through...

Took me a while to understand...

Thanks. Regards!

#18 Re: Documentation » Safe GnuPG setup (with offlined master secret key) » 2018-03-11 23:18:37

From this page below:
--export-options export-reset-subkey-passwd
https://lists.gnupg.org/pipermail/gnupg … 60124.html
there might be corrections on my methods to be found, or more advice to read.

Regards!

#19 Re: Documentation » Safe GnuPG setup (with offlined master secret key) » 2018-03-11 18:40:31

I need to do some more checking... Well, the real checking is probably with hooks way deep into the code, which I am not apt to do now...
But this probably will work fine for me...

I might have to go without completely automatic signing subkey (with the password reset to empty).

Happy crypting, folks!

#20 Re: Documentation » Safe GnuPG setup (with offlined master secret key) » 2018-03-11 18:38:03

NOTE upon much later proofreading: I forgot the "--homedir ." below. But also with it (I repeated all with it, later), no luck.

~/.gnupg-2$ gpg --edit-key 98ECA48587E811A1
Secret key is available.

sec  rsa4096/EA9884884FBAF0AE
     created: 2014-01-16  expires: 2019-05-19  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa4096/C94689581D481BD5
     created: 2014-01-16  expires: never       usage: E   
ssb  rsa3072/98ECA48587E811A1
     created: 2018-03-10  expires: never       usage: S   
[ultimate] (1). Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>
[ revoked] (2)  Miroslav Rovis (consecrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>

gpg> passwd

I Cancel'd changing password for EA9884884FBAF0AE and C94689581D481BD5 and I am at:

     ┌──────────────────────────────────────────────────────────────────────────────────┐
     │ Please enter the passphrase to unlock the OpenPGP secret key:                    │
     │ "Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>"  │
     │ 3072-bit RSA key, ID 98ECA48587E811A1,                                           │
     │ created 2018-03-10 (main key ID EA9884884FBAF0AE).                               │
     │                                                                                  │
     │                                                                                  │
     │ Passphrase: ____________________________________________________________________ │
     │                                                                                  │
     │            <OK>                                                <Cancel>          │
     └──────────────────────────────────────────────────────────────────────────────────┘

where I entered the password that is still the same as for the primary key.

Upon which I get:

                   ┌──────────────────────────────────────────────────────┐
                   │ Please enter the new passphrase                      │
                   │                                                      │
                   │ Passphrase: ________________________________________ │
                   │                                                      │
                   │       <OK>                              <Cancel>     │
                   └──────────────────────────────────────────────────────┘

But there is no resetting the password. I leave it empty (type nothing in the form after "Passphrase:") and hit "<OK>", but all I get is the prompt back again, and it would be back again forever. No changing of the password there.

So, still stuck here...

#21 Re: Documentation » Safe GnuPG setup (with offlined master secret key) » 2018-03-11 18:36:48

This time I didn't delete, but moved it out of the working area:

~$ mv -iv .gnupg-2 .gnupg-2-DEL1
renamed '.gnupg-2' -> '.gnupg-2-DEL1'
~$

The secring in that moved dir is same:

~$ sha256sum secring.gpg .gnupg-2-DEL1/secring.gpg
28f35e3777ea2182c5ae925cc29628e9dad8ae7ee19ec0ba0d4ea8b753c02d1d  secring.gpg
28f35e3777ea2182c5ae925cc29628e9dad8ae7ee19ec0ba0d4ea8b753c02d1d  .gnupg-2-DEL1/secring.gpg
~$

and can be deleted, so no ambiguity about the new secring.gpg arises.

~$ rm secring.gpg
~$

It's touchy here, every move must be right...

~$ gpg --list-secret-keys EA9884884FBAF0AE
sec   rsa4096/EA9884884FBAF0AE 2014-01-16 [SC] [expires: 2019-05-19]
      FCF13245ED247DCE443855B7EA9884884FBAF0AE
uid                 [ultimate] Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>
ssb   rsa4096/C94689581D481BD5 2014-01-16 [E]
ssb   rsa3072/98ECA48587E811A1 2018-03-10 [S]

I'll now try, instead of just one subkey, export both.

~$ gpg --output secring.gpg --export-secret-subkeys  98ECA48587E811A1! C94689581D481BD5!

Hmmmh, why did I get:

     ┌──────────────────────────────────────────────────────────────────────────────────┐
     │ Please enter the passphrase to export the OpenPGP secret subkey:                 │
     │ "Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>"  │
     │ 4096-bit RSA key, ID C94689581D481BD5,                                           │
     │ created 2014-01-16 (main key ID EA9884884FBAF0AE).                               │
     │                                                                                  │
     │                                                                                  │
     │ Passphrase: ***********_________________________________________________________ │
     │                                                                                  │
     │            <OK>                                                <Cancel>          │
     └──────────────────────────────────────────────────────────────────────────────────┘

the password prompt for the first... Don't know, maybe that's OK...

The secring is bigger this time. Maybe it did take both subkeys as I wished it would.

~$ ls -l secring.gpg .gnupg-2-DEL1/secring.gpg 
-rw------- 1 mr mr 5476 2018-03-10 20:12 .gnupg-2-DEL1/secring.gpg
-rw------- 1 mr mr 7887 2018-03-10 20:57 secring.gpg
~$

Repasting the next step for clarity (it's the third time, but this is pretty hard stuff, newbies will be stumbling, and they do need it):

~$ mkdir .gnupg-2
~$ chmod 700 .gnupg-2
~$ cp -iav .gnupg/pubring.* secring.gpg .gnupg-2
'.gnupg/pubring.gpg' -> '.gnupg-2/pubring.gpg'
'.gnupg/pubring.gpg~' -> '.gnupg-2/pubring.gpg~'
'.gnupg/pubring.kbx' -> '.gnupg-2/pubring.kbx'
'secring.gpg' -> '.gnupg-2/secring.gpg'
~$ cd .gnupg-2
~/.gnupg-2$

Again, but the slight difference is important (find it yourself, gentle reader):

~$ ls -lRa
.:
total 11852
drwx------  2 mr mr    4096 2018-03-10 21:01 .
drwxr-xr-x 51 mr mr   20480 2018-03-10 20:59 ..
-rw-------  1 mr mr 6038487 2018-03-10 20:07 pubring.gpg
-rw-------  1 mr mr 6037010 2017-11-18 14:28 pubring.gpg~
-rw-r--r--  1 mr mr   22093 2012-11-12 03:10 pubring.kbx
-rw-------  1 mr mr    7887 2018-03-10 20:57 secring.gpg
~$

Now:

~/.gnupg-2$ gpg --homedir . --list-secret-keys
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/home/mr/.gnupg-2/secring.gpg' to gpg-agent
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key EA9884884FBAF0AE: secret key imported
gpg: migration succeeded
gpg: /home/mr/.gnupg-2/trustdb.gpg: trustdb created
/home/mr/.gnupg-2/pubring.gpg
-----------------------------
sec#  rsa4096 2014-01-16 [SC] [expires: 2019-05-19]
      FCF13245ED247DCE443855B7EA9884884FBAF0AE
uid           [ unknown] Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>
ssb   rsa4096 2014-01-16 [E]
ssb   rsa3072 2018-03-10 [S]

~/.gnupg-2$

got me both the subkeys, while the sec# adamantly claims that the primary key is not at risk.

~/.gnupg-2$ ls -lRa
.:
total 11860
drwx------  3 mr mr    4096 2018-03-10 21:05 .
drwxr-xr-x 51 mr mr   20480 2018-03-10 20:59 ..
-rw-r--r--  1 mr mr       0 2018-03-10 21:05 .gpg-v21-migrated
drwx------  2 mr mr    4096 2018-03-10 21:05 private-keys-v1.d
-rw-------  1 mr mr 6038487 2018-03-10 20:07 pubring.gpg
-rw-------  1 mr mr 6037010 2017-11-18 14:28 pubring.gpg~
-rw-r--r--  1 mr mr   22093 2012-11-12 03:10 pubring.kbx
-rw-------  1 mr mr    7887 2018-03-10 20:57 secring.gpg
srwx------  1 mr mr       0 2018-03-10 21:05 S.gpg-agent
srwx------  1 mr mr       0 2018-03-10 21:05 S.gpg-agent.browser
srwx------  1 mr mr       0 2018-03-10 21:05 S.gpg-agent.extra
srwx------  1 mr mr       0 2018-03-10 21:05 S.gpg-agent.ssh
-rw-------  1 mr mr    1200 2018-03-10 21:05 trustdb.gpg

./private-keys-v1.d:
total 16
drwx------ 2 mr mr 4096 2018-03-10 21:05 .
drwx------ 3 mr mr 4096 2018-03-10 21:05 ..
-rw------- 1 mr mr 2578 2018-03-10 21:05 61D5243CD1CF616EBE7F2BEE3E830811B6BDCF85.key
-rw------- 1 mr mr 2001 2018-03-10 21:05 6D97E1E61FD4350A1E6E246819CCF06BDC5DEF94.key
~/.gnupg-2$

Phew!

The password now, in the next post.
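A small check, added here as an example (it is not code from the post above, and the sample listings in it are hand-constructed, only the key IDs and fingerprint are taken from the post): instead of reading the "sec#" / "ssb#" markers by eye, it parses the machine-readable form of the same listing, gpg --homedir "$DIR" --list-secret-keys --with-colons, where field 12 of a sec/ssb record holds the key's capabilities and field 15 is '#' for a stub (secret material absent) or '+' when the secret key is present. It exits 0 only when the primary key is a stub and a signing-capable subkey is really there, which is the state the online homedir is meant to end up in.

```shell
#!/bin/sh
# Added example, not the post's own code. Input is the colon listing of
#   gpg --homedir "$DIR" --list-secret-keys --with-colons
# field 12 of a sec/ssb record: capabilities (e, s, c, a ...)
# field 15 of a sec/ssb record: '#' = stub only, '+' = secret key present

# Print one line per secret key record: "<sec|ssb> <keyid> <caps> <STUB|present>".
classify_secret_keys() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        state = ($15 == "#") ? "STUB" : "present"
        printf "%s %s %s %s\n", $1, $5, $12, state
    }'
}

# Exit 0 only if the primary key is a stub AND at least one signing-capable
# subkey ("s" among its capabilities) is present. Anything else means the
# homedir still carries the master secret, or cannot sign at all.
check_offline_primary() {
    classify_secret_keys | awk '
        $1 == "sec" && $4 == "present"             { master_online = 1 }
        $1 == "ssb" && $3 ~ /s/ && $4 == "present" { can_sign = 1 }
        END { if (master_online || !can_sign) exit 1; exit 0 }'
}

# Same check against a real homedir (assumes gpg is installed; not run here).
check_homedir() {
    gpg --homedir "$1" --list-secret-keys --with-colons | check_offline_primary
}

# Constructed listing mirroring the wanted end state: master stub, encryption
# and signing subkeys present. Dates and the other fields are made up.
GOOD_LISTING='sec:u:4096:1:EA9884884FBAF0AE:1389830400:1558224000::u:::scESC:::#:::23::0:
fpr:::::::::FCF13245ED247DCE443855B7EA9884884FBAF0AE:
ssb:u:4096:1:C94689581D481BD5:1389830400::::::e:::+:::23:
ssb:u:3072:1:98ECA48587E811A1:1520640000::::::s:::+:::23:'

# Constructed listing of the wrong state: master secret present, subkeys stubs,
# i.e. what a homedir looks like when the full keyring was copied by mistake.
BAD_LISTING='sec:u:4096:1:EA9884884FBAF0AE:1389830400:1558224000::u:::scESC:::+:::23::0:
fpr:::::::::FCF13245ED247DCE443855B7EA9884884FBAF0AE:
ssb:u:4096:1:C94689581D481BD5:1389830400::::::e:::#:::23:
ssb:u:3072:1:98ECA48587E811A1:1520640000::::::s:::#:::23:'

if printf '%s\n' "$GOOD_LISTING" | check_offline_primary; then
    echo "good listing: master offline, signing subkey usable"
fi
if ! printf '%s\n' "$BAD_LISTING" | check_offline_primary; then
    echo "bad listing: master secret present or no usable signing subkey"
fi
```

On a real box, run check_homedir ~/.gnupg-2 (or whatever the online directory is called) after the migration step; a non-zero exit is the signal to stop and look at the listing before the directory gets used for anything.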

#22 Re: Documentation » Safe GnuPG setup (with offlined master secret key) » 2018-03-11 18:35:20

Alright, maybe I'm making it.

This is the listing of my full key, never online, never-ever:

$ ls -lRa .gnupg
.gnupg:
total 11920
drwx------  3 mr mr    4096 2018-03-10 16:24 .
drwxr-xr-x 49 mr mr   20480 2018-03-10 19:35 ..
-rw-------  1 mr mr    8098 2018-03-10 16:24 gpg.conf
-rw-------  1 mr mr       0 2017-01-25 09:21 .gpg-v21-migrated
drwx------  2 mr mr    4096 2017-01-25 09:21 private-keys-v1.d
-rw-------  1 mr mr 6037010 2017-11-18 14:28 pubring.gpg
-rw-------  1 mr mr 6037010 2017-11-18 14:28 pubring.gpg~
-rw-r--r--  1 mr mr   22093 2012-11-12 03:10 pubring.kbx
-rw-------  1 mr mr     600 2018-02-16 13:30 random_seed
-rw-------  1 mr mr   11535 2014-05-20 20:39 secring.gpg
-rw-r--r--  1 mr mr   49152 2017-07-09 04:44 tofu.db
-rw-------  1 mr mr    1720 2017-11-18 14:28 trustdb.gpg

.gnupg/private-keys-v1.d:
total 32
drwx------ 2 mr mr 4096 2017-01-25 09:21 .
drwx------ 3 mr mr 4096 2018-03-10 16:24 ..
-rw------- 1 mr mr 2071 2017-01-25 09:38 61D5243CD1CF616EBE7F2BEE3E830811B6BDCF85.key
-rw------- 1 mr mr 2055 2017-01-25 09:34 69DCB3F7DFF03B916BFADC92F522F46A64565D92.key
-rw------- 1 mr mr 2571 2017-01-25 09:21 959336EEAAFDB6BFDDFE31DA64D5D9130BE96C85.key
-rw------- 1 mr mr 1118 2017-01-25 09:21 B3B690001E37C098B1CA3D8F30F1DDD1A5EA6690.key
-rw------- 1 mr mr 2571 2017-01-25 09:21 B555D13FEBE540A4BB84AA2ED0B2E7C69829DE29.key
-rw------- 1 mr mr  540 2017-10-17 15:17 EF856BB2FD4F96DCCF199A7D1B8641B5A1F6B034.key
$

The link with the --output suggestion (and the ! at end of subkeyID) was right, I might have just made it a better way than before, and I'm recreating the procedure and pasting the story as I go. BTW, previously I was doing it by copying over from the private-keys-v1.d directory the right files, and that's probably not right.

~$ gpg --edit-key EA9884884FBAF0AE
Secret key is available.

sec  rsa4096/EA9884884FBAF0AE
     created: 2014-01-16  expires: 2019-05-19  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa4096/C94689581D481BD5
     created: 2014-01-16  expires: never       usage: E   
[ultimate] (1). Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>
[ revoked] (2)  Miroslav Rovis (consecrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y

And I got here the ncurses (I could never go for GUI stuff to input password, yuk!):

     ┌──────────────────────────────────────────────────────────────────────────────────┐
     │ Please enter the passphrase to unlock the OpenPGP secret key:                    │
     │ "Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>"  │
     │ 4096-bit RSA key, ID EA9884884FBAF0AE,                                           │
     │ created 2014-01-16.                                                              │
     │                                                                                  │
     │                                                                                  │
     │ Passphrase: ***********_________________________________________________________ │
     │                                                                                  │
     │            <OK>                                                <Cancel>          │
     └──────────────────────────────────────────────────────────────────────────────────┘

And once it returned the prompt:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/EA9884884FBAF0AE
     created: 2014-01-16  expires: 2019-05-19  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa4096/C94689581D481BD5
     created: 2014-01-16  expires: never       usage: E   
ssb  rsa3072/98ECA48587E811A1
     created: 2018-03-10  expires: never       usage: S   
[ultimate] (1). Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>
[ revoked] (2)  Miroslav Rovis (consecrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>

gpg>

where the subkey 98ECA48587E811A1 has just been created.

Now I'm just not in the clear about password. It seems (to me) the FAQ is wrong about the redirection (the >) which it uses, as well as it fails to advise the user to add the ! immediately following the chosen subkey ID. But I don't know about its claim about the password. I'll still try to use the password somehow on the new key...

Let's see.

gpg> password

It gave me exactly the same terminal look as 30 lines above here. And I input the very same password. The FAQ doesn't say change the password, but just use it. So on this screen:

                   ┌──────────────────────────────────────────────────────┐
                   │ Please enter the new passphrase                      │
                   │                                                      │
                   │ Passphrase: ________________________________________ │
                   │                                                      │
                   │       <OK>                              <Cancel>     │
                   └──────────────────────────────────────────────────────┘

I simply chose and hit Enter on Cancel.

Then I am presented with:

     ┌──────────────────────────────────────────────────────────────────────────────────┐
     │ Please enter the passphrase to unlock the OpenPGP secret key:                    │
     │ "Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>"  │
     │ 4096-bit RSA key, ID C94689581D481BD5,                                           │
     │ created 2014-01-16 (main key ID EA9884884FBAF0AE).                               │
     │                                                                                  │
     │                                                                                  │
     │ Passphrase: ____________________________________________________________________ │
     │                                                                                  │
     │            <OK>                                                <Cancel>          │
     └──────────────────────────────────────────────────────────────────────────────────┘

which is the encryption subkey. Again, just entered (it's still same password) the password...

NOTE: interruption here because of the timeout, but I'll repeat the procedure as above.

Continuing where I left off in the procedure before the timeout (which I repeated meticulously).

And of course I canceled changing the password on that one too in the same fashion.

And I am presented with the key that I would so much like to have empty password on it.

     ┌──────────────────────────────────────────────────────────────────────────────────┐
     │ Please enter the passphrase to unlock the OpenPGP secret key:                    │
     │ "Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>"  │
     │ 3072-bit RSA key, ID 98ECA48587E811A1,                                           │
     │ created 2018-03-10 (main key ID EA9884884FBAF0AE).                               │
     │                                                                                  │
     │                                                                                  │
     │ Passphrase: ____________________________________________________________________ │
     │                                                                                  │
     │            <OK>                                                <Cancel>          │
     └──────────────────────────────────────────────────────────────────────────────────┘

and in this attempt (if it only be the last one... but who knows if it'll work without changing that password; I mean, with changing the password later in the new, testing should I call it, directory?), and in this attempt I Cancel'ed it too.

Now we only go:

gpg> quit
Save changes? (y/N) y
~$

And now I plan to issue:

$ gpg --output secring.gpg --export-secret-subkeys  98ECA48587E811A1!

(pls. notice the exclamation mark immediately following the 16-hex char string of the new subkey ID)

Shall we?

It was silence, no output, suspense...

 suspense...

 suspense...

There were no errors, the key must have been produced...

~$ ls -l secring.gpg
-rw------- 1 mr mr 5476 2018-03-10 20:12 secring.gpg
~$

So... Let's prepare the testing, should I call it, directory...

~$ mkdir .gnupg-TEST
~$ chmod 700 .gnupg-TEST/
~$ ls -lRa .gnupg-TEST/
.gnupg-TEST/:
total 24
drwx------  2 mr mr  4096 2018-03-10 20:15 .
drwxr-xr-x 50 mr mr 20480 2018-03-10 20:15 ..
~$

Now, as the FAQ says, let's copy the public key and this secring.gpg into it.

~$ cp -iav .gnupg/pubring.* secring.gpg .gnupg-TEST/
'.gnupg/pubring.gpg' -> '.gnupg-TEST/pubring.gpg'
'.gnupg/pubring.gpg~' -> '.gnupg-TEST/pubring.gpg~'
'.gnupg/pubring.kbx' -> '.gnupg-TEST/pubring.kbx'
'secring.gpg' -> '.gnupg-TEST/secring.gpg'
~$ ls -lRa .gnupg-TEST/
.gnupg-TEST/:
total 11852
drwx------  2 mr mr    4096 2018-03-10 20:17 .
drwxr-xr-x 50 mr mr   20480 2018-03-10 20:15 ..
-rw-------  1 mr mr 6038487 2018-03-10 20:07 pubring.gpg
-rw-------  1 mr mr 6037010 2017-11-18 14:28 pubring.gpg~
-rw-r--r--  1 mr mr   22093 2012-11-12 03:10 pubring.kbx
-rw-------  1 mr mr    5476 2018-03-10 20:12 secring.gpg
~$

Entering that directory. No typos allowed during all this time, this is pretty stressful with concentration...

~$ cd .gnupg-TEST
~/.gnupg-TEST$

Now if it all (or be it just most of it... I fear I might not get the password reset easily yet, but who knows...) goes well, I should get the notice about starting migration and more (I've had it in my Air-Gapped machine before going over to prepare this into the online clone of that Air-Gapped).

And merely by listing the (secret) keys.

NOTE: Very important to not forget the --homedir . option here.

$ gpg --homedir . --list-secret-keys
gpg: starting migration from earlier GnuPG versions
gpg: DBG: locking for '/home/mr/.gnupg-TEST/.gpg-v21-migrated.lock' done via O_EXCL
gpg: DBG: locking for '/home/mr/.gnupg-TEST/gnupg_spawn_agent_sentinel.lock' done via O_EXCL
gpg: porting secret keys from '/home/mr/.gnupg-TEST/secring.gpg' to gpg-agent
gpg: DBG: locking for '/home/mr/.gnupg-TEST/pubring.gpg.lock' done via O_EXCL
gpg: release_dotlock: error removing lockfile '/home/mr/.gnupg-TEST/pubring.gpg.lock'
gpg: can't unlock '/home/mr/.gnupg-TEST/pubring.gpg'
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key EA9884884FBAF0AE: secret key imported
gpg: migration succeeded
gpg: release_dotlock: error removing lockfile '/home/mr/.gnupg-TEST/.gpg-v21-migrated.lock'
gpg: failed to create temporary file '/home/mr/.gnupg-TEST/.#lk0x0000007754552660.gdOv.1580': File exists
gpg: Fatal: can't create lock for '/home/mr/.gnupg-TEST/trustdb.gpg'

Ah, I forgot to set up grsec rules for it... But this should be no worry, I'll just call the dir differently, for a name that will fit the rules...

However, I'll repeat the procedure, sorry for the inconvenience, since this is not neat to see...

See:

~/.gnupg-TEST$ ls -lRa
.:
total 11880
drwx------  3 mr mr    4096 2018-03-10 20:23 .
drwxr-xr-x 50 mr mr   20480 2018-03-10 20:15 ..
-rw-r--r--  1 mr mr      16 2018-03-10 20:23 gnupg_spawn_agent_sentinel.lock
-rw-r--r--  1 mr mr       0 2018-03-10 20:23 .gpg-v21-migrated
-rw-r--r--  1 mr mr      16 2018-03-10 20:23 .gpg-v21-migrated.lock
-rw-r--r--  1 mr mr      16 2018-03-10 20:23 .#lk0x0000007754552660.gdOv.1580
-rw-r--r--  1 mr mr      16 2018-03-10 20:23 .#lk0x0000007754554800.gdOv.1580
-rw-r--r--  1 mr mr      16 2018-03-10 20:23 .#lk0x0000007754554890.gdOv.1580
drwx------  2 mr mr    4096 2018-03-10 20:23 private-keys-v1.d
-rw-------  1 mr mr 6038487 2018-03-10 20:07 pubring.gpg
-rw-------  1 mr mr 6037010 2017-11-18 14:28 pubring.gpg~
-rw-r--r--  1 mr mr      16 2018-03-10 20:23 pubring.gpg.lock
-rw-r--r--  1 mr mr   22093 2012-11-12 03:10 pubring.kbx
-rw-------  1 mr mr    5476 2018-03-10 20:12 secring.gpg
srwx------  1 mr mr       0 2018-03-10 20:23 S.gpg-agent
srwx------  1 mr mr       0 2018-03-10 20:23 S.gpg-agent.browser
srwx------  1 mr mr       0 2018-03-10 20:23 S.gpg-agent.extra
srwx------  1 mr mr       0 2018-03-10 20:23 S.gpg-agent.ssh

./private-keys-v1.d:
total 12
drwx------ 2 mr mr 4096 2018-03-10 20:23 .
drwx------ 3 mr mr 4096 2018-03-10 20:23 ..
-rw------- 1 mr mr 2001 2018-03-10 20:23 6D97E1E61FD4350A1E6E246819CCF06BDC5DEF94.key
~/.gnupg-TEST$

That's not completely right.

~$ rm -rf .gnupg-TEST/
~$

More quickly this time:

~$ mkdir .gnupg-2
~$ chmod 700 .gnupg-2
~$ cp -iav .gnupg/pubring.* secring.gpg .gnupg-2
'.gnupg/pubring.gpg' -> '.gnupg-2/pubring.gpg'
'.gnupg/pubring.gpg~' -> '.gnupg-2/pubring.gpg~'
'.gnupg/pubring.kbx' -> '.gnupg-2/pubring.kbx'
'secring.gpg' -> '.gnupg-2/secring.gpg'
~$ cd .gnupg-2
~/.gnupg-2$

Still not right:

~/.gnupg-2$ gpg --homedir . --list-secret-keys
gpg: starting migration from earlier GnuPG versions
gpg: DBG: locking for '/home/mr/.gnupg-2/.gpg-v21-migrated.lock' done via O_EXCL
gpg: DBG: locking for '/home/mr/.gnupg-2/gnupg_spawn_agent_sentinel.lock' done via O_EXCL
gpg: porting secret keys from '/home/mr/.gnupg-2/secring.gpg' to gpg-agent
gpg: DBG: locking for '/home/mr/.gnupg-2/pubring.gpg.lock' done via O_EXCL
gpg: release_dotlock: error removing lockfile '/home/mr/.gnupg-2/pubring.gpg.lock'
gpg: can't unlock '/home/mr/.gnupg-2/pubring.gpg'
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key EA9884884FBAF0AE: secret key imported
gpg: migration succeeded
gpg: release_dotlock: error removing lockfile '/home/mr/.gnupg-2/.gpg-v21-migrated.lock'
gpg: failed to create temporary file '/home/mr/.gnupg-2/.#lk0x000000362630a220.gdOv.1600': File exists
gpg: Fatal: can't create lock for '/home/mr/.gnupg-2/trustdb.gpg'
~/.gnupg-2$

(the listing being similar to the immediately previous attempt just above)

and in the logs:

Mar 10 20:29:09 gdOv kernel: [348585.016922] grsec: (mr:U:/usr/bin/gpg) exec of /usr/bin/gpg (gpg --homedir . --list-secret-keys ) by /usr/bin/gpg[bash:1600] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.032547] grsec: (mr:U:/usr/bin/gpg) denied link of /home/mr/.gnupg-2/.#lk0x000000362630a220.gdOv.1600 to /home/mr/.gnupg-2/.#lk0x000000362630a220.gdOv.1600x by /usr/bin/gpg[gpg:1600] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.032643] grsec: (mr:U:/usr/bin/gpg) denied unlink of /home/mr/.gnupg-2/.#lk0x000000362630a220.gdOv.1600 by /usr/bin/gpg[gpg:1600] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.034393] grsec: (mr:U:/usr/bin/gpg) denied link of /home/mr/.gnupg-2/.#lk0x000000362630c3c0.gdOv.1600 to /home/mr/.gnupg-2/.#lk0x000000362630c3c0.gdOv.1600x by /usr/bin/gpg[gpg:1600] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.034482] grsec: (mr:U:/usr/bin/gpg) denied unlink of /home/mr/.gnupg-2/.#lk0x000000362630c3c0.gdOv.1600 by /usr/bin/gpg[gpg:1600] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.037410] grsec: (mr:U:/usr/bin/gpg) chdir to / by /usr/bin/gpg[gpg:1601] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gpg[gpg:1600] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.040523] grsec: (mr:U:/usr/bin/gpg-agent) exec of /usr/bin/gpg-agent (gpg-agent --homedir /home/mr/.gnupg-2 --use-standard-socket --daemon ) by /usr/bin/gpg-agent[gpg:1602] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar 10 20:29:09 gdOv kernel: [348585.053064] grsec: (mr:U:/usr/bin/gpg-agent) chdir to / by /usr/bin/gpg-agent[gpg-agent:1603] uid/euid:1000/1000 gid/egid:1000/1000, parent /[gpg-agent:1602] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.057464] grsec: (mr:U:/usr/bin/gpg) denied unlink of /home/mr/.gnupg-2/gnupg_spawn_agent_sentinel.lock by /usr/bin/gpg[gpg:1600] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.067366] grsec: (mr:U:/usr/bin/gpg) denied link of /home/mr/.gnupg-2/.#lk0x000000362630c450.gdOv.1600 to /home/mr/.gnupg-2/.#lk0x000000362630c450.gdOv.1600x by /usr/bin/gpg[gpg:1600] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.067462] grsec: (mr:U:/usr/bin/gpg) denied unlink of /home/mr/.gnupg-2/.#lk0x000000362630c450.gdOv.1600 by /usr/bin/gpg[gpg:1600] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.071960] grsec: more alerts, logging disabled for 10 seconds

It was these lines that were missing, and this is short and incomplete explanation of the RBAC grsec rules details here:

# diff grsec_180310_164427_5 /etc/grsec/policy 
7502d7501
<       /home/mr/.gnupg-2               rwcdl
8170,8172d8168
<       /home
<       /home/mr
<       /home/mr/.gnupg*                rwcdl

Now rm -rf this one dir:

~$ rm -rf .gnupg-2
~$

And recreating it as I showed above (repasting for clarity):

~$ mkdir .gnupg-2
~$ chmod 700 .gnupg-2
~$ cp -iav .gnupg/pubring.* secring.gpg .gnupg-2
'.gnupg/pubring.gpg' -> '.gnupg-2/pubring.gpg'
'.gnupg/pubring.gpg~' -> '.gnupg-2/pubring.gpg~'
'.gnupg/pubring.kbx' -> '.gnupg-2/pubring.kbx'
'secring.gpg' -> '.gnupg-2/secring.gpg'
~$ cd .gnupg-2
~/.gnupg-2$

The logs, first:

Mar 10 20:40:49 gdOv kernel: [349284.930930] grsec: (mr:U:/usr/bin/gpg) exec of /usr/bin/gpg (gpg --homedir . --list-secret-keys ) by /usr/bin/gpg[bash:1704] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:40:49 gdOv kernel: [349284.948780] grsec: (mr:U:/usr/bin/gpg) chdir to / by /usr/bin/gpg[gpg:1705] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gpg[gpg:1704] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:40:49 gdOv kernel: [349284.950945] grsec: (mr:U:/usr/bin/gpg-agent) exec of /usr/bin/gpg-agent (gpg-agent --homedir /home/mr/.gnupg-2 --use-standard-socket --daemon ) by /usr/bin/gpg-agent[gpg:1706] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar 10 20:40:49 gdOv kernel: [349284.961521] grsec: (mr:U:/usr/bin/gpg-agent) chdir to / by /usr/bin/gpg-agent[gpg-agent:1707] uid/euid:1000/1000 gid/egid:1000/1000, parent /[gpg-agent:1706] uid/euid:1000/1000 gid/egid:1000/1000

That's what I call neat logs by grsecurity.

Of course the standard output is equally beautiful:

~/.gnupg-2$ gpg --homedir . --list-secret-keys
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/home/mr/.gnupg-2/secring.gpg' to gpg-agent
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key EA9884884FBAF0AE: secret key imported
gpg: migration succeeded
gpg: /home/mr/.gnupg-2/trustdb.gpg: trustdb created
/home/mr/.gnupg-2/pubring.gpg
-----------------------------
sec#  rsa4096 2014-01-16 [SC] [expires: 2019-05-19]
      FCF13245ED247DCE443855B7EA9884884FBAF0AE
uid           [ unknown] Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>
ssb#  rsa4096 2014-01-16 [E]
ssb   rsa3072 2018-03-10 [S]

~/.gnupg-2$

I pasted it complete, even with the empty line with which it closes its talk this time.

And the .gnupg-2/ directory now looks like this:

~/.gnupg-2$ ls -lRa
.:
total 11860
drwx------  3 mr mr    4096 2018-03-10 20:40 .
drwxr-xr-x 50 mr mr   20480 2018-03-10 20:39 ..
-rw-r--r--  1 mr mr       0 2018-03-10 20:40 .gpg-v21-migrated
drwx------  2 mr mr    4096 2018-03-10 20:40 private-keys-v1.d
-rw-------  1 mr mr 6038487 2018-03-10 20:07 pubring.gpg
-rw-------  1 mr mr 6037010 2017-11-18 14:28 pubring.gpg~
-rw-r--r--  1 mr mr   22093 2012-11-12 03:10 pubring.kbx
-rw-------  1 mr mr    5476 2018-03-10 20:12 secring.gpg
srwx------  1 mr mr       0 2018-03-10 20:40 S.gpg-agent
srwx------  1 mr mr       0 2018-03-10 20:40 S.gpg-agent.browser
srwx------  1 mr mr       0 2018-03-10 20:40 S.gpg-agent.extra
srwx------  1 mr mr       0 2018-03-10 20:40 S.gpg-agent.ssh
-rw-------  1 mr mr    1200 2018-03-10 20:40 trustdb.gpg

./private-keys-v1.d:
total 12
drwx------ 2 mr mr 4096 2018-03-10 20:40 .
drwx------ 3 mr mr 4096 2018-03-10 20:40 ..
-rw------- 1 mr mr 2001 2018-03-10 20:40 6D97E1E61FD4350A1E6E246819CCF06BDC5DEF94.key
~/.gnupg-2$

Hmmhh... Not sure if this is all that I expected, or even if this is really it, even partly...

Now it's not, the encrypting sub is also offlined...
See:

ssb#  rsa4096 2014-01-16 [E]

Partly OK it might be though... Some progress there, I'd still say that I made...

What do I try first, the password reset, or getting the encryption subkey into there?

I'll try first another try to get the encryption subkey in.

In the next post.
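The bursts of "denied link of ... / denied unlink of ..." lines above are the raw material for the RBAC policy fix that followed. As an added example (not the post's own code, and not gradm's learning mode, which does this properly), here is a small parser that boils such kernel log lines down to subject, object directory and the RBAC object mode letters the denials ask for. The sample lines are copied from the log excerpt in the post; the mapping of verbs to mode letters covers only the two verbs that appear there (link -> l, unlink -> d), and any other verb is printed as '?' so that it is reviewed rather than guessed.

```shell
#!/bin/sh
# Added example, not the post's own code. Input format is the grsec log line
# shown in the post:
#   grsec: (role:type:subject) denied <op> of <path> [to <path>] by <binary>[...]
# Every other line (exec of, chdir to, "more alerts") is ignored.

# Parse denial lines on stdin into "subject op dir" rows (dir = parent of object).
denials_to_rows() {
    sed -n 's/.*grsec: (\([^:]*\):\([^:]*\):\([^)]*\)) denied \([a-z]*\) of \([^ ]*\).*/\3 \4 \5/p' |
    while read -r subject op path; do
        printf '%s %s %s\n' "$subject" "$op" "${path%/*}"
    done
}

# Map a denied operation to the RBAC object mode letter that would allow it.
# Only the verbs observed in the post are mapped; anything else is '?'.
mode_for() {
    case "$1" in
        link)   echo l ;;
        unlink) echo d ;;
        *)      echo '?' ;;
    esac
}

# One line per subject + directory, with the concatenated mode letters needed.
suggest_object_modes() {
    denials_to_rows | sort -u | while read -r subject op dir; do
        printf '%s %s %s\n' "$subject" "$dir" "$(mode_for "$op")"
    done | awk '{ key = $1 " " $2; modes[key] = modes[key] $3 }
                END { for (k in modes) print k, modes[k] }' | sort
}

# Sample input: four lines taken from the log excerpt in the post (the fourth
# is an exec line, which must be ignored).
SAMPLE_LOG='Mar 10 20:29:09 gdOv kernel: [348585.032547] grsec: (mr:U:/usr/bin/gpg) denied link of /home/mr/.gnupg-2/.#lk0x000000362630a220.gdOv.1600 to /home/mr/.gnupg-2/.#lk0x000000362630a220.gdOv.1600x by /usr/bin/gpg[gpg:1600] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.032643] grsec: (mr:U:/usr/bin/gpg) denied unlink of /home/mr/.gnupg-2/.#lk0x000000362630a220.gdOv.1600 by /usr/bin/gpg[gpg:1600] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.057464] grsec: (mr:U:/usr/bin/gpg) denied unlink of /home/mr/.gnupg-2/gnupg_spawn_agent_sentinel.lock by /usr/bin/gpg[gpg:1600] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29862] uid/euid:1000/1000 gid/egid:1000/1000
Mar 10 20:29:09 gdOv kernel: [348585.040523] grsec: (mr:U:/usr/bin/gpg-agent) exec of /usr/bin/gpg-agent (gpg-agent --homedir /home/mr/.gnupg-2 --use-standard-socket --daemon ) by /usr/bin/gpg-agent[gpg:1602] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0'

# For the sample this prints:  /usr/bin/gpg /home/mr/.gnupg-2 ld
printf '%s\n' "$SAMPLE_LOG" | suggest_object_modes
```

With a real log, feed it e.g. grep grsec /var/log/kern.log | suggest_object_modes. The output says which subject needs which letters on which directory; whether the fix belongs on the subject's own object line or on a wildcard such as /home/mr/.gnupg* is still a policy decision, as the diff above shows.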

#23 Re: Documentation » Safe GnuPG setup (with offlined master secret key) » 2018-03-11 18:31:23

Just solved this issue probably well. See:

https://github.com/miroR/uncenz/releases/tag/v0.31

where you can find:
[ this same title as in top of page ]
https://dev1galaxy.org/viewtopic.php?id=1929

and some code.

And v0.31 is verified.

But I have a backlog of some 3 or so posts (that I had prepared previously) to share.

#24 Re: Documentation » Safe GnuPG setup (with offlined master secret key) » 2018-03-10 18:15:47

I opened a topic at:
"[ quote ] was opened within [ s ]" FluxBB bug?
https://dev1galaxy.org/viewtopic.php?id=1930

(and I'll dedicate it as much time as I can/is needed, whichever possible/necessary)

But I went through this "Safe GnuPG setup" procedure, and there's more...
First, can't do it in such way that on signing subkey I may remove passwd.
Second, here the references from GnuPG users:

--export-options export-reset-subkey-passwd
https://lists.gnupg.org/pipermail/gnupg … 59887.html

where it links to a bug, which this referrer said is:
> Unfortunately this is still an open bug:

export-reset-subkey-passwd no longer works in GnuPG 2.1.0
https://dev.gnupg.org/T1753

And the discussion I found so far is at:

--export-options export-reset-subkey-passwd in gpg 2.1.x
https://lists.gnupg.org/pipermail/gnupg … html#28919

Also, another reference, maybe it's not exactly the right way to use redirection as in the FAQ item that I linked
(

gpg --export-secret-subkeys --no-comment newsubkeyID > secring.auto

)
but rather to use the --output or -o to save the subkeys.

And, another thing, only one subkey at a time (I was trying to export two subkeys, the one for [E] and the other for [ S ]).
As per:
export encryption (subkey) only?
https://lists.gnupg.org/pipermail/gnupg … 57400.html

BTW, let's see if I can get this post to be accepted with the [ S ].

#25 Re: Forum Feedback » "[quote] was opened within [s]" FluxBB bug? » 2018-03-10 18:14:18

I got it again!

And this time it's similar:

The following errors need to be corrected before the message can be posted:

    [ s ] was opened within itself, this is not allowed

And the text that I was trying to paste is exactly what I did eventually paste (of course, the url tags will be added independent of my will), with the sole difference that I will, just right now, in the immediately following paste, add the spaces for the [ s ] (s capital or lowercase, that doesn't matter, I don't think).

The text at this time, with that error by FluxBB corresponds to this hash:

mr@gdOv:~$ sha256sum /Cmn/mr/Dev1_180310_GnuPG_safe_2.txt
d31a5f9a403c4103a17e2e313133f0bc0130d7507930b6a267dc47a3cb0f4004  /Cmn/mr/Dev1_180310_GnuPG_safe_2.txt
mr@gdOv:~$

I don't have my next post's exact link, but it's in that same new today's topic of mine.

Ah, while posting this, I got:

[ s ] was found without a matching [ /s ]

(without spaces, of course).

And now:

The following errors need to be corrected before the message can be posted:

    [ /s ] was found without a matching [ s ]

(without spaces, of course).
