How to set up a GnuPG smartcard step by step

Introduction

To begin configuring your smartcard, you first have to decide which key it is going to store.

You basically have three options:

  • Generate a new private key (RSA) directly on the card;
  • Move your current private key to the card;
  • Generate subkeys from your current key.

Of the options above I recommend using subkeys. A subkey is essentially a private key meant for day-to-day use, while your primary key is kept somewhere safe.

A subkey can do almost everything your primary key can: it can sign, encrypt and decrypt files and messages, but it cannot be signed by other users and cannot sign other keys.

A subkey's trustworthiness is established through the signatures on your primary key.

For this tutorial I will assume you chose to use subkeys and that you do not yet have a primary key 🙂

So we are going to create:

  • Primary key (CS): used to sign and certify other users' keys and subkeys; no expiration date;
  • Signing subkey (S): used to sign documents and messages; initial validity of 2 years;
  • Encryption subkey (E): used to encrypt documents and messages; initial validity of 2 years;
  • Authentication subkey (A): used for two-factor authentication; initial validity of 2 years.

For compatibility with the GnuPG smartcard, the keys and subkeys we create must be RSA 2048-bit.

To create subkeys with exactly the capabilities we want, we need the "--expert" option on the command line.

Creating the primary key

$ gpg --expert --gen-key

gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)

Your selection? 8

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
current allowed actions: Sign Certify Encrypt
   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
current allowed actions: Sign Certify
   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capablity
   (Q) Finished

Your selection? q

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits

Please specify how long the key should be valid.
      0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years

Key is valid for? (0) 0
Key does not expire at all

Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) "
Real name: Ze Ninguem
Email address: nospam@here.org
Comment: Tutorial GnuPG
You selected this USER-ID:
    "Ze Ninguem (Tutorial GnuPG) "
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You need a Passphrase to protect your secret key.

Enter passphrase: <sua senha>
Repeat passphrase: <sua senha>

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
....+++++
........+++++

gpg: /home/ebrandi/.gnupg/trustdb.gpg: trustdb created
gpg: key BEE97FBD marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

pub   2048R/BEE97FBD 2010-11-21
      Key fingerprint = A250 8F7F 0096 6560 0E5C  FEA3 A8BE 34B1 BEE9 7FBD
uid                  Ze Ninguem (Tutorial GnuPG)

Creating the subkeys

To create the subkeys we need to edit our primary key, and for that we need the ID of the primary key we just created, which in our example is BEE97FBD. The command sequence for this step is below:

$ gpg --expert --edit-key BEE97FBD
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/BEE97FBD  created: 2010-11-21  expires: never       usage: CS
                     trust: ultimate      validity: ultimate
[ultimate] (1). Ze Ninguem (Tutorial GnuPG) 

Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Ze Ninguem (Tutorial GnuPG) "
2048-bit RSA key, ID BEE97FBD, created 2010-11-21

Enter passphrase: <sua senha>

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
      0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 2y
Key expires at Tue 20 Nov 2012 12:08:12 PM GMT
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++
+++++

pub  2048R/BEE97FBD  created: 2010-11-21  expires: never       usage: CS
                     trust: ultimate      validity: ultimate
sub  2048R/5B504F9A  created: 2010-11-21  expires: 2012-11-20  usage: S
[ultimate] (1). Ze Ninguem (Tutorial GnuPG) 

Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Ze Ninguem (Tutorial GnuPG) "
2048-bit RSA key, ID BEE97FBD, created 2010-11-21

Enter passphrase: <sua senha>

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
      0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 2y
Key expires at Tue 20 Nov 2012 12:10:42 PM GMT
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.........+++++
...+++++

pub  2048R/BEE97FBD  created: 2010-11-21  expires: never       usage: CS
                     trust: ultimate      validity: ultimate
sub  2048R/5B504F9A  created: 2010-11-21  expires: 2012-11-20  usage: S
sub  2048R/00BF7FF4  created: 2010-11-21  expires: 2012-11-20  usage: E
[ultimate] (1). Ze Ninguem (Tutorial GnuPG) 

Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Ze Ninguem (Tutorial GnuPG) "
2048-bit RSA key, ID BEE97FBD, created 2010-11-21

Enter passphrase: <sua senha>

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? a

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt Authenticate

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt Authenticate

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
      0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 2y
Key expires at Tue 20 Nov 2012 12:12:32 PM GMT
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++
.......+++++

pub  2048R/BEE97FBD  created: 2010-11-21  expires: never       usage: CS
                     trust: ultimate      validity: ultimate
sub  2048R/5B504F9A  created: 2010-11-21  expires: 2012-11-20  usage: S
sub  2048R/00BF7FF4  created: 2010-11-21  expires: 2012-11-20  usage: E
sub  2048R/A3D70E87  created: 2010-11-21  expires: 2012-11-20  usage: A
[ultimate] (1). Ze Ninguem (Tutorial GnuPG)

Command> quit
Save changes? (y/N) y

If you need to check the fingerprint of each of your subkeys, you can get them with the command below:

$ gpg --fingerprint --fingerprint
/home/ebrandi/.gnupg/pubring.gpg
--------------------------------
pub   2048R/BEE97FBD 2010-11-21
      Key fingerprint = A250 8F7F 0096 6560 0E5C  FEA3 A8BE 34B1 BEE9 7FBD
uid                  Ze Ninguem (Tutorial GnuPG)
sub   2048R/5B504F9A 2010-11-21 [expires: 2012-11-20]
      Key fingerprint = 28EE 76C3 B091 8FD1 64F3  BAF3 1AB8 A6DF 5B50 4F9A
sub   2048R/00BF7FF4 2010-11-21 [expires: 2012-11-20]
      Key fingerprint = F1C3 5068 B3BE 7FB4 50DC  0B70 A6CB C19D 00BF 7FF4
sub   2048R/A3D70E87 2010-11-21 [expires: 2012-11-20]
      Key fingerprint = B7AA 2C4E CE11 78BE 5FEE  DFB8 F8E8 B95B A3D7 0E87

Back up your key and subkeys

Now that the primary key and the subkeys have been created, it is essential that you back them up, because you will have no way to extract them from the card later.

To back up the primary key, run:

$ gpg --export-secret-key --armor BEE97FBD > BEE97FBD-secret-key.asc

To back up the subkeys, run:

$ gpg --export-secret-subkeys --armor BEE97FBD > BEE97FBD-secret-subkeys.asc

These files must be stored in a safe place: they are the only way to recreate your keyring in the future if the smartcard gets damaged.

Create your revocation certificate

Immediately after making the backup you should create a revocation certificate for your primary key. You will need this file if you lose access to your key in the future (lost key, forgotten passphrase, etc.) or if its security and integrity are compromised.

To generate the revocation certificate, use the command:

$ gpg --gen-revoke --armor BEE97FBD > BEE97FBD-revocation-certificate.asc

sec  2048R/BEE97FBD 2010-11-21 Ze Ninguem (Tutorial GnuPG) 

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
> Certificado gerado em 2010-11-21 como parte do procedimento padrão
>
Reason for revocation: No reason specified
Certificado gerado em 2010-11-21 como parte do procedimento padrão
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Ze Ninguem (Tutorial GnuPG) "
2048-bit RSA key, ID BEE97FBD, created 2010-11-21

Enter passphrase: <sua senha>

Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!

Keep a copy of the certificate together with the backup of your keys and, if you can, print a copy and keep it with the backup as well. Electronic media degrade over time, while a paper copy can last many years… if you ever lose the electronic copy, OCR can save your life 😉

Copy the subkeys to the smartcard

Before proceeding, make sure you have correctly installed the driver for the smartcard reader you are going to use. To check that the card was recognized, run the command:

$ gpg --card-status
Application ID ...: D2760001240102000005000007D80000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 000007D8
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: [not set]
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

If the command's output looks like the above, your smartcard was recognized and we can proceed with its configuration.

First we edit the card's basic information (name, sex, language, public key URL):

$ gpg --card-edit
Application ID ...: D2760001240102000005000007D80000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 000007D8
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: [not set]
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> name
Cardholder's surname: Ninguem
Cardholder's given name: Ze

gpg/card> lang
Language preferences: en

gpg/card> sex
Sex ((M)ale, (F)emale or space): m

gpg/card> url
URL to retrieve public key: http://www.algumlugar.com/key.asc

gpg/card> verify

Application ID ...: D2760001240102000005000007D80000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 000007D8
Name of cardholder: Ze Ninguem
Language prefs ...: en
Sex ..............: male
URL of public key : http://www.algumlugar.com/key.asc
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: [not set]
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> quit

The next step is to move the subkeys to the card. The process is quite simple; just take care to move each key to the right slot. If you make a mistake, restore the backup of your keys and start over.

Remember to write down the purpose of each subkey: once you use the toggle command, gpg will no longer show that information.

In our example the subkeys have the following uses:

5B504F9A - Signing
00BF7FF4 - Encryption
A3D70E87 - Authentication
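Since the toggled (secret) view hides the usage flags, it helps to record the key-id-to-usage mapping before running toggle. The shell snippet below is an added example, not part of the original post: it reads the usage column from a gpg --edit-key listing and prints, for each subkey, the index to pass to "key N", its key ID, its usage letter and the keytocard slot (1 = signature, 2 = encryption, 3 = authentication) that usage belongs in. The listing embedded as SAMPLE_LISTING is a constructed copy of the one shown in this tutorial; to use it on your own key, pipe the real listing in instead (for example the output of gpg --expert --edit-key up to the first Command> prompt).

```shell
#!/bin/sh
# Added example (not from the original post): derive "subkey index -> key id ->
# usage -> keytocard slot" from a `gpg --edit-key` listing, so the mapping is
# written down BEFORE `toggle` hides the usage column.

# Constructed sample: the listing exactly as gpg 1.4 prints it in this tutorial.
SAMPLE_LISTING='pub  2048R/BEE97FBD  created: 2010-11-21  expires: never       usage: CS
                     trust: ultimate      validity: ultimate
sub  2048R/5B504F9A  created: 2010-11-21  expires: 2012-11-20  usage: S
sub  2048R/00BF7FF4  created: 2010-11-21  expires: 2012-11-20  usage: E
sub  2048R/A3D70E87  created: 2010-11-21  expires: 2012-11-20  usage: A
[ultimate] (1). Ze Ninguem (Tutorial GnuPG)'

# subkey_usage_map: reads a listing on stdin and prints one line per subkey:
#   N KEYID USAGE SLOT
# N is the number you give to `key N` inside --edit-key (subkeys are numbered
# in listing order starting at 1); SLOT is the keytocard destination for that
# usage, or "?" for a usage that has no single card slot (e.g. "SA").
subkey_usage_map() {
    awk '
        $1 == "sub" {
            n++
            split($2, a, "/")          # "2048R/5B504F9A" -> key id after the slash
            usage = $NF                # the usage letters are the last field
            slot = (usage == "S") ? 1 : (usage == "E") ? 2 : (usage == "A") ? 3 : "?"
            printf "%d %s %s %s\n", n, a[2], usage, slot
        }'
}

# map_from_sample: runs the mapping over the constructed sample listing.
map_from_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | subkey_usage_map
}

# Print the mapping; save this next to your key backup before running `toggle`.
map_from_sample
```

Keep the printed mapping with your backup: the N column is the argument to "key N" and the SLOT column is the answer to the "Please select where to store the key" prompt, so the two steps that are easiest to mix up are recorded together.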

The command sequence to move these three keys to the smartcard is below:

$ gpg --edit-key BEE97FBD
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/BEE97FBD  created: 2010-11-21  expires: never       usage: CS
                     trust: ultimate      validity: ultimate
sub  2048R/5B504F9A  created: 2010-11-21  expires: 2012-11-20  usage: S
sub  2048R/00BF7FF4  created: 2010-11-21  expires: 2012-11-20  usage: E
sub  2048R/A3D70E87  created: 2010-11-21  expires: 2012-11-20  usage: A
[ultimate] (1). Ze Ninguem (Tutorial GnuPG) 

Command> toggle

sec  2048R/BEE97FBD  created: 2010-11-21  expires: never
ssb  2048R/5B504F9A  created: 2010-11-21  expires: never
ssb  2048R/00BF7FF4  created: 2010-11-21  expires: never
ssb  2048R/A3D70E87  created: 2010-11-21  expires: never
(1)  Ze Ninguem (Tutorial GnuPG) 

Command> key 1

sec  2048R/BEE97FBD  created: 2010-11-21  expires: never
ssb* 2048R/5B504F9A  created: 2010-11-21  expires: never
ssb  2048R/00BF7FF4  created: 2010-11-21  expires: never
ssb  2048R/A3D70E87  created: 2010-11-21  expires: never
(1)  Ze Ninguem (Tutorial GnuPG) 

Command> keytocard

Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

You need a passphrase to unlock the secret key for
user: "Ze Ninguem (Tutorial GnuPG) "
2048-bit RSA key, ID BEE97FBD, created 2010-11-21

Enter passphrase: <sua senha>

sec  2048R/BEE97FBD  created: 2010-11-21  expires: never
ssb* 2048R/5B504F9A  created: 2010-11-21  expires: never
                               card-no: 0005 000007D8
ssb  2048R/00BF7FF4  created: 2010-11-21  expires: never
ssb  2048R/A3D70E87  created: 2010-11-21  expires: never
(1)  Ze Ninguem (Tutorial GnuPG) 

Command> key 1

sec  2048R/BEE97FBD  created: 2010-11-21  expires: never
ssb  2048R/5B504F9A  created: 2010-11-21  expires: never
                               card-no: 0005 000007D8
ssb  2048R/00BF7FF4  created: 2010-11-21  expires: never
ssb  2048R/A3D70E87  created: 2010-11-21  expires: never
(1)  Ze Ninguem (Tutorial GnuPG) 

Command> key 2

sec  2048R/BEE97FBD  created: 2010-11-21  expires: never
ssb  2048R/5B504F9A  created: 2010-11-21  expires: never
                               card-no: 0005 000007D8
ssb* 2048R/00BF7FF4  created: 2010-11-21  expires: never
ssb  2048R/A3D70E87  created: 2010-11-21  expires: never
(1)  Ze Ninguem (Tutorial GnuPG) 

Command> keytocard

Please select where to store the key:
   (2) Encryption key
Your selection? 2

You need a passphrase to unlock the secret key for
user: "Ze Ninguem (Tutorial GnuPG) "
2048-bit RSA key, ID BEE97FBD, created 2010-11-21

Enter passphrase: <sua senha>

sec  2048R/BEE97FBD  created: 2010-11-21  expires: never
ssb  2048R/5B504F9A  created: 2010-11-21  expires: never
                               card-no: 0005 000007D8
ssb* 2048R/00BF7FF4  created: 2010-11-21  expires: never
                               card-no: 0005 000007D8
ssb  2048R/A3D70E87  created: 2010-11-21  expires: never
(1)  Ze Ninguem (Tutorial GnuPG) 

Command> key 2

sec  2048R/BEE97FBD  created: 2010-11-21  expires: never
ssb  2048R/5B504F9A  created: 2010-11-21  expires: never
                               card-no: 0005 000007D8
ssb  2048R/00BF7FF4  created: 2010-11-21  expires: never
                               card-no: 0005 000007D8
ssb  2048R/A3D70E87  created: 2010-11-21  expires: never
(1)  Ze Ninguem (Tutorial GnuPG) 

Command> key 3

sec  2048R/BEE97FBD  created: 2010-11-21  expires: never
ssb  2048R/5B504F9A  created: 2010-11-21  expires: never
                               card-no: 0005 000007D8
ssb  2048R/00BF7FF4  created: 2010-11-21  expires: never
                               card-no: 0005 000007D8
ssb* 2048R/A3D70E87  created: 2010-11-21  expires: never
(1)  Ze Ninguem (Tutorial GnuPG) 

Command> keytocard

Please select where to store the key:
   (3) Authentication key
Your selection? 3

You need a passphrase to unlock the secret key for
user: "Ze Ninguem (Tutorial GnuPG) "
2048-bit RSA key, ID BEE97FBD, created 2010-11-21

Enter passphrase: <sua senha>

sec  2048R/BEE97FBD  created: 2010-11-21  expires: never
ssb  2048R/5B504F9A  created: 2010-11-21  expires: never
                               card-no: 0005 000007D8
ssb  2048R/00BF7FF4  created: 2010-11-21  expires: never
                               card-no: 0005 000007D8
ssb* 2048R/A3D70E87  created: 2010-11-21  expires: never
                               card-no: 0005 000007D8
(1)  Ze Ninguem (Tutorial GnuPG) 

Command> save

Done, your keys have been transferred to the smartcard 🙂

The next step is to delete your primary secret key (you did make the backup, right?). In the future, when you need to sign someone's key or generate new subkeys, you can import it back from your backup.

To delete it, just run:

$ gpg --delete-secret-key bee97fbd
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sec  2048R/BEE97FBD 2010-11-21 Ze Ninguem (Tutorial GnuPG) 

Delete this key from the keyring? (y/N) y

At this point your GnuPG keyring only holds your public key. To finish the configuration you must regenerate the subkey entries in your keyring that point to your smartcard.

To do this, just run the command "gpg --card-status":

% gpg --card-status

Application ID ...: D2760001240102000005000007D80000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 000007D8
Name of cardholder: Ze Ninguem
Language prefs ...: en
Sex ..............: male
URL of public key : http://www.algumlugar.com/key.asc
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: [not set]
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: 28EE 76C3 B091 8FD1 64F3  BAF3 1AB8 A6DF 5B50 4F9A
      created ....: 2010-11-21 12:09:30
Encryption key....: F1C3 5068 B3BE 7FB4 50DC  0B70 A6CB C19D 00BF 7FF4
      created ....: 2010-11-21 12:12:27
Authentication key: B7AA 2C4E CE11 78BE 5FEE  DFB8 F8E8 B95B A3D7 0E87
      created ....: 2010-11-21 12:15:01
General key info..: pub  2048R/5B504F9A  created: 2010-11-21 Ze Ninguem (Tutorial GnuPG)
sec# 2048R/BEE97FBD  created: 2010-11-21  expires: never
ssb  2048R/5B504F9A  created: 2010-11-21  expires: 2012-11-20
                               card-no: 0005 000007D8
ssb  2048R/00BF7FF4  created: 2010-11-21  expires: 2012-11-20
                               card-no: 0005 000007D8
ssb  2048R/A3D70E87  created: 2010-11-21  expires: 2012-11-20
                               card-no: 0005 000007D8

If the command's output contains the information above for your keys, the smartcard configuration has completed successfully.
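Comparing the three fingerprints by eye is error-prone, so the check can be scripted. The snippet below is an added example, not part of the original post: it parses gpg --card-status output, pulls the fingerprint out of each key slot, and compares it with the fingerprints that gpg --fingerprint --fingerprint printed earlier in this tutorial. SAMPLE_STATUS is a constructed copy of the card-status output shown above (trimmed to the relevant lines); EXPECTED_SIG, EXPECTED_ENC and EXPECTED_AUTH are those fingerprints with the spaces removed. A slot still reading [none] is reported as "none" and counts as a mismatch.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every key slot on the
# card holds the subkey you intended, instead of eyeballing three fingerprints.

# Constructed sample: the `gpg --card-status` output at the end of this tutorial.
SAMPLE_STATUS='Application ID ...: D2760001240102000005000007D80000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 000007D8
Name of cardholder: Ze Ninguem
Signature PIN ....: forced
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: 28EE 76C3 B091 8FD1 64F3  BAF3 1AB8 A6DF 5B50 4F9A
      created ....: 2010-11-21 12:09:30
Encryption key....: F1C3 5068 B3BE 7FB4 50DC  0B70 A6CB C19D 00BF 7FF4
      created ....: 2010-11-21 12:12:27
Authentication key: B7AA 2C4E CE11 78BE 5FEE  DFB8 F8E8 B95B A3D7 0E87
      created ....: 2010-11-21 12:15:01'

# Expected fingerprints from the `gpg --fingerprint --fingerprint` step,
# with spaces stripped so they compare as plain hex strings.
EXPECTED_SIG=28EE76C3B0918FD164F3BAF31AB8A6DF5B504F9A
EXPECTED_ENC=F1C35068B3BE7FB450DC0B70A6CBC19D00BF7FF4
EXPECTED_AUTH=B7AA2C4ECE1178BE5FEEDFB8F8E8B95BA3D70E87

# card_slot STATUS_TEXT LABEL -> prints the fingerprint (no spaces) of the slot
# whose line starts with LABEL, or "none" when gpg reports "[none]".
# The prefix match is anchored at column 1, so "Signature key" does not also
# match "Signature PIN" or "Signature counter".
card_slot() {
    printf '%s\n' "$1" | awk -v label="$2" -F': ' '
        index($0, label) == 1 {
            v = $2
            gsub(/ /, "", v)
            if (v == "[none]") v = "none"
            print v
        }'
}

# card_keys_match STATUS_TEXT -> returns 0 when all three slots hold the
# expected subkeys, 1 otherwise, naming each slot that is wrong.
card_keys_match() {
    status="$1"; ok=0
    [ "$(card_slot "$status" 'Signature key')" = "$EXPECTED_SIG" ] \
        || { echo "signature slot mismatch"; ok=1; }
    [ "$(card_slot "$status" 'Encryption key')" = "$EXPECTED_ENC" ] \
        || { echo "encryption slot mismatch"; ok=1; }
    [ "$(card_slot "$status" 'Authentication key')" = "$EXPECTED_AUTH" ] \
        || { echo "authentication slot mismatch"; ok=1; }
    return $ok
}

# Run the check against the constructed sample; for a real card use
#   card_keys_match "$(gpg --card-status)"
card_keys_match "$SAMPLE_STATUS" && echo "card holds all three expected subkeys"
```

Run it with the card inserted right after the card-status step; a non-zero exit with "encryption slot mismatch" (for example) tells you exactly which keytocard step went to the wrong slot, which is the point at which the post says to restore the backup and start over.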

If you now try any operation involving your subkeys without the smartcard in the reader, you will get an error:

$ gpg -s teste.txt
gpg: selecting openpgp failed: Card not present
gpg: assinatura falhou: Operation cancelled
gpg: signing failed: Operation cancelled

Don't forget to change your card's default PINs. From the factory it ships with PIN 123456 for the normal user and 12345678 for the administrator.

The change is made with the "gpg --card-edit" command and is quite simple: once you choose which PIN to change, gpg asks for the current PIN and then asks you to type and confirm the new one.

% gpg --card-edit

Application ID ...: D2760001240102000005000007D80000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 000007D8
Name of cardholder: Ze Ninguem
Language prefs ...: en
Sex ..............: male
URL of public key : http://www.algumlugar.com/key.asc
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: [not set]
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: 28EE 76C3 B091 8FD1 64F3  BAF3 1AB8 A6DF 5B50 4F9A
      created ....: 2010-11-21 12:09:30
Encryption key....: F1C3 5068 B3BE 7FB4 50DC  0B70 A6CB C19D 00BF 7FF4
      created ....: 2010-11-21 12:12:27
Authentication key: B7AA 2C4E CE11 78BE 5FEE  DFB8 F8E8 B95B A3D7 0E87
      created ....: 2010-11-21 12:15:01
General key info..: pub  2048R/5B504F9A  created: 2010-11-21 Ze Ninguem (Tutorial GnuPG)
sec# 2048R/BEE97FBD  created: 2010-11-21  expires: never
ssb  2048R/5B504F9A  created: 2010-11-21  expires: 2012-11-20
                               card-no: 0005 000007D8
ssb  2048R/00BF7FF4  created: 2010-11-21  expires: 2012-11-20
                               card-no: 0005 000007D8
ssb  2048R/A3D70E87  created: 2010-11-21  expires: 2012-11-20
                               card-no: 0005 000007D8

gpg/card> admin
Admin commands are allowed

gpg/card> passwd
gpg: OpenPGP card no. D2760001240102000005000007D80000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Opção? q

gpg/card> q

Well, that was it. It got a little long… but I think it is easy to reproduce.

Have fun 🙂

[ ]´s Edson
