oct can now set up cards in #KDF mode, the text output format was improved for readability, and some minor bugs were fixed.
Finally, version 0.11.0 uses #rPGP, a pure #Rust OpenPGP library 🦀.
As a result, the binary on #Linux links to four fewer dynamic libraries, while at the same time being 10% smaller.
@hko awesome. I use the openpgp-card-agent on 5 machines already and it made my life so much easier. And oct is also an amazing tool when having to deal with OpenPGP cards. Thank you so much for these awesome projects 😊
openpgp-card is a Rust client library for using #OpenPGP card hardware security devices.
This version comes with a significantly adjusted API:
The low-level API has been moved to the "ocard" module. At the top level of the crate, more convenient abstractions are now directly available (including PIN handling for cards in KDF mode).
30 years ago today, #PGP 2.6 was released via MIT.
Up to this point, two major issues had been unresolved: The legal status of the use of RSA in PGP, and export of the software from the US to the rest of the world.
With the release of PGP 2.6, the first of these two issues was resolved.
oct-git focuses exclusively on ergonomic use with OpenPGP card-based signing keys.
It is designed to be easy to set up, standalone (no long-running processes), and entirely hands-off to use (no repeated PIN entry required, by default). It comes with desktop notifications for touch confirmation (if required).
I just released version 0.3.1 of https://crates.io/crates/rsop, a stateless #OpenPGP ("sop") card tool based on #rPGP.
rsop natively supports OpenPGP card (hardware cryptography) devices.
rsop is featured in the "OpenPGP interoperability test suite" at https://tests.sequoia-pgp.org/ (under "rpgpie", which is rsop's high level OpenPGP library).
I spent a lot of time today trying to figure out #GNUPG / #GPG to encrypt and sign backups. I've used it occasionally for literally decades, but still struggle with it. I know if I used it more, I would get used to it and feel more comfortable, but I don't have the time or the need to use it more.
Is there another good open source program to symmetrically encrypt a file? But, for signing, you would still need to use key pairs, right?
This release adds the "oct admin signing-pin-validity" subcommand, to configure if a card requires User PIN presentation for each signature operation, or if User PIN presentation is valid for the full duration of a connection to the card.
FWIW, I am skeptical of the usefulness of "per-signature PIN presentation" on modern OpenPGP card devices.
This mode made sense with actual Smart Cards, when used in a reader with a physical pin pad.
However, with modern USB devices, I'd say that "touch confirmation" serves a similar goal, but is more fit for purpose.
Mechanisms that move authorization for signing operations outside the host computer add some defense in depth. Repeated PIN presentation from the host computer, less so.
Proton Mail automatically encrypts/decrypts messages between Proton Mail accounts via OpenPGP/PGP.
Proton Mail supports automatically encrypting/decrypting messages between Proton Mail accounts and external email accounts that support OpenPGP/PGP or GnuPG/GPG.
@protonprivacy@blueghost (can be) true, buuut, there's one thing which messes people up: many take writing from/to Proton Mail users as something which will be encrypted "by default" without any knowledge of how PGP keys work, and it's just about trust that Proton does not read messages when storing the secret key themselves...
@iuvi@blueghost Note that Proton Mail servers don't hold your private master key directly — it is always stored encrypted with your account password. And we don't have access to your account password.
I moved to a Thinkpad w541 with coreboot so I needed to set up my email encryption on Thunderbird again.
It took me more time to reconfigure it again - as usual - so I decided to take notes this time and create a blog post about it. As this might be useful for somebody else … or me in the future :-)
@adamsdesk For the FSF Europe fellowship card I don't know. I got my card 8 years ago from floss-shop.de. (I live in Europe/Belgium BTW.) You can check with them if they ship to Canada.
But the setup should work with any GPG-compatible smartcard. I'm also looking at #nitrokey. Not sure if Nitrokey is available on your side of the ocean 🙂
@hko@wiktor I could help with the Windows installer. I've almost 25 years' experience with Windows Installer and was previously the Visual Studio architect on the new installer, and worked on WiX (the original) for many years. I also wrote and maintain installers for PowerShell, OpenSSH for Windows, etc. I've also helped publish those to winget, chocolatey, and scoop.
Does the agent run as a service using the Service Control Manager on Windows, or just a loose exe with no recovery? Systray?
This version comes with substantial updates to the openpgp-card-state dependency (which handles User PIN storage for OpenPGP card devices, see https://codeberg.org/openpgp-card/state).
It now supports selecting different PIN storage backends, including one to store the User PIN directly in the config file.
PIN verification error cases are now handled more defensively.
A card can be configured to use "direct" PIN storage in the config file by editing its configuration (in ~/.config/openpgp-card-state/config.toml on a typical Linux setup) to read like this:
[[cards]]
ident = "0000:01234567"
[cards.pin_storage]
Direct = "123456"
(... if the card's identity is "0000:01234567" and the User PIN is "123456")