Brian Gough’s Notes

I received a new 2048-bit RSA version 2 GPG smartcard today (ordered from Kernel Concepts). Previously I was using the older version 1.0 and 1.1 smartcards, with 1024-bit keys.

I’ve been signing software releases with a GPG smartcard for several years now (before that, with a key stored on disk) and have been migrating my systems over to smartcards for keysigning and SSH. The ultimate goal is to not have any keys stored on disk on any network accessible machine. I also verify the signatures of sources that I download as far as possible, through the web of trust. Initially this was pretty restrictive but after a few years making an effort to keysign at conferences, I’m able to check most packages.

During the keysigning session at the FSF’s LibrePlanet conference last month in Boston, Bradley Kuhn mentioned that he had actually built a basic working GNU/Linux system from scratch for crypto purposes, verifying all of the package signatures through people he had keysigned with — quite an achievement. I am inspired to follow in his footsteps and only use verified source-code.

Unfortunately, as far as I can tell — and I’m ready to be corrected here — neither GNOME nor KDE sign their source releases, which does concern me. Considering that most other projects have been signing releases for years, this appears to be an anomaly that I find hard to understand.

My personal motivation for better security dates back to 2003 when it was discovered that someone (or group) had cracked the ftp.gnu.org server and had root access for over 3 months without being detected. As a result every maintainer had to do a complete audit of all files on the server, which was an extremely timeconsuming process. This incident led to the requirement for all source packages on ftp.gnu.org to be gpg-signed by the developer.

Version 2 GPG Smartcard:

I received my admin pin earlier this week and have now got my FSFE cryptocard working. I’ve generated a key that I can use for signing files (or encryption). I’ve still got a lot to learn about smart cards—from browsing on the web I’ve read that its possible to use a smartcard with ssh, or for unix logins (via a PAM module). Those are both things I’d like to get working. Maybe one day I won’t need a password to login to this site if I have my card ;-)

Success.. I can now read and write to smart cards.

Got my new card reader this morning, so spent most of today getting it working.

I don’t have my FSFE pin yet, so I tried it out on some spare GPG cards I had left over from a talk I gave last year about free software & security.

The fsfe cryptocard arrived today. Looks very nice! After a bit of research I have ordered a new card reader (SPR532). I decided to go for one with an built-in keypad so that the pin can be entered directly into the reader (see here). May as well do things properly, the chain is only as strong as the weakest link and all that.