From e269e8bf9c73e3188683ae9832e62c3c71357de2 Mon Sep 17 00:00:00 2001 From: Jan Mosig Date: Fri, 21 Feb 2020 15:16:36 +0100 Subject: [PATCH 1/4] [4] Added a Dockerfile. So that debugging Unix errors on Windows gets a more realistic test environment option other than git-bash. --- Dockerfile | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 Dockerfile diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..4ac1938 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,18 @@ +# Build with: docker build -t yubiset_arch . +# Run with: docker run -it yubiset_arch /bin/bash +# Remove Container(s) on Windows: for /F "tokens=*" %i in ('docker ps -aqf "ancestor=yubiset_arch"') do docker rm -f %i +# Remove Container(s) on Unix: docker rm -f $(docker ps -aqf "ancestor=yubiset_arch") +# Remove with: docker image rm -f yubiset_arch + +FROM archlinux:latest + +RUN groupadd -r usergroup && useradd --no-log-init -r -g usergroup user +RUN mkdir /home/user +ADD yubiset /home/user/yubiset +RUN find /home/user/yubiset -exec chown user:usergroup {} \; +#rw-r--r-- +RUN find /home/user/yubiset -type f -iname "*" -exec chmod 0644 {} \; +#rwx-r--r-- +RUN find /home/user/yubiset -type f -iname "*.sh" -exec chmod 740 {} \; +USER user +WORKDIR /home/user/yubiset From 4e912b4030e4c57075968dd4ee3b4410e3cc77c9 Mon Sep 17 00:00:00 2001 From: Jan Mosig Date: Fri, 21 Feb 2020 16:30:17 +0100 Subject: [PATCH 2/4] [4] Now filtering parantheses out of comment branding (CMD) --- README.md | 10 ++++++++-- windows/batch/lib/bootstrap.bat | 2 +- windows/batch/lib/branding.bat | 2 ++ windows/batch/yubiset.bat | 9 +++++++-- 4 files changed, 18 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 51ffe9c..4e371e3 100644 --- a/README.md +++ b/README.md 
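Review bot: The `#rwx-r--r--` comment in front of `chmod 740` does not describe the mode it annotates: 0740 is `rwxr-----`, i.e. group read only and no access for others, which is stricter than the comment claims, so it should read `#rwxr-----` (the `#rw-r--r--` above the 0644 step is correct). Two more points in the same hunk: `FROM archlinux:latest` makes the debugging environment non-reproducible across rebuilds, so pin a dated tag or digest, and `ADD yubiset /home/user/yubiset` followed by a separate `find -exec chown` layer can be collapsed into `COPY --chown=user:usergroup yubiset /home/user/yubiset`, which avoids ADD's archive-extraction semantics and does not duplicate the tree in a second layer. The `-iname "*"` in the 0644 `find` matches every file and can simply be dropped.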
@@ -6,7 +6,9 @@ It generates ["the perfect key pair"](https://blog.eleven-labs.com/en/openpgp-al The Yubikey is also provided with user info and PIN setup. -The scripts do also feature a fully automatic heuristic for finding and setting up the correct (Windows) smart card slot device in case gpg does not find your Yubikey automatically. +The scripts do also feature a fully automatic heuristic for finding and setting up the correct (Windows) smart card slot device in case gpg does not find your Yubikey automatically. + +*Remember:* On most installations, scripts may be interrupted by pressing Ctrl+C. - [YUBISET](#yubiset) - [What does it do?](#what-does-it-do) @@ -72,7 +74,7 @@ The file is accompanied by the [SHA-512](https://en.wikipedia.org/wiki/SHA-2) ha ``` # This makes sure, you downloaded an exact copy of the release from GitHub. sha512sum -c yubiset_vt.t.t.test.201907042021.sha512 -yubiset_vt.t.t.test.201907042021.zip: OK # This is the expected output. +yubiset_vt.t.t.test.201907042021.zip: OK # This is the supposed output. ``` @@ -162,6 +164,8 @@ sec rsa4096/0x94AF5E3D1575AC6A 2019-07-01 [C] [expires: 2020-06-30] Key fingerprint = 3B90 7B16 76E6 9F6F 59D1 D103 94AF 5E3D 1575 AC6A uid [ultimate] Max Muster (itemis AG) (Vocational OpenPGP key of itemis AG's Max Muster) ``` + +*Be aware:* GPG does not support arbitrary charaters in key comments. Especially parantheses '(' and ')' will cause problems. On Windows some additional characters may cause trouble, e. g. * ? & or %. Don't use them. ## Unix 
@@ -216,6 +220,8 @@ sec rsa4096/0x94AF5E3D1575AC6A 2019-07-01 [C] [expires: 2020-06-30] uid [ultimate] Max Muster (itemis AG) (Vocational OpenPGP key of itemis AG's Max Muster) ``` +*Be aware:* GPG does not support arbitrary charaters in key comments. Especially parantheses '(' and ')' will cause problems. Don't use them. + ### Override GPG Binaries Since the original bash scripts have been developed on Windows with git-bash and gpg4win, it was necessary to override the gpg binaries provided by git-bash with those of gpg4win. diff --git a/windows/batch/lib/bootstrap.bat b/windows/batch/lib/bootstrap.bat index a55d9af..03d99b4 100644 --- a/windows/batch/lib/bootstrap.bat +++ b/windows/batch/lib/bootstrap.bat @@ -6,7 +6,7 @@ REM Arg 1: Full path to caller script REM Arg 2: Full path to yubiset windows script folder REM -set yubiset_version=0.4.2 +set yubiset_version=0.4.3.CMD set me=%~1 set root_folder=%~2..\.. set error_prefix=ERROR diff --git a/windows/batch/lib/branding.bat b/windows/batch/lib/branding.bat index 5d6b16b..3d62795 100644 --- a/windows/batch/lib/branding.bat +++ b/windows/batch/lib/branding.bat @@ -6,6 +6,8 @@ REM Arg 1: User name REM set branded_user_name=%~1 +REM Be aware: GPG does not support arbitrary charaters in key comments. Especially parantheses '(' and ')' will cause problems. +REM On Windows some additional characters may cause trouble, e. g. * ? & or %. Don't use them. set branded_user_comment= REM What follows is a trick to get the variables into the context of the calling script (which should be a local context as well) without polluting the global env. diff --git a/windows/batch/yubiset.bat b/windows/batch/yubiset.bat index d3db8ee..c2d714b 100644 --- a/windows/batch/yubiset.bat +++ b/windows/batch/yubiset.bat 
@@ -92,6 +92,8 @@ if defined powershell_available ( set /p passphrase=Please enter your passphrase: ) +echo. + call %lib_dir%/branding.bat "%user_name%" %ifErr% echo %error_prefix%: Could not load key branding information. & call :cleanup & goto end_with_error @@ -99,13 +101,16 @@ call %lib_dir%/branding.bat "%user_name%" echo %branded_user_name%>> %keygen_input_copy% echo %user_email%>> %keygen_input_copy% if defined branded_user_comment ( - echo %branded_user_comment%>> %keygen_input_copy% + REM Some characters are not supported in key comments. See https://github.com/JanMosigItemis/yubiset/issues/4 + set sanitized_user_comment=!branded_user_comment:^(=! + set sanitized_user_comment=!sanitized_user_comment:^)=! + echo Found custom user comment branding: !sanitized_user_comment! + echo !sanitized_user_comment!>> %keygen_input_copy% ) else ( echo.>> %keygen_input_copy% ) REM Master key generation -echo. echo Now generating the master key. This may take a while.. type %keygen_input_copy% | gpg --command-fd=0 --status-fd=1 --expert --full-gen-key --pinentry-mode loopback --passphrase %passphrase% >nul 2>&1 %ifErr% echo %error_prefix%: Generating the keypair raised an error. Exiting. & call :cleanup & goto end_with_error From 3060efb778807d0679e182a4662e42b9f83748ee Mon Sep 17 00:00:00 2001 From: Jan Mosig Date: Fri, 21 Feb 2020 17:09:07 +0100 Subject: [PATCH 3/4] [4] Now filtering parantheses out of comment branding (Bash) --- unix/bash/lib/bootstrap.sh | 2 +- unix/bash/lib/branding.sh | 3 ++- unix/bash/yubiset.sh | 8 ++++++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/unix/bash/lib/bootstrap.sh b/unix/bash/lib/bootstrap.sh index b1b34a6..5905353 100644 --- a/unix/bash/lib/bootstrap.sh +++ b/unix/bash/lib/bootstrap.sh 
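Review bot: The two `set sanitized_user_comment=!...:^(=!` substitutions rely on delayed expansion, but no `setlocal EnableDelayedExpansion` is visible in this hunk; if it is not enabled earlier in yubiset.bat, the literal `!branded_user_comment:^(=!` text rather than the comment is what gets written to `%keygen_input_copy%`, so please confirm it is set. The stripping also covers only `(` and `)`, while the README change in this same patch warns that `* ? & %` break on Windows as well — those still pass through to gpg unchanged, so either extend the substitutions or make the limitation explicit next to the issue link: `REM Only ( and ) are stripped here; other characters flagged in the README are not handled.` Silently rewriting a user-chosen comment is a debatable choice, but the `echo Found custom user comment branding:` line at least shows the operator what will actually be used.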
@@ -10,7 +10,7 @@ end_with_error() exit 1 } -if [[ -z "${yubiset_version}" ]] ; then declare -r yubiset_version="0.3.1" ; fi +if [[ -z "${yubiset_version}" ]] ; then declare -r yubiset_version="0.3.2.Bash" ; fi if [[ -z "${me}" ]] ; then declare -r me="$(basename $0)" ; fi # https://stackoverflow.com/questions/630372/determine-the-path-of-the-executing-bash-script diff --git a/unix/bash/lib/branding.sh b/unix/bash/lib/branding.sh index 5aa95ed..ed10f73 100644 --- a/unix/bash/lib/branding.sh +++ b/unix/bash/lib/branding.sh @@ -1,2 +1,3 @@ declare -r branded_user_name="${user_name}" -declare -r branded_user_comment="" \ No newline at end of file +# Be aware: GPG does not support arbitrary charaters in key comments. Especially parantheses '(' and ')' will cause problems. Don't use them. +declare -r branded_user_comment= diff --git a/unix/bash/yubiset.sh b/unix/bash/yubiset.sh index 0019c94..29be2de 100644 --- a/unix/bash/yubiset.sh +++ b/unix/bash/yubiset.sh 
@@ -93,15 +93,19 @@ echo "First, we need a little information from you." read -p "Please enter your full name: " user_name read -p "Please enter your full e-mail address: " user_email read -s -p "Please enter your passphrase: " passphrase +echo . "${lib_dir}"/branding.sh silentCopy "${keygen_input}" "${keygen_input_copy}" echo "${branded_user_name}" >> "${keygen_input_copy}" echo "${user_email}" >> "${keygen_input_copy}" -echo "${branded_user_comment}" >> "${keygen_input_copy}" + +# Some characters are not supported in key comments. See https://github.com/JanMosigItemis/yubiset/issues/4 +declare -r sanitized_user_comment=$( echo "${branded_user_comment}" | sed -r 's/[\(\)]+//g' ) +if [[ ! -z "${sanitized_user_comment}" ]]; then echo "Found custom user comment branding: ${sanitized_user_comment}" ; fi +echo "${sanitized_user_comment}" >> "${keygen_input_copy}" # Master key generation -echo echo "Now generating the master key. This may take a while.." { cat "${keygen_input_copy}" | "${YUBISET_GPG_BIN}" --command-fd=0 --status-fd=1 --expert --full-gen-key --pinentry-mode loopback --passphrase "${passphrase}" ; } || { cleanup; end_with_error "Generating the keypair raised an error." ; } echo ..Success! From d948785a91c6c2c14334ac84e61724ff1e6835e6 Mon Sep 17 00:00:00 2001 
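Review bot: In `sed -r 's/[\(\)]+//g'` the backslashes sit inside a bracket expression, where POSIX treats `\` as an ordinary character rather than an escape, so the class matches `\` as well as `(` and `)` and a backslash in a branding comment would be removed too (GNU sed may behave differently, but the script should not depend on that). Parentheses need no escaping inside brackets, so `sed 's/[()]//g'` — or `tr -d '()'`, which needs no regex at all — states the intent exactly. Since `branded_user_comment` is set by the maintainer in branding.sh rather than read from the user, failing hard on invalid characters would also be defensible, but stripping combined with the visible `Found custom user comment branding:` echo is acceptable once the pattern is fixed.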
From: Jan Mosig Date: Fri, 21 Feb 2020 17:14:57 +0100 Subject: [PATCH 4/4] [4]: Renamed batch dir to cmd. In order to be able to distinguish it better from 'bash'. --- README.md | 12 ++++++------ windows/{batch => cmd}/findyubi.bat | 0 windows/{batch => cmd}/lib/are_you_sure.bat | 0 windows/{batch => cmd}/lib/bootstrap.bat | 0 windows/{batch => cmd}/lib/branding.bat | 0 .../lib/check_powershell_availability.bat | 0 windows/{batch => cmd}/lib/mask_user_input.bat | 0 windows/{batch => cmd}/lib/pretty_print.bat | 0 windows/{batch => cmd}/lib/restart_gpg_agent.bat | 0 windows/{batch => cmd}/lib/restart_scdaemon.bat | 0 windows/{batch => cmd}/resetyubi.bat | 0 windows/{batch => cmd}/setupyubi.bat | 0 windows/{batch => cmd}/yubiset.bat | 0 13 files changed, 6 insertions(+), 6 deletions(-) rename windows/{batch => cmd}/findyubi.bat (100%) rename windows/{batch => cmd}/lib/are_you_sure.bat (100%) rename windows/{batch => cmd}/lib/bootstrap.bat (100%) rename windows/{batch => cmd}/lib/branding.bat (100%) rename windows/{batch => cmd}/lib/check_powershell_availability.bat (100%) rename windows/{batch => cmd}/lib/mask_user_input.bat (100%) rename windows/{batch => cmd}/lib/pretty_print.bat (100%) rename windows/{batch => cmd}/lib/restart_gpg_agent.bat (100%) rename windows/{batch => cmd}/lib/restart_scdaemon.bat (100%) rename windows/{batch => cmd}/resetyubi.bat (100%) rename windows/{batch => cmd}/setupyubi.bat (100%) rename windows/{batch => cmd}/yubiset.bat (100%) diff --git a/README.md b/README.md index 4e371e3..bfbe55c 100644 --- a/README.md +++ b/README.md @@ -41,7 +41,7 @@ The scripts do also feature a fully automatic heuristic for finding and setting * [README.md Table of Contents](#readmemd-table-of-contents) # Supported Environments -* Windows (Batch) +* Windows (CMD) * Windows ([git-bash](https://gitforwindows.org)) * Unix (Bash) 
@@ -102,7 +102,7 @@ gpg --import JanMosigItemisGitHub.asc ### Start here: Key generation & Yubikey setup (all in one script) ``` -cd windows\batch +cd windows\cmd yubiset.bat ``` In case your Yubikey does only support subkeys of 2048bit length (like the NEO), use `yubiset.bat 4` instead. @@ -112,7 +112,7 @@ The main script will use Powershell if it is available in order to hide the pass The following scripts may be used standalone but are also called from the `yubiset` main script: #### Move PGP keys to Yubikey only ``` -cd windows\batch +cd windows\cmd setupyubi.bat "Given Name Surname" "my.email@provider.com" "PGP key id" "passphrase" ``` @@ -121,18 +121,18 @@ If ```passphrase``` is omitted, it will be prompted for. The prompt will be hidd #### Reset Yubikey's OpenPGP module **BE AWARE:** Only tested with Yubikey 4 NEO and Yubikey 5 ``` -cd windows\batch +cd windows\cmd resetyubi.bat ``` #### Find Yubikey Slot ``` -cd windows/batch +cd windows\cmd findyubi.bat ``` ### Key Branding -It is possible to "brand" your generated keys, i. e. give the user name and the comment a custom touch e. g. for your company. This can be controlled by editing the file `windows/batch/lib/branding.bat`. +It is possible to "brand" your generated keys, i. e. give the user name and the comment a custom touch e. g. for your company. This can be controlled by editing the file `windows\cmd\lib\branding.bat`. The default will produce a key like this: diff --git a/windows/batch/findyubi.bat b/windows/cmd/findyubi.bat similarity index 100% rename from windows/batch/findyubi.bat rename to windows/cmd/findyubi.bat diff --git a/windows/batch/lib/are_you_sure.bat b/windows/cmd/lib/are_you_sure.bat similarity index 100% rename from windows/batch/lib/are_you_sure.bat rename to windows/cmd/lib/are_you_sure.bat diff --git a/windows/batch/lib/bootstrap.bat b/windows/cmd/lib/bootstrap.bat similarity index 100% rename from windows/batch/lib/bootstrap.bat rename to windows/cmd/lib/bootstrap.bat 
diff --git a/windows/batch/lib/branding.bat b/windows/cmd/lib/branding.bat similarity index 100% rename from windows/batch/lib/branding.bat rename to windows/cmd/lib/branding.bat diff --git a/windows/batch/lib/check_powershell_availability.bat b/windows/cmd/lib/check_powershell_availability.bat similarity index 100% rename from windows/batch/lib/check_powershell_availability.bat rename to windows/cmd/lib/check_powershell_availability.bat diff --git a/windows/batch/lib/mask_user_input.bat b/windows/cmd/lib/mask_user_input.bat similarity index 100% rename from windows/batch/lib/mask_user_input.bat rename to windows/cmd/lib/mask_user_input.bat diff --git a/windows/batch/lib/pretty_print.bat b/windows/cmd/lib/pretty_print.bat similarity index 100% rename from windows/batch/lib/pretty_print.bat rename to windows/cmd/lib/pretty_print.bat diff --git a/windows/batch/lib/restart_gpg_agent.bat b/windows/cmd/lib/restart_gpg_agent.bat similarity index 100% rename from windows/batch/lib/restart_gpg_agent.bat rename to windows/cmd/lib/restart_gpg_agent.bat diff --git a/windows/batch/lib/restart_scdaemon.bat b/windows/cmd/lib/restart_scdaemon.bat similarity index 100% rename from windows/batch/lib/restart_scdaemon.bat rename to windows/cmd/lib/restart_scdaemon.bat diff --git a/windows/batch/resetyubi.bat b/windows/cmd/resetyubi.bat similarity index 100% rename from windows/batch/resetyubi.bat rename to windows/cmd/resetyubi.bat diff --git a/windows/batch/setupyubi.bat b/windows/cmd/setupyubi.bat similarity index 100% rename from windows/batch/setupyubi.bat rename to windows/cmd/setupyubi.bat diff --git a/windows/batch/yubiset.bat b/windows/cmd/yubiset.bat similarity index 100% rename from windows/batch/yubiset.bat rename to windows/cmd/yubiset.bat