From eb0e913eee8642ced5d25a47263523ccc7237cb7 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Fri, 3 Aug 2012 10:53:04 +0900 Subject: [PATCH] Add doc --- doc/generating-2048-RSA-key.rst | 228 ++++++++++++++++++ doc/gnuk-keytocard-noremoval.rst | 177 ++++++++++++++ doc/gnuk-keytocard.rst | 183 ++++++++++++++ doc/gnuk-personalization.rst | 118 +++++++++ doc/gnuk-token-initial-configuration.rst | 34 +++ doc/images/gnuk-sticker.png | Bin 0 -> 21955 bytes doc/index.rst | 8 + doc/stop-scdaemon.rst | 37 +++ doc/udev-rules.rst | 48 ++++ ...using-gnuk-token-with-another-computer.rst | 173 +++++++++++++ 10 files changed, 1006 insertions(+) create mode 100644 doc/generating-2048-RSA-key.rst create mode 100644 doc/gnuk-keytocard-noremoval.rst create mode 100644 doc/gnuk-keytocard.rst create mode 100644 doc/gnuk-personalization.rst create mode 100644 doc/gnuk-token-initial-configuration.rst create mode 100644 doc/images/gnuk-sticker.png create mode 100644 doc/stop-scdaemon.rst create mode 100644 doc/udev-rules.rst create mode 100644 doc/using-gnuk-token-with-another-computer.rst diff --git a/doc/generating-2048-RSA-key.rst b/doc/generating-2048-RSA-key.rst new file mode 100644 index 0000000..81633f4 --- /dev/null +++ b/doc/generating-2048-RSA-key.rst 
@@ -0,0 +1,228 @@ +============================ +Generating 2048-bit RSA keys +============================ + +This document describes how I generate 2048-bit RSA keys. + +.. BREAK + +Here is the log to generate signature key and encryption subkey. + +I invoke GnuPG with ``--gen-key`` option. :: + + $ gpg --gen-key + gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc. + This is free software: you are free to change and redistribute it. + There is NO WARRANTY, to the extent permitted by law. + +and GnuPG asks kind of key. Select ``RSA and RSA``. :: + + Please select what kind of key you want: + (1) RSA and RSA (default) + (2) DSA and Elgamal + (3) DSA (sign only) + (4) RSA (sign only) + Your selection? 1 + RSA keys may be between 1024 and 4096 bits long. + +and select 2048-bit (as Gnuk Token only suppurt this). :: + + What keysize do you want? (2048) + Requested keysize is 2048 bits + +and select expiration of the key. :: + + Please specify how long the key should be valid. + 0 = key does not expire + = key expires in n days + w = key expires in n weeks + m = key expires in n months + y = key expires in n years + Key is valid for? (0) 0 + Key does not expire at all + +Confirm key types, bitsize and expiration. :: + + Is this correct? (y/N) y + +Then enter user ID. :: + + You need a user ID to identify your key; the software constructs the user ID + from the Real Name, Comment and Email Address in this form: + "Heinrich Heine (Der Dichter) " + + Real name: Niibe Yutaka + Email address: gniibe@fsij.org + Comment: + You selected this USER-ID: + "Niibe Yutaka " + + Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o + +and enter passphrase for this **key on PC**. :: + + You need a Passphrase to protect your secret key. + + +Then, GnuPG generate keys. It takes some time. :: + + We need to generate a lot of random bytes. 
It is a good idea to perform + some other action (type on the keyboard, move the mouse, utilize the + disks) during the prime generation; this gives the random number + generator a better chance to gain enough entropy. + ...+++++ + +++++ + We need to generate a lot of random bytes. It is a good idea to perform + some other action (type on the keyboard, move the mouse, utilize the + disks) during the prime generation; this gives the random number + generator a better chance to gain enough entropy. + ..+++++ + + Not enough random bytes available. Please do some other work to give + the OS a chance to collect more entropy! (Need 15 more bytes) + ...+++++ + gpg: key 28C0CD7C marked as ultimately trusted + public and secret key created and signed. + + gpg: checking the trustdb + gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model + gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u + pub 2048R/28C0CD7C 2011-05-24 + Key fingerprint = 0B4D C763 D57B ADBB 1870 A978 BDEE 4A35 28C0 CD7C + uid Niibe Yutaka + sub 2048R/F01E19B7 2011-05-24 + $ + +Done. + +Then, I create authentication subkey. Authentication subkey is not that common, but very useful (say, for SSH authentication). As it is not that common, we need ``--expert`` option for GnuPG. :: + + $ gpg --expert --edit-key 28C0CD7C + gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc. + This is free software: you are free to change and redistribute it. + There is NO WARRANTY, to the extent permitted by law. + + Secret key is available. + + pub 2048R/28C0CD7C created: 2011-05-24 expires: never usage: SC + trust: ultimate validity: ultimate + sub 2048R/F01E19B7 created: 2011-05-24 expires: never usage: E + [ultimate] (1). Niibe Yutaka + + gpg> + +Here, I enter ``addkey`` command. Then, I enter the passphrase of **key on PC**, I specified above. :: + + gpg> addkey + Key is protected. 
+ + You need a passphrase to unlock the secret key for + user: "Niibe Yutaka " + 2048-bit RSA key, ID 28C0CD7C, created 2011-05-24 + + gpg: gpg-agent is not available in this session + +GnuPG askes kind of key. I select ``RSA (set your own capabilities)``. :: + + Please select what kind of key you want: + (3) DSA (sign only) + (4) RSA (sign only) + (5) Elgamal (encrypt only) + (6) RSA (encrypt only) + (7) DSA (set your own capabilities) + (8) RSA (set your own capabilities) + Your selection? 8 + +And select ``Authenticate`` for the capabilities for this key. Initially, it's ``Sign`` and ``Encrypt``. I need to deselect ``Sign`` and ``Encryp``, and select ``Authenticate``. To do that, I enter ``s``, ``a``, and ``e``. :: + + Possible actions for a RSA key: Sign Encrypt Authenticate + Current allowed actions: Sign Encrypt + + (S) Toggle the sign capability + (E) Toggle the encrypt capability + (A) Toggle the authenticate capability + (Q) Finished + + Your selection? s + + Possible actions for a RSA key: Sign Encrypt Authenticate + Current allowed actions: Encrypt + + (S) Toggle the sign capability + (E) Toggle the encrypt capability + (A) Toggle the authenticate capability + (Q) Finished + + Your selection? a + + Possible actions for a RSA key: Sign Encrypt Authenticate + Current allowed actions: Encrypt Authenticate + + (S) Toggle the sign capability + (E) Toggle the encrypt capability + (A) Toggle the authenticate capability + (Q) Finished + + Your selection? e + + Possible actions for a RSA key: Sign Encrypt Authenticate + Current allowed actions: Authenticate + + (S) Toggle the sign capability + (E) Toggle the encrypt capability + (A) Toggle the authenticate capability + (Q) Finished + +OK, I set the capability of ``Authenticate``. I enter ``q`` to finish setting capabilities. :: + + Your selection? q + +GnuPG asks bitsize and expiration, I enter 2048 for bitsize and no expiration. Then, I confirm that I really create the key. 
:: + + RSA keys may be between 1024 and 4096 bits long. + What keysize do you want? (2048) + Requested keysize is 2048 bits + Please specify how long the key should be valid. + 0 = key does not expire + = key expires in n days + w = key expires in n weeks + m = key expires in n months + y = key expires in n years + Key is valid for? (0) 0 + Key does not expire at all + Is this correct? (y/N) y + Really create? (y/N) y + +Then, GnuPG generate the key. :: + + We need to generate a lot of random bytes. It is a good idea to perform + some other action (type on the keyboard, move the mouse, utilize the + disks) during the prime generation; this gives the random number + generator a better chance to gain enough entropy. + .......+++++ + +++++ + + pub 2048R/28C0CD7C created: 2011-05-24 expires: never usage: SC + trust: ultimate validity: ultimate + sub 2048R/F01E19B7 created: 2011-05-24 expires: never usage: E + sub 2048R/B8929606 created: 2011-05-24 expires: never usage: A + [ultimate] (1). Niibe Yutaka + + gpg> + +I save the key. :: + + gpg> save + $ + +Now, we have three keys (one primary key for signature and certification, subkey for encryption, and another subkey for authentication). + + +Publishing public key +===================== + +I make a file for my public key by ``--export`` option of GnuPG. :: + + $ gpg --armor --output gniibe.asc --export 4CA7BABE + +and put it at: http://www.gniibe.org/gniibe.asc diff --git a/doc/gnuk-keytocard-noremoval.rst b/doc/gnuk-keytocard-noremoval.rst new file mode 100644 index 0000000..0e3abb9 --- /dev/null +++ b/doc/gnuk-keytocard-noremoval.rst 
@@ -0,0 +1,177 @@ +============================================= +Key import from PC to Gnuk Token (no removal) +============================================= + +This document describes how I put my **keys on PC** to the Token without removing keys from PC. + +The difference is just not-to-save changes after key imports. + +.. BREAK + +After personalization, I put my keys into the Token. + +Here is the log. + +I invoke GnuPG with my key (4ca7babe) and with ``--homedir`` option to specify the directory which contains my secret keys. :: + + $ gpg --homedir=/home/gniibe/tmp/gnuk-testing-dir --edit-key 4ca7babe + gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc. + This is free software: you are free to change and redistribute it. + There is NO WARRANTY, to the extent permitted by law. + + Secret key is available. + + pub 2048R/4CA7BABE created: 2010-10-15 expires: never usage: SC + trust: ultimate validity: ultimate + sub 2048R/084239CF created: 2010-10-15 expires: never usage: E + sub 2048R/5BB065DC created: 2010-10-22 expires: never usage: A + [ultimate] (1). NIIBE Yutaka + + +Then, GnuPG enters its own command interaction mode. The prompt is ``gpg>``. +To enable ``keytocard`` command, I type ``toggle`` command. :: + + gpg> toggle + + sec 2048R/4CA7BABE created: 2010-10-15 expires: never + ssb 2048R/084239CF created: 2010-10-15 expires: never + ssb 2048R/5BB065DC created: 2010-10-22 expires: never + (1) NIIBE Yutaka + +Firstly, I import my primary key into Gnuk Token. +I type ``keytocard`` command, answer ``y`` to confirm keyimport, +and type ``1`` to say it's signature key. :: + + gpg> keytocard + Really move the primary key? (y/N) y + gpg: detected reader `FSIJ Gnuk (0.12-38FF6A06) 00 00' + Signature key ....: [none] + Encryption key....: [none] + Authentication key: [none] + + Please select where to store the key: + (1) Signature key + (3) Authentication key + Your selection? 1 + +Then, GnuPG asks two passwords. 
One is the passphrase of **keys on PC** and another is the password of **Gnuk Token**. Note that the password of the token and the password of the keys on PC are different things, although they can be same. + +I enter these passwords. :: + + You need a passphrase to unlock the secret key for + user: "NIIBE Yutaka " + 2048-bit RSA key, ID 4CA7BABE, created 2010-10-15 + + gpg: writing new key + gpg: 3 Admin PIN attempts remaining before card is permanently locked + + Please enter the Admin PIN + Enter Admin PIN: + + sec 2048R/4CA7BABE created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb 2048R/084239CF created: 2010-10-15 expires: never + ssb 2048R/5BB065DC created: 2010-10-22 expires: never + (1) NIIBE Yutaka + +The primary key is now on the Token and GnuPG says its card-no (F517 00000001) , where F517 is the vendor ID of FSIJ. + +Secondly, I import my subkey of encryption. I select key number '1'. :: + + gpg> key 1 + + sec 2048R/4CA7BABE created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb* 2048R/084239CF created: 2010-10-15 expires: never + ssb 2048R/5BB065DC created: 2010-10-22 expires: never + (1) NIIBE Yutaka + +You can see that the subkey is marked by '*'. +I type ``keytocard`` command to import this subkey to Gnuk Token. I select ``2`` as it's encryption key. :: + + gpg> keytocard + Signature key ....: [none] + Encryption key....: [none] + Authentication key: [none] + + Please select where to store the key: + (2) Encryption key + Your selection? 2 + +Then, GnuPG asks the passphrase of **keys on PC** again. I enter. 
:: + + You need a passphrase to unlock the secret key for + user: "NIIBE Yutaka " + 2048-bit RSA key, ID 084239CF, created 2010-10-15 + + gpg: writing new key + + sec 2048R/4CA7BABE created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb* 2048R/084239CF created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb 2048R/5BB065DC created: 2010-10-22 expires: never + (1) NIIBE Yutaka + +The sub key is now on the Token and GnuPG says its card-no for it. + +I type ``key 1`` to deselect key number '1'. :: + + gpg> key 1 + + sec 2048R/4CA7BABE created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb 2048R/084239CF created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb 2048R/5BB065DC created: 2010-10-22 expires: never + (1) NIIBE Yutaka + +Thirdly, I select sub key of suthentication which has key number '2'. :: + + gpg> key 2 + + sec 2048R/4CA7BABE created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb 2048R/084239CF created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb* 2048R/5BB065DC created: 2010-10-22 expires: never + (1) NIIBE Yutaka + +You can see that the subkey number '2' is marked by '*'. +I type ``keytocard`` command to import this subkey to Gnuk Token. I select ``3`` as it's authentication key. :: + + gpg> keytocard + Signature key ....: [none] + Encryption key....: [none] + Authentication key: [none] + + Please select where to store the key: + (3) Authentication key + Your selection? 3 + +Then, GnuPG asks the passphrase of **keys on PC** again. I enter. 
:: + + You need a passphrase to unlock the secret key for + user: "NIIBE Yutaka " + 2048-bit RSA key, ID 5BB065DC, created 2010-10-22 + + gpg: writing new key + + sec 2048R/4CA7BABE created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb 2048R/084239CF created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb* 2048R/5BB065DC created: 2010-10-22 expires: never + card-no: F517 00000001 + (1) NIIBE Yutaka + +The sub key is now on the Token and GnuPG says its card-no for it. + +Lastly, I quit GnuPG. Note that I **don't** save changes. :: + + gpg> quit + Save changes? (y/N) n + Quit without saving? (y/N) y + $ + +All keys are imported to Gnuk Token now. diff --git a/doc/gnuk-keytocard.rst b/doc/gnuk-keytocard.rst new file mode 100644 index 0000000..e223c16 --- /dev/null +++ b/doc/gnuk-keytocard.rst 
@@ -0,0 +1,183 @@ +================================ +Key import from PC to Gnuk Token +================================ + +This document describes how I put my **keys on PC** to the Token, and remove keys from PC. + +Note that there is **no ways** to export keys from the Token, so please be careful. + +.. BREAK + +If you want to import same keys to multiple Tokens, please copy ``.gnupg`` directory before. In my case, I do something like following: :: + + $ cp -a .gnupg tmp/gnuk-testing-dir + +See `another document`_ to import keys to the Token from copied directory. + +.. _another document: gnuk-keytocard-noremoval + +After personalization, I put my keys into the Token. + +Here is the log. + +I invoke GnuPG with my key (4ca7babe). :: + + $ gpg --edit-key 4ca7babe + gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc. + This is free software: you are free to change and redistribute it. + There is NO WARRANTY, to the extent permitted by law. + + Secret key is available. + + pub 2048R/4CA7BABE created: 2010-10-15 expires: never usage: SC + trust: ultimate validity: ultimate + sub 2048R/084239CF created: 2010-10-15 expires: never usage: E + sub 2048R/5BB065DC created: 2010-10-22 expires: never usage: A + [ultimate] (1). NIIBE Yutaka + + +Then, GnuPG enters its own command interaction mode. The prompt is ``gpg>``. +To enable ``keytocard`` command, I type ``toggle`` command. :: + + gpg> toggle + + sec 2048R/4CA7BABE created: 2010-10-15 expires: never + ssb 2048R/084239CF created: 2010-10-15 expires: never + ssb 2048R/5BB065DC created: 2010-10-22 expires: never + (1) NIIBE Yutaka + +Firstly, I import my primary key into Gnuk Token. +I type ``keytocard`` command, answer ``y`` to confirm keyimport, +and type ``1`` to say it's signature key. :: + + gpg> keytocard + Really move the primary key? 
(y/N) y + gpg: detected reader `FSIJ Gnuk (0.12-38FF6A06) 00 00' + Signature key ....: [none] + Encryption key....: [none] + Authentication key: [none] + + Please select where to store the key: + (1) Signature key + (3) Authentication key + Your selection? 1 + +Then, GnuPG asks two passwords. One is the passphrase of **keys on PC** and another is the password of **Gnuk Token**. Note that the password of the token and the password of the keys on PC are different things, although they can be same. + +I enter these passwords. :: + + You need a passphrase to unlock the secret key for + user: "NIIBE Yutaka " + 2048-bit RSA key, ID 4CA7BABE, created 2010-10-15 + + gpg: writing new key + gpg: 3 Admin PIN attempts remaining before card is permanently locked + + Please enter the Admin PIN + Enter Admin PIN: + + sec 2048R/4CA7BABE created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb 2048R/084239CF created: 2010-10-15 expires: never + ssb 2048R/5BB065DC created: 2010-10-22 expires: never + (1) NIIBE Yutaka + +The primary key is now on the Token and GnuPG says its card-no (F517 00000001) , where F517 is the vendor ID of FSIJ. + +Secondly, I import my subkey of encryption. I select key number '1'. :: + + gpg> key 1 + + sec 2048R/4CA7BABE created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb* 2048R/084239CF created: 2010-10-15 expires: never + ssb 2048R/5BB065DC created: 2010-10-22 expires: never + (1) NIIBE Yutaka + +You can see that the subkey is marked by '*'. +I type ``keytocard`` command to import this subkey to Gnuk Token. I select ``2`` as it's encryption key. :: + + gpg> keytocard + Signature key ....: [none] + Encryption key....: [none] + Authentication key: [none] + + Please select where to store the key: + (2) Encryption key + Your selection? 2 + +Then, GnuPG asks the passphrase of **keys on PC** again. I enter. 
:: + + You need a passphrase to unlock the secret key for + user: "NIIBE Yutaka " + 2048-bit RSA key, ID 084239CF, created 2010-10-15 + + gpg: writing new key + + sec 2048R/4CA7BABE created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb* 2048R/084239CF created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb 2048R/5BB065DC created: 2010-10-22 expires: never + (1) NIIBE Yutaka + +The sub key is now on the Token and GnuPG says its card-no for it. + +I type ``key 1`` to deselect key number '1'. :: + + gpg> key 1 + + sec 2048R/4CA7BABE created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb 2048R/084239CF created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb 2048R/5BB065DC created: 2010-10-22 expires: never + (1) NIIBE Yutaka + +Thirdly, I select sub key of suthentication which has key number '2'. :: + + gpg> key 2 + + sec 2048R/4CA7BABE created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb 2048R/084239CF created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb* 2048R/5BB065DC created: 2010-10-22 expires: never + (1) NIIBE Yutaka + +You can see that the subkey number '2' is marked by '*'. +I type ``keytocard`` command to import this subkey to Gnuk Token. I select ``3`` as it's authentication key. :: + + gpg> keytocard + Signature key ....: [none] + Encryption key....: [none] + Authentication key: [none] + + Please select where to store the key: + (3) Authentication key + Your selection? 3 + +Then, GnuPG asks the passphrase of **keys on PC** again. I enter. 
:: + + You need a passphrase to unlock the secret key for + user: "NIIBE Yutaka " + 2048-bit RSA key, ID 5BB065DC, created 2010-10-22 + + gpg: writing new key + + sec 2048R/4CA7BABE created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb 2048R/084239CF created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb* 2048R/5BB065DC created: 2010-10-22 expires: never + card-no: F517 00000001 + (1) NIIBE Yutaka + +The sub key is now on the Token and GnuPG says its card-no for it. + +Lastly, I save changes of **keys on PC** and quit GnuPG. :: + + gpg> save + $ + +All secret keys are imported to Gnuk Token now. On PC, only references (card-no) to the Token remain. diff --git a/doc/gnuk-personalization.rst b/doc/gnuk-personalization.rst new file mode 100644 index 0000000..7aab551 --- /dev/null +++ b/doc/gnuk-personalization.rst 
@@ -0,0 +1,118 @@ +============================= +Personalization of Gnuk Token +============================= + + +Personalize your Gnuk Token +=========================== + +Invoke GnuPG with the option ``--card-edit``. :: + + $ gpg --card-edit + gpg: detected reader `FSIJ Gnuk (0.12-34006E06) 00 00' + Application ID ...: D276000124010200F517000000010000 + Version ..........: 2.0 + Manufacturer .....: FSIJ + Serial number ....: 00000001 + Name of cardholder: [not set] + Language prefs ...: [not set] + Sex ..............: unspecified + URL of public key : [not set] + Login data .......: [not set] + Signature PIN ....: forced + Key attributes ...: 2048R 2048R 2048R + Max. PIN lengths .: 127 127 127 + PIN retry counter : 3 3 3 + Signature counter : 0 + Signature key ....: [none] + Encryption key....: [none] + Authentication key: [none] + General key info..: [none] + +It shows the status of the card (as same as the output of ``gpg --card-status``). It shows token's name and its USB serial string (0.12-34006E06) from PC/SC-lite. + +Then, GnuPG enters its own command interaction mode. The prompt is ``gpg/card>``. + +Firstly, I change PIN of card user from factory setting (of "123456"). Note that, only changing PIN of user enables "admin less mode" of Gnuk. Admin password will become same one of user's. :: + + gpg/card> passwd + gpg: OpenPGP card no. D276000124010200F517000000010000 detected + + Please enter the PIN + Enter PIN: 123456 + + New PIN + Enter New PIN: + + New PIN + Repeat this PIN: + PIN changed. + +Secondly, enabling admin command, I put name of mine. Note that I input user's PIN (which I set above) here, because it is "admin less mode". 
:: + + gpg/card> admin + Admin commands are allowed + + gpg/card> name + Cardholder's surname: Niibe + Cardholder's given name: Yutaka + gpg: 3 Admin PIN attempts remaining before card is permanently locked + + Please enter the Admin PIN + Enter Admin PIN: + +Thirdly, I put some other informations, such as language, sex, login, and URL. URL specifies the place where I put my public keys. :: + + gpg/card> lang + Language preferences: ja + + gpg/card> sex + Sex ((M)ale, (F)emale or space): m + + gpg/card> url + URL to retrieve public key: http://www.gniibe.org/gniibe.asc + + gpg/card> login + Login data (account name): gniibe + +Since I don't force PIN input everytime, toggle it to non-force-pin-for-signature. :: + + gpg/card> forcesig + +Lastly, I setup reset code. This is optional. :: + + gpg/card> passwd + gpg: OpenPGP card no. D276000124010200F517000000010000 detected + + 1 - change PIN + 2 - unblock PIN + 3 - change Admin PIN + 4 - set the Reset Code + Q - quit + + Your selection? 4 + gpg: 3 Admin PIN attempts remaining before card is permanently locked + + Please enter the Admin PIN + Enter Admin PIN: + + New Reset Code + Enter New PIN: + + New Reset Code + Repeat this PIN: + Reset Code set. + + 1 - change PIN + 2 - unblock PIN + 3 - change Admin PIN + 4 - set the Reset Code + Q - quit + + Your selection? q + +Then, I quit. :: + + gpg/card> quit + +That's all. diff --git a/doc/gnuk-token-initial-configuration.rst b/doc/gnuk-token-initial-configuration.rst new file mode 100644 index 0000000..d2a5c9a --- /dev/null +++ b/doc/gnuk-token-initial-configuration.rst 
@@ -0,0 +1,34 @@ +=================================== +Initial Configuration of Gnuk Token +=================================== + +Conditions +========== + +I assume you are using GNU/Linux. + + +Preparation +=========== + +We need to kill ``scdaemon`` before configuring Gnuk Token. :: + + $ gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye + + +Serial Number (optional) +======================== + +In the file ``GNUK_SERIAL_NUMBER``, each line has email and 6-byte serial number. + +The tool ``../tool/gnuk_put_binary.py`` examines environment variable of ``EMAIL``, and writes serial number to Gnuk Token. :: + + $ ../tool/gnuk_put_binary.py -s ../GNUK_SERIAL_NUMBER + Writing serial number + Token: FSIJ Gnuk (0.12-38FF6A06) 00 00 + ATR: 3B DA 11 FF 81 B1 FE 55 1F 03 00 31 84 73 80 01 40 00 90 00 24 + + +The tool ``../tool/gnuk_put_binary.py`` is for PC/SC Lite. Use +``../tool/gnuk_put_binary_libusb.py`` instead, if you don't use +PC/SC Lite but use libusb directly. 
diff --git a/doc/images/gnuk-sticker.png b/doc/images/gnuk-sticker.png new file mode 100644 index 0000000000000000000000000000000000000000..511c783fd1e6f68f409f5f21441777645dbafd96 GIT binary patch literal 21955
z>^?ks;y>T6mTAozAD<&HkGXtaCMBA>fHG2P5zx7m7Dc^4<1TMo!Df)bop1(H+k1 zRTW!uxn=C@9<^wERb7#=P}pqOpTHh@`@A`e7yro2-}1l8!^7i5|BG6O-;L^Olbjq& zoI*tJ-3wk`_L}X^K3Rc)$Zr#N#O$ef8I+-6kihWr-1qo}7k?jUZqkd{QPAizlV4u% zR~;yFVn0 z+O+Aw#l`LX{nF|`O>_bUO|5or2-vdkY^iIhW8JJ-Qc_-C2exEhUUqevfJg33FEc~oVl_^k+riFGyy+TQuwI8-WJ(U{ccx2UntuVyQ}0~jQCz1E-o(a%02S+wYc~t(IXGlU1xj}&d&P#JN*oUTi=&&-#)JV{rmJ&EzQg< zCP&Bb?>duTZQiVGe0Yb2(CiBl3!DC|-(U7t%8=>9$C+klPj+UCT?$xGyW{$r$h}nu z8eVO`e(BPckRT==o-bctFW%{MdYW!jN6^cHGcztO_M9bY*xAK3{rBG{pG8i-f3|Fz zu|(^6;H~ZX*Uw!Mxv??%wweF=S>~07hKiZh_NylF*Z%YInPn#Wyn422_A{UK=eM+F z)<)gDB_(z3Z>ed?3buPMY98#|85tQF>5!Kf6H{YzVc*{7=7g${QWjR*%1=KGKiclA zW?!*l#cF9uMlP}+Z21>ySq{r~(g*@vbyi9JCYHg z)$fkYF5*+ZwB7`5jXQSi%n#6DQ0ME#X&1k2VVbj0@#EEVGmX>z&d*cf+F4nA@%#4e z`FC%f;Nak^`)6Y}Pcl68`o)cl7cZVEX^?T@K;zoz>;LR7|9i&FJ_)?RYU(tmz`%07f>v$GQ%vOcA!2;8^nSO53* zLTBGr)6Ta4f4`e%-?{6#rpMyvUz6JN7cN`~@a<(;UHj9isk?H|DsG>^?%wY1?(VIo z2KE2;RIXdM#3|N!R>c2|75sCAp<7QuJ4UZ9b@&lzQ}1VT=-Jt+Q>IL9EPH!vtMKxa z=d(<2Z_B;Q)gxtE{_f7s16#Ax&;R<(EGe0pDJt5~>^xmhPL82H*xdMcn_tnV<^F<# z4lywov2`n7ATMR{`}16ZI#%x z_Y*xK>Qc}acy?5`j^NG~|pClv{)rnI?#J|6j)vT;~FLz;8=dcq3SQkb{&6+uLCV0oz#*GcVy?giW-MeJ{zIO|yJkQUwt&WN|_MSGMTdTp=ri~}_ za$Dr44IWIdnDa{lU$nMXR#sLvEK57910FV?dbYsSbnDiwTN?`>KRfgB6H`%;#cN_S ztV&N#I>l0!dVHnl+jLXY(9qCO1>3n#Zi9E6Ug5pMe(#0J2T(*@x-^U3-ovwVTDos6 zSMu?5GYm6@GLr&gcvx6t_y2pp-@)a`Y;#Rbm&MPE7=?w4i`m%^+_-UQQRwPlmv4Y} zcm@ZZ=y`LHdD6bAGd*iw$LL+yTRq>-wwg&zO-$_3lnqPlG&EPvN?mrjGbl2$t}gak zUs_^f;?MP$GfWFoQy+PsJ*jBNFsokY*FVtwse>nH|MABY4@oUz>AY|%X>WCP1&`E` z8o$q{z&lz#Hf8Kl_hWE%RgqY{X3d@$uP%yI+itS zbab*Ny_-07>fE_=&(_3)w@Q~fFTQ%9w6wRkx3{qc1Xw<@R$O1FGRw;33uwtvL)qJ1 zUQp9N`s4TV0)?%Y7B7z9 zHzlQ2=M_^x=+z4sE-2WQ%F3SP&g1HLR}(YsHTCfH^!4>+H8JtXVFd3*zI!10yitSGGIyc9%*zHpI<$@i>?RWUgzk}wR zh3o(O&-du9($y6f4xF_Bw4-@Lhx_8SN8BEM?&P%6?*0+w>(h}R6S4#}2(}cmxim&W zSJ&KJylwIU#Vd znI$qJA|k@2IV>rAi`0&}vYc+atG|P`+-BF!*;fnN7u2w0$AbsY&o}<5QM&M7yXKdO ztgI|=N}8LitNY}4$)=pI7CTnVoayS?+PWkpCwAJh)WpP0n<=2S*i^>G#{Yjlf6?4f 
z@bEz6Y%|8czh1ubo2T>gqG_GfTK+$`xnEvbSX=$z<>dzt9z2*OfBbg!p%zZzhR@H- z-`&|MtfBK~C-;P!pP*S0raL=}A00V4`M@90+Ua?*pC8Y)a5Tvm7k@M>Au;ji`%e!K zcZ(YuIusS<j@*t)9hWxK|i)x3hS+UD$?uzf(x3@XB z^U1Na@z1v`e&*vD|FmCO;lZ1m$NL+#!}(-)Rf~K0`g)u=!5}2Ocu`OggRHExv#;-h zJv+bvzr{PX9{ zo2;x2Jv^CWi3tg5%T{xLdGYY!#f{1ad3P=?b#7xQDq6B+&60PwZ)_|p`}~|)-hR@@ z;Ha&y?(D2APWb`$n%zF5Kf4}thbpC)CpR5_TZ*0lW&*Xe_v-tbFQ&St7 zm|i{-6)Jk}7a>vb?#{Wn=6MX9oEI-@YC3p%#oU>$f8^`3g^XX`{(imw?r!GEYHOoR zb0iA>{fV!?yMyu0{`!|e9vl-U2uRMH!;_L)`*YH4?^m`{rZReYWo31BHEiA5+}z6g z;OW-1vl|l6{BTV@J1f5K=3eO?m7kAv{{Ei*FGeS_=)r+2D-RrKoUFck$CW=8M~^PK zyL|KJNtg8ZGq|};o3`Y*Q^=Kdv8ML#>Sd$2_g>6?Fr`nHo#(}Ud5h9lcXk#(&#IFF z&BM96CVYM6+AXHbv@ZVpXX^q64*vCX+w?Q#?Do|C{Z;zls`e$n(!akxSzfbnY?(YYi@7JqW{$*wDQJ6Sc`K*qV7O36E#dTnTV_ck`o}p^u3VWT^US8NFU84; z)n@LFFYj#Ae75HuxV!u3&*S}|D2;jflGCPMPC!74ODD!6T>*9;<3%Qf?@{*I2nU^dR6Bid{1TCWb{x0@xzq+>ftco>J zTPr?3I@&NLBr7XQs^HI$X}Zzd7+hUhSy@>p?R&M#(_g*v20P!HxV>q-37IQbty;#W z6X&yQ!_{s4?{9AY|L600dxzK8^77WLvtNI{`g5B6eCPIt2M=ynjn<2g+cBZ? zVqnzPS65D+;)>Y)?aj^mb}_tjhpM!_xf)>pT6sAYFhpJoSwEfGdMdtuu4=#wf4`CpT-xqWPW}& zHP>HPSj2kwy4c*D8Kug~+}yUd36GC;i;L?p)YO>eNEo;M+`n<-)T#UICQO?)K|$lh zEYs|}yE2216&Yqsm_B{A_UHQ0P+i@^I)Bj28!KzW^5;F0d#jn%)Z*j)gDxHKU%B$k zu7wY;H%-~L`t8ljmp2Eir`2p#HT?Mcvy`-X_P2N*p>^4HQt~?t{{H^|>-GBmOvn3w z|Bm0mprQ@}*Z=KkX5YPg_ipCT&wS^-dCD5Ib5nZ%di{cTb3jK}T>j${bmX|Zo0}Vx zy8k3jw}=~8S6^SpSpRQl$;(Si9lpN<&3{Mz{@l_sfyqKsQzhc;tzEve=Wo;wj<_*d zed5FeS6Bc4egE$60}YJAY8KYavu63us#*VO{^I2McHh4B9Psw{_d9oriBJCD4A#0cy6wXea`D=b44Y#9JeiA)_wZ@e&g$&3xx$$RYR|y;xasX z+}&;25`)*Ev4vyDdKzx;D7>|WnSDm#pO4398W%t7sQbHW)vQ^kP94zSuM-s#`P3zm zF)t-0apCIUZ_A9+a_-rb=@>UII)A%Uc(!@`KAwt-88dz7^I2G)Jl!wJd}h9V!hts4 z9`6UYe|yKUO{GM$@yd+Y08U-SE?&+yo{{_5)E zeScr;FYuSoed{@y!Q8y`>&M59kB^(@?Wve}bKko9dfwLge$3)&cPtiJ=HGty{P}bC zBS()OKYslBza3jjUVnPZEv^^CQBln=Z?lUX;rzV6uh;MY$8>I<>fc?TKi%8^{{v&h)~t7TDnB=@3_khYOP6!&(}&JN zZ|h%&6@1v7?y$cOv?4qD_hYjVy_gSQ_m*}?zQ1+#?%v$!kNt~Rc-#u$lY8^_?rL$( zz~BFDC(NBYZ{BqFH+L+{-)&4j&@JBBn1A0$Kj775UjF)DAs>EvdMetzzHy`cy^wI@ 
zfdl*h*ZrFEWxe>7h|8CRgpG|Fyr=*9^X?Agx_J946OE25m!22xmsS7j8tmh<@7k1o zHJ)Cl&ajx}DmAt3dr(_*ZN0qhu6OTe?@&>xv8_{HoOX7f`hk@Ri@smJvE$R*m8l2r z+_`q`2unvFA8&6z`!b)GcPf7tB^>RVs9gRgA%@|Qh}g5IqN0qFlA4;4k!PM?UjF^f z&)@G4Y)G6o%{ZNDd;WZ@uOAd2Jh-sf{q(d&{thlrqj~QfdQ^RU{fZSU9(-<0J$-`3 z(Bj9nwHE>&yto*?-Yl1ijdzyO(W{~rUtZkWI$gi*T?KkV%?B`|JT>o*O`UYg&MO{uda#A z)#?r0vek3tg`1meYiep{oZk#u+qJ2|x}1rbnYr=vbN$#|HIffLd%pehsi@&RyO+1; zFHzAg;L~-UF1g6Llds`0v!cwTU%ROCtO^#GI;Oa*M1J+NAK=-baZq)aC-X2 zjfRE|%a?E8u952@ZGC0B$Hq-rm)#8X?d<*?ZeOCJpr&SHqqy+Z<1M+b-`v@hdiDSE zwnv$ludS6feHHDPkalfR>qNoLex_IKYCHH#zrSPU_M5{HwN2$Wu`zu8wYBwkYJ-D? z&rX>$Lqb$F!_mNO+m=7`R!;ksmbq(k=gI3$t&;oq?p>)VC^Flex%}N6>+erEHw!MmC;JS(f6YESyH0<)o~p{5yQeeONt^l1eDs_>X3vY~;sOr0 z#HUYTSRE#7ZIcL*L>zh5uXD21c4 z-rLhq_;f2bJO8~sGb1F}c$s#UN}H^xt$uKJc00d)O+w%Og@>=7SML4z;A2;}xA%V8 z`8)RSZ*yAw)=f=s%gqxloJXeAJma|-6TQ8!W5WgpHeM-%gaZw`?AN!ktt@=^^5w&a z4;5eTRc-P~^P)nP8oLNybEdB07M7t(8 z+}-c)?k;7n`u;EfS?TH(D^_c38NHr4GoD+`+uM5gGT+9P!PnQxS_*C0pzwN%=j5=p zpForHCMHv+H2BZoS2uC?tXnrEq>S_nPQAV!pDiM5{q0q1`uDd#nwtLnoo}ChZMBy< z7ytiT;kTFhet*~G7$Nd1dI<-+rRS@Com{4sL7??gSw~m(+_rC^QQ;xA{67|2(U!XM1;47#TOddDGLgXV0qRAD^5&JG*Jt z-s$1b&uND-JbZY5o~t|a?d|t>Y%I~-kazcf{rS1kr94it|Np6+^?%R2p3mJKv{p9Z z#s<*(Vcr{iZl2HoUzc!yUo$(uT#8or-!)I3Pj)hWeSPwR?Z)Z<{(gVvoABw${rdRL zZJn?FufMdgdG_oDntijpRy##B=UzH;CFFyv?i+5AYZ)5r}ZK{@U5SydQoR*Zi5Te?MxDM(N+*lTH3x^6t?R5t%Y&%9I99VUG*5m!|g1`S~6A z^i$}D!5SZ~oF6~e##DaODR_PDH5Cs>?2{%XC1r^GI@sJWP3)xje9Pj~)8gw^K0K`L zQ1hpqziC!_==r$@TLSo>zPMQW`p;j__Z^Fr9=r%l+O_Op+LabxL9quWUh{rkSgCJq z^5x=Ue))#e)A{B06t`FEy*v_R(e~ukRb}^gca#75*M2xXy;k=`giu_ zmm3n#&N@4b^~I}6r&6xCyI)?TF3-vhHo~-_+6IJp_ zrPGa{gJD;hti^^{YqeLu-tRAezprw#V9AvdZ`0Yl(trLwKc60V;A`!DmsYN0!s=$Z zyGlAguD#63wDyY|_X?jG8)|m8yMGmZl4aGmE_Ufs_r5i|qLse720J?KpZ@W&XR7t8 zo7bm=u6FCcx0QQG@$)}F)%|Du_S-CQtS53q!UG4j3U3Lm73MiJj8gyCJvi8Wdb+dI zj0J}h52u}bbGhB8fsHRk$6RDpc{(O(GkKL5=A>mo|@{IzYpM8D5Kap8L^y{zE z9G%JSc8Q0&M4j7>gx6kOeZ1%9)^3+pcUMC(rSk8dldHa|h${U4#+s7)^r`mjifdor z`(L`?l>AEmGTxgE_@8#g3=RY!g 
zDn5RAc({EHTio*tlI2cLK0ZD?A4T_8u`XFQ$)+T2n%B1EOGi6i?%K0w(V|66D^@7{ zU%x`(|MW>p|IN*|ZQ8VnX_mRVFte?#^Wpcd=Qn|d8~?;?kg@=cT5@|Uw_H5{9wv;C zQnZgXHv%7tIqg4Fj))bef;Et1FArVfNQ54qIn9j&dMM)t6Q>B?IiN|2)}?}nU`J>6 z3WPDIgAS-n%xnqZo%8zf=9-_Mo~{nRoEPQkSy)(D$S~hOs|bAF=Q-%Hp9R;ZP64fa zX!y^}5HIkPd1Bdq1_lPz64!{5l*E!$tK_28#FA77BLhQ2T>}$cBZCk_b1MTQD?>AF z14}CdgS3CI#Zffm=BH$)RpQnlzBqU_0|P@U$cEywbgQJq;#A$zqD+Rg%$!s!eSQ6m z{M=Oi^t{Z>q*VR#{Gx3A^73*$2wyM1C|$oevm{l&C_leMKQ}cuUq2 + +It says, there is no key info related to this token on your PC (``[none]``). + +Fetch the public key from URL specified in the Token. :: + + gpg/card> fetch + gpg: requesting key 4CA7BABE from http server www.gniibe.org + gpg: key 4CA7BABE: public key "NIIBE Yutaka " imported + gpg: no ultimately trusted keys found + gpg: Total number processed: 1 + gpg: imported: 1 (RSA: 1) + + gpg/card> + +Good. The public key is now in ``.gnupg``. We can examine by ``gpg --list-keys``. + +However, the secret key reference (to the token) is not in ``.gnupg`` yet. + +It will be generated when I do ``--card-status`` by GnuPG with correspoinding public key in ``.gnupg``, or just type return at the ``gpg/card>`` prompt. :: + + gpg/card> + + Application ID ...: D276000124010200F517000000010000 + Version ..........: 2.0 + Manufacturer .....: FSIJ + Serial number ....: 00000001 + Name of cardholder: Yutaka Niibe + Language prefs ...: ja + Sex ..............: male + URL of public key : http://www.gniibe.org/gniibe.asc + Login data .......: gniibe + Signature PIN ....: not forced + Key attributes ...: 2048R 2048R 2048R + Max. 
PIN lengths .: 127 127 127 + PIN retry counter : 3 3 3 + Signature counter : 6 + Signature key ....: 1241 24BD 3B48 62AF 7A0A 42F1 00B4 5EBD 4CA7 BABE + created ....: 2010-10-15 06:46:33 + Encryption key....: 42E1 E805 4E6F 1F30 26F2 DC79 79A7 9093 0842 39CF + created ....: 2010-10-15 06:46:33 + Authentication key: B4D9 7142 C42D 6802 F5F7 4E70 9C33 B6BA 5BB0 65DC + created ....: 2010-10-22 06:06:36 + General key info..: + pub 2048R/4CA7BABE 2010-10-15 NIIBE Yutaka + sec> 2048R/4CA7BABE created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb> 2048R/084239CF created: 2010-10-15 expires: never + card-no: F517 00000001 + ssb> 2048R/5BB065DC created: 2010-10-22 expires: never + card-no: F517 00000001 + + gpg/card> + +OK, now I can use the Token on this computer. + + +Update trustdb for the key on Gnuk Token +======================================== + +Yes, I can use the Token by the public key and the secret key reference to the card. More, I need to update the trustdb. + +To do that I do: :: + + $ gpg --edit-key 4ca7babe + gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc. + This is free software: you are free to change and redistribute it. + There is NO WARRANTY, to the extent permitted by law. + + Secret key is available. + + pub 2048R/4CA7BABE created: 2010-10-15 expires: never usage: SC + trust: unknown validity: unknown + sub 2048R/084239CF created: 2010-10-15 expires: never usage: E + sub 2048R/5BB065DC created: 2010-10-22 expires: never usage: A + [ unknown] (1). NIIBE Yutaka + [ unknown] (2) NIIBE Yutaka + + gpg> + +See, the key is ``unknown`` state. Add trust for that. :: + + gpg> trust + pub 2048R/4CA7BABE created: 2010-10-15 expires: never usage: SC + trust: unknown validity: unknown + sub 2048R/084239CF created: 2010-10-15 expires: never usage: E + sub 2048R/5BB065DC created: 2010-10-22 expires: never usage: A + [ unknown] (1). 
NIIBE Yutaka + [ unknown] (2) NIIBE Yutaka + + Please decide how far you trust this user to correctly verify other users' keys + (by looking at passports, checking fingerprints from different sources, etc.) + + 1 = I don't know or won't say + 2 = I do NOT trust + 3 = I trust marginally + 4 = I trust fully + 5 = I trust ultimately + m = back to the main menu + + Your decision? 5 + Do you really want to set this key to ultimate trust? (y/N) y + + pub 2048R/4CA7BABE created: 2010-10-15 expires: never usage: SC + trust: ultimate validity: unknown + sub 2048R/084239CF created: 2010-10-15 expires: never usage: E + sub 2048R/5BB065DC created: 2010-10-22 expires: never usage: A + [ unknown] (1). NIIBE Yutaka + [ unknown] (2) NIIBE Yutaka + Please note that the shown key validity is not necessarily correct + unless you restart the program. + + $ + +Next time I invoke GnuPG, it will be ``ultimate`` key. Let's see: :: + + $ gpg --edit-key 4ca7babe + gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc. + This is free software: you are free to change and redistribute it. + There is NO WARRANTY, to the extent permitted by law. + + Secret key is available. + + pub 2048R/4CA7BABE created: 2010-10-15 expires: never usage: SC + trust: ultimate validity: ultimate + sub 2048R/084239CF created: 2010-10-15 expires: never usage: E + sub 2048R/5BB065DC created: 2010-10-22 expires: never usage: A + [ultimate] (1). NIIBE Yutaka + [ultimate] (2) NIIBE Yutaka + + gpg> quit + $
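
Review bot: In the "Update trustdb for the key on Gnuk Token" section, the walkthrough sets the key to ultimate trust (``5``) without any step that checks the key just imported by ``fetch``, which the log shows was retrieved over plain http from www.gniibe.org. Suggest adding a step before ``trust`` that compares the fingerprint of the imported key (for example with ``gpg --fingerprint``) against the "Signature key" fingerprint printed in the card status (1241 24BD 3B48 62AF 7A0A 42F1 00B4 5EBD 4CA7 BABE), and passing that full fingerprint to ``gpg --edit-key`` instead of the 32-bit ID ``4ca7babe``. Two smaller points: "correspoinding" should be "corresponding", and the first ``--edit-key`` log goes from the ``trust`` output straight to a ``$`` prompt without showing how the session was left, while the second log shows ``gpg> quit``; showing it in both would make the procedure reproducible.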