Prepare Nitrokey 3A Mini for build artifact signing

These are collected notes of the steps we've done during preparation of Nitrokey 3A Mini (nk3) key for use during build artifacts signing.

This guide was written using following environment:

• Fedora 38 container
• gpg (GnuPG) 2.4.0
• libgcrypt 1.10.2-unknown

python3.10 -m venv venv
source venv/bin/activate
pip install -U pip
pip install pipx
pipx install nitropy
pipx list
...
pynitrokey 0.4.36, installed using Python 3.10.6

nitropy nk3 update --version v1.4.0
nitropy nk3 status
 ...
Firmware version:   v1.4.0

gpg --card-edit
gpg/card> admin
gpg/card> factory-reset
gpg/card> kdf-setup

and double check, that KDF is on:

gpg/card> list
 ...
 KDF setting ......: on

Gather some entropy from nk3

nitropy nk3 rng --length 4096 | sudo tee /dev/random | hexdump -C

Generate keys:

export PASSPHRASE=$(gpg --gen-random --armor 0 60)
 
export GNUPGHOME=$(mktemp -d -t gnupg_openwrt_nk3_$(date +%Y%m%d%H%M)_XXX)
 
cat > $GNUPGHOME/gpg.conf << EOF
  personal-cipher-preferences AES256 AES192 AES
  personal-digest-preferences SHA512 SHA384 SHA256
  personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
  default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
  cert-digest-algo SHA512
  s2k-digest-algo SHA512
  s2k-cipher-algo AES256
  charset utf-8
  fixed-list-mode
  no-comments
  no-emit-version
  keyid-format 0xlong
  list-options show-uid-validity
  verify-options show-uid-validity
  with-fingerprint
  require-cross-certification
  no-symkey-cache
  use-agent
  throw-keyids
EOF
 
cat > $GNUPGHOME/gpg-generate-nk3-keys.txt << EOF
  %echo Generating a Openwrt Build System signing key for Nitrokey3
  Key-Type: eddsa
  Key-Curve: ed25519
  Key-Usage: cert
  SubKey-Type: eddsa
  SubKey-Curve: ed25519
  SubKey-Usage: sign
  Name-Real: OpenWrt Build System
  Name-Comment: Nitrokey3
  Name-Email: contact@openwrt.org
  Expire-Date: 10y
  Passphrase: $PASSPHRASE
  %commit
  %echo done
EOF
 
gpg --batch --generate-key $GNUPGHOME/gpg-generate-nk3-keys.txt
gpg: Generating a Openwrt Build System signing key for Nitrokey3
gpg: /tmp/gnupg_openwrt_nk3_202305130941_eoc/trustdb.gpg: trustdb created
gpg: directory '/tmp/gnupg_openwrt_nk3_202305130941_eoc/openpgp-revocs.d' created
gpg: revocation certificate stored as '/tmp/gnupg_openwrt_nk3_202305130941_eoc/openpgp-revocs.d/E9025ED843D0FDC7866F7064CAE438715492B555.rev'
gpg: done

Export public key

export KEYID=$(gpg --list-signatures --with-colons | grep sig: | cut -d: -f 5 | head -1)
 
gpg --export --armor | tee $GNUPGHOME/gnupg-openwrt-nk3-$KEYID.asc

gpg --card-edit
gpg/card> admin
 
gpg/card> key-attr
ECC / Curve 25519
 
gpg/card> forcesig
 
gpg/card> name
Cardholder's surname: Build System Key 3.
Cardholder's given name: OpenWrt
 
gpg/card> url
URL to retrieve public key: https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/CAE438715492B555.asc;hb=HEAD

Gather some entropy from nk3

nk3 rng --length 4096 | sudo tee /dev/random | hexdump -C

Generate nk3 PIN, Admin PIN and Reset PIN

$ for k in $(seq 1 3); do gpg --gen-random --armor 0 60; sleep 60; done

Write down the keys and set the keys on the nk3 key

  gpg/card> passwd
  1 - change PIN
  4 - set the Reset Code
  3 - change Admin PIN

Verify correct settings

  gpg/card> list
  Name of cardholder: OpenWrt Build System Key 3.
  URL of public key : https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/CAE438715492B555.asc;hb=HEAD
  Signature PIN ....: not forced
  Key attributes ...: ed25519 cv25519 ed25519

gpg --edit-key $KEYID
 
  gpg (GnuPG) 2.4.0; Copyright (C) 2021 Free Software Foundation, Inc.
 
  Secret key is available.
 
  sec  ed25519/0xCAE438715492B555
       created: 2023-05-13  expires: 2033-05-10  usage: C   
       trust: ultimate      validity: ultimate
  ssb  ed25519/0x78BBEC94A894C992
       created: 2023-05-13  expires: 2033-05-10  usage: S   
  [ultimate] (1). OpenWrt Build System (Nitrokey3) <contact@openwrt.org>

Select signing key

  gpg> key 1
 
  sec  ed25519/0xCAE438715492B555
       created: 2023-05-13  expires: 2033-05-10  usage: C   
       trust: ultimate      validity: ultimate
  ssb* ed25519/0x78BBEC94A894C992
       created: 2023-05-13  expires: 2033-05-10  usage: S   
  [ultimate] (1). OpenWrt Build System (Nitrokey3) <contact@openwrt.org>

Move signing key to card

  gpg> keytocard
  Please select where to store the key:
    (1) Signature key
    (3) Authentication key
  Your selection? 1
 
  sec  ed25519/0xCAE438715492B555
       created: 2023-05-13  expires: 2033-05-10  usage: C   
       trust: ultimate      validity: ultimate
  ssb* ed25519/0x78BBEC94A894C992
       created: 2023-05-13  expires: 2033-05-10  usage: S   
  [ultimate] (1). OpenWrt Build System (Nitrokey3) <contact@openwrt.org>
 
  gpg> save

Check the keyring content

  $ gpg -K
  /tmp/gnupg_openwrt_nk3_202305130941_eoc/pubring.kbx
  ---------------------------------------------------
  sec   ed25519/0xCAE438715492B555 2023-05-13 [C] [expires: 2033-05-10]
        Key fingerprint = E902 5ED8 43D0 FDC7 866F  7064 CAE4 3871 5492 B555
  uid                   [ultimate] OpenWrt Build System (Nitrokey3) <contact@openwrt.org>
  ssb>  ed25519/0x78BBEC94A894C992 2023-05-13 [S] [expires: 2033-05-10]

Check nk3 card content, secret key sec# and sub-key ssb> means, that key move went fine.

  $ gpg --card-status 
  Name of cardholder: OpenWrt Build System Key 3.
  URL of public key : https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/CAE438715492B555.asc;hb=HEAD
  Signature PIN ....: not forced
  Key attributes ...: ed25519 cv25519 ed25519
  KDF setting ......: off
  Signature key ....: 6079 C3B2 0643 36C9 59E7  B37D 78BB EC94 A894 C992
        created ....: 2023-05-13 08:08:40
  Encryption key....: [none]
  Authentication key: [none]
  General key info..: sub  ed25519/0x78BBEC94A894C992 2023-05-13 OpenWrt Build System (Nitrokey3) <contact@openwrt.org>
  sec#  ed25519/0xCAE438715492B555  created: 2023-05-13  expires: 2033-05-10
  ssb>  ed25519/0x78BBEC94A894C992  created: 2023-05-13  expires: 2033-05-10
                                    card-no: 000F XXXXXXXX

http://lists.openwrt.org/pipermail/openwrt-devel/2018-December/020856.html

  $ gpg --list-signatures $KEYID
  pub   ed25519/0xCAE438715492B555 2023-05-13 [C] [expires: 2033-05-10]
        Key fingerprint = E902 5ED8 43D0 FDC7 866F  7064 CAE4 3871 5492 B555
  uid                   [ultimate] OpenWrt Build System (Nitrokey3) <contact@openwrt.org>
  sig 3        0xCAE438715492B555 2023-05-13  OpenWrt Build System (Nitrokey3) <contact@openwrt.org>
  sig          0xCD84BCED626471F1 2023-05-13  OpenWrt Build System (PGP key for unattended snapshot builds) <pgpsign-snapshots@openwrt.org>
  sig          0xCD54E82DADB3684D 2023-05-13  OpenWrt Build System (GnuPGP key for 22.03 release builds) <pgpsign-22.03@openwrt.org>
  sig          0x88CA59E88F681580 2023-05-13  OpenWrt Build System (PGP key for 21.02 release builds) <pgpsign-21.02@openwrt.org>
  sub   ed25519/0x78BBEC94A894C992 2023-05-13 [S] [expires: 2033-05-10]
  sig          0xCAE438715492B555 2023-05-13  OpenWrt Build System (Nitrokey3) <contact@openwrt.org>

gpg --send-key $KEYID
gpg --keyserver pgp.mit.edu --send-key $KEYID
gpg --keyserver keys.gnupg.net --send-key $KEYID
gpg --keyserver hkps://keyserver.ubuntu.com:443 --send-key $KEYID

1. gpg: add OpenWrt 21.02 signing key

1. openwrt-keyring: add OpenWrt 21.02 GPG/usign keys

1. Add new key info to signatures page