# Prepare Nitrokey 3A Mini for build artifact signing

These are collected notes of the steps we've taken to prepare a Nitrokey 3A Mini (nk3) key for use in build artifact signing.

This guide was written using the following environment:

* Fedora 38 container
* gpg (GnuPG) 2.4.0
* libgcrypt 1.10.2-unknown

## Install nitropy toolkit

```
python3.10 -m venv venv
source venv/bin/activate
pip install -U pip
pip install pipx
pipx install nitropy
pipx list
...
pynitrokey 0.4.36, installed using Python 3.10.6
```

## Upgrade nk3 firmware to v1.4.0

```
nitropy nk3 update --version v1.4.0
nitropy nk3 status
...
Firmware version: v1.4.0
```

## Perform nk3 factory reset and enable KDF-DO

The factory default Admin PIN is 12345678 and the PIN is 123456.

```
gpg --card-edit
gpg/card> admin
gpg/card> factory-reset
gpg/card> kdf-setup
```

and double check that KDF is on:

```
gpg/card> list
...
KDF setting ......: on
```

## Generate GPG key

Gather some entropy from nk3:

```
nitropy nk3 rng --length 4096 | sudo tee /dev/random | hexdump -C
```

Generate keys:

```
export PASSPHRASE=$(gpg --gen-random --armor 0 60)
export GNUPGHOME=$(mktemp -d -t gnupg_openwrt_nk3_$(date +%Y%m%d%H%M)_XXX)

cat > $GNUPGHOME/gpg.conf << EOF
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
charset utf-8
fixed-list-mode
no-comments
no-emit-version
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
require-cross-certification
no-symkey-cache
use-agent
throw-keyids
EOF

cat > $GNUPGHOME/gpg-generate-nk3-keys.txt << EOF
%echo Generating a Openwrt Build System signing key for Nitrokey3
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: cert
SubKey-Type: eddsa
SubKey-Curve: ed25519
SubKey-Usage: sign
Name-Real: OpenWrt Build System
Name-Comment: Nitrokey3
Name-Email: contact@openwrt.org
Expire-Date: 10y
Passphrase: $PASSPHRASE
%commit
%echo done
EOF

gpg --batch --generate-key $GNUPGHOME/gpg-generate-nk3-keys.txt
gpg: Generating a Openwrt Build System signing key for Nitrokey3
gpg: /tmp/gnupg_openwrt_nk3_202305130941_eoc/trustdb.gpg: trustdb created
gpg: directory '/tmp/gnupg_openwrt_nk3_202305130941_eoc/openpgp-revocs.d' created
gpg: revocation certificate stored as '/tmp/gnupg_openwrt_nk3_202305130941_eoc/openpgp-revocs.d/E9025ED843D0FDC7866F7064CAE438715492B555.rev'
gpg: done
```

Export the public key:

```
export KEYID=$(gpg --list-signatures --with-colons | grep sig: | cut -d: -f 5 | head -1)
gpg --export --armor | tee $GNUPGHOME/gnupg-openwrt-nk3-$KEYID.asc
```

## Setup nk3 key

```
gpg --card-edit
gpg/card> admin
gpg/card> key-attr
ECC / Curve 25519
gpg/card> forcesig
gpg/card> name
Cardholder's surname: Build System Key 3.
Cardholder's given name: OpenWrt
gpg/card> url
URL to retrieve public key: https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/CAE438715492B555.asc;hb=HEAD
```

Gather some entropy from nk3:

```
nitropy nk3 rng --length 4096 | sudo tee /dev/random | hexdump -C
```

Generate the nk3 PIN, Admin PIN and Reset PIN:

```
$ for k in $(seq 1 3); do gpg --gen-random --armor 0 60; sleep 60; done
```

Write down the PINs and set them on the nk3 key:

```
gpg/card> passwd
1 - change PIN
4 - set the Reset Code
3 - change Admin PIN
```

Verify the settings are correct:

```
gpg/card> list
Name of cardholder: OpenWrt Build System Key 3.
URL of public key : https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/CAE438715492B555.asc;hb=HEAD
Signature PIN ....: not forced
Key attributes ...: ed25519 cv25519 ed25519
```

## Transfer GPG keys to nk3

```
gpg --edit-key $KEYID
gpg (GnuPG) 2.4.0; Copyright (C) 2021 Free Software Foundation, Inc.

Secret key is available.

sec  ed25519/0xCAE438715492B555
     created: 2023-05-13  expires: 2033-05-10  usage: C
     trust: ultimate      validity: ultimate
ssb  ed25519/0x78BBEC94A894C992
     created: 2023-05-13  expires: 2033-05-10  usage: S
[ultimate] (1). OpenWrt Build System (Nitrokey3) <contact@openwrt.org>
```

Select the signing key:

```
gpg> key 1

sec  ed25519/0xCAE438715492B555
     created: 2023-05-13  expires: 2033-05-10  usage: C
     trust: ultimate      validity: ultimate
ssb* ed25519/0x78BBEC94A894C992
     created: 2023-05-13  expires: 2033-05-10  usage: S
[ultimate] (1). OpenWrt Build System (Nitrokey3) <contact@openwrt.org>
```

Move the signing key to the card. Transferring keys to nk3 using `keytocard` is a destructive, one-way operation. Make sure you've made a backup before proceeding: `keytocard` converts the local, on-disk key into a stub, which means the on-disk copy is no longer usable to transfer to subsequent security key devices or to mint additional keys.

```
gpg> keytocard
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

sec  ed25519/0xCAE438715492B555
     created: 2023-05-13  expires: 2033-05-10  usage: C
     trust: ultimate      validity: ultimate
ssb* ed25519/0x78BBEC94A894C992
     created: 2023-05-13  expires: 2033-05-10  usage: S
[ultimate] (1). OpenWrt Build System (Nitrokey3) <contact@openwrt.org>

gpg> save
```

Check the keyring content:

```
$ gpg -K
/tmp/gnupg_openwrt_nk3_202305130941_eoc/pubring.kbx
---------------------------------------------------
sec   ed25519/0xCAE438715492B555 2023-05-13 [C] [expires: 2033-05-10]
      Key fingerprint = E902 5ED8 43D0 FDC7 866F 7064 CAE4 3871 5492 B555
uid                   [ultimate] OpenWrt Build System (Nitrokey3) <contact@openwrt.org>
ssb>  ed25519/0x78BBEC94A894C992 2023-05-13 [S] [expires: 2033-05-10]
```

Check the nk3 card content. The secret key shown as `sec#` and the sub-key shown as `ssb>` mean that the key move went fine.

```
$ gpg --card-status
Name of cardholder: OpenWrt Build System Key 3.
URL of public key : https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/CAE438715492B555.asc;hb=HEAD
Signature PIN ....: not forced
Key attributes ...: ed25519 cv25519 ed25519
KDF setting ......: off
Signature key ....: 6079 C3B2 0643 36C9 59E7 B37D 78BB EC94 A894 C992
      created ....: 2023-05-13 08:08:40
Encryption key....: [none]
Authentication key: [none]
General key info..: sub  ed25519/0x78BBEC94A894C992 2023-05-13 OpenWrt Build System (Nitrokey3) <contact@openwrt.org>
sec#  ed25519/0xCAE438715492B555  created: 2023-05-13  expires: 2033-05-10
ssb>  ed25519/0x78BBEC94A894C992  created: 2023-05-13  expires: 2033-05-10
                                  card-no: 000F XXXXXXXX
```

## Cross sign new GPG key

Reference: http://lists.openwrt.org/pipermail/openwrt-devel/2018-December/020856.html

```
$ gpg --list-signatures $KEYID
pub   ed25519/0xCAE438715492B555 2023-05-13 [C] [expires: 2033-05-10]
      Key fingerprint = E902 5ED8 43D0 FDC7 866F 7064 CAE4 3871 5492 B555
uid                   [ultimate] OpenWrt Build System (Nitrokey3) <contact@openwrt.org>
sig 3        0xCAE438715492B555 2023-05-13  OpenWrt Build System (Nitrokey3) <contact@openwrt.org>
sig          0xCD84BCED626471F1 2023-05-13  OpenWrt Build System (PGP key for unattended snapshot builds) <pgpsign-snapshots@openwrt.org>
sig          0xCD54E82DADB3684D 2023-05-13  OpenWrt Build System (GnuPGP key for 22.03 release builds) <pgpsign-22.03@openwrt.org>
sig          0x88CA59E88F681580 2023-05-13  OpenWrt Build System (PGP key for 21.02 release builds) <pgpsign-21.02@openwrt.org>
sub   ed25519/0x78BBEC94A894C992 2023-05-13 [S] [expires: 2033-05-10]
sig          0xCAE438715492B555 2023-05-13  OpenWrt Build System (Nitrokey3) <contact@openwrt.org>
```

## Upload public key to various public key servers

```
gpg --send-key $KEYID
gpg --keyserver pgp.mit.edu --send-key $KEYID
gpg --keyserver keys.gnupg.net --send-key $KEYID
gpg --keyserver hkps://keyserver.ubuntu.com:443 --send-key $KEYID
```

## Add GPG key to keyring.git repo

Reference commit: `gpg: add OpenWrt 21.02 signing key`

## Update package/system/openwrt-keyring/Makefile package

Reference commit: `openwrt-keyring: add OpenWrt 21.02 GPG/usign keys`

## Add new GPG key information to the release signatures page

Reference commit: `Add new key info to signatures page`

Last modified: 2023/05/18 08:33 by ynezz
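As an added example (not part of the original wiki page), a small POSIX shell helper that does two of the checks above from GnuPG's machine-readable `--with-colons` records instead of grepping the human-readable listing: it reads the primary key ID from the first `sec` record (the page derives `KEYID` from the first `sig:` line, which only works because the self-signature comes first), and it inspects field 15 of the `sec`/`ssb` records, which GnuPG fills with the token serial number for a key on the card or `#` for a stub; that is what the `sec#` and `ssb>` markers in the listings above mean. The colon-format sample is constructed here from the page's key IDs, with a placeholder card serial.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki page. Parses `gpg -K --with-colons`
# style records: field 1 is the record type, field 5 the key ID, field 15 the
# token serial number ("#" for a stub, empty while the secret is still on disk).

# Constructed sample: the certify key is still on disk in the temporary
# GNUPGHOME (the backup), the signing subkey was moved to the token.
# CARD_SERIAL_PLACEHOLDER stands in for the real card serial number.
SAMPLE_COLONS='sec:u:255:22:CAE438715492B555:1683964800:1999468800::u:::cSC:::::ed25519:23::0:
fpr:::::::::E9025ED843D0FDC7866F7064CAE438715492B555:
ssb:u:255:22:78BBEC94A894C992:1683964800:1999468800:::::s:::CARD_SERIAL_PLACEHOLDER::ed25519:23:
fpr:::::::::6079C3B2064336C959E7B37D78BBEC94A894C992:'

# Print the key ID of the first sec (or pub) record read from stdin.
primary_keyid() {
    while IFS=: read -r f1 f2 f3 f4 f5 rest; do
        case "$f1" in
            sec|pub) printf '%s\n' "$f5"; return 0 ;;
        esac
    done
    return 1
}

# Print where the secret part of key ID $1 lives: "card:<serial>", "stub",
# "disk", or "unknown" when no sec/ssb record with that ID is present.
key_location() {
    while IFS=: read -r f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 rest; do
        case "$f1" in sec|ssb) ;; *) continue ;; esac
        [ "$f5" = "$1" ] || continue
        case "$f15" in
            '')  echo disk ;;
            '#') echo stub ;;
            *)   echo "card:$f15" ;;
        esac
        return 0
    done
    echo unknown
    return 1
}

# Succeed only when the signing subkey $1 is on a token (the ssb> check above).
signing_key_on_card() {
    case "$(key_location "$1")" in card:*) return 0 ;; *) return 1 ;; esac
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_COLONS" | primary_keyid
printf '%s\n' "$SAMPLE_COLONS" | key_location 78BBEC94A894C992
printf '%s\n' "$SAMPLE_COLONS" | signing_key_on_card 78BBEC94A894C992 && echo "signing subkey is on the card"
```

With a real keyring, feed the functions from `gpg -K --with-colons` instead of the sample.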