[csw-maintainers] GPG, agent, pinentry and keychain
Maciej (Matchek) Blizinski
maciej at opencsw.org
Tue Dec 15 10:46:34 CET 2009
I'd like to tell you about the packaging work I've done in relation
to cryptographic key management. There are 3 main packages that are
related to it:
- gnupg_agent
- pinentry
- keychain
The idea is to hold an unlocked key in memory, using gpg-agent.
When you need to use your private key, gpg talks to gpg-agent, which
provides it with an unlocked key. In this way, you can browse e-mail
encrypted to you without typing in your password each time you want to
open an encrypted e-mail.
Pinentry is a small utility which allows entering passwords to
gpg-agent. I've compiled two backends, gtk2 and curses.
The way to use the agent-pinentry-keychain combo:
- install the three packages
- put the following lines in your shell configuration (e.g. ~/.bash_profile)
keychain 1234ABCD
. ~/.keychain/$HOSTNAME-sh-gpg
...where 1234ABCD is your gpg key's shortened fingerprint.
If you also want to do the same thing (unlock a key) with ssh keys, you can do:
keychain id_dsa id_rsa 1234ABCD
. ~/.keychain/$HOSTNAME-sh
. ~/.keychain/$HOSTNAME-sh-gpg
Use id_dsa and/or id_rsa depending on which keys you have. This is a
more secure way to provide passwordless ssh logins, compared to
unprotected private ssh keys.
After putting the configuration into your shell run control file /
config file, you'll be asked to unlock your keys during login. Your
unlocked key will be preserved between shell sessions and will expire
with time.
The gnupg_agent can be used with both gpg 1.x and 2.x. It's available
as part of gpg 2.x source distribution, so I've packaged it
separately. gnupg_agent is in testing/.
Maciej
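The login-shell setup described in the post above, written out as an added example; it is not code from the original post or from the OpenCSW packages. It wraps the two steps (run keychain, then source the files it wrote) in functions that tolerate a host where keychain is not installed or has not run yet, and it uses keychain's --timeout so ssh-agent forgets the keys again after a while. The key id 1234ABCD and the file names id_dsa/id_rsa are placeholders, as in the post; the 480-minute timeout is an assumed value.

```sh
#!/bin/sh
# Added example, not part of the original post or of the OpenCSW packages:
# a login-shell snippet that starts keychain for two SSH keys and one GPG
# key, then imports the agent variables keychain wrote. 1234ABCD and the
# key file names are placeholders (assumptions), exactly as in the post.

KEYCHAIN_DIR="${KEYCHAIN_DIR:-$HOME/.keychain}"
# keychain names its files after the host; bash sets $HOSTNAME, plain sh may not.
KEYCHAIN_HOST="${HOSTNAME:-$(hostname 2>/dev/null || uname -n)}"
KEYCHAIN_LOADED=0

# Run keychain only if it is installed, so the same profile works on hosts
# without the package. --quiet suppresses the banner; --timeout (minutes)
# makes ssh-agent forget the keys again, which bounds the window in which a
# hijacked session can use them. gpg-agent's own cache lifetime is set in
# ~/.gnupg/gpg-agent.conf (default-cache-ttl / max-cache-ttl), not here.
start_keychain() {
    command -v keychain >/dev/null 2>&1 || return 0
    keychain --quiet --timeout 480 "$@"
}

# Source whatever keychain wrote for this host. Each file is optional: a
# GPG-only run writes only the -sh-gpg file, and a fresh login on a host
# where keychain never ran writes nothing. Sets KEYCHAIN_LOADED to the
# number of files imported (a $(...) capture would lose the exports, so
# the count is left in a variable rather than echoed).
load_keychain_env() {
    dir="$1"; host="$2"
    KEYCHAIN_LOADED=0
    for f in "$dir/$host-sh" "$dir/$host-sh-gpg"; do
        if [ -r "$f" ]; then
            . "$f"
            KEYCHAIN_LOADED=$((KEYCHAIN_LOADED + 1))
        fi
    done
    return 0
}

# GPG_AGENT_INFO (gpg 1.x / 2.0 era) has the form socket:pid:protocol;
# the socket path is what gpg connects to.
gpg_agent_socket() {
    printf '%s\n' "${GPG_AGENT_INFO%%:*}"
}

# True only if the ssh-agent socket keychain pointed us at actually exists,
# i.e. a stale file from a previous boot is not mistaken for a live agent.
ssh_agent_ready() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# What goes in ~/.bash_profile:
start_keychain id_dsa id_rsa 1234ABCD
load_keychain_env "$KEYCHAIN_DIR" "$KEYCHAIN_HOST"
```

The keychain-written files only point at the agents; the unlocked keys themselves live in ssh-agent and gpg-agent memory for as long as the timeout (ssh-agent) or the cache TTLs in gpg-agent.conf (gpg-agent) allow, so those two settings are where the exposure window is actually decided.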