fix: detect yubikey touches for the new gpg version #58
Conversation
Now the new detection heuristic is to check if we open the private key files. Since we're detecting only the keys that need a yubikey touch, we filter the ones that have the shadowed-private-key attribute on the S-expression inside the key file ( more information about it here: https://github.com/gpg/gnupg/blob/6737e07a9b04064947ae37abd28b845a09abee22/doc/keyformat.txt#shadowed-private-key-format ) We can have false positives if the user has a yubikey + other gpg smartcard device (since will detect it will try to open the private key file too!). This closes maximbaz#54
|
Veeery interesting, thanks for finding an approach, as you probably saw in #54 we were struggling to find an event-based way to do the check! I'll try to test tonight! |
There was a problem hiding this comment.
Thanks! Some initial feedback - I only managed to test it on the old gpg keyring format (still works!), didn't get to test on the new one, but I believe you tested it anyway, so I have no doubt. Great solution!
Could you also run go fmt on the changed files? If not, no worries I'll do it afterwards myself.
|
By the way, I'm happy to take over the PR at any point if it becomes overwhelming, you just let me know at any point of time if you'd like me to merge and cleanup later - you've already done the most important part, figuring out how to support the new gpg format 🙏 |
Co-authored-by: Maxim Baz <[email protected]>
Pablito2020
force-pushed
the
fix-keyboxd-dont-detect
branch
from
ff12f3c to
4e697eb
Compare
Co-authored-by: Maxim Baz <[email protected]>
Pablito2020
force-pushed
the
fix-keyboxd-dont-detect
branch
from
5c7d7eb to
65ee3f8
Compare
Co-authored-by: Maxim Baz <[email protected]>
Pablito2020
force-pushed
the
fix-keyboxd-dont-detect
branch
from
aa029c4 to
9e24129
Compare
|
Done! No worries, it’s not overwhelming, I understand that it was my first time programming in Go, so there was definitely room for improvement! Tell me if you see something that could be improved. |
|
It looks great, I just had very minor things that I took the liberty to do myself, I thought it would be more efficient - you can review the last two commits, please feel free to ask if something is not clear. Thanks, going to merge and cut a release! |
The new detection heuristic now checks whether the private key files are opened.
We specifically detect private keys that require a YubiKey touch by filtering out those that have the shadowed-private-key attribute in the S-expression inside the .key file. For more details, refer to the gnupg documentation that talks about .key format.
There may be false positives if the user has both a YubiKey and another GPG smartcard device, as the heuristic will detect that gpg opens a private key file. However, this approach is a significant improvement over the current situation, where no devices are detected.
I should mention that I am not an expert in Go (I read just enough to implement this pull request). I originally prototyped this idea in Python and then ported it to Go. Therefore, any feedback on the code would be greatly appreciated, especially if there are any issues with structure or potential bad practices. Let me know if refactoring is needed!
This closes #54