GnuPG on Termux for accessing USB smart card reader

README.md

Prerequisites

• smart card reader supported by GnuPG

  I use 0.332, a mod of the SCM332 V2 which is comparatively light and small. Previously, I was simply using the SCM332 V2 directly with an OTG adapter.

• root access from Termux

• libusb-dev available in the Termux root repo

• a bunch of additional packages

  I didn’t keep track of which packages are needed in particular, so here’s a list of all the packages that I currently have installed:

  apt, autoconf, automake, bash, binutils, busybox, ca-certificates, clang, command-not-found, coreutils, darkhttpd, dash, diffutils, dirmngr, dpkg, emacs, findutils, gawk, gdbm, gettext, git, glib, gnupg, gnutls, golang, gpgv, grep, hunspell, hunspell-en-us, ldns, less, libandroid-glob, libandroid-support, libandroid-support-dev, libassuan, libassuan-dev, libbz2, libc++, libcroco, libcrypt, libcrypt-dev, libcurl, libedit, libffi, libgcrypt, libgcrypt-dev, libgmp, libgnutls, libgnutls-dev, libgpg-error, libgpg-error-dev, libidn, libidn2, libidn2-dev, libksba, libksba-dev, libllvm, libltdl, liblzma, libmpfr, libnettle, libnettle-dev, libnghttp2, libnpth, libnpth-dev, libsqlite, libtalloc, libtool, libunistring, libusb, libusb-dev, libutil, libxml2, lynx, m4, make, man, ncurses, ncurses-ui-libs, ndk-stl, ndk-sysroot, openssh, openssl, pcre, pcre2, perl, pinentry, proot, python, python-dev, readline, readline-dev, resolv-conf, screen, sed, termux-am, termux-api, termux-exec, termux-tools, texinfo, tsu, vim, vim-runtime

Build instructions

$ cd
$ mkdir -p src
$ cd src
$ git clone git://git.gnupg.org/gnupg.git
$ cd gnupg
$ git checkout gnupg-2.2.12 # matches GnuPG in Termux
$ export C_INCLUDE_PATH="$PREFIX/include/:$PREFIX/include/libusb-1.0/:$PREFIX/include/libandroid-support"
$ ./autogen.sh
$ ./configure --enable-maintainer-mode --disable-doc --with-pinentry-pgm="$PREFIX/bin/pinentry-curses" --with-scdaemon-pgm="$PWD/scd/scdaemon" --host=aarch64-unknown-linux-android
$ make -j 4

Specifying the host to configure is necessary because otherwise Android is not detected:

$ ./build–aux/config.guess
aarch64-unknown-linux-gnu

Detection test

1. If connected, disconnect the card reader from your phone.

2. Stop any running instances of the GnuPG Agent:

   $ tsu
   $ gpgconf --kill all
   

3. As root, start the agent after killing any running instances:

   $ "$HOME/src/gnupg/agent/gpg-agent" --homedir "$HOME/.gnupg/" --daemon
   

   Then give the ordinary user access to the socket created by the agent:

   $ chown -R u0_a88.u0_a88 ~/.gnupg
   

   And end your session as root:

   $ exit
   

4. From now on, you can continue with the GnuPG that comes with Termux. It is compatible with the GnuPG that was just installed.

5. Connect reader to phone and insert card.

6. Check the card’s status:

   $ gpg --card-status
   […]
   gpg: WARNING: unsafe ownership on homedir '/data/data/com.termux/files/home/.gnupg'
   gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
   gpg: It is only intended for test purposes and should NOT be
   gpg: used in a production environment or with production keys!
   Reader ...........: XXXX:XXXX:XXXXXXXXXXXXXX:X
   Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   Version ..........: 2.1
   Manufacturer .....: ZeitControl
   Serial number ....: XXXXXXXX
   […]
   

Note: It could be interesting trying to update the permissions of the USB device files so that the agent doesn’t need to be started as root user. However, so far I didn’t succeed, see also my post on serverfault.com.

photo.jpg

I found out that we can build libpcsclite and libccid to achieve the same thing.
The advantages are:

• make install won't get messed with existing packages e.g. gpgv, dirmngr
• No need to run gpg as root. We can run pcscd as root, which does the actual USB stuff and use gpg as a regular user

Now the packages are available in the official repo:

pkg install root-repo
pkg install pcscd libccid tsu
echo tsu -s pcscd >> ~/.bashrc

Thanks for your comments! That looks much simpler, although I didn't get the card reader recognized on a first quick try. Note that my solution does not require gpg to run as root either. It's only gpg-agent that needs superuser rights. Furthermore, running make install is not necessary.

Hey, I tried to do this with a USB GPG smartcard (a Nitrokey) because I want to work with it in Termux. The key is recognized by OpenKeychain but not by Termux. I tried your instructions and also the packages from the official repo. Nothing did work. Is this because this is a USB smartcard? Or what else could be the issue? (Couldn't find libusb-dev in the root repo)

@levinuss Unfortunately I don't have a solution. It doesn't work for me anymore as well. I didn't use my smartcard reader with Termux in a while. In the meantime, I have changed my phone from a Xiaomi Mi A2 to a OnePlus 6T. Termux has evolved as well. While I can build the current version 2.2.17 of gpg-agent with smartcard support, the reader is not detected anymore:

gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device

I may try again with my old phone. About libusb-dev: Apparently that has been included in the libusb package. The reader does work fine with gnupg 2.2.17 on my PC / Arch Linux.

@feklee Okay, so this is probably just because of the changed prerequisites with Termux / Android? I'm on a Oneplus 5T :). I could build 2.2.17 too.

@feklee Okay, so this is probably just because of the changed prerequisites with Termux / Android?

Don’t think so. After all, GnuPG Agent compiles fine with smartcard support. For helping with investigation, one can turn on logging for gpg, gpg-agent, and the included scdaemon. I did that a while ago, there was a lot of data, and I couldn’t find anything useful.

@levinuss OK, so I just reactivated my old half-broken Xiaomi Mi A2. That’s the device on which I successfully tested the instructions in this gist. After rooting the A2, I copied over the Termux installation from my OnePlus 6T. Result: Same as on the 6T, the smartcard reader is not detected anymore. So the issue doesn’t seem to be related to hardware. If it’s not caused by Termux, then it could be an issue with Android Pie. Next step could be looking at the logs.

pcsc_scan does not find the reader on my OnePlus 6T, which I just reported in pcsc-tools issue 28.

I found the new tool by @DDoSolitary which makes OpenKeychain available in Termux (e.g. to use for ssh auth). Thats more than enough for my aims. https://github.com/DDoSolitary/OkcAgent

Thanks for the link! Too bad OpenKeychain still doesn't support external pin pads. I'm certainly not going to enter my pin on my Android device.