
@feklee
Last active February 12, 2024 20:50
GnuPG on Termux for accessing USB smart card reader

Prerequisites

  • smart card reader supported by GnuPG

    I use 0.332, a mod of the SCM332 V2, which is comparatively light and small. Previously, I was simply using the SCM332 V2 directly with an OTG adapter.

  • root access from Termux

  • libusb-dev available in the Termux root repo

  • a bunch of additional packages

    I didn’t keep track of which packages are needed in particular, so here’s a list of all the packages that I currently have installed:

    apt, autoconf, automake, bash, binutils, busybox, ca-certificates, clang, command-not-found, coreutils, darkhttpd, dash, diffutils, dirmngr, dpkg, emacs, findutils, gawk, gdbm, gettext, git, glib, gnupg, gnutls, golang, gpgv, grep, hunspell, hunspell-en-us, ldns, less, libandroid-glob, libandroid-support, libandroid-support-dev, libassuan, libassuan-dev, libbz2, libc++, libcroco, libcrypt, libcrypt-dev, libcurl, libedit, libffi, libgcrypt, libgcrypt-dev, libgmp, libgnutls, libgnutls-dev, libgpg-error, libgpg-error-dev, libidn, libidn2, libidn2-dev, libksba, libksba-dev, libllvm, libltdl, liblzma, libmpfr, libnettle, libnettle-dev, libnghttp2, libnpth, libnpth-dev, libsqlite, libtalloc, libtool, libunistring, libusb, libusb-dev, libutil, libxml2, lynx, m4, make, man, ncurses, ncurses-ui-libs, ndk-stl, ndk-sysroot, openssh, openssl, pcre, pcre2, perl, pinentry, proot, python, python-dev, readline, readline-dev, resolv-conf, screen, sed, termux-am, termux-api, termux-exec, termux-tools, texinfo, tsu, vim, vim-runtime

Build instructions

$ cd
$ mkdir -p src
$ cd src
$ git clone git://git.gnupg.org/gnupg.git
$ cd gnupg
$ git checkout gnupg-2.2.12 # matches GnuPG in Termux
$ export C_INCLUDE_PATH="$PREFIX/include/:$PREFIX/include/libusb-1.0/:$PREFIX/include/libandroid-support"
$ ./autogen.sh
$ ./configure --enable-maintainer-mode --disable-doc --with-pinentry-pgm="$PREFIX/bin/pinentry-curses" --with-scdaemon-pgm="$PWD/scd/scdaemon" --host=aarch64-unknown-linux-android
$ make -j 4

Passing --host to configure is necessary because config.guess reports a GNU userland and does not detect Android; without the override the build would not enable the Android-specific code paths:

$ ./build-aux/config.guess
aarch64-unknown-linux-gnu
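The following is an added shell example, not part of the gist, that turns the host-triplet step above into a check a build script can run: it detects whether it is inside Termux (via the TERMUX_VERSION variable Termux sets, with a path check as fallback) and rewrites the *-linux-gnu triplet that config.guess reports into the *-linux-android triplet configure needs. The function and variable names are this example's own.

```sh
#!/bin/sh
# Added example, not from the gist: derive the --host value for ./configure.
# config.guess on Termux reports a *-linux-gnu triplet; GnuPG's build only
# recognises Android from a *-linux-android triplet, so the suffix is swapped.

# on_termux: true when running inside the Termux app. TERMUX_VERSION is set by
# Termux itself; the directory check is a fallback for stripped environments.
on_termux() {
    [ -n "${TERMUX_VERSION-}" ] || [ -d /data/data/com.termux/files/usr ]
}

# android_host_triplet GUESS
#   Prints the triplet to pass as --host. Only *-linux-gnu triplets are
#   rewritten (aarch64-unknown-linux-gnu -> aarch64-unknown-linux-android);
#   a triplet that is already *-linux-android* is passed through unchanged,
#   and anything else is printed as-is with a non-zero status so a caller
#   notices it is not on a Linux-style host at all.
android_host_triplet() {
    case "$1" in
        *-linux-android*) printf '%s\n' "$1" ;;
        *-linux-gnu)      printf '%s\n' "${1%-gnu}-android" ;;
        *)                printf '%s\n' "$1"; return 1 ;;
    esac
}

# host_triplet_for_build GUESS
#   The value used for --host: rewritten when on Termux, otherwise the guess
#   unchanged (an ordinary Linux box configures fine without --host).
host_triplet_for_build() {
    if on_termux; then
        android_host_triplet "$1"
    else
        printf '%s\n' "$1"
    fi
}

# When run from inside the checked-out GnuPG tree, show what configure should
# receive. Does nothing elsewhere, so the file can be sourced for its functions.
if [ -x ./build-aux/config.guess ]; then
    guess=$(./build-aux/config.guess)
    host=$(host_triplet_for_build "$guess")
    echo "config.guess says $guess; use --host=$host"
fi
```

Source this file in the gnupg checkout and pass `--host="$(host_triplet_for_build "$(./build-aux/config.guess)")"` to configure; the non-zero status from android_host_triplet is what you want to trip on if the tree is ever built from a non-Linux shell.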

Detection test

  1. If connected, disconnect the card reader from your phone.

  2. Stop any running instances of the GnuPG Agent:

    $ tsu
    $ gpgconf --kill all
    
  3. As root (the tsu shell from the previous step is still open), start the freshly built agent as a daemon:

    $ "$HOME/src/gnupg/agent/gpg-agent" --homedir "$HOME/.gnupg/" --daemon
    

    Then hand the homedir, including the socket the root agent just created, to the ordinary Termux user. u0_a88 is the uid of the Termux app on the device used here; substitute the name printed by `id -un` in a non-root Termux shell. Note that the agent itself keeps running as root; only the files change owner:

    $ chown -R u0_a88:u0_a88 ~/.gnupg
    

    And end your session as root:

    $ exit
    
  4. From now on, you can continue with the gpg that comes with Termux. It is compatible with the agent that was just built, because the checked-out tag (gnupg-2.2.12) matches the Termux package; make install is not needed.

  5. Connect reader to phone and insert card.

  6. Check the card’s status:

    $ gpg --card-status
    […]
    gpg: WARNING: unsafe ownership on homedir '/data/data/com.termux/files/home/.gnupg'
    gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
    gpg: It is only intended for test purposes and should NOT be
    gpg: used in a production environment or with production keys!
    Reader ...........: XXXX:XXXX:XXXXXXXXXXXXXX:X
    Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Version ..........: 2.1
    Manufacturer .....: ZeitControl
    Serial number ....: XXXXXXXX
    […]
    

Note: it would be preferable to adjust the permissions of the USB device files so that the agent does not need to run as root. However, so far I didn't succeed; see also my post on serverfault.com.
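As an added example (not code from the gist), the checks a script would run around the detection test above: it parses `gpg --card-status` output in the layout shown in step 6, treats the "No such device" error reported in the comments below as a failed detection, verifies the homedir ownership that gpg's "unsafe ownership" warning is about, and builds the chown command from the current uid instead of the hard-coded u0_a88. The sample outputs are constructed from the redacted listing on this page; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the gist: checks around the smart-card detection
# test. Offline by default; pass --live to run gpg --card-status for real.

# Constructed sample output, modelled on the redacted listing in step 6.
CARD_OK='gpg: WARNING: unsafe ownership on homedir '"'"'/data/data/com.termux/files/home/.gnupg'"'"'
Reader ...........: XXXX:XXXX:XXXXXXXXXXXXXX:X
Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: XXXXXXXX'

# Constructed failure output, the error quoted in the comment thread.
CARD_MISSING='gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device'

# card_field TEXT LABEL
#   Prints the value of a "Label ....: value" line from gpg --card-status
#   (first match only; empty when the label is absent).
card_field() {
    printf '%s\n' "$1" | sed -n "s/^$2 *\\.*: *//p" | sed 1q
}

# card_status_ok TEXT
#   Succeeds only if the output names a card (non-empty Application ID) and
#   carries no "No such device" error from scdaemon.
card_status_ok() {
    case "$1" in
        *"No such device"*) return 1 ;;
    esac
    [ -n "$(card_field "$1" 'Application ID')" ]
}

# homedir_owned_by_me DIR
#   The ownership check behind gpg's "unsafe ownership on homedir" warning:
#   the directory must be owned by the uid that runs gpg.
homedir_owned_by_me() {
    [ -d "$1" ] || return 1
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = "$(id -un)" ]
}

# handover_cmd [DIR]
#   Prints the chown that hands the root-created homedir to the current
#   Termux user (user:group form; the user.group form in the gist works on GNU
#   and busybox chown but is not POSIX). It is printed rather than run because
#   it has to be executed from the tsu shell, not from the user shell.
handover_cmd() {
    printf 'chown -R %s:%s %s\n' "$(id -un)" "$(id -gn)" "${1:-$HOME/.gnupg}"
}

if [ "${1-}" = "--live" ]; then
    out=$(gpg --card-status 2>&1)
    if card_status_ok "$out"; then
        echo "card present: $(card_field "$out" Manufacturer), serial $(card_field "$out" 'Serial number')"
        homedir_owned_by_me "${GNUPGHOME:-$HOME/.gnupg}" || echo "homedir not owned by $(id -un); run: $(handover_cmd)" >&2
    else
        echo "no card or reader: $out" >&2
        exit 1
    fi
fi
```

Run it with --live after step 6; a non-zero exit distinguishes the "No such device" failure from a present card, and the homedir check tells you whether the chown step was done for the uid you are actually running as.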

@DDoSolitary

I found out that we can build libpcsclite and libccid to achieve the same thing.
The advantages are:

  • make install won't mess with existing packages, e.g. gpgv, dirmngr
  • No need to run gpg as root. We can run pcscd as root, which does the actual USB work, and use gpg as a regular user

@DDoSolitary commented Apr 20, 2019

Now the packages are available in the official repo:

pkg install root-repo
pkg install pcscd libccid tsu
echo tsu -s pcscd >> ~/.bashrc

@feklee (Author) commented Aug 15, 2019

Thanks for your comments! That looks much simpler, although I didn't get the card reader recognized on a first quick try. Note that my solution does not require gpg to run as root either. It's only gpg-agent that needs superuser rights. Furthermore, running make install is not necessary.

@levinuss

Hey, I tried to do this with a USB GPG smartcard (a Nitrokey) because I want to work with it in Termux. The key is recognized by OpenKeychain but not by Termux. I tried your instructions and also the packages from the official repo. Nothing worked. Is this because this is a USB smartcard? Or what else could be the issue? (Couldn't find libusb-dev in the root repo)

@feklee (Author) commented Sep 17, 2019

@levinuss Unfortunately I don't have a solution. It doesn't work for me anymore either. I didn't use my smartcard reader with Termux in a while. In the meantime, I have changed my phone from a Xiaomi Mi A2 to a OnePlus 6T. Termux has evolved as well. While I can build the current version 2.2.17 of gpg-agent with smartcard support, the reader is not detected anymore:

gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device

I may try again with my old phone. About libusb-dev: Apparently that has been included in the libusb package. The reader does work fine with gnupg 2.2.17 on my PC / Arch Linux.

@levinuss

@feklee Okay, so this is probably just because of the changed prerequisites with Termux / Android? I'm on a Oneplus 5T :). I could build 2.2.17 too.

@feklee (Author) commented Sep 19, 2019

> @feklee Okay, so this is probably just because of the changed prerequisites with Termux / Android?

Don’t think so. After all, GnuPG Agent compiles fine with smartcard support. For helping with investigation, one can turn on logging for gpg, gpg-agent, and the included scdaemon. I did that a while ago, there was a lot of data, and I couldn’t find anything useful.

@feklee (Author) commented Sep 25, 2019

@levinuss OK, so I just reactivated my old half-broken Xiaomi Mi A2. That’s the device on which I successfully tested the instructions in this gist. After rooting the A2, I copied over the Termux installation from my OnePlus 6T. Result: Same as on the 6T, the smartcard reader is not detected anymore. So the issue doesn’t seem to be related to hardware. If it’s not caused by Termux, then it could be an issue with Android Pie. Next step could be looking at the logs.

@feklee (Author) commented Sep 29, 2019

pcsc_scan does not find the reader on my OnePlus 6T, which I just reported in pcsc-tools issue 28.

@levinuss

I found the new tool by @DDoSolitary which makes OpenKeychain available in Termux (e.g. to use for ssh auth). That's more than enough for my aims. https://github.com/DDoSolitary/OkcAgent

@feklee (Author) commented Sep 30, 2019

Thanks for the link! Too bad OpenKeychain still doesn't support external pin pads. I'm certainly not going to enter my pin on my Android device.
