Daniel, many thanks for thinking about this! I'm sorry I didn't respond earlier.
On 07/10/2018 03:01, Daniel Kahn Gillmor wrote:
> Does this make sense? you just need to make sure you tie the version of
> gpg and the keyring into the same initramfs build time.

The problem is that the gpg invocation is not at the time of building the initramfs. gpg is only invoked once during setup of the smartcard-encrypted root. In the end, the --export during setup and --import during early boot is probably the best alternative; since it's an --import to an empty keyring, this shouldn't waste much time during every boot anyway.

I have an idea about elegantly handling the fact that the smartcard stub is not known during boot, since there doesn't seem to be a stable interface for transferring these stubs, and invoking gpg at initramfs build time will leave a running gpg-agent, which is better avoided. I'll work this out when I have the time.

> I don't know the answer to this about using concatenated TPKs as
> keyring. Maybe Werner can weigh in?

Yes, I think it's useful to know what is a stable interface and what is not, so I hope he will.

Thank you,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
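The export-at-setup / import-at-boot flow discussed in the message, as an added shell example that is not part of the original post or of GnuPG's own tooling. It generates a throwaway test key in a temporary homedir to stand in for the setup-time keyring, exports the public key to a file (the artefact that would be placed in the initramfs), then imports that file into a fresh, empty keyring as early boot would, and checks that the fingerprint present after import is the one exported. The key, user id and directory names are constructed for the example; `gpgconf --kill gpg-agent` is used afterwards so no agent is left running, which is the side effect the message wants to avoid.

```shell
#!/bin/sh
# Added example: simulate "gpg --export at setup, gpg --import into an empty
# keyring at boot". Requires gpg (2.1+) and gpgconf on PATH. The test key and
# paths below are constructed; nothing here is the author's code.
set -eu

# first_fpr HOMEDIR: print the fingerprint of the first key in HOMEDIR.
first_fpr() {
    gpg --homedir "$1" --batch --with-colons --list-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# setup_export HOMEDIR FPR OUTFILE: setup-time step. Export only the public
# key (TPK) for FPR from the live keyring so it can be shipped in the initramfs.
setup_export() {
    gpg --homedir "$1" --batch --quiet --export "$2" > "$3"
}

# boot_import KEYFILE BOOTDIR: early-boot step. Import into a fresh, empty
# keyring, print the fingerprint that arrived, and kill the agent gpg started.
boot_import() {
    mkdir -p "$2" && chmod 700 "$2"
    gpg --homedir "$2" --batch --quiet --import "$1"
    first_fpr "$2"
    gpgconf --homedir "$2" --kill gpg-agent 2>/dev/null || true
}

# demo: run both halves against a constructed test key and print "ok" when
# the fingerprint seen at "boot" equals the one exported at "setup".
demo() {
    work=$(mktemp -d)
    setup="$work/setup"
    mkdir -p "$setup" && chmod 700 "$setup"
    # Constructed certification-only key with no passphrase (test data only).
    gpg --homedir "$setup" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-gen-key 'Test Key <test@example.invalid>' \
        ed25519 cert never
    fpr=$(first_fpr "$setup")
    setup_export "$setup" "$fpr" "$work/pubkey.gpg"
    got=$(boot_import "$work/pubkey.gpg" "$work/boot")
    gpgconf --homedir "$setup" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    if [ "$got" = "$fpr" ]; then echo ok; else echo mismatch; fi
}
```

Run `demo` to exercise the whole cycle; in a real initramfs hook only `boot_import` would run, against the exported file baked in at build time, and the fingerprint it prints is what the boot script would compare against the expected value before trusting the key.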
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users