Minimal gopass setup on Debian 11+
Authored by
Heiko Reese
Set up gpg-agent
and gopass
such that they are easy to use over ssh.
10_prerequisites.sh 622 B
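#!/usr/bin/env bash
# 10_prerequisites.sh — install gpg-agent and gopass, install bash completion
# for gopass, and let one user's systemd --user instance (and with it their
# gpg-agent) survive logout. Run as a user with sudo rights.
set -euo pipefail

# install gpg-agent
sudo apt install -y gpg-agent

# install latest gopass
# TODO: change to latest version; the current release URL can be looked up with
# curl -s https://api.github.com/repos/gopasspw/gopass/releases/latest | jq -r '.assets[] | select (.name | test ("linux_amd64.deb")) | .browser_download_url'
gopass_version="1.15.13"
gopass_deb="gopass_${gopass_version}_linux_amd64.deb"
wget "https://github.com/gopasspw/gopass/releases/download/v${gopass_version}/${gopass_deb}"
# NOTE(review): nothing here checks the download before it is installed as
# root. Verify the package against the checksums/signature published with the
# release before running dpkg -i.
sudo dpkg -i "${gopass_deb}"
rm -f -- "${gopass_deb}"

# /usr/share is root-owned, so a plain redirection fails for an unprivileged
# user (the original line did just that); write the completion file via sudo tee.
gopass completion bash | sudo tee /usr/share/bash-completion/completions/gopass >/dev/null

# enable linger for user: their user services (gpg-agent) keep running after logout
read -r -p "Username: " linger_username
sudo loginctl enable-linger "${linger_username}"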
20_setup_user.sh 1.78 KiB
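# create gnupg key for gopass
# TODO: edit identity string (real name); the e-mail part follows the login name
key_name="Surname Lastname"
key_uid="${key_name} <${USER}@kit.edu> (gopass)"
# ed25519 primary key, certification capability only, no expiry
gpg --quick-generate-key "${key_uid}" ed25519 cert never

# get fingerprint of the key just created, selected by its exact user ID
# ("=" prefix). The original took the first key in the keyring, which picks
# the wrong key as soon as another secret key exists.
# --with-colons: field 1 is the record type, field 10 of "fpr" is the fingerprint.
FPR="$(gpg -K --with-colons "=${key_uid}" | awk -F: '$1 == "fpr" { print $10; exit }')"
[[ -n "${FPR}" ]] || { echo "could not determine fingerprint of the new key" >&2; exit 1; }
echo "${FPR}"

# add encryption subkey (auth and sign shown for completeness)
gpg --quick-add-key "${FPR}" cv25519 encr never
#gpg --quick-add-key "${FPR}" ed25519 sign never
#gpg --quick-add-key "${FPR}" ed25519 auth never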
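# run gpg-agent and dirmngr in session (--now also starts the sockets right away)
systemctl --user enable --now gpg-agent.socket
systemctl --user enable --now dirmngr.socket

# tell gpg-agent which tty to use for pinentry on every login; append only
# once so re-running this script does not duplicate the lines in ~/.bashrc
if ! grep -qF 'gpg-connect-agent updatestartuptty /bye' ~/.bashrc; then
  cat <<'EOF' >> ~/.bashrc
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye >/dev/null
EOF
fi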
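# create sensible gnupg config
# gpg already created ~/.gnupg while generating the key, so "mkdir -m" would
# no longer set the mode on an existing directory; enforce it explicitly.
mkdir -p ~/.gnupg/
chmod 0700 ~/.gnupg/
# the heredoc is deliberately unquoted: ${FPR} must expand (no other $ or
# backticks may appear in the config text)
cat <<EOF > ~/.gnupg/gpg.conf
# TOFU + Web of Trust
trust-model tofu+pgp
# crypto preferences
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
# SHA512 as digest to sign keys
cert-digest-algo SHA512
# SHA512 as digest for symmetric ops
s2k-digest-algo SHA512
# AES256 as cipher for symmetric ops
s2k-cipher-algo AES256
# UTF-8 support for compatibility
charset utf-8
# No comments in messages
no-comments
# No version in output
no-emit-version
# Disable banner
no-greeting
# Long key id format
keyid-format 0xlong
# Display UID validity
list-options show-uid-validity
verify-options show-uid-validity
# Display all keys and their fingerprints
with-fingerprint
# Output ASCII instead of binary
armor
# Default key ID to use
default-key ${FPR}
# Mark our own key as ultimately trusted.
# NOTE(review): older gpg documents trusted-key as taking a long key ID only;
# confirm the installed version accepts a full fingerprint here.
trusted-key ${FPR}
EOF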
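# set up credential caching
# 34560000 s = 400 days, i.e. the passphrase stays cached for the lifetime of
# the agent. Together with enable-linger this is what makes the store usable
# over ssh without a passphrase prompt -- but it also means anyone who can
# reach this user's agent socket (same UID, root) can decrypt every secret
# without a prompt. Lower both TTLs if that trade-off is not acceptable.
cat <<'EOF' > ~/.gnupg/gpg-agent.conf
default-cache-ttl 34560000
max-cache-ttl 34560000
EOF
# best effort: pick up the new config in an already running agent; it may
# not be running yet at this point, which is fine
gpgconf --reload gpg-agent 2>/dev/null || true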
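# initialize gopass with the new key as the store's recipient
: "${FPR:?fingerprint of the gopass key must be set}"
gopass init "${FPR}"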
99_alternatively_use_sq_for_key_creation.sh 681 B
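#!/usr/bin/env bash
# 99_alternatively_use_sq_for_key_creation.sh — alternative to the gpg key
# generation in 20_setup_user.sh: create the key with Sequoia's sq, then
# import it into gpg for gopass. The flags below match the sq version this
# was written against; sq's CLI has changed between releases, check
# "sq key generate --help" if they are rejected.
set -euo pipefail
# the secret key (and the revocation certificate) are written to files below;
# make sure they are created readable by this user only
umask 077

# install sequoia
sudo apt install -y sq

# create openpgp key for gopass
# TODO: edit identity string (real name); e-mail follows the login name, as in 20_setup_user.sh
key_name="Surname Lastname"
key_uid="${key_name} <${USER}@kit.edu> (gopass)"
key_file="/dev/shm/${USER}.key"   # tmpfs: the secret key never touches disk
# delete the secret key file on every exit path, not only after a successful run
trap 'rm -f -- "${key_file}"' EXIT

sq key generate \
  --cipher-suite cv25519 --can-encrypt storage \
  --export "${key_file}" \
  --rev-cert gopass_key.revocation.pgp \
  --userid "${key_uid}" \
  --with-password \
  --expires never
# NOTE: gopass_key.revocation.pgp lands in the current directory; whoever holds
# it can revoke the key, so move it somewhere safe (ideally offline) afterwards.

# show the key, including its fingerprint, for the record
sq inspect "${key_file}"

# import into gpg
gpg --import "${key_file}"

# set ultimate trust non-interactively: look the key up by its exact user ID
# ("=" prefix) and feed gpg an ownertrust record ("6" = ultimate).
# Interactive equivalent: gpg --edit-key <fingerprint> trust quit, answer 5, then y.
FPR="$(gpg -K --with-colons "=${key_uid}" | awk -F: '$1 == "fpr" { print $10; exit }')"
[[ -n "${FPR}" ]] || { echo "imported key not found in the gpg keyring" >&2; exit 1; }
printf '%s:6:\n' "${FPR}" | gpg --import-ownertrust
echo "${FPR}"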