From 22bbf77707c87d18a0e9a0d73521a9616eb7eda0 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Sat, 6 Nov 2021 12:36:59 +0100 Subject: [PATCH] Add examples for passing PINs via file-descriptors. Change the example card ident so that the serial number doesn't look like the default admin PIN. --- tools/README.md | 46 ++++++++++++++++++++++++++++++---------------- 1 file changed, 30 insertions(+), 16 deletions(-) diff --git a/tools/README.md b/tools/README.md index 80b31ff..ca2b986 100644 --- a/tools/README.md +++ b/tools/README.md @@ -55,13 +55,13 @@ $ opgpcard status Explicitly print the status information for a specific card: ``` -$ opgpcard status -c ABCD:12345678 +$ opgpcard status -c ABCD:01234567 ``` Add `-v` for more verbose card status, including the list of supported algorithms of the card (older cards may return no additional information): ``` -$ opgpcard status -c ABCD:12345678 -v +$ opgpcard status -c ABCD:01234567 -v ``` ### Import keys @@ -69,7 +69,7 @@ $ opgpcard status -c ABCD:12345678 -v Import private key onto a card. This works if at most one (sub)key per role (sign, decrypt, auth) exists in `key.priv`: ``` -$ opgpcard admin -c ABCD:12345678 -P import key.priv +$ opgpcard admin -c ABCD:01234567 -P import key.priv ``` Import private key onto a card while explicitly selecting subkeys. @@ -77,7 +77,7 @@ Explicitly specified fingerprints are necessary if more than one subkey exists in `key.priv` for any role (note: spaces in fingerprints are ignored). ``` -$ opgpcard admin -c ABCD:12345678 -P import key.priv \ +$ opgpcard admin -c ABCD:01234567 -P import key.priv \ --sig-fp "F290 DBBF 21DB 8634 3C96 157B 87BE 15B7 F548 D97C" \ --dec-fp "3C6E 08F6 7613 8935 8B8D 7666 73C7 F1A9 EEDA C360" \ --auth-fp "D6AA 48EF 39A2 6F26 C42D 5BCB AAD2 14D5 5332 C838" 
@@ -89,19 +89,19 @@ keys will be imported for the other roles. ### Generate Keys on the card ``` -$ opgpcard admin -c ABCD:12345678 -P generate -p -o 25519 +$ opgpcard admin -c ABCD:01234567 -P generate -p -o 25519 ``` ### Set card metadata Set cardholder name: ``` -$ opgpcard admin -c ABCD:12345678 -P name "Bar< name "Bar< url "https://keyurl.example" +$ opgpcard admin -c ABCD:01234567 -P url "https://keyurl.example" ``` ### Signing @@ -110,7 +110,7 @@ For now, this tool only supports creating detached signatures, like this (if no input file is set, stdin is read): ``` -$ opgpcard sign --detached -c ABCD:12345678 -p -s +$ opgpcard sign --detached -c ABCD:01234567 -p -s ``` ### Decrypting @@ -118,17 +118,31 @@ $ opgpcard sign --detached -c ABCD:12345678 -p -s -r +$ opgpcard decrypt -c ABCD:01234567 -p -r ``` ### Factory reset Factory reset: ``` -$ opgpcard factory-reset -c ABCD:12345678 +$ opgpcard factory-reset -c ABCD:01234567 ``` -NOTE: you do not need a PIN to reset a card +NOTE: you do not need a PIN to reset a card! + +### Using file-descriptors for PINs + +When using a shell like +[bash](https://www.gnu.org/software/bash/manual/html_node/Redirections.html#Here-Strings), +you can pass user and/or admin PINs via file-descriptors: + +``` +$ opgpcard sign --detached -c ABCD:01234567 -p /dev/fd/3 -s 3<<<123456 +``` + +``` +$ opgpcard admin -c ABCD:01234567 -P /dev/fd/3 generate -p /dev/fd/4 -o 25519 3<<<12345678 4<<<123456 +``` ## opgpcard-pin 
@@ -137,25 +151,25 @@ PIN on OpenPGP cards. Set the user PIN (requires admin PIN): ``` -opgpcard-pin -c ABCD:12345678 set-user-pin +opgpcard-pin -c ABCD:01234567 set-user-pin ``` Set new admin PIN (requires admin PIN): ``` -opgpcard-pin -c ABCD:12345678 set-admin-pin +opgpcard-pin -c ABCD:01234567 set-admin-pin ``` Reset user PIN after it has been blocked (requires admin PIN): ``` -opgpcard-pin -c ABCD:12345678 reset-user-pin -a +opgpcard-pin -c ABCD:01234567 reset-user-pin -a ``` Set resetting code (requires admin PIN): ``` -opgpcard-pin -c ABCD:12345678 set-reset-code +opgpcard-pin -c ABCD:01234567 set-reset-code ``` Reset user PIN (requires resetting code): ``` -opgpcard-pin -c ABCD:12345678 reset-user-pin +opgpcard-pin -c ABCD:01234567 reset-user-pin ```
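Review bot: In the new "Using file-descriptors for PINs" section (hunk `@@ -118,17 +118,31 @@`), both examples type the PIN as a literal in the here-string (`3<<<123456`, and `3<<<12345678 4<<<123456`), so anyone copying the pattern still leaves the PIN in their shell history. Suggest adding a sentence on what the file-descriptor form is meant to protect against, and showing the descriptor fed from a variable or a command's output instead of a literal. Two smaller points in the same section: a bash here-string appends a trailing newline, so the README should say whether the PIN reader strips it; and the admin value shown, 12345678, is the default admin PIN the commit message refers to, so a line saying the values are placeholders would avoid suggesting that defaults stay in place.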
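Review bot: The `opgpcard-pin` examples in hunk `@@ -137,25 +151,25 @@` have no `$ ` prompt (for example `opgpcard-pin -c ABCD:01234567 set-user-pin`), while every `opgpcard` example in the earlier hunks has one. Since each of these lines is already being rewritten for the new card ident, add the prompt here so the README uses one convention throughout.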