YubiKey GPG Signature Pin

I recently bought a YubiKey to accelerate my personal gpg adoption rate, which was quite modest, to say the least. This turned out to be a good decision - using this dongle is fun and setting it up was not too painful. I can only recommend the tutorial by Jeff Clement.

But one thing had started to bother me: each email I’d sign would pop up two windows asking me to ‘unlock my card’. While this was annoying, I don’t send that many private emails anyway, and I sign even fewer, so I made a mental note to fix the configuration and walked on. But when I started signing git commits, I began to wonder. The same issue here: each time I do git commit -S, a wild pop-up appears.

Well, I thought, maybe the gpg-agent is misconfigured or the cache is entirely disabled. Searching the internet for variations of ‘gpg smartcard mac pinentry popup cache’ was really unhelpful; results were rare and pretty unrelated to the problem at hand. Also, I was still convinced that this was somehow related to my Mac setup, which did not make interpreting the results any easier.

Finally, it dawned on me: RTFM! The official SmartCard-HOWTO is not that rich, but turns out to hold all the information needed to get me started. Desperately browsing through the howto, I stumbled over the little bugger in section 3.1.1, where the items in the output of gpg --card-status are explained. One entry - Signature PIN - is documented as

When set to “forced”, gpg requests the entry of a PIN for each signature operation. When set to “non forced”, gpg may cache the PIN as long as the card has not been removed from the reader.

After all, this is a goddamn feature of the OpenPGP card spec! Feeling kind of stupid, I immediately ran gpg --card-edit and entered the magic sequence which finally enabled signature PIN caching (forcesig toggles the flag, so running it once on a card that is in "forced" mode switches it to "not forced"):

gpg/card> admin
gpg/card> forcesig
gpg/card> quit
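To check whether a card is in the PIN-per-signature mode described above without opening the interactive editor, the Signature PIN line of gpg --card-status can be parsed from a script. The snippet below is an added example (not part of the original post or of GnuPG); the sample status texts are constructed, and only the "Signature PIN ....: forced" / "not forced" line format is assumed to match real gpg output.

```sh
#!/bin/sh
# Added example: determine whether an OpenPGP card forces a PIN entry for
# every signature (the cause of the pop-ups described above) by parsing the
# "Signature PIN" line of `gpg --card-status`.

# Constructed samples of the relevant part of `gpg --card-status` output.
SAMPLE_FORCED='Reader ...........: Yubico YubiKey OTP+FIDO+CCID
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096'

SAMPLE_NOT_FORCED='Reader ...........: Yubico YubiKey OTP+FIDO+CCID
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096'

SAMPLE_NO_CARD='gpg: selecting card failed: No such device'

# sig_pin_mode STATUS_TEXT
# Prints "forced", "not forced" or "unknown" for the given card-status text.
sig_pin_mode() {
    # Strip the "Signature PIN ....: " prefix; everything after it is the mode.
    mode=$(printf '%s\n' "$1" | sed -n 's/^Signature PIN *\.*: *//p' | head -n 1)
    case "$mode" in
        forced|"not forced") printf '%s\n' "$mode" ;;
        *)                   printf 'unknown\n' ;;
    esac
}

# needs_forcesig STATUS_TEXT
# Returns 0 (true) when the card will prompt for a PIN on every signature,
# i.e. when running `forcesig` in `gpg --card-edit` would enable caching.
needs_forcesig() {
    [ "$(sig_pin_mode "$1")" = "forced" ]
}

# Usage on a real machine: report the mode of the card that is plugged in.
# Guarded so the script also runs where gpg or the card is absent.
if command -v gpg >/dev/null 2>&1 && live=$(gpg --card-status 2>/dev/null); then
    echo "Signature PIN mode of inserted card: $(sig_pin_mode "$live")"
    if needs_forcesig "$live"; then
        echo "Hint: run 'admin' then 'forcesig' in 'gpg --card-edit' to cache the PIN."
    fi
fi
```

Because forcesig is a toggle, a script should check the current mode first, as needs_forcesig does, rather than blindly sending the command; running it on a card that is already in "not forced" mode would switch PIN prompting back on.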


The Great Wall

I’ve been working on improving the address mapper for some weeks now, which is probably the most thoroughly maintained ‘10 lines of python code would have done the job’ project I ever had. It’s real fun working in OCaml, and after I got over the Oasis frustration — I guess what I want it to do and what it is designed to do are orthogonal things — by writing a simple Makefile, it just works. Also, the build image helps a lot, if only to remind my future self how to set up the development environment.

Just when I thought that things would get boring, I was contacted by a friend who’s currently visiting China for a prolonged vacation. He said that he had lost his phone and needed some help in accessing the internet (you know, the part that is not conformant to the CPC’s world view). Time to roll up my sleeves and fight for free speech!

The first thing was to upload some APK files that are hard to get in the People’s Republic. While feeling guilty both for hosting someone else’s binaries and for visiting dodgy download sites, it (probably) serves a good cause. The more interesting part came afterwards: setting up a VPN. Of course, you can go out and register an account somewhere, but this costs money, you don’t really know whether it’s safe and it might be blocked off by the Great Firewall. What does the fearless admin do in this case? Exactly — roll your own.

Which was surprisingly easy, thanks to the work of Pieter Lange. After not more than one hour, we had the first OpenVPN listening on a public address, and after a couple of minutes more my friend was all set up with a public IP in Frankfurt (Main). The only downside: I think I’m reaching peak app on this server — running all the kubernetes services, the apps, the VPN etc. makes it hit its very own Great Wall, and I ran into problems with kubelet and docker. At least the mail server probably deserves its own pod.


Blog Moved to BlogitWeb

After trying a couple of different approaches to deploy my old wordpress blog in the new k8s environment, I finally decided to abandon PHP altogether. There are too many components involved - I don’t want to install yet another web server (that just forwards CGI), a FastCGI backend service and a MySQL database. That’s why I decided to try something new.

Having elixir on my list for quite some time now, this might be a good moment to actually start using it for something cool. I discovered the blogging engine BlogitWeb, which looks promising to say the least. My first experiments are looking good, and the only things to deploy are a Phoenix server and a git daemon (which I wanted to have anyway).

I’ll start hacking up some deployment templates for this. If this does not change my opinion - and I don’t think so, blogging in markdown is awesome - I’ll move my old posts to the new repo.


Kuberize All The Things

Quite some time has passed since I rented my first vServer (running Debian Squeeze), and over the years I dist-upgraded twice and accumulated lots of baggage. There are custom init scripts (nowadays systemd units), executables whose purpose I can’t remember and several databases (I guess at least MySQL, Redis and etcd). There are backup directories of my wife, which hold dear pictures and videos of our daughter. My web stack is a confusing combination of lighttpd, a letsencrypt cron job, wild php-cgi appearances and some obscure python scripts using http.server. I tried accessing my blog a couple of days ago and was greeted by a nice 503 error message. This was the point where I knew I needed to change something.

Over the last weeks, I started to change my primary email address for many accounts to my self-hosted mail address. That makes my email address look fancy, and I’m quite positive that my correspondence is not scanned for marketing purposes. On the other hand, this opens up a lot of problems in terms of reliability. If I’m on vacation for two weeks and postfix goes down (or mysql, or some other component), emails start bouncing and make me look unprofessional. The same goes for my web presence, which has admittedly not that many visitors, but nonetheless should be up if someone stumbles across a link.

Since I’m getting better at kubernetes by the day - it’s part of my day job, and I had some spare time projects using it - it makes a lot of sense to build on that. The hope is to have a nice yaml file repository where I can see at a glance how my web services are set up. Moving postfix and friends is almost done - there’s a backup mail server on Vultr (warlock.burgerdev.de) which passes all tests I have found so far.

The hard part will probably be the web server. I could either use a similar approach as I do now, having nginx servers relay PHP to some deployment, but I’m in the mood to move away from PHP once and for all. An interesting project would be switching to Elixir/Phoenix, but since my family usually frowns upon me spending too many weekends on the PC, I might as well use ikiwiki for the blog. But having Perl in the backend makes me more than a bit uncomfortable.