Security Encryption – gpg: Cancelled by User


Trying to create GPG keys which will be used for an apt repository hosted on my CentOS 7 box. I created a new user "apt", and then tried to create the keys, but at the very end, it states that I need a passphrase, and then instantly closes, stating "cancelled by user". No it wasn't!

I have since successfully repeated these same steps as root and as my standard username, which happens to be in the wheels group.

Two questions:

  1. Is it a good idea to use different gpg keys for different uses such as this apt repository, and should keys ever be created as root?
  2. Why am I not able to create a gpg key for this user? Do I need to first create some other key for this user?

Thanks

[apt@devserver ~]$ gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Thu 12 Jul 2018 04:32:05 PM UTC
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: somename
Email address: example@gmail.com
Comment:
You selected this USER-ID:
    "somename <example@gmail.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

gpg: cancelled by user
gpg: Key generation canceled.
[apt@devserver ~]$

Best Answer

As to the "cancelled by user" error: GnuPG tries to make sure it's reading the passphrase directly from the terminal, not (e.g.) piped from stdin. To do so, it tries to open the tty directly. Unfortunately, file permissions get in the way — the tty device is owned by the user you log in as. So only that user and root can open it. GnuPG appears to report the error incorrectly, saying you canceled (when in fact it got a permission denied).

As to if you should have a separate key for the repository: yes. There are a couple of reasons that come to mind:

  • A repository can be maintained by more than one person. All of them will need access to the key. You obviously don't want to give them access to your personal key.
  • The software processing new packages will need access to the key. For many repositories, that means you have to keep the key available on an Internet-connected machine. This necessitates a lower level of security than you'd ideally have on your personal key.
  • If you're processing uploads automatically, you may even need to store the key with no passphrase. This obviously lowers security.
  • In case of compromise of your personal key, it's nice to only have to revoke that. Same with compromise of the repository key. It makes revoking a compromised key cheaper.

It's pretty normal to use your personal key to sign the repository key.

As to running key generation as root: not ideal (don't run things as root without good reason), but likely not really an issue.
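The tty ownership problem described in the answer can be checked from the shell before running `gpg --gen-key`. This is an added example, not part of the original answer: the function names `check_tty_access` and `current_tty` are hypothetical, it assumes GNU `stat` (as on CentOS), and it assumes the passphrase prompt needs the terminal opened read-write.

```shell
#!/bin/sh
# Added example: report whether the current user can open a terminal device.

# check_tty_access DEVICE
# Prints one of:
#   ok                   current user can open DEVICE read-write
#   denied owner=<user>  DEVICE exists but the open fails (the case in the answer)
#   missing              no such device (e.g. stdin is not a terminal)
check_tty_access() {
    dev=$1
    if [ -z "$dev" ] || [ ! -e "$dev" ]; then
        echo "missing"
        return 2
    fi
    # Attempt a real read-write open. The subshell keeps a failed
    # redirection from terminating the calling shell.
    if ( : <>"$dev" ) 2>/dev/null; then
        echo "ok"
        return 0
    fi
    # Show who owns the device so it can be compared with `id -un`.
    owner=$(stat -c '%U' "$dev" 2>/dev/null) || owner=unknown
    echo "denied owner=$owner"
    return 1
}

# current_tty: path of the terminal on stdin, or an empty line if none.
current_tty() {
    t=$(tty 2>/dev/null) || t=""
    printf '%s\n' "$t"
}

# When run interactively, print a one-line report for the current session.
if [ -t 0 ]; then
    printf 'user=%s tty=%s result=%s\n' \
        "$(id -un)" "$(current_tty)" "$(check_tty_access "$(current_tty)")"
fi
```

A `denied` result whose owner differs from the reported user matches the situation the answer describes, where the terminal still belongs to the account that originally logged in.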
