Stale references to nix + other issues

[niklash3]

Here are a couple of issues with the nix component of this guide:

1. The Build an air-gapped NixOS LiveCD image part of the guide no longer works after moving flake.nix to nix subdirectory. Similar issue with the other commands. Adding ?dir=nix argument to the flake url should solve the problem.
2. The flake lock file is outdated: it contains drduhConfig which was removed from the flake inputs.

And other issues noticed while following it:

1. sudo mkdir /mnt/encrypted-storage does not work on NixOS as /mnt is not created by default.
2. gpg-agent needs to be stopped before using ykman openpgp commands.
3. Transfer subkeys just doesn't work (gpg: KEYTOCARD failed: Invalid time error). What solved was to run the interactive command manually without --pinentry-mode=loopback
4. Running save after keytocard makes it annoying to transfer the keys to multiple yubikeys, as they are removed from gnupg. I had to delete all secret keys form my gnupg and re-import the backups.
   It seems to me like the live NixOS image support is slowly being faded out. Is there a particular reason for this?

Anyways, this was a great guide, thank you to all who contributed to it!

[mattborja]

Noticed the help wanted tag just light up and wanted to throw an idea out there.

I've recently had a lot of success establishing offline keys using Alpine Linux on ARM. Offline package management (apk) ultimately made it very efficient to bootstrap the minimal tooling needed to manage smart cards as well.

Everything fits into a nice 80 MB partition for rapid cloning purposes, and the base system is even ephemeral. Happy to share my notes if this would be of interest. Personally, I could see contributing this as a solution in part (or whole) to #495.

Let me know!

CC: @drduh

(Even more fun would be to come up with a CI build system for building the custom Alpine image that comes pre-shipped with these packages installed :D)

[drduh]

@mattborja that sounds like an excellent idea; I would very much like to try it out. can you please create a new issue to track this under the upcoming spring refresh milestone? it could fit nicely with the simplified guide idea.

@niklash3 thank you for raising the issue. unfortunately I am not a nix user and would appreciate your help addressing the obvious problems.

[mattborja]

@drduh FYI, added that issue, but it didn't let me set the milestone or assign it to myself (presumably due to insufficient permissions).

For now, I can just update that issue with details as updates become available.

[aMOPel]

Transfer subkeys just doesn't work (gpg: KEYTOCARD failed: Invalid time error). What solved was to run the interactive command manually without --pinentry-mode=loopback

+1 for this.

A hint in the guide would be helpful.

Also see
https://www.reddit.com/r/yubikey/s/FQgBc1leg0

[forbytten]

@aMOPel looks like it's fixed in GPG 2.5.1. I haven't tested it but the bug report references the same reddit link https://dev.gnupg.org/T7283

Edit: which isn't that practically useful right now because the 2.5 series is for public testing, not a stable release - https://lists.gnu.org/archive/html/info-gnu/2024-09/msg00005.html However, it's good to know the future 2.6 release should fix the issue.

[rda716]

@aMOPel looks like it's fixed in GPG 2.5.1. I haven't tested it but the bug report references the same reddit link https://dev.gnupg.org/T7283

Edit: which isn't that practically useful right now because the 2.5 series is for public testing, not a stable release - https://lists.gnu.org/archive/html/info-gnu/2024-09/msg00005.html However, it's good to know the future 2.6 release should fix the issue.

The GPG ticket seems to indicate the required fix has been backported to GPG 2.2 and 2.4:

• rG95468f531c3b: STABLE-BRANCH-2-2, bugfixes-2.2
• rG5a1bf7e5524e: STABLE-BRANCH-2-4
• rG4a4c1efac59f: master

Perhaps the Nix flake can be updated to pull in the required bug-fix when live-CD image is built. I will investigate this to see how this is done.