diff --git a/debian/control b/debian/control index 89d924e..957443b 100644 --- a/debian/control +++ b/debian/control @@ -15,7 +15,7 @@ Package: security-misc Architecture: all Depends: python, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, apparmor-profile-anondist, helper-scripts, ${misc:Depends} -Replaces: tcp-timestamps-disable +Replaces: tcp-timestamps-disable, anon-gpg-tweaks Description: enhances misc security settings Inspired by Kernel Self Protection Project (KSPP) . @@ -321,6 +321,10 @@ Description: enhances misc security settings * Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird to make phishing attacks more difficult. Fixing URL not showing real Domain Name (Homograph attack). + * Security and privacy enhancements for gnupg's config file + `/etc/skel/.gnupg/gpg.conf`. See also: + https://raw.github.com/ioerror/torbirdy/master/gpg.conf + https://github.com/ioerror/torbirdy/pull/11 . Want more? Look into these: . diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 11bc4c9..13e0072 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -17,6 +17,11 @@ true " case "$1" in configure) + if [ -d /etc/skel/.gnupg ]; then + ## Lintian warns against use of chmod --recursive. + chmod 700 /etc/skel/.gnupg + fi + ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override glib-compile-schemas /usr/share/glib-2.0/schemas || true ;; diff --git a/etc/skel/.gnupg/gpg.conf b/etc/skel/.gnupg/gpg.conf new file mode 100644 index 0000000..dcc90e8 --- /dev/null +++ b/etc/skel/.gnupg/gpg.conf @@ -0,0 +1,348 @@ +# Options for GnuPG +# Copyright 1998, 1999, 2000, 2001, 2002, 2003, +# 2010 Free Software Foundation, Inc. +# +# This file is free software; as a special exception the author gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. +# +# This file is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the +# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +# +# Unless you specify which option file to use (with the command line +# option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf +# by default. +# +# An options file can contain any long options which are available in +# GnuPG. If the first non white space character of a line is a '#', +# this line is ignored. Empty lines are also ignored. +# +# See the man page for a list of options. + +# Uncomment the following option to get rid of the copyright notice + +#no-greeting + +# If you have more than 1 secret key in your keyring, you may want to +# uncomment the following option and set your preferred keyid. + +#default-key 621CC013 + +# If you do not pass a recipient to gpg, it will ask for one. Using +# this option you can encrypt to a default key. Key validation will +# not be done in this case. The second form uses the default key as +# default recipient. + +#default-recipient some-user-id +#default-recipient-self + +# Use --encrypt-to to add the specified key as a recipient to all +# messages. This is useful, for example, when sending mail through a +# mail client that does not automatically encrypt mail to your key. +# In the example, this option allows you to read your local copy of +# encrypted mail that you've sent to others. + +#encrypt-to some-key-id + +# By default GnuPG creates version 4 signatures for data files as +# specified by OpenPGP. Some earlier (PGP 6, PGP 7) versions of PGP +# require the older version 3 signatures. Setting this option forces +# GnuPG to create version 3 signatures. + +#force-v3-sigs + +# Because some mailers change lines starting with "From " to ">From " +# it is good to handle such lines in a special way when creating +# cleartext signatures; all other PGP versions do it this way too. + +#no-escape-from-lines + +# If you do not use the Latin-1 (ISO-8859-1) charset, you should tell +# GnuPG which is the native character set. Please check the man page +# for supported character sets. This character set is only used for +# metadata and not for the actual message which does not undergo any +# translation. Note that future version of GnuPG will change to UTF-8 +# as default character set. In most cases this option is not required +# as GnuPG is able to figure out the correct charset at runtime. + +#charset utf-8 + +# Group names may be defined like this: +# group mynames = paige 0x12345678 joe patti +# +# Any time "mynames" is a recipient (-r or --recipient), it will be +# expanded to the names "paige", "joe", and "patti", and the key ID +# "0x12345678". Note that there is only one level of expansion - you +# cannot make a group that points to another group. Note also that +# if there are spaces in the recipient name, this will appear as two +# recipients. In these cases it is better to use the key ID. + +#group mynames = paige 0x12345678 joe patti + +# Lock the file only once for the lifetime of a process. If you do +# not define this, the lock will be obtained and released every time +# it is needed, which is usually preferable. + +#lock-once + +# GnuPG can send and receive keys to and from a keyserver. These +# servers can be HKP, email, or LDAP (if GnuPG is built with LDAP +# support). +# +# Example HKP keyserver: +# hkp://keys.gnupg.net +# hkp://subkeys.pgp.net +# +# Example email keyserver: +# mailto:pgp-public-keys@keys.pgp.net +# +# Example LDAP keyservers: +# ldap://keyserver.pgp.com +# +# Regular URL syntax applies, and you can set an alternate port +# through the usual method: +# hkp://keyserver.example.net:22742 +# +# Most users just set the name and type of their preferred keyserver. +# Note that most servers (with the notable exception of +# ldap://keyserver.pgp.com) synchronize changes with each other. Note +# also that a single server name may actually point to multiple +# servers via DNS round-robin. hkp://keys.gnupg.net is an example of +# such a "server", which spreads the load over a number of physical +# servers. To see the IP address of the server actually used, you may use +# the "--keyserver-options debug". +# +#keyserver hkp://qdigse2yzvuglcix.onion +#keyserver hkp://2eghzlv2wwcq7u7y.onion +#keyserver mailto:pgp-public-keys@keys.nl.pgp.net +#keyserver ldap://keyserver.pgp.com + +# Common options for keyserver functions: +# +# include-disabled : when searching, include keys marked as "disabled" +# on the keyserver (not all keyservers support this). +# +# no-include-revoked : when searching, do not include keys marked as +# "revoked" on the keyserver. +# +# verbose : show more information as the keys are fetched. +# Can be used more than once to increase the amount +# of information shown. +# +# use-temp-files : use temporary files instead of a pipe to talk to the +# keyserver. Some platforms (Win32 for one) always +# have this on. +# +# keep-temp-files : do not delete temporary files after using them +# (really only useful for debugging) +# +# http-proxy="proxy" : set the proxy to use for HTTP and HKP keyservers. +# This overrides the "http_proxy" environment variable, +# if any. +# +# auto-key-retrieve : automatically fetch keys as needed from the keyserver +# when verifying signatures or when importing keys that +# have been revoked by a revocation key that is not +# present on the keyring. +# +# no-include-attributes : do not include attribute IDs (aka "photo IDs") +# when sending keys to the keyserver. + +#keyserver-options auto-key-retrieve + +# Display photo user IDs in key listings + +# list-options show-photos + +# Display photo user IDs when a signature from a key with a photo is +# verified + +# verify-options show-photos + +# Use this program to display photo user IDs +# +# %i is expanded to a temporary file that contains the photo. +# %I is the same as %i, but the file isn't deleted afterwards by GnuPG. +# %k is expanded to the key ID of the key. +# %K is expanded to the long OpenPGP key ID of the key. +# %t is expanded to the extension of the image (e.g. "jpg"). +# %T is expanded to the MIME type of the image (e.g. "image/jpeg"). +# %f is expanded to the fingerprint of the key. +# %% is %, of course. +# +# If %i or %I are not present, then the photo is supplied to the +# viewer on standard input. If your platform supports it, standard +# input is the best way to do this as it avoids the time and effort in +# generating and then cleaning up a secure temp file. +# +# If no photo-viewer is provided, GnuPG will look for xloadimage, eog, +# or display (ImageMagick). On Mac OS X and Windows, the default is +# to use your regular JPEG image viewer. +# +# Some other viewers: +# photo-viewer "qiv %i" +# photo-viewer "ee %i" +# +# This one saves a copy of the photo ID in your home directory: +# photo-viewer "cat > ~/photoid-for-key-%k.%t" +# +# Use your MIME handler to view photos: +# photo-viewer "metamail -q -d -b -c %T -s 'KeyID 0x%k' -f GnuPG" + +# Passphrase agent +# +# We support the old experimental passphrase agent protocol as well as +# the new Assuan based one (currently available in the "newpg" package +# at ftp.gnupg.org/gcrypt/alpha/aegypten/). To make use of the agent, +# you have to run an agent as daemon and use the option +# +# For Ubuntu we now use-agent by default to support more automatic +# use of GPG and S/MIME encryption by GUI programs. Depending on the +# program, users may still have to manually decide to install gnupg-agent. + +#use-agent + +# which tries to use the agent but will fallback to the regular mode +# if there is a problem connecting to the agent. The normal way to +# locate the agent is by looking at the environment variable +# GPG_AGENT_INFO which should have been set during gpg-agent startup. +# In certain situations the use of this variable is not possible, thus +# the option +# +# --gpg-agent-info=::1 +# +# may be used to override it. + +# Automatic key location +# +# GnuPG can automatically locate and retrieve keys as needed using the +# auto-key-locate option. This happens when encrypting to an email +# address (in the "user@example.com" form), and there are no +# user@example.com keys on the local keyring. This option takes the +# following arguments, in the order they are to be tried: +# +# cert = locate a key using DNS CERT, as specified in RFC-4398. +# GnuPG can handle both the PGP (key) and IPGP (URL + fingerprint) +# CERT methods. +# +# pka = locate a key using DNS PKA. +# +# ldap = locate a key using the PGP Universal method of checking +# "ldap://keys.(thedomain)". For example, encrypting to +# user@example.com will check ldap://keys.example.com. +# +# keyserver = locate a key using whatever keyserver is defined using +# the keyserver option. +# +# You may also list arbitrary keyservers here by URL. +# +# Try CERT, then PKA, then LDAP, then hkp://subkeys.net: +#auto-key-locate cert pka ldap hkp://subkeys.pgp.net + +## Begin Anonymity Distribution /home/user/.gnupg/gpg.conf changes. + +#### meta start +#### project Whonix +#### category networking and apps +#### description GnuPG gpg configuration +#### meta end + +## source: +## https://raw.github.com/ioerror/torbirdy/master/gpg.conf +## https://github.com/ioerror/torbirdy/commit/e6d7c9e6e103f0b3289675d04ed3f92e92d8d7b3 + +## Out commented proxy settings, because uwt wrapper keeps care of that. + +## gpg.conf optimized for privacy + +################################################################## +## BEGIN some suggestions from TorBirdy setting extensions.enigmail.agentAdditionalParam + +## Don't disclose the version +no-emit-version + +## Don't add additional comments (may leak language, etc) +no-comments + +## We want to force UTF-8 everywhere +display-charset utf-8 + +## Proxy settings +#keyserver-options http-proxy=socks5://TORIP:TORPORT + +## https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f +## https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html +## https://forums.whonix.org/t/gpg-recv-keys-fails-no-longer-use-keyservers-for-anything/5607 +#keyserver hkps://keys.openpgp.org + +## END some suggestions from TorBirdy TorBirdy setting extensions.enigmail.agentAdditionalParam +################################################################## + +################################################################## +## BEGIN Some suggestions from Debian http://keyring.debian.org/creating-key.html + +personal-digest-preferences SHA512 +cert-digest-algo SHA512 +default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed + +## END Some suggestions from Debian http://keyring.debian.org/creating-key.html +################################################################## + +################################################################## +## BEGIN Some suggestions added from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices + +## When creating a key, individuals may designate a specific keyserver to use to pull their keys from. +## The above option will disregard this designation and use the pool, which is useful because (1) it +## prevents someone from designating an insecure method for pulling their key and (2) if the server +## designated uses hkps, the refresh will fail because the ca-cert will not match, so the keys will +## never be refreshed. +keyserver-options no-honor-keyserver-url + +## when outputting certificates, view user IDs distinctly from keys: +fixed-list-mode + +## long keyids are more collision-resistant than short keyids (it's trivial to make a key with any desired short keyid) +keyid-format 0xlong + +## when multiple digests are supported by all recipients, choose the strongest one: +## already defined above +#personal-digest-preferences SHA512 SHA384 SHA256 SHA224 + +## preferences chosen for new keys should prioritize stronger algorithms: +## already defined above +#default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed + +## If you use a graphical environment (and even if you don't) you should be using an agent: +## (similar arguments as https://www.debian-administration.org/users/dkg/weblog/64) +use-agent + +## You should always know at a glance which User IDs gpg thinks are legitimately bound to the keys in your keyring: +verify-options show-uid-validity +list-options show-uid-validity + +## include an unambiguous indicator of which key made a signature: +## (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234) +sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g + +## when making an OpenPGP certification, use a stronger digest than the default SHA1: +## already defined above +#cert-digest-algo SHA256 + +## END Some suggestions added from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices +################################################################## + +################################################################## +## BEGIN Some suggestions from TorBirdy opt-in's + +## Up to you whether you in comment it (remove the single # in front of +## it) or not. Disabled by default, because it causes too much complaints and +## confusion. + +## Don't include keyids that may disclose the sender or any other non-obvious keyids +#throw-keyids + +## END Some suggestions from TorBirdy opt-in's +################################################################## + +## End of Anonymity Distribution /home/user/.gnupg/gpg.conf changes. diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index cb24c53..f18194d 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc @@ -2,7 +2,7 @@ ## See the file COPYING for copying conditions. ## The whole point of the package. -security-misc: package-contains-file-in-etc-skel etc/skel/.config/* +security-misc: package-contains-file-in-etc-skel etc/skel/* ## Wrapper script. security-misc: binary-without-manpage usr/bin/pkexec.security-misc