Adjusts the `gpg-agent.conf` template as follows:
1. Adds more `pinentry-program` variants likely to be found on current
Linux and macOS systems.
2. Groups entries by OS and package.
3. Makes all `pinentry-program` directives inactive (commented-out).
At present, the `pinentry-program` directive active by default is:
```
pinentry-program /usr/bin/pinentry-curses
```
This works on Linux but fails on macOS.
However, if `gpg-agent.conf` either does not exist, or exists but does
not contain **any** active `pinentry-program` directives, then my
experimentation shows current OS releases behave as follows:
* Linux invokes:
- `/usr/bin/pinentry-gnome3` (if a Desktop environment is available)
- `/usr/bin/pinentry-curses` (otherwise)
I have tested Debian, Ubuntu and Raspberry Pi OS.
* macOS invokes:
- `/usr/local/bin/pinentry-curses` (Intel)
- `/opt/homebrew/bin/pinentry-curses` (Apple)
Those are true when `gnupg` has been installed by HomeBrew. I can't
test either MacPorts or MacGPG2 directly but research suggests:
- `/opt/local/bin/pinentry` (MacPorts)
- `/usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac` (MacGPG2)
Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
- Include MIT disclaimer and add copyright
- Clarify use of tightly coupled process intended for offline package installation (bootable images already presumed to be verified through via external documentation)
- Specify appropriate use of secure imaging host (imaging purposes only)
- Provide link to Tails installation guide
- Cleanup verbiage throughout using more direct procedural language
- Rearrange paragraphs as needed to address disparities in logical flow of procedures, as in C/CD Considerations
- Clarify hardware requirements for devices elected for air-gap use (e.g. SD card)
- Reiterate verification requirements for Alpine Linux, citing both official sources and additional evidence sources
- Add callout (3b) to fetch additional packages required for offlnie work in the air-gapped environment and thus rename gpg-bundle-* to airgap-bundle-*
- Add explicit step to visually inspect and note SHA256 checksum of air-gap bundle before continuing (required for later verification)
- Parameterize device paths when referencing use of removable storage medium
- Note alternate use of repeating section 1.2.1 over current SD card (used for offline package retrieval)
- Cleanup additional post-installation setup tasks introduced elsewhere in, else considered outside the scope of this document
- Demonstrate use of `&&` for requiring SHA256 to be valid before allowing air-gap bundle to be extracted and installed
- Include sample command for listing key certifications during GPG environment verification (--list-sigs)
Begin reworking user stories as more procedural for brevity and procedural specificity (clarity)
- Establishing a Secure Image Host
- Use Tails OS as an Intermediary
- Use the target OS to download packages
- Acquire the target image
- Boot the target image and download OS packages
The "clean plate" analogy is becoming more prominent (recurring), potentially indicating an accessible codename suitable for this document.
Begin reworking user stories as more procedural for brevity and procedural specificity (clarity)
- Establishing a Secure Image Host
- Use Tails OS as an Intermediary
- Use the target OS to download packages
- Acquire the target image
- Boot the target image and download OS packages
The "clean plate" analogy is becoming more prominent (recurring), potentially indicating an accessible codename suitable for this document.
