Homebrew installs to /usr/local on x86 and /opt/homebrew on Apple
Silicon architectures, so this plist now sets PATH to cover both
(MacPGP2 as a bonus) and runs gpg-connect-agent via /usr/bin/env.
Since the release of Fedora 43, `gnupg2-scdaemon` has been split off from `gnupg2` into its own package. The `--skip-unavailable` flag for `dnf install` is added for backward compatibility with Fedora 42.
Adjusts the `gpg-agent.conf` template as follows:
1. Adds more `pinentry-program` variants likely to be found on current
Linux and macOS systems.
2. Groups entries by OS and package.
3. Makes all `pinentry-program` directives inactive (commented-out).
At present, the `pinentry-program` directive active by default is:
```
pinentry-program /usr/bin/pinentry-curses
```
This works on Linux but fails on macOS.
However, if `gpg-agent.conf` either does not exist, or exists but does
not contain **any** active `pinentry-program` directives, then my
experimentation shows current OS releases behave as follows:
* Linux invokes:
- `/usr/bin/pinentry-gnome3` (if a Desktop environment is available)
- `/usr/bin/pinentry-curses` (otherwise)
I have tested Debian, Ubuntu and Raspberry Pi OS.
* macOS invokes:
- `/usr/local/bin/pinentry-curses` (Intel)
- `/opt/homebrew/bin/pinentry-curses` (Apple)
Those are true when `gnupg` has been installed by HomeBrew. I can't
test either MacPorts or MacGPG2 directly but research suggests:
- `/opt/local/bin/pinentry` (MacPorts)
- `/usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac` (MacGPG2)
Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
- Include MIT disclaimer and add copyright
- Clarify use of tightly coupled process intended for offline package installation (bootable images already presumed to be verified through via external documentation)
- Specify appropriate use of secure imaging host (imaging purposes only)
- Provide link to Tails installation guide
- Cleanup verbiage throughout using more direct procedural language
- Rearrange paragraphs as needed to address disparities in logical flow of procedures, as in C/CD Considerations
- Clarify hardware requirements for devices elected for air-gap use (e.g. SD card)
- Reiterate verification requirements for Alpine Linux, citing both official sources and additional evidence sources
- Add callout (3b) to fetch additional packages required for offlnie work in the air-gapped environment and thus rename gpg-bundle-* to airgap-bundle-*
- Add explicit step to visually inspect and note SHA256 checksum of air-gap bundle before continuing (required for later verification)
- Parameterize device paths when referencing use of removable storage medium
- Note alternate use of repeating section 1.2.1 over current SD card (used for offline package retrieval)
- Cleanup additional post-installation setup tasks introduced elsewhere in, else considered outside the scope of this document
- Demonstrate use of `&&` for requiring SHA256 to be valid before allowing air-gap bundle to be extracted and installed
- Include sample command for listing key certifications during GPG environment verification (--list-sigs)