Merge pull request #386 from Xronophobe/docs/update-debian-12-live

add notes for installing #Required Software on Debian 12

README.md

@@ -219,6 +219,25 @@ $ sudo apt update ; sudo apt -y upgrade
 $ sudo apt -y install wget gnupg2 gnupg-agent dirmngr cryptsetup scdaemon pcscd secure-delete hopenpgp-tools yubikey-personalization
 ```
 
+**Note**
+As of 2023 June, the `hopenpgp-tools` is not part of the latest Debian 12 stable package repositories.
+
+To install it, go to [https://packages.debian.org/sid/hopenpgp-tools](https://packages.debian.org/sid/hopenpgp-tools) to select your architecture and then an ftp server.
+
+Edit `/etc/apt/sources.list` and add the ftp server:
+```
+deb http://ftp.debian.org/debian sid main
+```
+
+and then add this to `/etc/apt/preferences` (or a fragment, e.g. `/etc/apt/preferences.d/00-sid`) so that APT still prioritizes packages from the stable repository over sid.
+
+```
+Package: *
+Pin: release n=sid
+Pin-Priority: 10
+```
+
+
 **Note** Live Ubuntu images [may require modification](https://github.com/drduh/YubiKey-Guide/issues/116) to `/etc/apt/sources.list` and may need additional packages:
 
 ```console
@@ -239,11 +258,14 @@ $ sudo service pcscd start
 $ ~/.local/bin/ykman openpgp info
 ```
 
+**Note** Debian 12 doesn't recommend installing non-Debian packaged Python applications globally. But fortunately, it isn't even necessary as `yubikey-manager` is available in the stable main repository:
+`$ sudo apt install yubikey-manager`.
+
 ## Fedora
 
 ```console
 $ sudo dnf install wget
-$ wget https://github.com/rpmsphere/noarch/raw/master/r/rpmsphere-release-34-2.noarch.rpm
+$ wget https://github.com/rpmsphere/noarch/raw/master/r/rpmsphere-release-38-1.noarch.rpm
 $ sudo rpm -Uvh rpmsphere-release*rpm
 
 $ sudo dnf install gnupg2 dirmngr cryptsetup gnupg2-smime pcsc-tools opensc pcsc-lite secure-delete pgp-tools yubikey-personalization-gui
@@ -323,13 +345,43 @@ let
       };
 
     in {
-      nixpkgs.config = { allowBroken = true; };
+      nixpkgs.overlays = [
+        # hopenpgp-tools in nixpkgs 23.05 is out-of-date and has a broken build
+        (final: prev: {
+          haskellPackages = prev.haskellPackages.override {
+            overrides = hsFinal: hsPrev:
+              let
+                optparse-applicative =
+                  final.haskell.lib.overrideCabal hsPrev.optparse-applicative
+                  (oldAttrs: {
+                    version = "0.18.1.0";
+                    sha256 =
+                      "sha256-Y4EatP0m6Cm4hoNkMlqIvjrMeYGfW7UAWy3TuWHsxJE=";
+                    libraryHaskellDepends =
+                      (oldAttrs.libraryHaskellDepends or [ ])
+                      ++ (with hsFinal; [
+                        text
+                        prettyprinter
+                        prettyprinter-ansi-terminal
+                      ]);
+                  });
+                hopenpgp-tools =
+                  (final.haskell.lib.overrideCabal hsPrev.hopenpgp-tools
+                    (oldAttrs: {
+                      version = "0.23.8";
+                      sha256 =
+                        "sha256-FYvlVE0o/LOYk3a2rucAqm7tg5D/uNQRRrCu/wlDNAE=";
+                      broken = false;
+                    })).override { inherit optparse-applicative; };
+              in { inherit hopenpgp-tools; };
+          };
+        })
+      ];
 
       isoImage.isoBaseName = lib.mkForce "nixos-yubikey";
       # Uncomment this to disable compression and speed up image creation time
       #isoImage.squashfsCompression = "gzip -Xcompression-level 1";
 
-      boot.kernelPackages = linuxPackages_latest;
       # Always copytoram so that, if the image is booted from, e.g., a
       # USB stick, nothing is mistakenly written to persistent storage.
       boot.kernelParams = [ "copytoram" ];
@@ -442,7 +494,7 @@ in {
 Build the installer and copy it to a USB drive.
 
 ```console
-$ nix build -f yubikey-installer.nix -o installer nixos-yubikey
+$ nix-build yubikey-installer.nix --out-link installer --attr nixos-yubikey
 
 $ sudo cp -v installer/iso/*.iso /dev/sdb; sync
 'installer/iso/nixos-yubikey-22.05beta-248980.gfedcba-x86_64-linux.iso' -> '/dev/sdb'
@@ -2172,7 +2224,7 @@ Key is valid for? (0)
 ```
 Follow these prompts to set a new expiration date, then `save` to save your changes.
 
-Next, export the public key:
+Next, [export the public key](#export-public-keys):
 
 ```console
 $ gpg --armor --export $KEYID > gpg-$KEYID-$(date +%F).asc
@@ -2184,6 +2236,18 @@ Transfer that public key to the computer from which you use your GPG key, and th
 $ gpg --import gpg-0x*.asc
 ```
 
+Alternatively, use a public key server (it will update the key if already on the server):
+
+```console
+$ gpg --send-key $KEYID
+```
+
+and import the newly updated key on any computer where you wish to use it (it will update the key if previously imported):
+
+```console
+$ gpg --recv $KEYID
+```
+
 This will extend the validity of your GPG key and will allow you to use it for SSH authorization.  Note that you do _not_ need to update the SSH public key located on remote servers.
 
 ## Rotating keys
@@ -3214,6 +3278,7 @@ Continue with the Verify section of this guide.
 
 # Links
 
+* [Minimal key management tool written for this guide](https://gitlab.com/lsasolutions/makegpg)
 * https://alexcabal.com/creating-the-perfect-gpg-keypair/
 * https://blog.habets.se/2013/02/GPG-and-SSH-with-Yubikey-NEO
 * https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/