GnuPG: add scdaemon shared access patch #97951
base: master
Conversation
@uosis That's great, thanks for the comments. Should this patch use
For other reviewers: GPG upstream seems to find shared card access controversial because it may (apparently?) allow apps other than the one that requested the operation (GPG) to interact with a hardware-button security key, see https://wiki.archlinux.org/index.php/GnuPG#Shared_access_with_pcscd (now linked in the comment). It seems a legitimate use case to me to make shared card access an optional add-in feature for people who want to trade usability for a changed threat model, so carrying this patch looks sensible to me.
I see no reason to not use
And just to add to this, while the security concern may have had some weight in the old days of plain "dumb" smartcards, now that smartcards are actually USB tokens with physical button authorization for each operation, the whole argument is moot.
It is a user level configuration setting in
I marked this as stale due to inactivity. → More info
Motivation for this change

GnuPG stubbornly refuses to share access to smartcards, which, among other things, makes it not work properly with yubikey-manager.

This adds a patch maintained by macOS GPGTools which adds an option to enable shared smartcard access.

There is no change in default behavior, and the patch applies cleanly without modifications, so I see no reason why Nix should not have it as well.
Things done

- Tested using sandboxing (`sandbox` in `nix.conf` on non-NixOS Linux)
- Tested compilation of all pkgs that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review wip"`
- Tested execution of all binary files (usually in `./result/bin/`)
- Determined the impact on package closure size (by running `nix path-info -S` before and after)