gnupg-pkcs11-scd: init at 0.9.2 #71266

philandstuff · 2019-10-16T21:27:20Z

Motivation for this change

This adds gnupg-pkcs11-scd, a smart card daemon for GnuPG that supports
PKCS#11 smartcards (such as the Yubikey PIV module).

You can use it by adding something like this to your
~/.gnupg/gpg-agent.conf:

scdaemon-program /home/<user>/.nix-profile/bin/gnupg-pkcs11-scd

You will also need to install opensc and have a
~/.gnupg/gnupg-pkcs11-scd.conf with something like the following:

providers opensc

provider-opensc-library /home/philandstuff/.nix-profile/lib/pkcs11/opensc-pkcs11.so

Then gpg smartcard operations will access your PKCS#11-capable
smartcard.

Things done

Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
Built on platform(s)
- NixOS
- macOS
- other Linux distributions
Tested execution of all binary files (usually in ./result/bin/)
Determined the impact on package closure size (by running nix path-info -S before and after)
Ensured that relevant documentation is up to date
Fits CONTRIBUTING.md.

Notify maintainers

cc @

This adds gnupg-pkcs11-scd, a smart card daemon for GnuPG that supports PKCS#11 smartcards (such as the Yubikey PIV module). You can use it by adding something like this to your ~/.gnupg/gpg-agent.conf: scdaemon-program /home/<user>/.nix-profile/bin/gnupg-pkcs11-scd You will also need to install `opensc` and have a ~/.gnupg/gnupg-pkcs11-scd.conf with something like the following: providers opensc provider-opensc-library /home/philandstuff/.nix-profile/lib/pkcs11/opensc-pkcs11.so Then `gpg` smartcard operations will access your PKCS#11-capable smartcard.

grahamc · 2019-10-16T21:35:58Z

How does this interact with https://nixos.org/nixos/options.html#services.pcscd.enable?

philandstuff · 2019-10-16T21:41:17Z

@grahamc good question.

Although any given user can only use one of pcscd or gnupg-pkcs11-scd, it doesn't hurt to have both running - ie they don't conflict. This is because access is controlled via the scdaemon-program option of gpg-agent.conf - they're not fighting to listen on the same socket or anything.

So it's possible (and indeed I have verified) to use gnupg-pkcs11-scd even if services.pcscd.enable is true. But if you're using this, you probably want it to be false because you probably won't be using pcscd.

philandstuff · 2019-10-16T21:42:38Z

By the way, I don't like how much manual config is still required to get this working - see the original post / commit message for what I mean. I'm open to suggestions about how this could be improved.

lschuermann · 2019-10-27T10:48:06Z

I've seen this just by coincidence, as I've packaged the gnupg-pkcs11-scd myself a few weeks back and wanted to create the PR at NixCon. :)
The good thing: I came up with pretty much an identical package definition, and can confirm that it works!
I'm working on TPM support currently, so I'll just test this package with my tpm2-pkcs11 in a few hours.

Btw: I think that the amount of manual configuration is actually just fine. I prefer to not mess with a user's GnuPG configuration, and IMHO without any change it should always use the standard scdaemon, as that's the expected behavior. You'll want to configure it manually anyways.

philandstuff · 2019-10-27T16:34:05Z

@lschuermann would you like to add yourself as a maintainer then? :)

EDIT: doh, you can’t push to my fork. Let me rephrase: would you be open to being an additional maintainer, in which case I’ll update the PR?

lschuermann · 2019-10-27T21:09:17Z

@lschuermann would you like to add yourself as a maintainer then? :)

As I actually plan on using this for an extended period of time, this is fine with me. That way, we can just shout at each other if something breaks. ;)

lschuermann

I am yet to really try this with TPM, but the library seems to be fine so works for me.

lschuermann · 2019-10-30T13:28:18Z

pkgs/tools/security/gnupg-pkcs11-scd/default.nix

+    '';
+    homepage = http://gnupg-pkcs11.sourceforge.net/;
+    license = licenses.bsd3;
+    maintainers = with maintainers; [ lschuermann philandstuff ];


Looks good!

gnupg-pkcs11-scd: init at 0.9.2 (cherry picked from commit fa7d7eb)

ofborg bot added 8.has: package (new) 11.by: package-maintainer 10.rebuild-darwin: 1-10 10.rebuild-linux: 1-10 labels Oct 16, 2019

lschuermann approved these changes Oct 27, 2019

View reviewed changes

gnupg-pkcs11-scd: add @lschuermann as maintainer

10d7313

ofborg bot requested a review from lschuermann October 28, 2019 21:21

lschuermann approved these changes Oct 30, 2019

View reviewed changes

globin merged commit fa7d7eb into NixOS:master Nov 4, 2019

dtzWill pushed a commit to dtzWill/nixpkgs that referenced this pull request Nov 4, 2019

Merge pull request NixOS#71266 from philandstuff/add-gnupg-pkcs11-scd

b34d4d1

gnupg-pkcs11-scd: init at 0.9.2 (cherry picked from commit fa7d7eb)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

gnupg-pkcs11-scd: init at 0.9.2 #71266

gnupg-pkcs11-scd: init at 0.9.2 #71266

philandstuff commented Oct 16, 2019

grahamc commented Oct 16, 2019

philandstuff commented Oct 16, 2019

philandstuff commented Oct 16, 2019

lschuermann commented Oct 27, 2019 •

edited

Loading

philandstuff commented Oct 27, 2019 •

edited

Loading

lschuermann commented Oct 27, 2019

lschuermann left a comment

lschuermann Oct 30, 2019

gnupg-pkcs11-scd: init at 0.9.2 #71266

gnupg-pkcs11-scd: init at 0.9.2 #71266

Conversation

philandstuff commented Oct 16, 2019

Motivation for this change

Things done

Notify maintainers

grahamc commented Oct 16, 2019

philandstuff commented Oct 16, 2019

philandstuff commented Oct 16, 2019

lschuermann commented Oct 27, 2019 • edited Loading

philandstuff commented Oct 27, 2019 • edited Loading

lschuermann commented Oct 27, 2019

lschuermann left a comment

Choose a reason for hiding this comment

lschuermann Oct 30, 2019

Choose a reason for hiding this comment

lschuermann commented Oct 27, 2019 •

edited

Loading

philandstuff commented Oct 27, 2019 •

edited

Loading