gnupg-pkcs11-scd: init at 0.9.2 #71266

Merged (2 commits, Nov 4, 2019)
Conversation

philandstuff (Contributor)

Motivation for this change

This adds gnupg-pkcs11-scd, a smart card daemon for GnuPG that supports
PKCS#11 smartcards (such as the Yubikey PIV module).

You can use it by adding something like this to your
~/.gnupg/gpg-agent.conf:

    scdaemon-program /home/<user>/.nix-profile/bin/gnupg-pkcs11-scd

You will also need to install opensc and have a
~/.gnupg/gnupg-pkcs11-scd.conf with something like the following:

    providers opensc

    provider-opensc-library /home/philandstuff/.nix-profile/lib/pkcs11/opensc-pkcs11.so

Then gpg smartcard operations will access your PKCS#11-capable
smartcard.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @

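The two config files from the description, written by a script as an added example (not part of this PR or of gnupg-pkcs11-scd itself): it replaces any earlier scdaemon-program line so gpg-agent.conf stays unambiguous, refuses a relative or non-executable daemon path and a missing PKCS#11 module (gpg-agent would otherwise try to exec whatever is written there), keeps both files mode 600, and with --apply restarts the agent and runs gpg --card-status. The default paths under ~/.nix-profile, the SCD/PKCS11_MODULE variables and the helper names are assumptions.

```sh
#!/bin/sh
# Added example, not code from the PR or from gnupg-pkcs11-scd.
# Writes ~/.gnupg/gpg-agent.conf and ~/.gnupg/gnupg-pkcs11-scd.conf as the
# PR description shows, checking the paths first.  Default paths (assumed)
# follow the ~/.nix-profile layout in the description.
set -u

# Hypothetical helper: set "key value" in a conf file, replacing any existing
# line for the same key so the file never carries two of them.
set_conf_line() {
    conf="$1" key="$2" value="$3"
    tmp="$conf.tmp.$$"
    if [ -f "$conf" ]; then
        grep -v "^$key[[:space:]]" "$conf" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$conf"
    chmod 600 "$conf"
}

# Point gpg-agent at gnupg-pkcs11-scd, and the daemon at the OpenSC PKCS#11
# module.  Returns non-zero instead of writing config that would make
# gpg-agent exec a relative or missing program.
configure_pkcs11_scd() {
    scd="$1" module="$2"
    home="${GNUPGHOME:-$HOME/.gnupg}"
    umask 077
    mkdir -p "$home" && chmod 700 "$home"
    case "$scd" in
        /*) ;;
        *)  echo "scdaemon-program must be an absolute path: $scd" >&2; return 1 ;;
    esac
    [ -x "$scd" ]    || { echo "not executable: $scd" >&2; return 1; }
    [ -r "$module" ] || { echo "PKCS#11 module not readable: $module" >&2; return 1; }
    set_conf_line "$home/gpg-agent.conf" scdaemon-program "$scd"
    set_conf_line "$home/gnupg-pkcs11-scd.conf" providers opensc
    set_conf_line "$home/gnupg-pkcs11-scd.conf" provider-opensc-library "$module"
}

# Live run, only with --apply: write the config, restart gpg-agent so it
# picks up the new scdaemon-program, then ask for the card.
if [ "${1:-}" = "--apply" ]; then
    configure_pkcs11_scd \
        "${SCD:-$HOME/.nix-profile/bin/gnupg-pkcs11-scd}" \
        "${PKCS11_MODULE:-$HOME/.nix-profile/lib/pkcs11/opensc-pkcs11.so}" \
    && gpgconf --kill gpg-agent \
    && gpg --card-status
fi
```

Running it twice leaves one scdaemon-program line and a two-line gnupg-pkcs11-scd.conf with providers first, which is the order the description uses; the gpgconf --kill is needed because an already-running gpg-agent keeps the scdaemon it was started with.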
grahamc (Member) commented Oct 16, 2019

How does this interact with https://nixos.org/nixos/options.html#services.pcscd.enable?

philandstuff (Contributor, Author) commented:

@grahamc good question.

Although any given user can only use one of pcscd or gnupg-pkcs11-scd, it doesn't hurt to have both running, i.e. they don't conflict. This is because access is controlled via the scdaemon-program option of gpg-agent.conf; they're not fighting to listen on the same socket or anything.

So it's possible (and indeed I have verified) to use gnupg-pkcs11-scd even if services.pcscd.enable is true. But if you're using this, you probably want it to be false because you probably won't be using pcscd.

philandstuff (Contributor, Author) commented:

By the way, I don't like how much manual config is still required to get this working; see the original post / commit message for what I mean. I'm open to suggestions about how this could be improved.

lschuermann (Member) commented Oct 27, 2019

I've seen this just by coincidence, as I've packaged the gnupg-pkcs11-scd myself a few weeks back and wanted to create the PR at NixCon. :)
The good thing: I came up with pretty much an identical package definition, and can confirm that it works!
I'm working on TPM support currently, so I'll just test this package with my tpm2-pkcs11 in a few hours.

Btw: I think that the amount of manual configuration is actually just fine. I prefer to not mess with a user's GnuPG configuration, and IMHO without any change it should always use the standard scdaemon, as that's the expected behavior. You'll want to configure it manually anyways.

philandstuff (Contributor, Author) commented Oct 27, 2019

@lschuermann would you like to add yourself as a maintainer then? :)

EDIT: doh, you can’t push to my fork. Let me rephrase: would you be open to being an additional maintainer, in which case I’ll update the PR?

lschuermann (Member) commented:

> @lschuermann would you like to add yourself as a maintainer then? :)

As I actually plan on using this for an extended period of time, this is fine with me. That way, we can just shout at each other if something breaks. ;)

@ofborg ofborg bot requested a review from lschuermann October 28, 2019 21:21
lschuermann (Member) left a review comment:

I am yet to really try this with TPM, but the library seems to be fine so works for me.

'';
homepage = http://gnupg-pkcs11.sourceforge.net/;
license = licenses.bsd3;
maintainers = with maintainers; [ lschuermann philandstuff ];
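Review bot: the homepage on the second line of this snippet is a plain-http URL; if sourceforge serves the project page over https, prefer https://gnupg-pkcs11.sourceforge.net/ so the metadata link cannot be rewritten in transit. The license and the two maintainers match the discussion above.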
Member comment on the lines above:

Looks good!

@globin globin merged commit fa7d7eb into NixOS:master Nov 4, 2019
dtzWill pushed a commit to dtzWill/nixpkgs that referenced this pull request Nov 4, 2019
gnupg-pkcs11-scd: init at 0.9.2
(cherry picked from commit fa7d7eb)
4 participants