Ship hwdb files for USB smartcards and crypto tokens
Open, Wishlist, Public

Description

Currently, various distributions ship udev rules for USB smartcards and crypto tokens which can be used with gnupg. It seems like it would make sense to ship them with gnupg itself, then they’re maintained in a single place, rather than in each distribution.

There’s an example rules file here; a similar one is shipped by Fedora in its nitrokey-app package.

I believe it would be better to ship a hwdb file rather than a udev rules file, but I’m unsure of the best way to do this.

pwithnall created this object in space S1 Public.
gniibe claimed this task. Edited Apr 11 2017, 10:16 AM
gniibe triaged this task as Wishlist priority.
gniibe added a project: scd.
gniibe added a subscriber: gniibe.

While I understand your request, it's complicated.

(1) It is not the smartcard, but the smartcard reader or token, which requires some udev rules.
(2) scdaemon has multiple ways to access a smartcard reader: PC/SC or the internal CCID driver (via libusb). Only for the latter are udev rules required.
(3) We don't know which smartcard readers work fine, while we know some readers don't work well.
(4) hwdb seems systemd specific?

I'm open to any improvement.

In T3082#95636, @gniibe wrote:

(3) We don't know which smartcard readers work fine, while we know some readers don't work well.

I think it would make sense to start with a small set of rules taken from devices which ship them already (like the Nitrokey rules I linked above). The set of rules can always be grown later on.

(4) hwdb seems systemd specific?

Yes. You could do udev rules instead, but they are slower. hwdb was written because udev rule parsing is slow.

Thank you for your comment.

I think that a practical approach for us would be having a list of vendor-id:product-id pairs in a file under gnupg/doc/ and maintaining the list.
It will be up to distributions to use the list to build hwdb, udev rules, or whatever.
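As an added example of what a distribution would do with such a list (not code from this thread, from GnuPG, or from any distribution), here is a small generator that reads a vendor-id:product-id file and emits both a systemd hwdb fragment and an equivalent udev rules file. The IDs in the sample list are constructed placeholders; the property names ID_SMARTCARD_READER and ID_SMARTCARD_READER_DRIVER are the ones distribution rules for these tokens conventionally set, and are assumed here, not taken from the thread.

```python
import re

# Constructed sample of the thread's "vendor-id:product-id" list (placeholder IDs,
# not real devices); '#' starts a comment.
SAMPLE_LIST = """\
# vendor:product  description
1234:5678  Example token A
1234:AbCd  Example token B (mixed case on purpose)
"""
ID_RE = re.compile(r"^([0-9a-fA-F]{4}):([0-9a-fA-F]{4})(?:\s+(.*))?$")

def parse_id_list(text):
    """Return [(vendor, product, description)] with IDs normalised to lowercase hex.
    Malformed lines raise instead of silently becoming a rule that never matches."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ID_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        entries.append((m.group(1).lower(), m.group(2).lower(), (m.group(3) or "").strip()))
    return entries

def to_hwdb(entries):
    """systemd hwdb: match the USB modalias, whose hex digits are UPPERCASE,
    then one property per line indented by exactly one space."""
    out = ["# Generated from the vendor-id:product-id list (constructed example)"]
    for vid, pid, desc in entries:
        out += ["", f"# {desc}"] if desc else [""]
        out.append(f"usb:v{vid.upper()}p{pid.upper()}*")
        out.append(" ID_SMARTCARD_READER=1")
        out.append(" ID_SMARTCARD_READER_DRIVER=gnupg")
    return "\n".join(out) + "\n"

def to_udev_rules(entries):
    """Equivalent udev rules: ATTRS{} compares against sysfs, which stores the IDs
    in lowercase hex. TAG+="uaccess" gives the logged-in seat user an ACL on the
    device node instead of a world-writable MODE, which is the least-privilege choice."""
    out = ["# Generated from the vendor-id:product-id list (constructed example)",
           'SUBSYSTEM!="usb", GOTO="gnupg_tokens_end"']
    for vid, pid, desc in entries:
        if desc:
            out.append(f"# {desc}")
        out.append(f'ATTRS{{idVendor}}=="{vid}", ATTRS{{idProduct}}=="{pid}", '
                   'ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", '
                   'TAG+="uaccess"')
    out.append('LABEL="gnupg_tokens_end"')
    return "\n".join(out) + "\n"
```

Install the rules file with a number below 70 so systemd's own uaccess handling still sees the tag, and run `systemd-hwdb update` after dropping the hwdb fragment into place.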

pwithnall added a comment. Edited Apr 11 2017, 12:36 PM
In T3082#95656, @gniibe wrote:

Thank you for your comment.

I think that a practical approach for us would be having a list of vendor-id:product-id pairs in a file under gnupg/doc/ and maintaining the list.
It will be up to distributions to use the list to build hwdb, udev rules, or whatever.

That means distributions still end up doing almost as much work as before, and they’re all still doing the same work. I think it would make more sense to just ship the hwdb and udev rules with GnuPG. There’s no harm in shipping both of them (and they should need to be updated infrequently enough that maintaining them in parallel is not hard), then distributions just need to choose which of them to install.

I think a custom format would be a pointless abstraction for you to maintain.

FWIW, the "vendor-id:product-id" syntax is the one used for USB by any USB tools.