Page MenuHome GnuPG

Filter APDUs in log output
Open, LowPublic


For remote debugging it is often necessary to ask a user for a logfile from scdaemon. Although we filter most sensitive information out in log files, this is not the case for --debug cardio and --debug-ccid-driver. In particular it is possible to view the PIN of a user during a VERIFY or CHANGE REFERENCE DATA.

We should filter those APDUs as well and hide the actual PIN by default.

Event Timeline

werner lowered the priority of this task from Normal to Low.Sep 14 2021, 2:00 PM

We need to do this also for CHANGE REFERENCE DATA - however, there should be an extra option so that we can debug this despite of the redacting.

The extra option --debug-allow-pin-logging was implemented with commit rGe43bd2a7a78.