Oct 26 2022
Oct 1 2022
Sep 30 2022
Does the latest Scute require an instance of gpg-agent and/or scdaemon running to work?
Sep 29 2022
Merged the changes in t6002 branch into master.
Sep 28 2022
That sounds quite cool.
Actually we developed PIV support to allow the use of PIV X.509 certificates and OpenPGP keys with Yubikeys. In fact, GnuPG is able to switch between the Yubikey PIV and OpenPGP applications on-the-fly while keeping their PIN verification states.
I was indeed using version 1.5.0 for testing, but I wish to clarify the purpose of Scute in my setup before proceeding.
Sep 27 2022
Which version of Scute are you using?
Using Scute as a drop-in replacement doesn't currently work. Perhaps my config needs more adjustments than just:
module = /usr/lib/x86_64-linux-gnu/scute/scute.so
Sep 26 2022
Yes, I meant to use Scute as pkcsc11 module for pam_pkcs11. Thanks for explaining more verbosely what I meant.
I think Werner may have confused pam_pkcs11 with gnupg-pkcs11-scd. :)
I'm not sure what you mean with using Scute as PKCS#11 provider instead of pam_pkcs11, as pam_pkcs11 is not a provider but a user of PKCS#11
There is a reason why pcsc-shared is not the default ;-). Please try using Scute (best the t6002 branch until it has been merged) as pkcs#11 provider instead of pam_pkcs11. And you should of course use the stable version of GnuPG and not the LTS (2.2).
Sep 17 2022
A better solution could always be found later
Aug 26 2022
Aug 22 2022
I tested with a self-signed one.
Did you test with a self-signed cert? I ran into the problem that the selection only showed the root certificate, the signing works using the leaf cert, but the root cert was put into the signature. Changing Scute to only return the leaf certificate made it work but verification failed.
I can successfully sign with LibreOffice Writer (using Brainpool with Yubikey). I need to do:
- LibreOffice - Security - Certificate Path
- Select the profile of "firefox:default-esr" for NSS certificate directory
- LibreOffice - Security - Certificate Path
Aug 5 2022
Firefox nicely shows the 3 NIST certificates from my Telesec card but not the important Brainpool certificate for eIDAS. It turns out that Firefox does not support Brainpool, despite that a patch has been provided 8 years ago. See https://bugzilla.mozilla.org/show_bug.cgi?id=943639 . Thus there is currently no way to use LibreOffice or Okular to signe PDFs because they rely on NSS.
Jul 22 2022
In the repo, for all related software, it's done.
Note that versions since 2020-11-07 to 2021-07-03 have major problem with non-POSIX shell, which doesn't support $(..) construct.
Jul 18 2022
Jun 30 2022
Kleopatra uses SCD READCERT for reading certificates from the PIV app. This is used to import the certificates stored by the PIV app. I'm not sure whether this is really needed. Maybe we could/should use "learn card" for this instead.
We could change how device keys are listed. Currently, Scute does KEYINFO --list, then asking gpgsm for each certificate.
The change requires "KEYINFO --list" command. This is not available through remote access of gpg-agent (extra socket).
Jun 15 2022
In the branch https://dev.gnupg.org/source/Scute/history/t6002/ , by the commit rS123d617ebefe: Less administration of devices by scute., things has been changed.
Jun 13 2022
I realized that we need to invent a way to represent KEYGRIP (40-byte string) in the scheme of PKCS#11; PKCS#11 uses fixed-size string (space padded) for it's label (32) and serialno (16). Basically, it identifies the device by slot number.
May 24 2022
For testing, I can use these sites for client certificate authentication:
Aug 13 2021
Apr 18 2021
t-link does not do antthing useful, anyway. I don't think it is justified to add dlopen stuff. Running real test is anyway a manual action; for a full test automation we would need to emulate all supported cards.
Apr 17 2021
the t-link test should dlopen scute.so in runtime rather than link against it in build-time.
Apr 16 2021
As of slibtool commit 9c5ba5eb, scute now builds out of the box. I'd still recommend taking the above into consideration, though.
For what it's worth, scute is in violation of gnu libtool's documentation. Building with gnu libtool:
Apr 13 2021
Regarding your patch, I am personally not opposed to it, but apparently Debian’s policy says the library/module should be called scute while Gentoo’s policy says it should be called libscute… What should an upstream developer do?
Apr 12 2021
Regarding slibtool: I would actually like to have an easier to maintain tool than libtool (of which we use our own version) for GnuPG related software. However, its requirement "the compiler should support -std=c99" is currently a no-starter for libgcrypt and some other libs.
Mar 31 2021
Looks good to me: "make && make check" passes.
FWIW, in GnuPG we use
Mar 30 2021
It should be fixed with 49ad2b0e05e3fcb8c8c2e23bb1c6063b390dee02, though I don’t have a gcc-10 to check. It does work with gcc-9.3 with -fno-common.
Mar 26 2021
It's OK not supporting generation in PostScript format.
Thus, we can remove image_eps support.
Then, convert is not required any more.
Mar 25 2021
Fixed with commit 4d95b7457d62bf785a2157bb2cfa002bde7ff8f5. It turned out the test the convert was already there, but its result was not used to decide whether to build the doc or not.