[git] Scute - branch, master, updated. scute-1.3.0-76-ge6ca8e2
by Damien Goutte-Gattat
cvs at cvs.gnupg.org
Wed Jul 12 10:24:33 CEST 2017
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "PKCS#11 token on top of gpg-agent".
The branch, master has been updated
via e6ca8e2e6ae842e9e72c9287624a77e51fe2962f (commit)
via 6a3b58fcaa00dc5f91d361e842e61e4dec0ae7f6 (commit)
via 82ff06a600a22b5ab71be0ec451b24fcd8a55eae (commit)
from 21baad873862352833fc54eb85fb490522955e6f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit e6ca8e2e6ae842e9e72c9287624a77e51fe2962f
Author: Damien Goutte-Gattat <dgouttegattat at incenp.org>
Date: Wed Jul 12 09:48:43 2017 +0200
Search gpg-connect-agent in PATH at runtime.
* configure.ac: Do not hard-code full path to gpg-connect-agent.
--
By default, Scute should use the gpg-connect-agent program
present in PATH at runtime, unless the user chooses otherwise
at configure-time.
GnuPG-bug-id: 3274
Signed-off-by: Damien Goutte-Gattat <dgouttegattat at incenp.org>
diff --git a/configure.ac b/configure.ac
index d05785e..99003fd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -296,7 +296,7 @@ fi
if test "$GPGSM" = no; then
if test "$NO_OVERRIDE" = "yes"; then
if test "$cross_compiling" != "yes"; then
- AC_MSG_WARN([
+ AC_MSG_ERROR([
***
*** Could not find GpgSM, install GpgSM or use --with-gpgsm=PATH to enable it
***])
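Review bot: the AC_MSG_WARN to AC_MSG_ERROR change in the GpgSM branch is not covered by the commit message, which only mentions gpg-connect-agent in configure.ac. A missing GpgSM now aborts configure on native builds instead of warning; either add that to the ChangeLog line or move it to its own commit so the behaviour change is visible in the history.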
@@ -381,7 +381,7 @@ if test "$NO_OVERRIDE" = "yes" || test "$GPG_CONNECT_AGENT" = "yes"; then
GPG_CONNECT_AGENT=
NO_OVERRIDE=yes
if test "$cross_compiling" != "yes"; then
- AC_PATH_PROG(GPG_CONNECT_AGENT, gpg-connect-agent)
+ AC_CHECK_PROG(GPG_CONNECT_AGENT, gpg-connect-agent, gpg-connect-agent)
fi
if test -z "$GPG_CONNECT_AGENT"; then
GPG_CONNECT_AGENT="$GPG_CONNECT_AGENT_DEFAULT"
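Review bot: with AC_CHECK_PROG recording the bare name gpg-connect-agent, which binary gets run now depends on the PATH of the process using Scute at runtime, and nothing in this change documents that. Since that program sits between the token and gpg-agent, the manual or README should say that the lookup happens at runtime and that --with-gpg-connect-agent=PATH is the way to pin an absolute path where the PATH of the calling application is not under the administrator's control.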
@@ -390,12 +390,12 @@ fi
if test "$GPG_CONNECT_AGENT" = no; then
if test "$NO_OVERRIDE" = "yes"; then
if test "$cross_compiling" != "yes"; then
- AC_MSG_WARN([
+ AC_MSG_ERROR([
***
*** Could not find gpg-connect-agent, use --with-gpg-connect-agent=PATH to enable it
***])
else
- AC_MSG_WARN([
+ AC_MSG_ERROR([
***
*** Can not determine path to gpg-connect-agent when cross-compiling, use --with-gpg-connect-agent=PATH
***])
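Review bot: making both gpg-connect-agent failures fatal sits oddly with a commit whose stated goal is to find the program in PATH at runtime, and the commit message does not mention it. When these branches are reached, a build host without GnuPG installed can no longer configure the package even though the program is only needed later; consider keeping AC_MSG_WARN for the not-found case, or explain in the commit message why a build-time presence check is still required.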
@@ -479,4 +479,8 @@ echo "
Revision: mym4_revision (mym4_revision_dec)
Platform: $host
+
+ GpgSM: ${GPGSM}
+ Gpg-connect-agent: ${GPG_CONNECT_AGENT}
+
"
commit 6a3b58fcaa00dc5f91d361e842e61e4dec0ae7f6
Author: Damien Goutte-Gattat <dgouttegattat at incenp.org>
Date: Wed Jul 12 09:48:19 2017 +0200
Sanitize tests environment.
* tests/Makefile.am (clean-local): New target.
(TESTS_ENVIRONMENT): New variable.
(EXTRA_DIST): New variable.
* tests/clean-socketdir: New file.
--
We should avoid using the current user's GNUPGHOME directory
(and any pre-existing agent) when running the tests.
Then, since running the tests implies spawning an agent, we should
wipe out the corresponding socket directory upon 'make clean'.
This will also terminate the agent.
GnuPG-bug-id: 3274
Signed-off-by: Damien Goutte-Gattat <dgouttegattat at incenp.org>
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 6c19071..311303d 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -37,5 +37,12 @@ TESTS = t-link t-getfunctionlist t-initialize t-getinfo t-getslotlist \
noinst_PROGRAMS = $(TESTS)
+EXTRA_DIST = clean-socketdir
+
+TESTS_ENVIRONMENT = GNUPGHOME=`/bin/pwd` GPG_AGENT_INFO= LC_ALL=C
+
AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/src
LDADD = ../src/scute.la
+
+clean-local:
+ $(TESTS_ENVIRONMENT) $(srcdir)/clean-socketdir
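Review bot: putting the GNUPGHOME isolation in TESTS_ENVIRONMENT means a user who overrides that variable for an unrelated reason silently loses it, and the tests then run against the real home directory and agent. Automake reserves TESTS_ENVIRONMENT for the user and offers AM_TESTS_ENVIRONMENT for package defaults where the Automake version in use supports it; using that would keep the isolation in place. The clean-local recipe also makes 'make clean' fail whenever clean-socketdir exits non-zero, so either prefix the recipe line with '-' or make sure the script always exits 0.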
diff --git a/tests/clean-socketdir b/tests/clean-socketdir
new file mode 100755
index 0000000..32ffdc6
--- /dev/null
+++ b/tests/clean-socketdir
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# We do the clean-up only when the tests are run with GNUPGHOME
+# set to the tests directory (which is the default). If the user
+# saw fit to override TESTS_ENVIRONMENT to use another home, we
+# must assume she knows what she is doing.
+if [ "$GNUPGHOME" = "`/bin/pwd`" ]; then
+ socketdir=`gpgconf --list-dirs socketdir`
+ if [ -d "$socketdir" ]; then
+ rm -f $socketdir/S.*
+ rmdir $socketdir || true
+ fi
+
+ if [ -d private-keys-v1.d ]; then
+ rmdir private-keys-v1.d
+ fi
+fi
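Review bot: $socketdir is expanded unquoted in 'rm -f $socketdir/S.*' and 'rmdir $socketdir', so a socket directory containing whitespace or glob characters is split or expanded before rm sees it; write "$socketdir"/S.* and rmdir "$socketdir". The final 'rmdir private-keys-v1.d' has no '|| true', unlike the rmdir above it, so a non-empty directory makes the script (and the clean-local target that calls it) fail. The commit message says removing the sockets also terminates the agent; that relies on the agent noticing the removal, and an explicit 'gpgconf --kill gpg-agent' before the rm would make the shutdown deterministic.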
commit 82ff06a600a22b5ab71be0ec451b24fcd8a55eae
Author: Damien Goutte-Gattat <dgouttegattat at incenp.org>
Date: Mon Jul 10 14:27:36 2017 +0200
Add a manual section for card-stored certificates.
* doc/manual/scute.texi: Explain how to store the certificate
directly on the card.
Signed-off-by: Damien Goutte-Gattat <dgouttegattat at incenp.org>
diff --git a/doc/manual/scute.texi b/doc/manual/scute.texi
index 705935c..70c1f35 100644
--- a/doc/manual/scute.texi
+++ b/doc/manual/scute.texi
@@ -305,9 +305,19 @@ create the certificate and send it back to you. At last, the
certificate has to be imported into GPGSM. This section will explain
all of these steps in detail.
+ at menu
+* Creating a CSR:: How to create a card-based CSR.
+* Signing the CSR:: Obtain a certificate from the CSR.
+* Importing the Certificate:: How to import the certificate into GPGSM.
+* On-card Certificate:: How to store the certificate on the card.
+ at end menu
+
+ at node Creating a CSR
+ at subsection Creating a CSR
+
Before you start, make sure that the GPG Agent is running, see
- at ref{Prerequisites}. There is no need to configure GPGSM, so you can
-create a CSR with the command:
+ at ref{Prerequisites} and that your card is in the reader. There is no
+need to configure GPGSM, so you can create a CSR with the command:
@example
$ gpgsm --gen-key > floppy-head.csr
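Review bot: the reworded sentence 'make sure that the GPG Agent is running, see @ref{Prerequisites} and that your card is in the reader' runs the cross-reference into the second condition and leaves @ref without following punctuation. Something like 'make sure that the GPG Agent is running (see @ref{Prerequisites}), and that your card is in the reader' reads more clearly.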
@@ -405,6 +415,9 @@ ZBYfQVeXAd7XlxI6d1wXDLwD/26lTU/rH2JU6H1+zSfZxqwVC4Iu+kiN4Y8=
$
@end example
+ at node Signing the CSR
+ at subsection Signing the CSR
+
The next step is to submit this certificate request to the CA, which can
then create a certificate and send it back to you.
@@ -422,7 +435,10 @@ snakeoil-ca-rsa.key -out floppy-head.crt}. Please see the OpenSSL
documentation for more details on how to set up and administrate a
certificate authority infrastructure.
-In any way you should end up with a certificate file
+ at node Importing the Certificate
+ at subsection Importing the Certificate into GPGSM
+
+Once the CSR has been signed, you should end up with a certificate file
@file{floppy-head.crt}, which you then have to import into GPGSM. It is
also recommended that you import the root certificate of the CA first in
the same fashion.
@@ -455,6 +471,39 @@ The option ``@code{-K}'' is used above because this will only list
certificates for which a private key is available. To see more details,
you may use ``@code{--dump-secret-keys}'' instead of ``@code{-K}''.
+ at node On-card Certificate
+ at subsection Loading the Certificate onto the Card
+
+This step is optional. You may choose to store the certificate directly
+into your OpenPGP card. The benefit of doing so is that Scute will then
+be able to fetch the certificate from the card without having to look
+into the GPGSM store.
+
+You need your certificate in the DER format. Export it from the GPGSM
+store with the following command:
+
+ at example
+$ gpgsm -o floppy-head.crt --export Floppy
+ at end example
+
+Then, fire up the GnuPG card editor to transfer the certificate to the
+card (note that the @code{writecert} command is not listed in the
+editor's online help):
+
+ at example
+$ gpg2 --card-edit
+
+Application ID ...: D27600012301020000005000012340000
+[...]
+
+gpg/card> admin
+Admin commands are allowed
+
+gpg/card> writecert 3 < floppy-head.crt
+
+gpg/card> quit
+ at end example
+
@node Client Authentication
@chapter Client Authentication
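Review bot: the argument 3 in 'writecert 3 < floppy-head.crt' is never explained, and because the text itself notes that writecert is missing from the editor's online help, the manual is the only place a reader can learn what it selects; add a sentence saying what the number refers to. The export example also writes to floppy-head.crt, the same file name used for the certificate received from the CA in the previous subsection, so following the steps overwrites that file; a distinct name such as floppy-head.der would avoid this and match the 'DER format' wording.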
-----------------------------------------------------------------------
Summary of changes:
configure.ac | 12 +++++++----
doc/manual/scute.texi | 55 ++++++++++++++++++++++++++++++++++++++++++++++++---
tests/Makefile.am | 7 +++++++
tests/clean-socketdir | 17 ++++++++++++++++
4 files changed, 84 insertions(+), 7 deletions(-)
create mode 100755 tests/clean-socketdir
hooks/post-receive
--
PKCS#11 token on top of gpg-agent
http://git.gnupg.org