Yubikey and PIV support in 2.3 (was: Multiple readers with scdaemon)
Werner Koch
wk at gnupg.org
Thu Sep 19 10:06:45 CEST 2019
On Thu, 19 Sep 2019 00:13, uri at mit.edu said:
> Another problem is that GnuPG insists on opening the card in an
> exclusive mode - which is unacceptable for cards/tokens with multiple
> applets (OpenPGP and PIV is what I've got), as different apps require
Actually this is a another reason to have exclusive access. It allows
us to switch between the PIV and OpenPGP apps on a Yubikey as needed.
> use of both applets, sometimes running in parallel - like a browser
> session that uses PIV to authenticate to the server, an email session
> that may use both PIV and OpenPGP applets to deal with S/MIME and
> PGP/MIME emails, and occasional SSH operations during that time.
That is exactly the use case we have implemented. Needs more testing
with several cards but a single Yubikey works well enough known in 2.3.
To make testing easier we have Debian packages of gnupg master (to be
2.3) and scute (our pkcs11 provider) available:
deb [arch=amd64] https://ftp.g10code.com/apt buster gnupg-beta
deb [arch=amd64] https://ftp.g10code.com/apt stretch gnupg-beta
deb [arch=amd64] https://ftp.g10code.com/apt cosmic gnupg-beta
The version currently available do not yet include gniibe's latest
changes. I was able to use gpg for signing and encrypting with a card
while also accessing PIV key protected pages with Firefox. Earlier this
year I also did tests with Thunderbird which also worked. Yubikey 5 and
4 are supported. You may want to have a look at the new gpg-card tool
and its man page. Also gpg --full-gen-key and gpgsm --gen-key now show
a list of keys available on the current smartcard and allow to use them
for the generation of OpenPGP/X.509 certificates. --quick-gen-key has
also been enhanced to act upon the special algo parameter "card" with
the generation of a standard OpenPGP key based on the standard signing
and decryption key of the card (for OpenPGP, Netkey, and PIV cards).
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20190919/7b677d14/attachment.sig>
More information about the Gnupg-devel
mailing list