Discussion:
Way to use existing scdaemon
Daurnimator
2017-02-19 07:17:14 UTC
Hi,

I was looking for a way to use an existing scdaemon instance from gpg-agent.
Could we make socket_name[1] a command line option?

Thanks,
Daurnimator.

[1] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/call-scd.c;h=71e0f581ca42a5fdaf4cb7472e144ffe988a0246;hb=HEAD#l100
Werner Koch
2017-02-20 07:59:55 UTC
Post by Daurnimator
I was looking for a way to use an existing scdaemon instance from gpg-agent.
Could we make socket_name[1] a command line option?
Sorry, I don't understand your question. scdaemon is managed by
gpg-agent and started as needed. You could use scdaemon on your own but
that is not suggested because it would conflict with gpg-agent's use of
scdaemon.

You can use all scdaemon commands via gpg-agent by prefixing the command
with "SCD ", like this

$ gpg-connect-agent
> scd apdu --atr
S CARD-ATR 3BDA11FF81B1FE551F0300318473800180009000E4
OK


Salam-Shalom,

Werner
--
Thoughts are free. Exceptions are governed by a federal law.
Daurnimator
2017-02-21 02:53:40 UTC
Post by Werner Koch
Post by Daurnimator
I was looking for a way to use an existing scdaemon instance from gpg-agent.
Could we make socket_name[1] a command line option?
Sorry, I don't understand your question. scdaemon is managed by
gpg-agent and started as needed. You could use scdaemon on your own but
that is not suggested because it would conflict with gpg-agent's use of
scdaemon.
I want to be able to run scdaemon as my own user daemon (without
running gpg-agent).
This isn't a problem, except that you can't really run more than one
scdaemon at once.
So if some misc program starts gpg-agent, then gpg-agent starts its
*own* scdaemon, which doesn't work as intended, due to the first one
already having e.g. my smart card open.
==> I'd like an option to put in my gpg-agent.conf to tell it to try
to find a 'scdaemon --multi-server' socket ready and waiting
somewhere.
Post by Werner Koch
You can use all scdaemon commands via gpg-agent by prefixing the command
with "SCD ", like this
$ gpg-connect-agent
> scd apdu --atr
S CARD-ATR 3BDA11FF81B1FE551F0300318473800180009000E4
OK
I'm hoping to not run gpg-agent.
Daniel Kahn Gillmor
2017-02-21 04:08:33 UTC
Post by Daurnimator
I want to be able to run scdaemon as my own user daemon (without
running gpg-agent).
This isn't a problem, except that you can't really run more than one
scdaemon at once.
So if some misc program starts gpg-agent, then gpg-agent starts its
*own* scdaemon, which doesn't work as intended, due to the first one
already having e.g. my smart card open.
==> I'd like an option to put in my gpg-agent.conf to tell it to try
to find a 'scdaemon --multi-server' socket ready and waiting
somewhere.
Post by Werner Koch
You can use all scdaemon commands via gpg-agent by prefixing the command
with "SCD ", like this
$ gpg-connect-agent
> scd apdu --atr
S CARD-ATR 3BDA11FF81B1FE551F0300318473800180009000E4
OK
I'm hoping to not run gpg-agent.
you've said twice in here that you don't want to run gpg-agent, but
people here have already told you that scdaemon is really designed to be
supervised by gpg-agent. And it sounds like you're likely to have an
instance of gpg-agent running anyway, so it's not like you are trying to
build a machine that doesn't have gpg-agent installed at all, either.

So it kind of sounds like the old routine where the patient says "doc,
it hurts when i do this," and the doctor says "well, don't do that then"
:P

Maybe you've got a good reason to want to run scdaemon without running
gpg-agent, but we don't know what it is. Can you explain a bit more why
running gpg-agent to supervise scdaemon is a problem for you?

--dkg
Daurnimator
2017-02-22 23:00:34 UTC
Post by Daniel Kahn Gillmor
Post by Daurnimator
I want to be able to run scdaemon as my own user daemon (without
running gpg-agent).
This isn't a problem, except that you can't really run more than one
scdaemon at once.
So if some misc program starts gpg-agent, then gpg-agent starts its
*own* scdaemon, which doesn't work as intended, due to the first one
already having e.g. my smart card open.
==> I'd like an option to put in my gpg-agent.conf to tell it to try
to find a 'scdaemon --multi-server' socket ready and waiting
somewhere.
Post by Werner Koch
You can use all scdaemon commands via gpg-agent by prefixing the command
with "SCD ", like this
$ gpg-connect-agent
> scd apdu --atr
S CARD-ATR 3BDA11FF81B1FE551F0300318473800180009000E4
OK
I'm hoping to not run gpg-agent.
you've said twice in here that you don't want to run gpg-agent, but
people here have already told you that scdaemon is really designed to be
supervised by gpg-agent. And it sounds like you're likely to have an
instance of gpg-agent running anyway, so it's not like you are trying to
build a machine that doesn't have gpg-agent installed at all, either.
So it kind of sounds like the old routine where the patient says "doc,
it hurts when i do this," and the doctor says "well, don't do that then"
:P
Maybe you've got a good reason to want to run scdaemon without running
gpg-agent, but we don't know what it is. Can you explain a bit more why
running gpg-agent to supervise scdaemon is a problem for you?
I'm playing around with writing my own replacement for gpg-agent
(which has its whole own set of reasons).
Having it require gpg-agent running seems superbly redundant: however
at the same time I don't want to conflict with it.

scdaemon seems like a useful piece of software standalone: I can see
myself wanting to run it outside of a single gpg-agent anyway e.g. to
have multiple gpg-agents running; or starting it on demand via a
systemd unit.

Daurnimator
2017-02-22 22:56:20 UTC
Post by Werner Koch
You can use all scdaemon commands via gpg-agent by prefixing the command
with "SCD ", like this
$ gpg-connect-agent
> scd apdu --atr
S CARD-ATR 3BDA11FF81B1FE551F0300318473800180009000E4
OK
Does this provide the necessary locking/transactions?
e.g. if I run 'scd setdata aabbcc' 'scd pksign openpgp.1' from two
programs at once, is there a race?

Going through gpg-connect-agent also doesn't allow responding to scdaemon.
e.g. 'scd learn' without --force doesn't let me reply to the 'inquire'
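Two points in this thread are easier to see in code than in prose: Werner's note that scdaemon commands can be routed through gpg-agent by prefixing them with "SCD ", and Daurnimator's complaint that gpg-connect-agent gives no way to answer an INQUIRE. The following is an added example written for this page, not code from the thread, from GnuPG or from libassuan. It implements the client side of the Assuan line protocol (OK/ERR/S/D/INQUIRE/END lines, percent-escaped D payloads, D+END or CAN as the answer to an INQUIRE) and drives it with a constructed in-memory server transcript instead of a real socket. The CARD-ATR value is the one quoted in the thread; the KNOWNCARDP inquire is the one scdaemon's LEARN issues as far as I know, but the serial number, timestamp and the "reply END to continue" convention in the transcript are assumptions made for illustration, as is the 300-byte raw chunk size used to stay under Assuan's 1000-byte line limit.

```python
# Added example, not code from the thread or from GnuPG/libassuan: a small
# client for the Assuan line protocol that gpg-agent and scdaemon speak,
# exercised against a CONSTRUCTED server transcript (no socket, no card).
import io
from typing import Callable, List, Optional, Tuple

# Handler for INQUIRE: returns the bytes to send as D lines, or None to CAN.
InquireHandler = Callable[[str, str], Optional[bytes]]

# Assuan D lines percent-escape '%', CR and LF; everything else passes through.
def assuan_escape(data: bytes) -> bytes:
    out = bytearray()
    for b in data:
        out += (b"%%%02X" % b) if b in (0x25, 0x0D, 0x0A) else bytes([b])
    return bytes(out)

def assuan_unescape(data: bytes) -> bytes:
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0x25 and i + 2 < len(data):   # "%XX": raises ValueError if malformed
            out.append(int(data[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

MAX_RAW_CHUNK = 300  # assumed: 3x worst-case expansion stays under the 1000-byte line limit

def encode_inquire_reply(data: Optional[bytes]) -> bytes:
    """Lines a client sends after an INQUIRE: D lines followed by END, or CAN to cancel."""
    if data is None:
        return b"CAN\n"
    lines = [b"D " + assuan_escape(data[i:i + MAX_RAW_CHUNK]) + b"\n"
             for i in range(0, len(data), MAX_RAW_CHUNK)]
    return b"".join(lines) + b"END\n"

class AssuanResponse:
    def __init__(self) -> None:
        self.status: List[Tuple[str, str]] = []  # S lines as (keyword, args)
        self.data = bytearray()                   # unescaped, concatenated D payload
        self.error: Optional[str] = None          # text after "ERR " when the command failed

    @property
    def ok(self) -> bool:
        return self.error is None

class AssuanClient:
    def __init__(self, rx, tx, inquire: Optional[InquireHandler] = None) -> None:
        self.rx, self.tx, self.inquire = rx, tx, inquire
        self.greeting = self._read_response()  # the server speaks first ("OK Pleased to meet you")

    def _read_response(self) -> AssuanResponse:
        resp = AssuanResponse()
        while True:
            raw = self.rx.readline()
            if not raw:
                raise EOFError("server closed the connection")
            line = raw.rstrip(b"\r\n")
            if line == b"OK" or line.startswith(b"OK "):
                return resp
            if line.startswith(b"ERR "):
                resp.error = line[4:].decode("utf-8", "replace")
                return resp
            if line.startswith(b"S "):
                kw, _, args = line[2:].decode("utf-8", "replace").partition(" ")
                resp.status.append((kw, args))
            elif line.startswith(b"D "):
                resp.data += assuan_unescape(line[2:])
            elif line.startswith(b"INQUIRE "):
                # This is the step gpg-connect-agent cannot do for you: the command
                # only completes after the client answers the inquiry.
                kw, _, args = line[8:].decode("utf-8", "replace").partition(" ")
                answer = self.inquire(kw, args) if self.inquire else None
                self.tx.write(encode_inquire_reply(answer))
            elif line.startswith(b"#") or line == b"END":
                pass  # comment line or end-of-data marker: nothing to record
            else:
                raise ValueError(f"unexpected server line: {line!r}")

    def command(self, line: str) -> AssuanResponse:
        self.tx.write(line.encode() + b"\n")
        return self._read_response()

    def scd(self, line: str) -> AssuanResponse:
        """Route a scdaemon command through gpg-agent by prefixing it with 'SCD '."""
        return self.command("SCD " + line)

# CONSTRUCTED transcript of what a server might send back; only the ATR is from the thread.
FAKE_SERVER_BYTES = (
    b"OK Pleased to meet you\n"
    b"S CARD-ATR 3BDA11FF81B1FE551F0300318473800180009000E4\n"  # answer to SCD APDU --atr
    b"OK\n"
    b"INQUIRE KNOWNCARDP 0102030405060708 1487600000\n"         # LEARN asks before continuing
    b"S SERIALNO 0102030405060708\n"
    b"OK\n"
)

def run_demo():
    rx, tx = io.BytesIO(FAKE_SERVER_BYTES), io.BytesIO()
    # Answer every INQUIRE with an empty data block (just END), i.e. "go ahead".
    client = AssuanClient(rx, tx, inquire=lambda kw, args: b"")
    atr = client.scd("APDU --atr")
    learn = client.scd("LEARN")
    return atr, learn, tx.getvalue()

if __name__ == "__main__":
    atr, learn, sent = run_demo()
    print(atr.status, learn.status, sent)
```

To talk to a real agent you would replace the two BytesIO objects with a socket's read and write files (gpg-agent expects a client per connection, which is why the client above keeps one response loop per connection). The example does not answer the locking question raised in the post: nothing here serialises two clients issuing SETDATA and PKSIGN at the same time, so that still has to be settled on the server side or by the caller.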