
I would like to execute gpg --card-edit; verify; quit non-interactively to unlock a gpg hardware token (e.g. a smartcard or YubiKey).

My use case is:

  1. Enter a password, e.g. via ssh
  2. Store it in the kernel keyring
  3. Pass it to the hardware token when needed

One solution that works is expect, and I've used autoexpect to create a script for that, but it would contain the user password, and it is quite clumsy and dependent on the output of a specific gpg version.

scdaemon could be an option, but I am not sure whether it is a good idea to pass raw commands; I'm afraid it would be easy to brick the token.

Maybe there are tools / scripts that are used for mass personalization of smartcards that could be used?

I'm open to suggestions of what to try next. Thanks!

1 Answer

While experimenting, I've found a solution using gpg-connect-agent 'SCD CHECKPIN' /bye.

By writing a custom pinentry program, I could inject a static key using the Assuan protocol.

I will have to change this pinentry program to read the key from the kernel keyring using keyctl now.
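Putting the answer's approach together with the question's three steps (enter the PIN once, keep it in the kernel keyring, hand it to the card when gpg-agent asks): below is an added example of such a pinentry, written in POSIX shell. It is not code from the original question or answer. It assumes the PIN has been stored beforehand under the (assumed) description gpg-card-pin in the user keyring, and that gpg-agent.conf has been pointed at the script with pinentry-program. The script speaks the pinentry side of the Assuan protocol that gpg-agent uses: it answers GETPIN from the keyring, acknowledges every OPTION/SET* command with OK, and reports CONFIRM as cancelled rather than silently approving something nobody looked at.

```sh
#!/bin/sh
# pinentry-keyctl: a non-interactive pinentry that answers GETPIN from the
# kernel keyring instead of prompting a user. Added example, not code from
# the original post. Assumptions: the PIN was stored beforehand with
#   printf '%s' "$PIN" | keyctl padd user gpg-card-pin @u
# and ~/.gnupg/gpg-agent.conf contains
#   pinentry-program /usr/local/bin/pinentry-keyctl

KEY_DESC="${PINENTRY_KEYCTL_DESC:-gpg-card-pin}"   # assumed key description

# Fetch the PIN payload from the user keyring. @u is shared by all sessions
# of the UID, so it is visible to a gpg-agent started outside the ssh session
# (e.g. by a systemd user unit), which a session keyring (@s) would not be.
lookup_pin() {
    keyctl pipe "$(keyctl search @u user "$KEY_DESC")"
}

# Assuan data lines must percent-escape '%', CR and LF. A trailing newline in
# the payload is dropped (keyctl padd from printf '%s' stores none).
assuan_escape() {
    printf '%s' "$1" | awk 'BEGIN { ORS = "" }
        NR > 1 { print "%0A" }
        { gsub(/%/, "%25"); gsub(/\r/, "%0D"); print }'
}

# Read Assuan commands from stdin (gpg-agent), write replies to stdout.
assuan_serve() {
    printf 'OK Pleased to meet you\n'
    while IFS= read -r line; do
        cmd="${line%% *}"
        case "$cmd" in
            BYE)
                printf 'OK closing connection\n'
                return 0 ;;
            GETPIN)
                if pin=$(lookup_pin); then
                    printf 'D %s\nOK\n' "$(assuan_escape "$pin")"
                else
                    # 83886179 = 0x05000063: GPG_ERR_CANCELED, source Pinentry.
                    # Nothing is sent to the card, so no retry is consumed.
                    printf 'ERR 83886179 Operation cancelled <Pinentry>\n'
                fi ;;
            CONFIRM)
                # Nobody is present to press OK: cancel rather than approve.
                printf 'ERR 83886179 Operation cancelled <Pinentry>\n' ;;
            GETINFO)
                case "${line#GETINFO }" in
                    pid)     printf 'D %s\nOK\n' "$$" ;;
                    flavor)  printf 'D keyctl\nOK\n' ;;
                    version) printf 'D 0.1\nOK\n' ;;
                    *)       printf 'OK\n' ;;
                esac ;;
            OPTION|SETDESC|SETPROMPT|SETTITLE|SETKEYINFO|SETOK|SETCANCEL|SETNOTOK|SETERROR|SETQUALITYBAR|SETTIMEOUT|SETREPEAT|MESSAGE|RESET|END|NOP)
                printf 'OK\n' ;;
            '#'*|'')
                ;;   # comment or blank line: no reply
            *)
                # 83886355 = 0x05000113: GPG_ERR_ASS_UNKNOWN_CMD, source Pinentry
                printf 'ERR 83886355 Unknown IPC command <Pinentry>\n' ;;
        esac
    done
}

# Serve only when invoked under a pinentry-* name (the path gpg-agent calls);
# under any other name the file just defines the functions, which keeps it
# sourceable for testing without touching the keyring.
case "${0##*/}" in
    pinentry*) assuan_serve ;;
esac
```

Usage, assuming the script is installed as /usr/local/bin/pinentry-keyctl: from the ssh session run `printf '%s' "$PIN" | keyctl padd user gpg-card-pin @u` once (optionally `keyctl timeout <id> 3600` so the entry expires), add `pinentry-program /usr/local/bin/pinentry-keyctl` to ~/.gnupg/gpg-agent.conf, run `gpg-connect-agent reloadagent /bye`, and then `gpg-connect-agent 'SCD CHECKPIN <serialno>' /bye`, where the serial number is the one printed by `gpg-connect-agent 'SCD SERIALNO' /bye`. Two caveats a practitioner should weigh: a PIN that gpg-agent can fetch without interaction is a PIN that any process running as that user can fetch too, so this is only as strong as the account's isolation; and if a wrong value is stored, every CHECKPIN burns one try of the card's PIN retry counter (shown by `gpg --card-status`), so verify the stored value before automating anything on a schedule.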

