| ▲ | rkeene2 21 hours ago | |
We created Keeta Agent [0] to do this on macOS more easily (also works with GPG, which is important for things that don't yet support SSH Signatures, like XCode). Since it just uses PKCS#11, it also works with tpm_pkcs11. Source for the various bits that are bundled is here [1]. Here's an overview of how it works: 1. Application asks to sign with GPG Key "1ABD0F4F95D89E15C2F5364D2B523B4FDC488AC7" 2. GPG looks at its key database and sees GPG Key "1ABD...8AC7" is a smartcard, reaches out to Smartcard Daemon (SCD), launching if needed -- this launches gnupg-pkcs11-scd per configuration 3. gnupg-pkcs11-scd loads the SSH Agent PKCS#11 module into its shared memory and initializes it and asks it to List Objects 4. The SSH Agent PKCS#11 module connects to the SSH Agent socket provided by Keeta Agent and asks it to List Keys 5. Key list is converted from SSH Agent protocol to PKCS#11 response by SSH Agent PKCS#11 module 6. Key list is converted from PKCS#11 response to gnupg-scd response by gnugpg-pkcs11-scd 7. GPG Reads the response and if the key is found, asks the SCD (gnugpg-pkcs11-scd) to Sign a hash of the Material 8. gnupg-pkgcs11-scd asks the PKCS#11 module to sign using the specified object by its Object ID 9. PKCS#11 module sends a message to Secretive over the SSH Agent socket to sign the material using a specific key (identified by its Key ID) using the requested signing algorithm and raw signing (i.e., no hashing) 10. Response makes it back through all those same layers unmodified except for wrapping (illustrated at [2]) [0] https://github.com/KeetaNetwork/agent [1] https://github.com/KeetaNetwork/agent/tree/main/Agent/gnupg/... | ||
