Links and Overview

Software

Scdaemon

Note: See also GnuPG-PKCS11-scd for a scdaemon replacement that uses PKCS#11 modules.

$ gpgsm --learn-card
gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
gpgsm: It is only intended for test purposes and should NOT be
gpgsm: used in a production environment or with production keys!
gpgsm: can't connect to `/tmp/gpg-C0x9MY/S.gpg-agent': No such file or directory
gpgsm: can't connect to the agent - trying fall back
gpgsm: can't connect to `/home/benchoff/.gnupg/S.gpg-agent': No such file or directory
scdaemon[18273]: NOTE: this is a development version!
*** glibc detected *** free(): invalid pointer: 0xbfebda64 ***
scdaemon[18273]: reader slot 0: active protocol:
scdaemon[18273]: slot 0: ATR=3B E2 00 FF C1 10 31 FE 55 C8 02 9C
scdaemon[18273.0x8081a78] DBG: -> OK GNU Privacy Guard's Smartcard server ready
scdaemon[18273.0x8081a78] DBG: <- SERIALNO
scdaemon[18273]: DBG: send apdu: c=00 i=A4 p0=00 p1=0C lc=2 le=-1
scdaemon[18273]: DBG:   PCSC_data: 00 A4 00 0C 02 3F 00
scdaemon[18273]: error receiving PC/SC TRANSMIT response: premature EOF
scdaemon[18273]: apdu_send_simple(0) failed: card I/O error
scdaemon[18273]: no supported card application found: General error
scdaemon[18273.0x8081a78] DBG: -> ERR 100663356 Not supported <SCD>
gpg-agent[18272]: command learn failed: Not supported
gpgsm: error learning card: Not supported
scdaemon[18273.0x8081a78] DBG: <- RESET
scdaemon[18273.0x8081a78] DBG: -> OK
scdaemon[18273.0x8081a78] DBG: <- [EOF]

GpgAgent

DirMngr

DirMngr is a server for managing and downloading certificate revocation lists (CRLs) for X.509 certificates and for downloading the certificates themselves. DirMngr also handles OCSP requests as an alternative to CRLs. DirMngr is either invoked internally by gpgsm or, when running as a system daemon, accessed through the dirmngr-client tool.

\# mkdir /etc/dirmngr
\# mkdir /var/run/dirmngr
\# mkdir -p /var/lib/cache/dirmngr/crls.d
\# # be sure certs are in /etc/dirmngr/trusted-certs as DER files named with .crt.
\# dirmngr --daemon --verbose --allow-ocsp
dirmngr[8988]: listening on socket `/var/run/dirmngr/socket'
dirmngr[8989]: certificate `/etc/dirmngr/trusted-certs/vtc1sca.crt' loaded
dirmngr[8989]: SHA1 fingerprint = E4:6F:B9:58:B7:85:CB:DB:93:B6:86:5B:F8:A9:83:7A:B0:B7:D0:27
dirmngr[8989]: certificate `/etc/dirmngr/trusted-certs/vtrootca.crt' loaded
dirmngr[8989]: SHA1 fingerprint = AF:6F:EB:42:FA:2F:E4:A2:6E:9F:7F:B5:B5:FF:3A:BC:13:C6:0D:81
dirmngr[8989]: certificate `/etc/dirmngr/trusted-certs/vtuserca.crt' loaded
dirmngr[8989]: SHA1 fingerprint = AC:01:D0:4E:23:08:93:BC:BA:F4:50:CA:15:58:2C:3A:88:40:B7:B7
dirmngr[8989]: can't access directory `/var/lib/lib/dirmngr/extra-certs': No such file or directory
dirmngr[8989]: permanently loaded certificates: 3
dirmngr[8989]:     runtime cached certificates: 0
DIRMNGR_INFO=/var/run/dirmngr/socket:8989:1; export DIRMNGR_INFO;
\# chmod og+w /var/run/dirmngr/socket

$ dirmngr-client --ping
dirmngr-client: a dirmngr daemon is up and running

$ dirmngr-client --verbose --pem --ocsp ~/vtc1sca.pem
dirmngr-client: certificate check failed: Configuration error

dirmngr[8989]: handler for fd 0 started
dirmngr[8989]: no default OCSP responder defined
dirmngr[8989]: command CHECKOCSP failed: Configuration error
dirmngr[8989]: handler for fd 0 terminated

$ dirmngr-client --verbose --pem ~/vtc1sca.pem
dirmngr-client: certificate is valid

dirmngr[8989]: handler for fd 0 started
dirmngr[8989]: no CRL available for issuer id 4BDB4546CDBC3DC883FD037FBE3E14C2E174147C
dirmngr[8989]: update times of this CRL: this=20060920T163032 next=20160917T163032
dirmngr[8989]: note: non-critical certificate policy not allowed
dirmngr[8989]: creating cache file `/var/lib/cache/dirmngr/crls.d/crl-4BDB4546CDBC3DC883FD037FBE3E14C2E174147C.db'
dirmngr[8989]: opening cache file `/var/lib/cache/dirmngr/crls.d/crl-4BDB4546CDBC3DC883FD037FBE3E14C2E174147C.db'
dirmngr[8989]: S/N 03 is valid, it is not listed in the CRL
dirmngr[8989]: handler for fd 0 terminated

\# # With CRL in cache
dirmngr[8989]: handler for fd 0 started
dirmngr[8989]: S/N 03 is valid, it is not listed in the CRL
dirmngr[8989]: handler for fd 0 terminated
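
The daemon startup output earlier in this section lists every certificate dirmngr loaded from /etc/dirmngr/trusted-certs together with its SHA1 fingerprint. As an added example (not part of the original page or of GnuPG), the script below parses those lines and compares them against a pinned fingerprint set, so that an extra or missing trust anchor is noticed; the `PINNED` set and the function names are assumptions made for illustration.

```python
import re

# Startup lines copied from the dirmngr session on this page.
SAMPLE_LOG = """\
dirmngr[8989]: certificate `/etc/dirmngr/trusted-certs/vtc1sca.crt' loaded
dirmngr[8989]: SHA1 fingerprint = E4:6F:B9:58:B7:85:CB:DB:93:B6:86:5B:F8:A9:83:7A:B0:B7:D0:27
dirmngr[8989]: certificate `/etc/dirmngr/trusted-certs/vtrootca.crt' loaded
dirmngr[8989]: SHA1 fingerprint = AF:6F:EB:42:FA:2F:E4:A2:6E:9F:7F:B5:B5:FF:3A:BC:13:C6:0D:81
dirmngr[8989]: certificate `/etc/dirmngr/trusted-certs/vtuserca.crt' loaded
dirmngr[8989]: SHA1 fingerprint = AC:01:D0:4E:23:08:93:BC:BA:F4:50:CA:15:58:2C:3A:88:40:B7:B7
dirmngr[8989]: permanently loaded certificates: 3
"""

# Assumption: the operator pins these three anchors as the expected set.
PINNED = frozenset({
    "E4:6F:B9:58:B7:85:CB:DB:93:B6:86:5B:F8:A9:83:7A:B0:B7:D0:27",
    "AF:6F:EB:42:FA:2F:E4:A2:6E:9F:7F:B5:B5:FF:3A:BC:13:C6:0D:81",
    "AC:01:D0:4E:23:08:93:BC:BA:F4:50:CA:15:58:2C:3A:88:40:B7:B7",
})

LOADED = re.compile(r"certificate `([^']+)' loaded$")
FPR = re.compile(r"SHA1 fingerprint = ((?:[0-9A-F]{2}:){19}[0-9A-F]{2})$")
COUNT = re.compile(r"permanently loaded certificates: (\d+)$")

def parse_anchors(log):
    """Return ({path: fingerprint}, declared_count) from dirmngr startup output."""
    anchors, pending, declared = {}, None, None
    for line in map(str.rstrip, log.splitlines()):
        if m := LOADED.search(line):
            pending = m[1]  # the fingerprint follows on the next line
        elif (m := FPR.search(line)) and pending:
            anchors[pending] = m[1]
            pending = None
        elif m := COUNT.search(line):
            declared = int(m[1])
    return anchors, declared

def audit(log, pinned=PINNED):
    """List deviations between what dirmngr loaded and the pinned set."""
    anchors, declared = parse_anchors(log)
    findings = [f"unexpected trust anchor {p} ({f})"
                for p, f in anchors.items() if f not in pinned]
    findings += [f"pinned anchor not loaded: {f}"
                 for f in sorted(pinned - set(anchors.values()))]
    if declared is not None and declared != len(anchors):
        findings.append(f"dirmngr reports {declared} certificates, log shows {len(anchors)}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_LOG) or "trust anchors match the pinned set")
```
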

GpgSM

m-6:~/.gnupg (2)
$ gpg-agent10954: ssh handler 0x8082e80 for fd 0 started
gpg-agent10954: ssh request 20 is not supported
gpg-agent10954: ssh handler 0x8082e80 for fd 0 terminated
gpg-agent10954: ssh handler 0x8082e80 for fd 0 started
gpg-agent10954: ssh request 20 is not supported
gpg-agent10954: ssh handler 0x8082e80 for fd 0 terminated

GpgConf

Gnupg