GPG – How to Configure GPG2 to Pass Smartcard PIN Without Pinentry Program

gpg

My configuration:

  • Centos 6.5
  • gnupg2-2.0.14-6.el6_4.x86_64
  • gnupg2-smime-2.0.14-6.el6_4.x86_64

I configured gpg2 to use my signature key in smartcard gnupg V2.0.
I imported my gpg signature key to the rpm store.

I need to sign an rpm package using rpm --addsign myApp.rpm.

It works fine, but rpm prompts once for the smartcard PIN, and gpg2 (with the pinentry program) prompts three times for the smartcard PIN.

I expected that rpm --addsign would pass the PIN (entered at the first prompt) to gpg2 and that gpg2 would not ask again for the PIN.

Is it possible to have only one prompt to sign the rpm package with gpg2?

Best Answer

In order for the PIN to be cached, you need to run gpg-agent, and your card should not have the forcesig bit set.

AFAIK, by default, the cards are shipped with the forcesig bit set, which is more secure. You can see this by using the gpg --card-edit command and looking for the entry Signature PIN. According to the manual:

Signature PIN

When set to "forced", gpg requests the entry of a PIN for each signature operation. When set to "non forced", gpg may cache the PIN as long as the card has not been removed from the reader.

You can change the bit by using:

$ gpg --card-edit
....
gpg: detected reader `MSI StarReader SMART [Smart Card Reader Interface]'
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 0000201C
Name of cardholder: Anthony van der Neut
Language prefs ...: en
Sex ..............: please
URL of public key : http://anthon.home.xs4all.nl/publickey.asc
Login data .......: anthon
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced           <<<<< this is what should not be 'forced'
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 2
....
gpg/card > admin
gpg/card > forcesig

(Shameless plug: for more details on securely setting up a card, see my rant)
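As an added example (not part of the original answer), the following POSIX shell snippet checks the two preconditions the answer names before a batch of rpm --addsign runs: whether gpg-agent is reachable, and whether the card's Signature PIN is still "forced" (the state in which gpg re-prompts for every signature). The card-status text embedded below is constructed from the listing above; the "not forced" wording is what gpg prints once forcesig has been toggled off. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original question or answer: decide from
# `gpg --card-status` output whether the card will let gpg-agent cache the
# signature PIN, so a multi-signature run only prompts once.

# Constructed samples modelled on the listing in the answer. Only the
# "Signature PIN" line matters to this check.
SAMPLE_FORCED='Version ..........: 2.0
Signature PIN ....: forced
Signature counter : 2'

SAMPLE_NOT_FORCED='Version ..........: 2.0
Signature PIN ....: not forced
Signature counter : 2'

# sig_pin_mode: read card-status text on stdin and print the value of the
# "Signature PIN" field ("forced" or "not forced"). Returns 1 if the field
# is absent, e.g. when no card is inserted and gpg printed an error instead.
sig_pin_mode() {
    mode=$(sed -n 's/^Signature PIN[ .]*: *//p' | sed 's/[[:space:]]*$//' | head -n 1)
    [ -n "$mode" ] || return 1
    printf '%s\n' "$mode"
}

# pin_is_cacheable: exit 0 when the card allows PIN caching (forcesig
# cleared), 1 when every signature will prompt, 2 when the output could
# not be parsed.
pin_is_cacheable() {
    mode=$(sig_pin_mode) || return 2
    case "$mode" in
        "not forced") return 0 ;;
        forced)       return 1 ;;
        *)            return 2 ;;
    esac
}

# agent_reachable: exit 0 if a gpg-agent answers in this session.
# `gpg-connect-agent /bye` is the stock gnupg2 probe; not exercised by the
# embedded samples since it needs a live agent.
agent_reachable() {
    gpg-connect-agent /bye >/dev/null 2>&1
}

# Stand-alone run on the constructed samples.
for sample in "$SAMPLE_FORCED" "$SAMPLE_NOT_FORCED"; do
    if printf '%s\n' "$sample" | pin_is_cacheable; then
        echo "card allows PIN caching: one prompt per session"
    else
        echo "card has forcesig set: gpg will prompt for every signature"
    fi
done
```

Against a real reader the check is `gpg --card-status | pin_is_cacheable`, combined with `agent_reachable`; if either fails, clearing forcesig via gpg --card-edit or starting gpg-agent is what removes the extra prompts, exactly as the answer describes.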
