github-af / SmartPGP

SmartPGP is a JavaCard implementation of the OpenPGP card specifications
GNU General Public License v2.0

Question about removing PIN code #45

Closed ajlennon closed 2 years ago

ajlennon commented 2 years ago

Hi everybody,

I have a Dangerous Things Apex Flex (P71) in my hand running their version of the SmartPGP applet - which is all looking awesome!

My use case is to sign git commits and authenticate ssh. I don't want the PIN dialog box popping up every time as my right hand is on the reader at this time and it's hard to type.

I can't see any way to disable the PIN though. Can anybody help?

Thanks!

Alex

af-anssi commented 2 years ago

With a contact card you can enter the PIN only once if the card remains connected (for the signature see the Signature PIN attribute with gpg2 --card-status and you can change it with gpg2 --card-edit, for the authentication there is nothing special to do). It will also work with a contactless device as long as the device remains powered (in the vicinity of the reader) after the PIN code is entered. With a chip in your hand it seems somehow difficult... Without maintaining the device powered it will not be possible without patching the applet to completely remove the PIN code (which I strongly discourage) or implementing a kind of "logout" operation to invalidate the verified status of the PIN code.
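As an added example (not part of the thread or of the SmartPGP project), a small POSIX shell helper that reads the Signature PIN attribute mentioned above out of `gpg2 --card-status` output, so you can see whether every signature will demand a fresh PIN entry ("forced") or one entry suffices while the card stays powered ("not forced"); the attribute is toggled with the `forcesig` command inside `gpg2 --card-edit`. The sample status text is constructed, not real card data.

```shell
#!/bin/sh
# Read the "Signature PIN" attribute from gpg --card-status output on stdin.
# Prints "forced", "not forced", or "unknown" if the line is absent.
signature_pin_mode() {
    mode=$(sed -n 's/^Signature PIN[ .]*: *//p' | head -n 1)
    case "$mode" in
        forced) echo forced ;;
        "not forced") echo "not forced" ;;
        *) echo unknown ;;
    esac
}

# Constructed sample of the relevant card-status lines (placeholder values,
# not taken from a real card).
SAMPLE_STATUS='Reader ...........: <placeholder reader>
Application ID ...: <placeholder application id>
PIN retry counter : 3 0 3
Signature counter : 12
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048'

# Run the parser over the constructed sample; returns "forced".
check_sample() {
    printf '%s\n' "$SAMPLE_STATUS" | signature_pin_mode
}

# Query the card that is actually connected (assumes gpg2 is on PATH and a
# card is present; prints "unknown" otherwise).
live_check() {
    gpg2 --card-status 2>/dev/null | signature_pin_mode
}
```

If `live_check` reports "forced", each git commit signature will trigger a PIN prompt regardless of how long the card stays connected; "not forced" is the setting that makes the single-entry behaviour described above possible.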

ajlennon commented 2 years ago

So I've been playing around with this a little and have a hack which works but which I am not happy with.

It looks like I should be able to get pinentry-gnome3 to look up a cached PIN but I'm not able to do that as the KeyID it checks is cleared by gpg-agent. Not sure if there's a way to configure this behaviour somehow.

In the meantime I can at least hardcode the returned pin into my pinentry utility but it's all a bit nasty.

Details here:

https://github.com/gpg/pinentry/compare/master...DynamicDevices:pinentry:ajl/hardcode-pin

af-anssi commented 2 years ago

If you want to rely on the cache mechanism from the GnuPG stack I may suggest that you have a look at gpg-agent instead of pinentry, as gpg-agent can invalidate its cache (see the no-allow-external-cache option of gpg-agent). You can set many cache-related options (described in the man page of gpg-agent) in ~/.gnupg/gpg-agent.conf; you must run gpgconf --reload gpg-agent to reload the agent after you modify this file.

ajlennon commented 2 years ago

I think the problem is that there isn't caching for PINs? I am quite confused about this atm though to be fair.

I wanted to use something like gpg-preset-passphrase

af-anssi commented 2 years ago

You are right, only passphrases are cached, not PINs. I don't see any trivial solution at the applet level without implementing a kind of dangerous "persistent unlock" (and its corresponding re-lock). You should ask GnuPG whether a client-side caching mechanism for PIN codes exists or could be developed. Or maybe open an issue on the Flex-SmartPGP fork.

ajlennon commented 2 years ago

> You should ask GnuPG whether a client-side caching mechanism for PIN codes exists or could be developed. Or maybe open an issue on the Flex-SmartPGP fork.

Will do thanks