On Mon, 08 Nov 2010, Pierre-Emmanuel André wrote: > On Sun, Nov 07, 2010 at 10:15:54PM +1100, Olivier Mehani wrote: > > > > I just found time, over the week end, to install 4.8 on said spare machine. > > My SCM SCR335 USB reader works nicely out of the box with just > > gnupg-2-0-15. No need for pcsc-lite nor ccid. > > > > After starting the GPG agent, I could list and use the keys, both for > > signing, decryption AND remote SSH login. I jotted down some doc here > > [0]. > > > > Next step is trying to see how to do system auth as well! (; > > > > [0] > > https://www.narf.ssji.net/~shtrom/wiki/tips/openpgpsmartcard#doing_the_same_with_openbsd_48 > > Nice :) > Thanks for your report.
Wonderful news! This is exactly the same card reader I've ordered to replace my unusable Gemalto USB Shell Token.
Pierre, what about the following diff?
- Disable the pcscd wrapper because it's utterly broken with our current threading implementation
- Backport a patch from upstream that allows using all the available hash algorithms with scdaemon
- Fix license marker
- Fix wrong REGRESS_DEPENDS
- Swith to new-style LIB_DEPENDS/WANTLIB
- Adjust spacing
Ok?
Ciao,
David
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/gnupg2/Makefile,v
retrieving revision 1.5
diff -u -p -r1.5 Makefile
--- Makefile 18 Oct 2010 21:41:45 -0000 1.5
+++ Makefile 8 Nov 2010 09:11:53 -0000
@@ -3,6 +3,7 @@ COMMENT = gnu privacy guard - a free PGP replacement
 DISTNAME = gnupg-2.0.16
+REVISION = 0
 CATEGORIES = security
 MASTER_SITES = ftp://ftp.gnupg.org/gcrypt/gnupg/ \
@@ -19,41 +20,43 @@ HOMEPAGE = http://www.gnupg.org/
 MAINTAINER = Pierre-Emmanuel Andre <p...@openbsd.org>
-# GPLv3
+# GPLv3+
 PERMIT_PACKAGE_CDROM = Yes
 PERMIT_PACKAGE_FTP = Yes
-PERMIT_DISTFILES_CDROM= Yes
+PERMIT_DISTFILES_CDROM =Yes
 PERMIT_DISTFILES_FTP = Yes
 EXTRACT_SUFX = .tar.bz2
 MODULES = devel/gettext
-WANTLIB = c crypto z readline ssl termcap gpg-error idn
+WANTLIB += assuan bz2 c crypto curl gcrypt gpg-error
+WANTLIB += idn ksba pth readline ssl termcap usb z
 FLAVORS = ldap
 FLAVOR ?=
 USE_GROFF = Yes
+LIB_DEPENDS = ::devel/libusb \
+ ::archivers/bzip2 \
+ ::security/libassuan \
+ ::security/libgcrypt \
+ ::security/libksba \
+ ::net/curl \
+ ::devel/pth
+
 .if ${FLAVOR:L:Mldap}
-CONFIGURE_ARGS+= --enable-ldap
-LIB_DEPENDS+= ldap.>=8::databases/openldap
+CONFIGURE_ARGS += --enable-ldap
+WANTLIB += ldap
+LIB_DEPENDS += ::databases/openldap
 .else
-CONFIGURE_ARGS+= --disable-ldap
+CONFIGURE_ARGS += --disable-ldap
 .endif
-LIB_DEPENDS = usb::devel/libusb \
- bz2::archivers/bzip2 \
- assuan::security/libassuan \
- gcrypt::security/libgcrypt \
- ksba.::security/libksba \
- curl.>=6::net/curl \
- pth.::devel/pth
-
 RUN_DEPENDS = ::security/pinentry
 # gpg-agent must be installed to run the regress tests
-REGRESS_DEPENDS = ${PKGNAME}::${BUILD_PKGPATH}
+REGRESS_DEPENDS = :${PKGNAME}:${BUILD_PKGPATH}
 USE_GMAKE = Yes
Index: patches/patch-g10_call-agent_c
===================================================================
RCS file: patches/patch-g10_call-agent_c
diff -N patches/patch-g10_call-agent_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-g10_call-agent_c 8 Nov 2010 09:11:53 -0000
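Review bot: The move to new-style LIB_DEPENDS drops the major-version floors the old lines carried (`curl.>=6::net/curl`, `ldap.>=8::databases/openldap`): the replacement `WANTLIB += curl` and `WANTLIB += ldap` entries have no `.>=N`, so a package built from this Makefile can be installed against an older shared library than the one it was linked and tested with. If the new-style infrastructure accepts version specs in WANTLIB, which I believe it does, the constraints belong there now: `WANTLIB += curl.>=6` in the common block and `WANTLIB += ldap.>=8` in the ldap flavor. The `+PERMIT_DISTFILES_CDROM =Yes` line is the one spacing change that moved the `=` onto the value; presumably a tab was mangled in the mail, but it is worth re-checking before commit.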
@@ -0,0 +1,42 @@
+$OpenBSD$
+
+Patch from upstream: allow more hash algorithms when using scdaemon.
+Needed to use SHA2-family of functions with OpenPGPv2 cards, that do
+support them.
+
+--- g10/call-agent.c.orig Wed Feb 17 09:55:45 2010
++++ g10/call-agent.c Wed Nov 3 14:59:39 2010
+@@ -892,6 +892,23 @@ membuf_data_cb (void *opaque, const void *buffer, size
+ return 0;
+ }
+
++
++static const char *
++hash_algo_option (int algo)
++{
++ switch (algo)
++ {
++ case GCRY_MD_RMD160: return "--hash=rmd160 ";
++ case GCRY_MD_SHA1 : return "--hash=sha1 ";
++ case GCRY_MD_SHA224: return "--hash=sha224 ";
++ case GCRY_MD_SHA256: return "--hash=sha256 ";
++ case GCRY_MD_SHA384: return "--hash=sha384 ";
++ case GCRY_MD_SHA512: return "--hash=sha512 ";
++ case GCRY_MD_MD5 : return "--hash=md5 ";
++ default: return "";
++ }
++}
++
+ /* Send a sign command to the scdaemon via gpg-agent's pass thru
+ mechanism. */
+ int
+@@ -938,8 +955,7 @@ agent_scd_pksign (const char *serialno, int hashalgo,
+ else
+ #endif
+ snprintf (line, DIM(line)-1, "SCD PKSIGN %s%s",
+- hashalgo == GCRY_MD_RMD160? "--hash=rmd160 " : "",
+- serialno);
++ hash_algo_option (hashalgo), serialno);
+ line[DIM(line)-1] = 0;
+ rc = assuan_transact (agent_ctx, line, membuf_data_cb, &data,
+ default_inq_cb, NULL, NULL, NULL);
Index: patches/patch-scd_apdu_c
===================================================================
RCS file: patches/patch-scd_apdu_c
diff -N patches/patch-scd_apdu_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-scd_apdu_c 8 Nov 2010 09:11:53 -0000
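Review bot: `hash_algo_option` maps every algorithm outside its table to `""`, so an unsupported `hashalgo` still produces a `SCD PKSIGN <serialno>` line with no `--hash=` option and leaves scdaemon to pick the digest on its own; that matches the pre-patch behaviour for everything but RMD160, but it means a digest/algorithm mismatch is only detected, if at all, on the card side rather than where the caller's intent is known. It would be safer to have the `default:` arm `return NULL;` and, in `agent_scd_pksign`, guard the call with `if (!hash_algo_option (hashalgo)) return gpg_error (GPG_ERR_DIGEST_ALGO);` before the `snprintf`; the function body starts outside this hunk, so that check sits just above the visible `else`/`#endif` lines. The table also admits `GCRY_MD_MD5`: if the port is meant to track upstream verbatim that is acceptable, but a one-line comment such as `/* MD5 kept only to mirror upstream's table; whether gpg permits MD5 signatures is decided elsewhere. */` would stop a reader from assuming the card path endorses it.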
@@ -0,0 +1,17 @@
+$OpenBSD$
+
+The pcscd wrapper does not work due to problems with our current
+threading implementation: one has to use a card reader supported
+by GnuPG's internal CCID driver.
+
+--- scd/apdu.c.orig Wed Mar 17 13:11:30 2010
++++ scd/apdu.c Wed Nov 3 11:35:04 2010
+@@ -66,7 +66,7 @@
+ /* Due to conflicting use of threading libraries we usually can't link
+ against libpcsclite. Instead we use a wrapper program. */
+ #ifdef USE_GNU_PTH
+-#if !defined(HAVE_W32_SYSTEM) && !defined(__CYGWIN__)
++#if !defined(HAVE_W32_SYSTEM) && !defined(__CYGWIN__) && !defined(__OpenBSD__)
+ #define NEED_PCSC_WRAPPER 1
+ #endif
+ #endif
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/gnupg2/pkg/PLIST,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 PLIST
--- pkg/PLIST 8 Jul 2010 16:57:54 -0000 1.1.1.1
+++ pkg/PLIST 8 Nov 2010 09:11:53 -0000
@@ -13,7 +13,7 @@ bin/gpgsm-gencert.sh
 @bin bin/scdaemon
 @bin bin/watchgnupg
 @info info/gnupg.info
-...@bin libexec/gnupg-pcsc-wrapper
+...@comment libexec/gnupg-pcsc-wrapper
 @bin libexec/gpg-check-pattern
 @bin libexec/gpg-preset-passphrase
 @bin libexec/gpg-protect-tool
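Review bot: Leaving `NEED_PCSC_WRAPPER` undefined on OpenBSD removes only the wrapper process, not scdaemon's PC/SC support; if the rest of apdu.c (outside this hunk) falls back to loading libpcsclite directly into the process when no wrapper is used, a user with pcsc-lite installed and `pcsc-driver` configured would bring that library into the pth-based daemon, which is exactly the conflict the comment above the `#ifdef` describes. Worth confirming what the non-wrapper path does on this platform and, if it is the direct one, either forcing the internal CCID driver (the patch header already states that is the only supported reader path) or spelling that out in a pkg/README so users do not chase intermittent hangs. Because this is a bare `__OpenBSD__` carve-out rather than a configure-time switch, a sentence in the patch header on why it is local (or a pointer to the upstream report) would let the next maintainer judge when it can be dropped.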