
#1 2025-06-23 10:01:05

gindrus
Member
Registered: 2025-06-23
Posts: 1

Using a fido2 smartcard to unlock kwallet for gpg

Hello all,
I need to sign git commits, and I got pretty tired of inputting my password every hour, and wanted to try using a smartcard authenticator instead of just extending the timeout and inputting my password once.
Just using pinentry-kwallet as pinentry-program in the gpg-agent.conf used to work, but I had to change it to pinentry-qt because I removed kwallet5 and kwalletcli depended on it, which means I now have to input my password for the keychain anyway.
So I've been messing around with this Cryptnox FIDO2 u2f smartcard I bought on amazon without much research into smartcards. (Now that I've spent many hours trying to understand how to make it work, I wouldn't recommend buying a fido2-u2f-only card for this purpose. A token2 card would work so much better.)
I have had success setting up system authentication using pam-u2f, but kwallet needs a password to be passed from pam, so apart from now not needing a password for login and sudo when the card is inserted, I haven't made much progress.

So, my list of questions:
1. Is there a (maybe even a better?) alternative to kwallet in terms of safely storing the answers to pinentry challenges? I've searched "pinentry" in AUR but couldn't find anything relevant.
2. Is there a way to have the pam-u2f module unlock the keyring/authenticate the user for this alternative, if this alternative doesn't have native support for fido2/u2f? Or if no such alternative, how do I make my kwallet act as one, considering I've removed kwallet5 from my system?
3. (kind of off-topic) firefox doesn't seem to support fido2 u2f over pcsc for webauthn. This is a known issue, and there are two solutions (one of which is on the AUR) that don't seem to work - fido2-hid-bridge seems to fail on install (missing python uhid package which is nowhere to be found) and https://github.com/StarGate01/CTAP-bridge requires me to rebuild the kernel, which I am not doing just for firefox to work with my smartcard.

TL;DR: how do I get a fido2-only smartcard to nicely, quietly, and automatically unlock my gpg keys?

P.S.: I know that "just buying a token2/yubikey/$(OTHER_BRAND_NAME)" card would solve most of my problems, but at this point this is a challenge for me. I WANT TO have THIS SPECIFIC card work with my stack. I also believe that a universal protocol such as U2F should be more implemented in security and encryption. However, I'm stuck now and I hope you people might have some more expertise into this. I've only been using arch for the past year and I have quite a limited experience in linux system administration. This is also my first post on this forum, so let me know if I need to change the subject/move the post into a different topic/etc.

Thanks for reading and pondering on this issue!

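The post hinges on which pinentry-program gpg-agent.conf points at and on how long gpg-agent caches a passphrase. The following POSIX sh snippet is an added example, not code from the poster or from GnuPG: it reads those options out of a gpg-agent.conf, reports whether the configured pinentry binary is actually executable (the failure mode the poster hit after kwalletcli went away), and shows the effective cache lifetimes. The fallback path `/usr/bin/pinentry` and the default TTLs of 600 and 7200 seconds are assumptions based on GnuPG's documented defaults; the config path defaults to `~/.gnupg/gpg-agent.conf` but can be passed explicitly.

```shell
#!/bin/sh
# Added example (not from the forum post): inspect a gpg-agent.conf for the
# pinentry-program and cache-ttl settings discussed above, and check that the
# configured pinentry binary exists before the agent is reloaded.
# Assumptions: POSIX sh; /usr/bin/pinentry is gpg-agent's fallback pinentry;
# GnuPG defaults of default-cache-ttl=600 and max-cache-ttl=7200 seconds.

# Print the value of one gpg-agent.conf option. Comments are stripped and,
# as in gpg-agent itself, the last occurrence of an option wins.
agent_conf_get() {
    conf="$1"; key="$2"
    [ -r "$conf" ] || return 1
    sed -e 's/#.*//' "$conf" |
        awk -v k="$key" '$1 == k { v = $2 }
                         END { if (v != "") { print v; exit 0 } exit 1 }'
}

# Return 0 if the configured pinentry (or the assumed fallback) is executable.
pinentry_check() {
    conf="${1:-$HOME/.gnupg/gpg-agent.conf}"
    prog=$(agent_conf_get "$conf" pinentry-program) || prog=/usr/bin/pinentry
    if [ -x "$prog" ]; then
        echo "pinentry-program: $prog (ok)"
        return 0
    fi
    echo "pinentry-program: $prog (NOT executable)" >&2
    return 1
}

# Report the passphrase cache lifetimes in seconds, falling back to the
# assumed GnuPG defaults when the option is absent.
cache_ttl_report() {
    conf="${1:-$HOME/.gnupg/gpg-agent.conf}"
    ttl=$(agent_conf_get "$conf" default-cache-ttl) || ttl=600
    max=$(agent_conf_get "$conf" max-cache-ttl) || max=7200
    echo "default-cache-ttl=$ttl max-cache-ttl=$max"
}

# Usage: run both checks against the real config, e.g.
#   pinentry_check && cache_ttl_report
```

After changing pinentry-program, gpg-agent has to be told to re-read its configuration (`gpgconf --reload gpg-agent`); running `pinentry_check` first avoids reloading into a configuration whose pinentry no longer exists, which otherwise only shows up as a failed signing attempt.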