5 releases (3 breaking)
0.4.1 | Nov 26, 2024 |
---|---|
0.4.0 | Aug 27, 2024 |
0.3.0 | Jun 4, 2024 |
0.2.0 | May 19, 2024 |
0.1.0 | Mar 24, 2024 |
#2699 in Cryptography
1,243 downloads per month
Used in sequoia-keystore
130KB
2K
SLoC
A gpg-agent
backend for Sequoia's private key store.
The sequoia-keystore
crate implements a server that manages secret
keys. Secret key material can be stored in files, on hardware devices
like smartcards, or accessed via the network. sequoia-keystore
doesn't implement these access methods. This is taken care of by
various backends.
This crate includes a backend that exposes the secret keys managed by
a gpg-agent
process. By default, this backend uses the default
gpg-agent
, i.e., the one for $HOME/.gnupg
.
Whereas the keystore and consequently this backend make use of OpenPGP
data structures, gpg-agent
uses a lower-level representation, which
is independent of the encoding. As a first approximation, gpg-agent
works with the low-level public and private keys, and does not know
about OpenPGP metadata. A consequence of this is that it can also
work with X.509 keys.
gpg-agent
addresses keys using their so-called keygrip, which is
basically a hash of the public key material. This can usually be
derived from the OpenPGP key material (although the function is not
total). This backend finds the OpenPGP keys corresponding to the
low-level keys managed by the gpg-agent
by iterating over all
OpenPGP certificates stored in the user's default certificate store.
If the backend doesn't find a key with the corresponding keygrip, it
does not expose that key; it is unusable. If the certificate is
known, the key can be exposed by simply importing the certificate in
the usual way:
$ sq cert import cert.pgp
The backend doesn't need to be restarted, it will pick it up on its own.
Dependencies
~24–37MB
~499K SLoC