OpenSCToken
PIN entry requires GUI
Hello,
When using a PIV smart card on Catalina for code signing using ‘codesign’ and ‘productsign’, the system asks for PIN entry in a modal GUI window. The problem is that I need to be able to build and sign through SSH, i.e. without a GUI.
Is there a setting in macOS or OpenSCToken to ask for the PIN in the terminal instead? If this feature requires a change in OpenSCToken, I will be happy to contribute with some guidance as I am not (yet) familiar with the architecture and APIs.
I've missed your question, sorry for the late response.
Sure, this is possible in multiple different ways, but every one of them would require patching OpenSC/OpenSCToken. For example, you could delegate the PIN entry to a separate program. Look at the DNIe driver for inspiration: https://github.com/OpenSC/OpenSC/blob/223a0949e88612eb8e441031e62206aaff7e7b48/src/libopensc/card-dnie.c#L187-L198
OpenSCToken could then detect this configuration and propagate a different PIN verification mechanism, which is currently also done for smart card readers with a separate PIN pad. If attached, the user is asked to input the PIN on the reader rather than showing a modal dialog: https://github.com/frankmorgner/OpenSCToken/blob/5359efaad81f2593526b7b30c3d423b840b21aa4/OpenSCToken/TokenSession.m#L124-L150
As you can see, OpenSCPINPadAuthOperation calls OpenSCAuthOperationFinishWithError with nil for the PIN, which means that the OpenSC core library will ask on the reader instead of using a separate window.
CTK is supported on macOS 10.15 by SSH, according to the documentation. I tested sudo in the terminal on Big Sur, which prompts for the PIN in the CLI.