OpenSCToken

PIN entry requires GUI

Open hid-jcdhellemmes opened this issue 4 years ago • 1 comments

Hello,

When using a PIV smart card on Catalina for code signing using ‘codesign’ and ‘productsign’, the system asks for PIN entry in a modal GUI window. The problem is that I need to be able to build and sign through SSH, i.e. without a GUI.

Is there a setting in macOS or OpenSCToken to ask for the PIN in the terminal instead? If this feature requires a change in OpenSCToken, I will be happy to contribute with some guidance as I am not (yet) familiar with the architecture and APIs.

hid-jcdhellemmes, Apr 23 '20 06:04

I've missed your question, sorry for the late response.

Sure, this is possible in multiple different ways, but every one of them would require patching OpenSC/OpenSCToken. For example, you could delegate the PIN entry to a separate program. Look at the DNIe driver for inspiration: https://github.com/OpenSC/OpenSC/blob/223a0949e88612eb8e441031e62206aaff7e7b48/src/libopensc/card-dnie.c#L187-L198

OpenSCToken could then detect this configuration and propagate a different PIN verification mechanism, which is currently also done for smart card readers with a separate PIN pad. If attached, the user is asked to input the PIN on the reader rather than showing a modal dialog: https://github.com/frankmorgner/OpenSCToken/blob/5359efaad81f2593526b7b30c3d423b840b21aa4/OpenSCToken/TokenSession.m#L124-L150

As you can see, OpenSCPINPadAuthOperation calls OpenSCAuthOperationFinishWithError with nil for the PIN, which means that the OpenSC core library will ask on the reader instead of using a separate window.

frankmorgner, Jun 22 '20 13:06

CTK is supported on macOS 10.15 by SSH, according to the documentation. I tested sudo in the terminal on Big Sur, which prompts for the PIN in the CLI.

frankmorgner, Jun 16 '23 06:06