Arch Linux User Repository

Try again with hkps://.

GnuPG internally remaps keys.gnupg.net to keyserver.ubuntu.com (which should usually be a reliable server), so try directly using hkps://keyserver.ubuntu.com or visiting https://keyserver.ubuntu.com.

Hello,

I am not familiar with internals of arch linux package installations and keys, I am receiving following error while trying to install sac-core with yay.

yay -S sac-core
:: Checking for conflicts...
:: Checking for inner conflicts...
[Repo:1]  ccid-1.5.2-1
[Aur:1]  sac-core-10.8.1050-1

:: PKGBUILD up to date, Skipping (1/0): sac-core
:: (1/1) Parsing SRCINFO: sac-core

:: PGP keys need importing:
 -> B37EBA84D2EB0C786F91EEF77F8AA801285DEE57, required by: sac-core
:: Import? [Y/n] Y
:: Importing keys with gpg...
gpg: keyserver receive failed: Server indicated a failure
 -> problem importing keys

I tried

gpg --verbose --keyserver hkp://keys.gnupg.net --recv B37EBA84D2EB0C786F91EEF77F8AA801285DEE57
gpg: enabled compatibility flags:
gpg: keyserver receive failed: Server indicated a failure

Yes, that was the problem and now it works! Thank you very much.

You need access to the pcscd service that talks to card readers. Recent builds of the pcsclite package enable polkit authorization and the default settings have a "local session" requirement – a lot like many other GUI features like mounting external disks (since USB smartcard access is a lot like USB stick access after all).

So if you're working in X11 try following the general instructions for getting polkit working per archwiki (loginctl session check, polkit agent running).

If you're working remotely via SSH or some other reason, create a custom polkit rule that gives you access by traditional group membership (or just make it free-for-all if you want):

# cat 90-local-pcsc.rules
/* 2023-03-09 grawity: Allow SSH clients to access eToken, as pcscd now uses
 * polkit authorization. (Use the same "pkcs11" group that OpenCryptoki uses.) 
 */
polkit.addRule(function(action, subject) {            
    if (action.id == "org.debian.pcsc-lite.access_pcsc" ||
        action.id == "org.debian.pcsc-lite.access_card")
    {
        if (subject.isInGroup("pkcs11")) {
            return polkit.Result.YES;
        }
    }
});

Hi! I have installed correctly sac-core and p11tool in my system but I can only use it as a root user - I mean getting certificate URLs via p11tool or loading keys to ssh-agent via provider library (libeToken.so). What can I do to use it also as a normal user without root permissions?

A new version is out (10.8.1050). This version fixes my issues with SafeNet eToken 5100.

I've made a patch, and there is the link to download the Thales package.

From e254d36236a814f8d64fbc12977ef700212694ee Mon Sep 17 00:00:00 2001
From: Erwan LE DISEZ <arch@groond.net>
Date: Mon, 2 Jan 2023 14:36:03 +0100
Subject: [PATCH] release 10.8.105 R1

---
 PKGBUILD | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/PKGBUILD b/PKGBUILD
index 90e4a54..62860ee 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,30 +1,30 @@
 pkgbase=sac-core
 pkgname=(sac-core sac-gui)
-pkgver=10.8.28
-pkgrel=5
+pkgver=10.8.1050
+pkgrel=1
 pkgdesc='Thales/Gemalto SafeNet Authentication Client for eToken 5110/5300 & IDPrime'
 url='https://cpl.thalesgroup.com/access-management/security-applications/authentication-client-token-management'
 arch=(x86_64)
 depends=(ccid pcsclite)
 optdepends=('sac-core-legacy: Support for eToken 32K/64K (CardOS 4.2)')
 license=(custom)
-source=('https://installer.id.ee/media/etoken/Linux_SAC%2010.8.28%20GA%20Build.zip'
+source=('https://www.dropbox.com/s/q66bhnjoq0xzuas/SAC_Linux_10.8.105_R1_GA.zip?dl=0'
         eToken.conf
         safenetauthenticationclient.service)
-sha256sums=('6e1f9307b6460cc87d1b895c3edbfb99cd1778686609f30caab96ab7218821a0'
+sha256sums=('18ecac33e8a1ddb894c23423074592ffd77a272a7255b519d20992662a5c699e'
             '85b850b820610e029428e577ca0e48f6fb7b4148ae8d702ca20b191963046c6c'
             'eb8b4e105d8b75f11e4b83ca6c4a605f781f50cc0f0405a5d1deccb5580fd055')
 #validpgpkeys=('B37EBA84D2EB0C786F91EEF77F8AA801285DEE57')

-_dir="SAC 10.8.28 GA Build"
-_rn_pdf="007-013841-003-SafeNet Authentication Client_ 10.8_Linux_GA_Release Notes_Rev A.pdf"
-_ag_pdf="007-013842-002_SafeNet Authentication Client_10.8_Linux_GA_Administrator_Guide_Rev A.pdf"
-_ug_pdf="007-013843-002_SafeNet Authentication Client_10.8_Linux_GA_User_Guide_Rev A.pdf"
+_dir="SAC Linux 10.8.1050 R1 GA"
+_rn_pdf="007-013841-004-SafeNet Authentication Client_10.8_R1_Linux_GA_Release_Notes.pdf"
+_ag_pdf="007-013842-002_SafeNet Authentication Client_10.8_R1_Linux_GA_Administrator_Guide_Rev C.pdf"
+_ug_pdf="007-013843-002_SafeNet Authentication Client_10.8_R1_Linux_GA_User_Guide_Rev C.pdf"

 prepare() {
   #ar x "$_dir/Installation/withoutUI/Ubuntu-2004/safenetauthenticationclient-core_${pkgver}_amd64.deb"
-  ar x "$_dir/Installation/Standard/Ubuntu-2004/safenetauthenticationclient_${pkgver}_amd64.deb"
-  bsdtar -xf data.tar.xz
+  ar x "$_dir/Installation/Standard/Ubuntu-2204/safenetauthenticationclient_${pkgver}_amd64.deb"
+  bsdtar -xf data.tar.gz
 }

 _pick() {
-- 
2.39.0

@pirofti: Well, after seeing some updates to pcscd, I just realized that the reason AKS ifdh is no longer bundled with SAC is because all remaining supported USB tokens can be handled by the standard ccid driver. So try that instead of sac-core-legacy.

Yes, pcscd needs to be restarted to reload its IFD drivers. I'm really not sure why they are not included with SAC 10.8 even though it's supposed to support the 5110.

Once pcscd sees the device, either the 10.8 or legacy 10.0 PKCS#11 modules should work identically, even without the SACSrv daemon (I think that's only used by the GUI components).