Arch Linux User Repository

Hello, I'm having some issues with this despite it working fine some time ago. SACTools fails to launch for me with the error "Another SACTools is already running" (it certainly isn't running). That happens regardless of whether SACMonitor is running. In addition, if I terminate the SACMonitor process that automatically starts after logging in, I can't start it manually. The SACMonitor commands exits cleanly but nothing happens. My smartcard reader works fine though and I can use it for digital signing.

Do you need SACMonitor? I've packaged it but I don't think I've ever had a need to use it. Generally the token should work fine without.

I am getting "stack smashing detected: terminated" immediately when trying to launch SACMonitor. My org has other auth methods so I can manage without it but wanted to write in case others see the same error.

Note that a new version is available 10.9.6747 (not expecting it to fix my issue).

Thank you very much for these superb packages @grawity!

Try again with hkps://.

GnuPG internally remaps keys.gnupg.net to keyserver.ubuntu.com (which should usually be a reliable server), so try directly using hkps://keyserver.ubuntu.com or visiting https://keyserver.ubuntu.com.

Hello,

I am not familiar with internals of arch linux package installations and keys, I am receiving following error while trying to install sac-core with yay.

yay -S sac-core
:: Checking for conflicts...
:: Checking for inner conflicts...
[Repo:1]  ccid-1.5.2-1
[Aur:1]  sac-core-10.8.1050-1

:: PKGBUILD up to date, Skipping (1/0): sac-core
:: (1/1) Parsing SRCINFO: sac-core

:: PGP keys need importing:
 -> B37EBA84D2EB0C786F91EEF77F8AA801285DEE57, required by: sac-core
:: Import? [Y/n] Y
:: Importing keys with gpg...
gpg: keyserver receive failed: Server indicated a failure
 -> problem importing keys

I tried

gpg --verbose --keyserver hkp://keys.gnupg.net --recv B37EBA84D2EB0C786F91EEF77F8AA801285DEE57
gpg: enabled compatibility flags:
gpg: keyserver receive failed: Server indicated a failure

Yes, that was the problem and now it works! Thank you very much.

You need access to the pcscd service that talks to card readers. Recent builds of the pcsclite package enable polkit authorization and the default settings have a "local session" requirement – a lot like many other GUI features like mounting external disks (since USB smartcard access is a lot like USB stick access after all).

So if you're working in X11 try following the general instructions for getting polkit working per archwiki (loginctl session check, polkit agent running).

If you're working remotely via SSH or some other reason, create a custom polkit rule that gives you access by traditional group membership (or just make it free-for-all if you want):

# cat 90-local-pcsc.rules
/* 2023-03-09 grawity: Allow SSH clients to access eToken, as pcscd now uses
 * polkit authorization. (Use the same "pkcs11" group that OpenCryptoki uses.) 
 */
polkit.addRule(function(action, subject) {            
    if (action.id == "org.debian.pcsc-lite.access_pcsc" ||
        action.id == "org.debian.pcsc-lite.access_card")
    {
        if (subject.isInGroup("pkcs11")) {
            return polkit.Result.YES;
        }
    }
});

Hi! I have installed correctly sac-core and p11tool in my system but I can only use it as a root user - I mean getting certificate URLs via p11tool or loading keys to ssh-agent via provider library (libeToken.so). What can I do to use it also as a normal user without root permissions?