GPG smart card daemon (SCD)
DigiCert® Software Trust Manager GPG Smart Card Daemon (SCD) is a GPG-compliant SCD client-side tool that integrates with gpg-agent (part of the GPG tool suite) for all GPG-based hash signing use cases.
The GPG SCD handles secure key generation, application hash signing, and the associated certificate requirements when the signing request does not require transporting files and intellectual property.
What signing tools can GPG SCD integrate with?
Use the DigiCert® Software Trust Manager GPG SCD to sign files with GPG keys using a hash-based approach while maintaining key protection and permission-based access, and reporting all signing activities:
GPG
Debian package (DEB)
Git commit
Redhat Package Manager (RPM)
Redhat container image
What can the GPG SCD sign?
DigiCert® Software Trust Manager GPG SCD enables secure hash-based signing of any type of file, including:
Executables
Installers
Files
Applications
Drivers
Images
Scripts
Download GPG Smart Card Daemon (SCD)
Sign in to DigiCert ONE.
Select the manager menu icon (top-right) > Software Trust.
Navigate to: Resources > Client tool repository.
Select your operating system.
Click the download icon next to GPG Smart Card Daemon (SCD).
Move the GPG SCD client (ssm-scd) to the location of your choice.
Configuration file
A configuration file is required to use the GPG SCD client. The following parameters can be used in it.
| Parameter | Description |
|---|---|
| scdaemon-program | Points this parameter to the DigiCert® Software Trust Manager GPG Smart Card Daemon client (ssm-scd). Command: scdaemon-program /home/<username>/ssm-scd |
| verbose | An optional parameter that enables extra verbose logging by gpg-agent. Command: verbose |
| debug-all | An optional parameter that enables more in-depth debug logging by gpg-agent. Command: debug-all |
| log-file | An optional parameter that writes logs to the specified file. Command: log-file /home/<username>/.gnupg/gpg-agent.log |
| pinentry-program | An optional parameter that points to the pinentry program (a small collection of dialog programs that let GnuPG read passphrases and PINs securely); in most cases it is installed with GPG. Command: pinentry-program /<username>/bin/pinentry |
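As an added example (not DigiCert's tooling), a POSIX shell helper that writes the parameters from the table above into a gpg-agent.conf from explicit paths and checks that the ssm-scd and pinentry binaries it names are executable and not group- or world-writable, since gpg-agent will execute whatever those parameters point at. All paths are caller-supplied arguments; none are DigiCert defaults.

```shell
#!/bin/sh
# Added example, not DigiCert tooling: write gpg-agent.conf for the GPG SCD
# client from explicit paths and check the binaries it names. All paths are
# arguments supplied by the caller; none are DigiCert defaults.

# check_exec FILE: FILE must be a regular executable that is not writable by
# group or others. gpg-agent executes whatever scdaemon-program and
# pinentry-program point at, so a writable binary is a code-execution risk.
check_exec() {
    f="$1"
    [ -f "$f" ] && [ -x "$f" ] || { echo "not executable: $f" >&2; return 1; }
    # columns 6 and 9 of ls -l output are the group and other write bits
    case "$(ls -ld "$f" | cut -c6,9)" in
        --) return 0 ;;
        *)  echo "group/world-writable: $f" >&2; return 1 ;;
    esac
}

# check_gpg_agent_conf CONF: run check_exec over every program path named in
# an existing gpg-agent.conf. Fails on the first bad path.
check_gpg_agent_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    grep -E '^(scdaemon-program|pinentry-program) ' "$conf" |
        while read -r _key path; do
            check_exec "$path" || exit 1   # exits only this pipeline subshell
        done
}

# write_gpg_agent_conf CONF SCD LOG [PINENTRY]: emit the parameters from the
# table above. Nothing is written if a named binary fails check_exec.
# Reload the running agent afterwards with: gpgconf --reload gpg-agent
write_gpg_agent_conf() {
    conf="$1"; scd="$2"; log="$3"; pin="$4"
    check_exec "$scd" || return 1
    [ -z "$pin" ] || check_exec "$pin" || return 1
    {
        echo "verbose"
        echo "debug-all"
        echo "log-file $log"
        echo "scdaemon-program $scd"
        [ -z "$pin" ] || echo "pinentry-program $pin"
    } > "$conf"
    chmod 600 "$conf"    # keep the agent configuration private to the user
}

# Usage: write_gpg_agent_conf ~/.gnupg/gpg-agent.conf ~/ssm-scd \
#            ~/.gnupg/gpg-agent.log /usr/bin/pinentry
```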
Create a GPG configuration file
To create a GPG configuration file:
Open an integrated development environment (IDE) or plain text editor.
Copy the following text into the file:
```
verbose
debug-all
log-file <log_file_path_for_gpg_agent>
scdaemon-program <path_of_the_scd_ssm>
pinentry-program <path_of_pinentry_installed_as_part_of_gpg>
```
Save the file as gpg-agent.conf.
Store the file in the following location based on your operating system: