
GPG smart card daemon (SCD)

DigiCert® Software Trust Manager GPG Smart Card Daemon (SCD) is a GPG-compliant SCD client-side tool that integrates with gpg-agent (part of the GPG tool suite) for all GPG-based hash-signing use cases.

The GPG SCD handles secure key generation, application hash signing, and the associated certificate requirements for signing requests in which only a hash is sent to the signing service, so the files themselves, and the intellectual property they contain, do not need to be transported.

What signing tools can GPG SCD integrate with?

Use the DigiCert® Software Trust Manager GPG SCD to sign files with GPG keys using a hash-based approach while keeping the keys protected, enforcing permission-based access, and reporting all signing activities. It integrates with the following signing tools:

  • GPG

  • Debian package (DEB)

  • Git commit

  • Red Hat Package Manager (RPM)

  • Red Hat container image

What can the GPG SCD sign?

DigiCert® Software Trust Manager GPG SCD enables secure hash-based signing of any type of file, including:

  • Executables

  • Installers

  • Files

  • Applications

  • Drivers

  • Images

  • Scripts

Download GPG Smart Card Daemon (SCD)

  1. Sign in to DigiCert ONE.

  2. Select the manager menu icon (top-right) > Software Trust.

  3. Navigate to: Resources > Client tool repository.

  4. Select your operating system.

  5. Click the download icon next to GPG Smart Card Daemon (SCD).

  6. Move the GPG SCD client (ssm-scd) to the location of your choice.

Configuration file

A configuration file is required to use the GPG SCD client. The following parameters can be used in the file.

Parameter: scdaemon-program

Description: Points gpg-agent to the DigiCert® Software Trust Manager GPG Smart Card Daemon client (ssm-scd).

Command:

scdaemon-program /home/<username>/ssm-scd

Parameter: verbose

Description: An optional parameter that enables extra verbose logging by gpg-agent.

Command:

verbose

Parameter: debug-all

Description: An optional parameter that enables more in-depth debug logging by gpg-agent.

Command:

debug-all

Parameter: log-file

Description: An optional parameter that writes the gpg-agent log to the specified file. Because verbose and debug-all output can record details of every signing request, keep this file readable only by your own user account.

Command:

log-file /home/<username>/.gnupg/gpg-agent.log

Parameter: pinentry-program

Description: An optional parameter that points to the pinentry program (a small collection of dialog programs that let GnuPG read passphrases and PINs securely). In most cases pinentry is installed together with GPG.

Command:

pinentry-program /<username>/bin/pinentry
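The parameters above, and the gpg-agent.conf that the next section asks you to create, can be generated and checked with a small POSIX shell script. The following is an added example, not DigiCert's or GnuPG's own code: it verifies that the scdaemon-program and pinentry-program paths point at executables before anything is written (a typo in either path silently leaves gpg-agent without a working smart card daemon), writes the five parameters from this page, restricts the file to the owner, and offers a helper to read back what gpg-agent will see. Every path in it is an assumption to be replaced with your own; `gpgconf --reload gpg-agent` in the usage comment is the standard GnuPG command for making the agent re-read its configuration.

```shell
#!/bin/sh
# Added example (not part of the DigiCert documentation or the GnuPG project).
# Generates a gpg-agent.conf that points gpg-agent at the ssm-scd client.
# All paths passed in are assumptions; adjust them to your installation.

# write_gpg_agent_conf OUT_CONF SSM_SCD_PATH PINENTRY_PATH LOG_FILE
# Returns 1 (and writes nothing) if either program path is not executable.
write_gpg_agent_conf() {
  conf="$1"; scd="$2"; pinentry="$3"; logfile="$4"

  # gpg-agent only uses these if they really are executables; check first.
  [ -x "$scd" ] || { echo "scdaemon-program not executable: $scd" >&2; return 1; }
  [ -x "$pinentry" ] || { echo "pinentry-program not executable: $pinentry" >&2; return 1; }

  # Write inside a subshell with umask 077 so the file is never world-readable,
  # then pin the mode explicitly: the log it names may contain signing details.
  (
    umask 077
    {
      echo "verbose"
      echo "debug-all"
      echo "log-file $logfile"
      echo "scdaemon-program $scd"
      echo "pinentry-program $pinentry"
    } > "$conf"
  ) && chmod 600 "$conf"
}

# conf_value CONF PARAMETER
# Prints the value of the first line whose first word is PARAMETER
# (empty for flag-style parameters such as verbose or debug-all).
conf_value() {
  awk -v key="$2" '$1 == key { sub(/^[^ \t]+[ \t]*/, ""); print; exit }' "$1"
}

# Usage (assumed paths):
#   write_gpg_agent_conf "$HOME/.gnupg/gpg-agent.conf" "$HOME/ssm-scd" \
#       /usr/bin/pinentry "$HOME/.gnupg/gpg-agent.log" \
#   && gpgconf --reload gpg-agent
#   conf_value "$HOME/.gnupg/gpg-agent.conf" scdaemon-program
```

After writing the file, reload the agent so it picks up the new scdaemon-program; until then a still-running gpg-agent keeps using whatever smart card daemon it started with.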

Create a GPG configuration file

To create a GPG configuration file:

  1. Open an integrated development environment (IDE) or plain text editor.

  2. Copy the following text into the file:

    verbose
    debug-all
    log-file <log_file_path_for_gpg_agent>
    scdaemon-program <path_of_the_scd_ssm>
    pinentry-program <path_of_pinentry_installed_as_part_of_gpg>
  3. Save the file as gpg-agent.conf.

  4. Store the file in the following location based on your operating system: