Add examples for passing PINs via file-descriptors.
Change the example card ident so that the serial number doesn't look like the default admin PIN.
parent 9955c9e1be
commit 22bbf77707
1 changed files with 30 additions and 16 deletions
|
@ -55,13 +55,13 @@ $ opgpcard status
|
|||
|
||||
Explicitly print the status information for a specific card:
|
||||
```
|
||||
$ opgpcard status -c ABCD:12345678
|
||||
$ opgpcard status -c ABCD:01234567
|
||||
```
|
||||
|
||||
Add `-v` for more verbose card status, including the list of supported
|
||||
algorithms of the card (older cards may return no additional information):
|
||||
```
|
||||
$ opgpcard status -c ABCD:12345678 -v
|
||||
$ opgpcard status -c ABCD:01234567 -v
|
||||
```
|
||||
|
||||
### Import keys
|
||||
|
@ -69,7 +69,7 @@ $ opgpcard status -c ABCD:12345678 -v
|
|||
Import private key onto a card. This works if at most one (sub)key
|
||||
per role (sign, decrypt, auth) exists in `key.priv`:
|
||||
```
|
||||
$ opgpcard admin -c ABCD:12345678 -P <admin-pin-file> import key.priv
|
||||
$ opgpcard admin -c ABCD:01234567 -P <admin-pin-file> import key.priv
|
||||
```
|
||||
|
||||
Import private key onto a card while explicitly selecting subkeys.
|
||||
|
@ -77,7 +77,7 @@ Explicitly specified fingerprints are necessary if more than one subkey
|
|||
exists in `key.priv` for any role (note: spaces in fingerprints are
|
||||
ignored).
|
||||
```
|
||||
$ opgpcard admin -c ABCD:12345678 -P <admin-pin-file> import key.priv \
|
||||
$ opgpcard admin -c ABCD:01234567 -P <admin-pin-file> import key.priv \
|
||||
--sig-fp "F290 DBBF 21DB 8634 3C96 157B 87BE 15B7 F548 D97C" \
|
||||
--dec-fp "3C6E 08F6 7613 8935 8B8D 7666 73C7 F1A9 EEDA C360" \
|
||||
--auth-fp "D6AA 48EF 39A2 6F26 C42D 5BCB AAD2 14D5 5332 C838"
|
||||
|
@ -89,19 +89,19 @@ keys will be imported for the other roles.
|
|||
### Generate Keys on the card
|
||||
|
||||
```
|
||||
$ opgpcard admin -c ABCD:12345678 -P <admin-pin-file> generate -p <user-pin-file> -o <output-cert-file> 25519
|
||||
$ opgpcard admin -c ABCD:01234567 -P <admin-pin-file> generate -p <user-pin-file> -o <output-cert-file> 25519
|
||||
```
|
||||
|
||||
### Set card metadata
|
||||
|
||||
Set cardholder name:
|
||||
```
|
||||
$ opgpcard admin -c ABCD:12345678 -P <admin-pin-file> name "Bar<<Foo"
|
||||
$ opgpcard admin -c ABCD:01234567 -P <admin-pin-file> name "Bar<<Foo"
|
||||
```
|
||||
|
||||
Set cardholder URL:
|
||||
```
|
||||
$ opgpcard admin -c ABCD:12345678 -P <admin-pin-file> url "https://keyurl.example"
|
||||
$ opgpcard admin -c ABCD:01234567 -P <admin-pin-file> url "https://keyurl.example"
|
||||
```
|
||||
|
||||
### Signing
|
||||
|
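Review bot: The "Generate Keys on the card" example is the only one in this hunk with no introductory sentence, and its line passes both `-P <admin-pin-file>` and `-p <user-pin-file>` plus a bare `25519` without saying why both PINs are needed or what the last argument selects. Since the line is being rewritten anyway, add a one-line description above the fenced block, in the same style as "Set cardholder name:" and "Set cardholder URL:" below it.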
@ -110,7 +110,7 @@ For now, this tool only supports creating detached signatures, like this
|
|||
(if no input file is set, stdin is read):
|
||||
|
||||
```
|
||||
$ opgpcard sign --detached -c ABCD:12345678 -p <user-pin-file> -s <cert-file> <input-file>
|
||||
$ opgpcard sign --detached -c ABCD:01234567 -p <user-pin-file> -s <cert-file> <input-file>
|
||||
```
|
||||
|
||||
### Decrypting
|
||||
|
@ -118,17 +118,31 @@ $ opgpcard sign --detached -c ABCD:12345678 -p <user-pin-file> -s <cert-file> <i
|
|||
Decryption using a card (if no input file is set, stdin is read):
|
||||
|
||||
```
|
||||
$ opgpcard decrypt -c ABCD:12345678 -p <user-pin-file> -r <cert-file> <input-file>
|
||||
$ opgpcard decrypt -c ABCD:01234567 -p <user-pin-file> -r <cert-file> <input-file>
|
||||
```
|
||||
|
||||
### Factory reset
|
||||
|
||||
Factory reset:
|
||||
```
|
||||
$ opgpcard factory-reset -c ABCD:12345678
|
||||
$ opgpcard factory-reset -c ABCD:01234567
|
||||
```
|
||||
|
||||
NOTE: you do not need a PIN to reset a card
|
||||
NOTE: you do not need a PIN to reset a card!
|
||||
|
||||
### Using file-descriptors for PINs
|
||||
|
||||
When using a shell like
|
||||
[bash](https://www.gnu.org/software/bash/manual/html_node/Redirections.html#Here-Strings),
|
||||
you can pass user and/or admin PINs via file-descriptors:
|
||||
|
||||
```
|
||||
$ opgpcard sign --detached -c ABCD:01234567 -p /dev/fd/3 -s <cert-file> 3<<<123456
|
||||
```
|
||||
|
||||
```
|
||||
$ opgpcard admin -c ABCD:01234567 -P /dev/fd/3 generate -p /dev/fd/4 -o <output-cert-file> 25519 3<<<12345678 4<<<123456
|
||||
```
|
||||
|
||||
## opgpcard-pin
|
||||
|
||||
|
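Review bot: Both examples in the new "Using file-descriptors for PINs" section put the PIN literally on the command line (`3<<<123456` and `3<<<12345678 4<<<123456`), so a reader who copies the pattern with a real PIN leaves it in shell history. Consider showing the here-string fed from a variable filled by a silent prompt, for example `read -rs PIN` followed by `-p /dev/fd/3 3<<<"$PIN"`, and state that 123456 and 12345678 are the default user and admin PINs. The two fenced blocks also have no sentence saying that the first passes only the user PIN and the second passes admin and user PIN together on descriptors 3 and 4. The prose says "file-descriptors" while the link points at the Here-Strings section of the bash manual, so naming here-strings in the sentence would match the link. The change to the "NOTE" line only appends "!" and is unrelated to the commit message.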
@ -137,25 +151,25 @@ PIN on OpenPGP cards.
|
|||
|
||||
Set the user PIN (requires admin PIN):
|
||||
```
|
||||
opgpcard-pin -c ABCD:12345678 set-user-pin
|
||||
opgpcard-pin -c ABCD:01234567 set-user-pin
|
||||
```
|
||||
|
||||
Set new admin PIN (requires admin PIN):
|
||||
```
|
||||
opgpcard-pin -c ABCD:12345678 set-admin-pin
|
||||
opgpcard-pin -c ABCD:01234567 set-admin-pin
|
||||
```
|
||||
|
||||
Reset user PIN after it has been blocked (requires admin PIN):
|
||||
```
|
||||
opgpcard-pin -c ABCD:12345678 reset-user-pin -a
|
||||
opgpcard-pin -c ABCD:01234567 reset-user-pin -a
|
||||
```
|
||||
|
||||
Set resetting code (requires admin PIN):
|
||||
```
|
||||
opgpcard-pin -c ABCD:12345678 set-reset-code
|
||||
opgpcard-pin -c ABCD:01234567 set-reset-code
|
||||
```
|
||||
|
||||
Reset user PIN (requires resetting code):
|
||||
```
|
||||
opgpcard-pin -c ABCD:12345678 reset-user-pin
|
||||
opgpcard-pin -c ABCD:01234567 reset-user-pin
|
||||
```
|
||||
|
|
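Review bot: The `opgpcard-pin` examples in this hunk have no `$ ` prompt, while every `opgpcard` example earlier in the file starts with one. Each of these lines is rewritten here for the card ident anyway, so add the prompt to keep the command blocks consistent. The descriptions also switch between "Set resetting code" and "requires resetting code" without saying what the resetting code is; a short clause on first use would help.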