Smart card support - details? #525
README claims: "For Macs without Secure Enclaves, you can configure a Smart Card (such as a YubiKey) and use it for signing as well." I'm a very happy user of Secretive and really appreciate the effort and UX. All my machines have the enclave, but I'm curious how I could use "roaming keys" via Secretive? I've not found many docs or examples about it. What are the requirements for the smart card? How should it be connected (e.g., can I use an NFC PC/SC reader and a tap-to-approve approach)? Can I just "chain" agents somehow with Secretive (so I'd build a custom agent that would do the interfacing towards a PC/SC + card implementation)?
Replies: 1 comment
After some more reading of issues I gather the support is indirectly via Keychain APIs and assumes the smart card has a CTK driver for it (like the built-in PIV on a YubiKey, or "whatever is supported" via OpenSC). This is nice and Apple-centric. The issues discussing the gpg scdaemon approach, like #63, have luckily led nowhere, but it would be fun to have some kind of agent stacking like that described in #369, as Secretive provides the best native UI thus far and could work as a gateway. Trying to stack things like the mux referenced in #369 in front of Secretive will probably lose access to calling-process identification. I'd love to have a piece of software where, instead of a static token/card (like a YubiKey) inserted and exposed via Keychain, there was a piece of software that utilized a USB-connected reader, waited for a card tap, and issued the pending signature. For some reason I believe it would be easier and more robust to achieve this in an "SSH-centric" Unix IPC way than trying to convince Apple CTK...