Poldi, GPGME, and Auth Keys

Chandler Davis me at chandlerdavis.cc
Wed Nov 19 02:08:24 CET 2025


Apologies for the email blunder. I have included the original content of the message below. If this happens again, I'll switch to a better email client.

---

Hello all,

I've been thinking a lot about GPG as an authentication mechanism. Of course this isn't a new idea--I've so far been able to find it being used via gpg-agent for SSH auth, as well as in the poldi project for PAM. However, I was surprised to find that not much else leveraged it.

I'm primarily interested in getting PAM working for me, but while spelunking I noticed a few potential opportunities to contribute:

1. It seems poldi has had only a few commits in the past few years, and that there's not much prose about it outside the repo. I also had some trouble getting it to build (though that may well be a skill issue). I'm considering giving it some love, but with that:

2. I wonder if poldi would benefit from using the gpgme library instead of directly going through assuan. If that seems reasonable, it follows that perhaps gpgme would benefit from being able to sign and verify challenges using the auth key on a smart card. I don't believe it's currently possible to use the auth key at all via gpgme, but please correct me if I'm wrong. This would make it easier for other things outside of poldi to leverage GPG for auth (without using the signing key, which feels hacky and wrong but is probably workable?).

Maybe as a start, it could be good to hack on a reasonable addition to the gpgme interface for auth?

I'll probably end up fleshing this out to some extent for my own experimentation and learning, but wanted to share the ideas and discuss before I get too deep.

Thanks for humoring me, and wishing everyone a happy holiday season (or otherwise, a tolerable rest of the year)!

Best,
Chandler Davis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: publickey - me at chandlerdavis.cc - 0x806B3070.asc
Type: application/pgp-keys
Size: 1279 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20251119/99992bd3/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 343 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20251119/99992bd3/attachment.sig>

