SCUTE(7) Scute SCUTE(7)

scute.so

Scute is a PKCS#11 implementation for the GnuPG Agent using the GnuPG Smart Card Daemon. Currently, OpenPGP and PIV cards are supported.

Scute enables the use of the OpenPGP smart card or a PIV smart card in applications supporting PKCS#11 compliant security tokens. The main application at this time is client authentication in Mozilla-based web browsers. In the future, other applications will be supported.

To prepare your application for use with Scute, you have to load the Scute module as a PKCS#11 module into the application. See below for notes on how to do that with Firefox.

As a shared library, scute has no command line options but its behaviour can be modified by the use of a global configuration file or with an environment variable (see below). The global configuration file is expected as ‘/etc/gnupg/scute.conf’. It consists of keywords and values and some meta commands. There is currently only one useful option for general use, the other options are used for debugging. Scute uses the same parser as GnuPG does; thus for the meta commands please consult the GnuPG description.

Here is the short list of supported keywords:

Scute consideres only keys having the Use-for-p11 as part of their meta data.

If Scute is running with root permission and this option is used it runs the GnuPG components in the context of the user name. name may either be a name or a numerical UID. This allows to use the GnuPG setup of a certain user instead of running it under the root account. This is needed to make Scute work smoothly as a PKCS#11 provider for OpenVPN. If the current user is not root, this option has no effect.

Useful values for flag are 1 and 3.

This has currently no effect but will in a future version write the log to file. Writing to a socket will be possible by prefixing the file with the string socket://.

This is a hack to ignore a request to use native threads instead of user provided callbacks. Should only be used with caution if there is no easy way to fix the caller or until we have fixed Scute.

By default, when Scute is asked for a certificate, it returns the requested certificate along with the chain of signing certificates. This option makes Scute return only the leaf certificate.

In addition to the above configuration file, Scute also reads GnuPG´s ‘common.conf’ in the same way GnuPG does. This way the no-autostart option is detected and Scute will not try to launch gpg-agent, which it usually does. The important use-case here is running Scute on a server with the gpg-agent on a desktop box.

To use Scute with Firefox or Thunderbird, follow these instructions:

From the menu choose Edit->Preferences. In the preferences configuration dialog, you then select the Advanced configuration section, then the Security tab, and then select Security Devices in the category Certificates. In the devices manager dialog, you can select Load to load a new PKCS#11 device. In the pop-up dialog that follows, you can give a module name (e.g. ``Scute'') and a module filename. The latter should correspond to the full file name of the installed Scute module file ‘scute.so’.

The default installation path is ‘/usr/local/lib’, which would mean that you have to provide the file name ‘/usr/local/lib/scute.so’. If you or your system administrator installed Scute in a different location, you have to adjust the file name correspondingly.

After confirming installation of the security device, a pop-up window should confirm that the module was successfully loaded, and an entry for the security device should appear in the device manager list of

The environment variable SCUTE_DEBUG gives the same debug flags as described above. This numerically value may be followed by a colon and the name for the log file. The global options will override these values once they have been parsed.

scdaemon(1) gpgsm(1)

2024-12-18 Scute 1.7.1-unknown