epass2003 tokend MacOS 10.12 about opensc.tokend HOT 4 CLOSED

Try https://github.com/mouse07410/OpenSC.tokend.git - you're likely to have better success. I'm using this tokend on 10.11.6 and 10.12.1 with 100% success. ;-)

I must add that the tokend I'm using has been extensively tested and enhanced for PIV cards, but I conjecture that it would work with epass2003.

from opensc.tokend.

wow- after fighting with openssl a bit, i did get a copy to build, and it seems to work using our tokens under 10.12.1. Very nice- thanks for the pointer! (edit removing the bit about contributing back to mainline: I see the pull request, thanks! )

from opensc.tokend.

I don't suppose there will be code committed back to this project so we can eventually go back to the mainline package?

@bmwt, this tokend is maintained as a parallel fork. It tracks the mainline fixes if and when they appear (which nowadays isn't highly likely). The owners of the mainline package decided not to merge it back then. I was disappointed at first, couldn't care less now.

(or is it dead given apple's deprecation of tokend?)

Tokend is not deprecated (unless you mean CDSA-based tokend, like these :).

Apple, starting with Sierra, returned to providing its own tokend - based on their new CTK (named pivtoken). It contains a few nice enhancements (like the ability to pair smart card with the account, e.g., to unlock FileVault and Keychains with it). But it also lacks some crucial capabilities, like visualizing the token in Keychain Access (so if there are any problems with certs on it, or with the issuing CA - good luck! You'll need it). Coincidentally, cutting off the "old" interface made it impossible for the 3rd-party apps such as MS Office, Adobe Acrobat, Firefox, etc. to utilize smart cards on Sierra. Currently (AFAIK) only Apple Mail and Safari can use hardware tokens, and you can't actually see what's on those tokens, or even what those tokens are (unless you count hash of something on the token presented in hex as a useful identifier :)). Until all those apps are re-written by their corresponding vendors to move to the CTK interface, they won't work with tokens.

Luckily, Sierra allows operations in Legacy mode: you disable pivtoken, install your working tokend in /Library/Security/tokend, and use your smart cards and apps on Sierra as on El Capitan (especially if your main need for smart cards is to use it with applications rather than for logging in). The only disadvantage I see is that you lose the pairing ability - but it's only useful at login anyway.

And of course, we never know - perhaps with 10.13 or 10.14 pivtoken would go the way SmartCardServices went in Lion? Apple giveth, and Apple taketh away. :) So it makes sense to keep this tokend for a while longer until there's more certainty. :-)

from opensc.tokend.

ahh, i thought CTK was a replacement for tokend, and that tokend was going away. This clarifies quite a bit- all the information i was looking for, but couldn't find. Much, much appreciated- we'll just continue to follow your fork until apple decides to throw something else our way.

from opensc.tokend.