Provided by: scute_1.7.0+git20240826+8331f37-1_amd64 

SYNOPSIS
scute.so
DESCRIPTION
Scute is a PKCS#11 implementation for the GnuPG Agent using the GnuPG Smart Card Daemon. Currently,
OpenPGP and PIV cards are supported.
Scute enables the use of the OpenPGP smart card or a PIV smart card in applications supporting PKCS#11
compliant security tokens. The main application at this time is client authentication in Mozilla-based
web browsers. In the future, other applications will be supported.
To prepare your application for use with Scute, you have to load the Scute module as a PKCS#11 module
into the application. See below for notes on how to do that with Firefox.
OPTIONS
As a shared library, scute has no command line options but its behaviour can be modified by the use of a
global configuration file or with an environment variable (see below). The global configuration file is
expected as ‘/etc/gnupg/scute.conf’. It consists of keywords and values and some meta commands. There
is currently only one useful option for general use; the other options are used for debugging. Scute
uses the same parser as GnuPG does; thus for the meta commands please consult the GnuPG description.
Here is the short list of supported keywords:
only-marked
Scute considers only keys having Use-for-p11 as part of their metadata.
user name
If Scute is running with root permission and this option is used it runs the GnuPG components in
the context of the user name. name may either be a name or a numerical UID. This allows using
the GnuPG setup of a certain user instead of running it under the root account. This is needed to
make Scute work smoothly as a PKCS#11 provider for OpenVPN. If the current user is not root, this
option has no effect.
debug flag
Useful values for flag are 1 and 3.
log-file file
This currently has no effect but will in a future version write the log to file. Writing to a
socket will be possible by prefixing the file with the string socket://.
assume-single-threaded
This is a hack to ignore a request to use native threads instead of user provided callbacks.
Should only be used with caution if there is no easy way to fix the caller or until we have fixed
Scute.
no-chain
By default, when Scute is asked for a certificate, it returns the requested certificate along with
the chain of signing certificates. This option makes Scute return only the leaf certificate.
In addition to the above configuration file, Scute also reads GnuPG's ‘common.conf’ in the same way GnuPG
does. This way the no-autostart option is detected and Scute will not try to launch gpg-agent, which it
usually does. The important use-case here is running Scute on a server with the gpg-agent on a desktop
box.
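The keywords listed above can be checked mechanically before a module is deployed. The following shell function is an added example, not part of Scute or GnuPG; its review policy (expect only-marked, flag debug and assume-single-threaded) and its handling of ‘#’ comments and ‘[...]’ meta command lines are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of Scute. Policy choices (want only-marked,
# flag debug and assume-single-threaded) are this example's assumptions.
# Also assumed: '#' starts a comment and '[...]' lines are meta commands,
# as in other GnuPG option files.

scute_conf_review() {
    conf="${1:-/etc/gnupg/scute.conf}"
    [ -r "$conf" ] || { echo "ERROR cannot read $conf"; return 2; }
    awk '
        BEGIN { bad = 0 }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        $0 == "" || /^#/ || /^\[/ { next }
        { seen[$1] = 1; val[$1] = $2 }
        $1 !~ /^(only-marked|user|debug|log-file|assume-single-threaded|no-chain)$/ {
            printf "WARN line %d: keyword %s is not in the documented list\n", NR, $1
            bad = 1
        }
        END {
            if (!("only-marked" in seen)) {
                print "WARN only-marked not set: keys are not limited to those marked Use-for-p11"
                bad = 1
            }
            if ("debug" in seen) {
                print "WARN debug " val["debug"] " is set: debugging option left enabled"
                bad = 1
            }
            if ("assume-single-threaded" in seen) {
                print "WARN assume-single-threaded is set: documented as a hack, fix the caller instead"
                bad = 1
            }
            if ("user" in seen)
                print "INFO when loaded by root, GnuPG components run as user " val["user"]
            if ("no-chain" in seen)
                print "INFO only the leaf certificate is returned, without its chain"
            exit bad
        }' "$conf"
}

# Demonstration on a constructed file (values are made up for this example).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'user alice' 'debug 3' 'no-chain' > "$sample"
scute_conf_review "$sample" || echo "review found issues"
rm -f "$sample"
```

The function returns 0 when no warning was raised, 1 when at least one was, and 2 when the file cannot be read.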
NOTES (FIREFOX)
To use Scute with Firefox or Thunderbird, follow these instructions:
From the menu choose Edit->Preferences. In the preferences configuration dialog, you then select the
Advanced configuration section, then the Security tab, and then select Security Devices in the category
Certificates. In the devices manager dialog, you can select Load to load a new PKCS#11 device. In the
pop-up dialog that follows, you can give a module name (e.g. "Scute") and a module filename. The
latter should correspond to the full file name of the installed Scute module file ‘scute.so’.
The default installation path is ‘/usr/local/lib’, which would mean that you have to provide the file
name ‘/usr/local/lib/scute.so’. If you or your system administrator installed Scute in a different
location, you have to adjust the file name correspondingly.
After confirming installation of the security device, a pop-up window should confirm that the module was
successfully loaded, and an entry for the security device should appear in the device manager list of
ENVIRONMENT
The environment variable SCUTE_DEBUG gives the same debug flags as described above. This numeric
value may be followed by a colon and the name for the log file. The global options will override these
values once they have been parsed.
SEE ALSO
scdaemon(1) gpgsm(1)
Scute 1.7.1-unknown 2024-12-18 SCUTE(7)