#gpg #yubikey #notifications

app socket-notify

Reads (scdaemon) messages from a socket, emits notifications to remind you to touch your yubikey

2 releases

Uses old Rust 2015

0.1.1 Oct 12, 2017
0.1.0 Oct 11, 2017

#17 in #yubikey

MIT license

87 lines

Socket Notifier

Might be the most boring name for a project so far?


I use a Yubikey for GPG operations. I sign my commits. I use gpg-agent as an ssh agent. It's a very convenient way to get a reasonable level of security.

But, several times a day, I go to commit code or push a branch and instead it times out because I look away rather than touching the blinky light like I'm supposed to, and my push times out. I hate this, not the least because it means that my colleagues are left hanging on a fix that never arrives.

For a while I had pre-commit hooks and an SSH wrapper to remind me that I might need to verify a signature, but that led to problems. Also, there wasn't a way to do that for signed tags, which I also make pretty common use of.

So I started out using a bash script with netcat viz:


source /etc/profile

nc -lU /tmp/scdaemon.sock | while read line; do
  if echo $line | egrep -q 'PK(SIGN|AUTH)'; then
    notify-send "GPG activity" "A process is waiting on the Yubikey!"
    echo "Notifying" >> /tmp/scdaemon.log
  echo $line >> /tmp/scdaemon.log

but the notifications lingered after signing had occurred, which meant I needed to invest attention to close them or distinguish an old notification from a new one that meant I needed to acknowledge it.


Set up a .gnupg/scdaemon.conf like:

log-file socket:///tmp/scdaemon.sock
debug 1027
debug-assuan-log-cats 511

To get scdaemon to pick up the config, you have to gpg-agent-connect scd killscd. (or something like that - if you perfect the command, please PR the docs?)

Then cargo install socket-notify and arrange for it to run while you're logged in. For instance, I have


Description=SmartCard Daemon Notifier

ExecStart=$(which socket-notify)


...et voila! You should receive notification like "GPG Event" whenever your verification of a signing or authentication operation is required. When you approve the signature (or it times out) the notification is replaced with a short-lived update.

Future Plans

( if there's a call for it, or I feel the urge - don't assume this'll happen on its own )

In the present moment, everything is hardcoded. It'd be nice to specify a config file with the socket location, whether to log and where to log to (currently, this always goes to /tmp/scdaemon.log), patterns that trigger notifications and patterns that "answer" a notification.


~113K SLoC