marginaltool/README.md
2024-01-26 16:45:46 +01:00


marginaltool

Python script to replace MargTools. It can be used to sign documents with GovernmentConnect.

Usage

Run marginaltool -h for a synopsis of command-line arguments. Allowed arguments are

marginaltool [-h] [-e {file,pkcs11}] [-k KEYFILE] [-c CERTFILE] [-i <KEY ID>] URL

To use a signing key and certificate stored in PEM files, install openssl and run

marginaltool -e file -k KEYFILE -c CERTFILE bc-digsign://sign?…

To sign using a PIV-II smartcard such as the Yubikey, install pkcs11-tool from OpenSC and run

marginaltool -e pkcs11 -i <KEY ID> bc-digsign://sign?…

The script will prompt for the PIN to unlock the smartcard. To find the key ID, run

pkcs11-tool -O

To use marginaltool from the web app, set it as the default program for x-scheme-handler/bc-digsign URLs, or copy the marginaltool.desktop file to ~/.local/share/applications/ and run

xdg-mime default marginaltool.desktop x-scheme-handler/bc-digsign

For this to work, the script must be configured as described below.

Configuration

Settings can be saved on a per-site basis in ~/.marginaltool using the configparser format.

[DEFAULT]
engine = pkcs11

[https://gcsign.example.org/BCSign/]
id = 02

[https://gcsign.example.com/BCSign/]
engine = file
keyfile = <path/to/key.pem>
certfile = <path/to/cert.pem>

Any setting can be given for all sites in the [DEFAULT] section or overridden for an individual site. The section name must match the percent-decoded value of the baseUrl parameter in

bc-digsign://sign?…&baseUrl=https%3a%2f%2fgcsign.example.com%2fBCSign%2f&…
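The following is an added example, not marginaltool's own code: it shows how the baseUrl parameter of a bc-digsign://sign URL is percent-decoded and matched against a configparser section, with [DEFAULT] filling in anything the site section omits. The configuration text, the URL and the key paths are constructed for the example; the engine-specific required keys (id for pkcs11, keyfile and certfile for file) follow the usage section above.

```python
import configparser
from urllib.parse import parse_qs, urlsplit

# Constructed configuration in the README's layout; marginaltool reads ~/.marginaltool.
CONFIG_TEXT = """
[DEFAULT]
engine = pkcs11

[https://gcsign.example.org/BCSign/]
id = 02

[https://gcsign.example.com/BCSign/]
engine = file
keyfile = /home/alice/keys/key.pem
certfile = /home/alice/keys/cert.pem
"""

# Settings each engine cannot work without (from the usage synopsis).
REQUIRED = {"pkcs11": ("id",), "file": ("keyfile", "certfile")}


def load_config(text: str) -> configparser.ConfigParser:
    """Parse configparser text whose section names are percent-decoded base URLs."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def base_url_of(url: str) -> str:
    """Return the percent-decoded baseUrl parameter of a bc-digsign://sign URL."""
    parts = urlsplit(url)
    if parts.scheme != "bc-digsign" or parts.netloc != "sign":
        raise ValueError("not a bc-digsign://sign URL")
    values = parse_qs(parts.query).get("baseUrl")  # parse_qs percent-decodes values
    if not values:
        raise ValueError("baseUrl parameter missing")
    return values[0]


def settings_for(url: str, cfg: configparser.ConfigParser) -> dict:
    """Site section merged over [DEFAULT]; a site without its own section gets [DEFAULT] only."""
    site = base_url_of(url)
    merged = dict(cfg[site]) if cfg.has_section(site) else dict(cfg.defaults())
    engine = merged.get("engine")
    if engine not in REQUIRED:
        raise ValueError(f"{site}: unknown engine {engine!r}")
    missing = [key for key in REQUIRED[engine] if key not in merged]
    if missing:
        raise ValueError(f"{site}: engine {engine!r} needs {missing}")
    return merged


if __name__ == "__main__":
    url = "bc-digsign://sign?doc=42&baseUrl=https%3a%2f%2fgcsign.example.com%2fBCSign%2f"
    print(settings_for(url, load_config(CONFIG_TEXT)))
```

A site that falls through to [DEFAULT] inherits engine = pkcs11 but no id, so the lookup fails before any PIN prompt instead of calling pkcs11-tool with an empty key ID.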