CMCDragonkai · December 10, 2025 04:16
diff --git a/linux-trust-root.txt b/linux-trust-root.txt
                        +------------------------------+
                        |        Hardware / OS         |
                        | (TPM/FIDO2, kernel keyring)  |
                        +---------------+--------------+
                                        |
                                        v
                       (system services / daemons)
 +----------------------+                |                 +------------------------+
 |    systemd-credentials|               |                 |    Polykey agent      |
 |  (LoadCredential=,    |               |                 |  - JWK root keys      |
 |   /run/credstore, fds)|               |                 |  - sigchains, claims  |
 +-----------+----------+                |                 +-----------+------------+
            |                           |                             |
            | inject secrets into       | uses OS creds (TPM, files)  | exports X.509
            | unit's file descriptors   | for its own storage         | (PEM/P12) for apps
            v                           v                             v
 +----------------------+     +---------------------------+   +----------------------+
 |  system services     |     |   Filesystem key stores   |   |   X.509 artefacts    |
 |  (nginx, postgres,   |     |   - /etc/ssl/certs (CAs)  |   |   - cert.pem         |
 |   your infra)        |     |   - /etc/pki (CAs)        |   |   - key.pem          |
 +----------------------+     |   - ~/.pki, NSS DB        |   |   - x.p12            |
                             |   - ~/.gnupg (GPG+S/MIME) |   +----------+----------+
                             |   - ~/.ssh (SSH keys)     |              |
                             +---------------------------+              |
                                                                          readable via
                                                                          OpenSSL/NSS/QCA
                                                                          or PKCS#11

                     +-------------------------------------------------------------+
                     |                     Middleware / APIs                       |
                     |                                                           |
                     |  +-----------+   +-----------+   +-----------+           |
                     |  | OpenSSL   |   | GnuTLS    |   |   NSS     |           |
                     |  +-----------+   +-----------+   +-----------+           |
                     |         ^                ^                 ^             |
                     |         |                |                 |             |
                     |       (PEM/P12)       (PEM/P12)        (NSS DB)          |
                     |                                                           |
                     |  +-----------------------------------------------------+  |
                     |  |              PKCS#11 / p11-kit hub                  |  |
                     |  |  - exposes tokens: gnupg-pkcs11, GNOME keyring,     |  |
                     |  |    smartcards, HSMs                                 |  |
                     |  +--------------------+--------------------------------+  |
                     |                       |                                   |
                     +-----------------------|-----------------------------------+
                                             |
                             +---------------+-----------------+
                             |        GNOME keyring            |
                             |  (gnome-keyring-daemon)         |
                             |   - secrets, some keys/certs    |
                             |   - Secret Service (D-Bus)      |
                             |   - PKCS#11 module for p11-kit  |
                             +---------------+-----------------+
                                             ^
                                             |
                                     +-------+--------+
                                     |   Seahorse     |
                                     | (GUI: manages  |
                                     |  GNOME keyring |
                                     |  + sometimes   |
                                     |   GPG keys)    |
                                     +----------------+

          +----------------------+             +------------------------------+
          |      GnuPG           |             |             SSH              |
          |  ~/.gnupg, gpg-agent |             |  ~/.ssh, ssh-agent or        |
          |  - OpenPGP           |             |  gpg-agent w/ ssh support    |
          |  - gpgsm (X.509/S-MIME)|           +------------------------------+
          +----------+-----------+
                     |
        GPGME / assuan / pinentry
                     |
        Apps that speak GPG: git, mail, etc.

 +---------------------------------------------------------------------------------+
 |                                    Apps                                         |
 |                                                                                 |
 |  Browsers       PDF tools             Mailers              CLI tools            |
 |  - Firefox      - Okular              - Thunderbird        - curl, git, ssh     |
 |  - Chrome       - Master PDF Editor   - Evolution          - openssl, gpg       |
 |                                                                                 |
 |  They pull keys/certs via:                                                      |
 |  - direct file paths (PEM, P12)                                                 |
 |  - NSS DB (Firefox)                                                             |
 |  - PKCS#11/p11-kit (YubiKey, GNOME keyring, etc.)                               |
 |  - GPGME/gpg-agent (for OpenPGP stuff)                                         |
 +---------------------------------------------------------------------------------+


               Polykey node
           +-------------------+
           |  private.jwk      |
           |  public.jwk       |
           |  sigchain, claims |
           +---------+---------+
                     |
             "export X.509"
                     v
  cert.pem / key.pem / p12 (for PDF signing, TLS, etc.)
                     |
        imported into:
        - Master PDF Editor / Okular (PKCS#12)
        - GNOME keyring via Seahorse (PKCS#12 or cert+key)
        - systemd-credentials (as opaque secret)
        - NSS/OpenSSL-driven apps
	+------------------------------+
	\| Hardware / OS \|
	\| (TPM/FIDO2, kernel keyring) \|
	+---------------+--------------+
	\|
	v
	(system services / daemons)
	+----------------------+ \| +------------------------+
	\| systemd-credentials\| \| \| Polykey agent \|
	\| (LoadCredential=, \| \| \| - JWK root keys \|
	\| /run/credstore, fds)\| \| \| - sigchains, claims \|
	+-----------+----------+ \| +-----------+------------+
	\| \| \|
	\| inject secrets into \| uses OS creds (TPM, files) \| exports X.509
	\| unit's file descriptors \| for its own storage \| (PEM/P12) for apps
	v v v
	+----------------------+ +---------------------------+ +----------------------+
	\| system services \| \| Filesystem key stores \| \| X.509 artefacts \|
	\| (nginx, postgres, \| \| - /etc/ssl/certs (CAs) \| \| - cert.pem \|
	\| your infra) \| \| - /etc/pki (CAs) \| \| - key.pem \|
	+----------------------+ \| - ~/.pki, NSS DB \| \| - x.p12 \|
	\| - ~/.gnupg (GPG+S/MIME) \| +----------+----------+
	\| - ~/.ssh (SSH keys) \| \|
	+---------------------------+ \|
	readable via
	OpenSSL/NSS/QCA
	or PKCS#11

	+-------------------------------------------------------------+
	\| Middleware / APIs \|
	\| \|
	\| +-----------+ +-----------+ +-----------+ \|
	\| \| OpenSSL \| \| GnuTLS \| \| NSS \| \|
	\| +-----------+ +-----------+ +-----------+ \|
	\| ^ ^ ^ \|
	\| \| \| \| \|
	\| (PEM/P12) (PEM/P12) (NSS DB) \|
	\| \|
	\| +-----------------------------------------------------+ \|
	\| \| PKCS#11 / p11-kit hub \| \|
	\| \| - exposes tokens: gnupg-pkcs11, GNOME keyring, \| \|
	\| \| smartcards, HSMs \| \|
	\| +--------------------+--------------------------------+ \|
	\| \| \|
	+-----------------------\|-----------------------------------+
	\|
	+---------------+-----------------+
	\| GNOME keyring \|
	\| (gnome-keyring-daemon) \|
	\| - secrets, some keys/certs \|
	\| - Secret Service (D-Bus) \|
	\| - PKCS#11 module for p11-kit \|
	+---------------+-----------------+
	^
	\|
	+-------+--------+
	\| Seahorse \|
	\| (GUI: manages \|
	\| GNOME keyring \|
	\| + sometimes \|
	\| GPG keys) \|
	+----------------+

	+----------------------+ +------------------------------+
	\| GnuPG \| \| SSH \|
	\| ~/.gnupg, gpg-agent \| \| ~/.ssh, ssh-agent or \|
	\| - OpenPGP \| \| gpg-agent w/ ssh support \|
	\| - gpgsm (X.509/S-MIME)\| +------------------------------+
	+----------+-----------+
	\|
	GPGME / assuan / pinentry
	\|
	Apps that speak GPG: git, mail, etc.

	+---------------------------------------------------------------------------------+
	\| Apps \|
	\| \|
	\| Browsers PDF tools Mailers CLI tools \|
	\| - Firefox - Okular - Thunderbird - curl, git, ssh \|
	\| - Chrome - Master PDF Editor - Evolution - openssl, gpg \|
	\| \|
	\| They pull keys/certs via: \|
	\| - direct file paths (PEM, P12) \|
	\| - NSS DB (Firefox) \|
	\| - PKCS#11/p11-kit (YubiKey, GNOME keyring, etc.) \|
	\| - GPGME/gpg-agent (for OpenPGP stuff) \|
	+---------------------------------------------------------------------------------+


	Polykey node
	+-------------------+
	\| private.jwk \|
	\| public.jwk \|
	\| sigchain, claims \|
	+---------+---------+
	\|
	"export X.509"
	v
	cert.pem / key.pem / p12 (for PDF signing, TLS, etc.)
	\|
	imported into:
	- Master PDF Editor / Okular (PKCS#12)
	- GNOME keyring via Seahorse (PKCS#12 or cert+key)
	- systemd-credentials (as opaque secret)
	- NSS/OpenSSL-driven apps
No results found