
Comments (6)

alonbl commented on August 17, 2024

from gnupg-pkcs11-scd.

pyllyukko commented on August 17, 2024

Got it. You probably want the logs with debug-all & verbose. If it's ok, I'll send it via email.

from gnupg-pkcs11-scd.

pyllyukko commented on August 17, 2024

I've narrowed this down a bit. So something has changed between GnuPG versions 2.2 and 2.3 that makes this happen. With GnuPG version 2.2.42 everything works perfectly. I started to go back from version 2.3.0 and got as far as 2.3.0-beta1109 (3c4ab53) where this is already happening and was unable to compile earlier versions/commits.

Here are some log extracts from a decryption operation:

2.2.42 - smart card working

==> /home/pyllyukko/.gnupg/gpg-agent.log <==
2024-01-16 21:31:38 gpg-agent[26041] gpg-agent (GnuPG) 2.2.42 started

==> /home/pyllyukko/.gnupg/gpgsm.log <==
2024-01-16 21:31:38 gpgsm[26038] encrypted to rsa3072 key ...

==> /home/pyllyukko/.gnupg/gnupg-pkcs11-scd.log <==
gnupg-pkcs11-scd[26047.1563801920]: Listening to socket '/tmp/gnupg-pkcs11-scd.1FaTNv/agent.S'
gnupg-pkcs11-scd[26047.1563801920]: accepting connection
gnupg-pkcs11-scd[26047]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[26047.1563801920]: processing connection
gnupg-pkcs11-scd[26047]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[26047]: chan_0 -> D /tmp/gnupg-pkcs11-scd.1FaTNv/agent.S
gnupg-pkcs11-scd[26047]: chan_0 -> OK
gnupg-pkcs11-scd[26047]: chan_0 <- OPTION event-signal=12
gnupg-pkcs11-scd[26047]: chan_0 -> OK
gnupg-pkcs11-scd[26047]: chan_0 <- SERIALNO --demand=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
gnupg-pkcs11-scd[26047]: chan_0 -> S SERIALNO YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY 0
gnupg-pkcs11-scd[26047]: chan_0 -> OK

==> /home/pyllyukko/.gnupg/gpg-agent.log <==
2024-01-16 21:31:39 gpg-agent[26041] detected card with S/N YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY

==> /home/pyllyukko/.gnupg/gnupg-pkcs11-scd.log <==
gnupg-pkcs11-scd[26047]: chan_0 <- SETDATA ...
gnupg-pkcs11-scd[26047]: chan_0 -> OK
gnupg-pkcs11-scd[26047]: chan_0 <- PKDECRYPT ...
gnupg-pkcs11-scd[26047]: chan_0 -> S PADDING 0
gnupg-pkcs11-scd[26047]: chan_0 -> [ xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ...(2 byte(s) skipped) ]
gnupg-pkcs11-scd[26047]: chan_0 -> OK
gnupg-pkcs11-scd[26047]: chan_0 <- RESTART
gnupg-pkcs11-scd[26047]: chan_0 -> OK

2.3.0-beta1109 - smart card NOT working

==> /home/pyllyukko/.gnupg/gpg-agent.log <==
2024-01-16 21:48:38 gpg-agent[26925] gpg-agent (GnuPG) 2.3.0-beta1109 started

==> /home/pyllyukko/.gnupg/gpgsm.log <==
2024-01-16 21:48:38 gpgsm[26923] Note: non-critical certificate policy not allowed
2024-01-16 21:48:39 gpgsm[26923] Note: non-critical certificate policy not allowed
2024-01-16 21:48:39 gpgsm[26923] DBG: recp 0 - issuer: '...'
2024-01-16 21:48:39 gpgsm[26923] DBG: recp 0 - serial: XXXXXXXX

==> /home/pyllyukko/.gnupg/gnupg-pkcs11-scd.log <==
gnupg-pkcs11-scd[26930.3407657280]: Listening to socket '/tmp/gnupg-pkcs11-scd.Jyjbtk/agent.S'
gnupg-pkcs11-scd[26930.3407657280]: accepting connection
gnupg-pkcs11-scd[26930]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[26930.3407657280]: processing connection
gnupg-pkcs11-scd[26930]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[26930]: chan_0 -> D /tmp/gnupg-pkcs11-scd.Jyjbtk/agent.S
gnupg-pkcs11-scd[26930]: chan_0 -> OK
gnupg-pkcs11-scd[26930]: chan_0 <- OPTION event-signal=12
gnupg-pkcs11-scd[26930]: chan_0 -> OK
gnupg-pkcs11-scd[26930]: chan_0 <- SERIALNO --all
gnupg-pkcs11-scd[26930]: chan_0 -> S SERIALNO XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 0
gnupg-pkcs11-scd[26930]: chan_0 -> OK
gnupg-pkcs11-scd[26930]: chan_0 <- KEYINFO XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
gnupg-pkcs11-scd[26930]: chan_0 -> ERR 41 Wrong public key algorithm <Unspecified source>

At this point GnuPG asks me to insert a smart card, even though it's already inserted.

==> /home/pyllyukko/.gnupg/gpg-agent.log <==
2024-01-16 21:48:58 gpg-agent[26925] smartcard decryption failed: Operation cancelled
2024-01-16 21:48:58 gpg-agent[26925] command 'PKDECRYPT' failed: Operation cancelled <Pinentry>

==> /home/pyllyukko/.gnupg/gpgsm.log <==
2024-01-16 21:48:58 gpgsm[26923] error decrypting session key: Operation cancelled
2024-01-16 21:48:58 gpgsm[26923] decrypting session key failed: Operation cancelled
2024-01-16 21:48:58 gpgsm[26923] message decryption failed: Operation cancelled <Pinentry>

==> /home/pyllyukko/.gnupg/gnupg-pkcs11-scd.log <==
gnupg-pkcs11-scd[26930]: chan_0 <- RESTART
gnupg-pkcs11-scd[26930]: chan_0 -> OK

from gnupg-pkcs11-scd.
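A way to compare the two gnupg-pkcs11-scd traces in the comment above mechanically, as an added example that is not part of the thread or of the gnupg-pkcs11-scd project: it pairs each Assuan command with its final reply and reports which commands failed, which appear only in the failing trace, and which were never sent. The function names `exchanges`, `triage` and `trace` are hypothetical, and the sample traces are constructed by condensing the extracts in the post.

```python
import re

# Assuan trace lines as gnupg-pkcs11-scd logs them: "<-" is a command from
# gpg-agent, "->" is the daemon's reply.
LINE = re.compile(r"gnupg-pkcs11-scd\[\d+\]: chan_(\d+) (<-|->) (.*)")

def exchanges(log):
    """Pair each command with its S status lines and final OK/ERR reply."""
    out, pending = [], {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # tail headers, thread-tagged housekeeping lines, blanks
        chan, direction, text = m.groups()
        if direction == "<-":
            verb, _, args = text.partition(" ")
            pending[chan] = {"cmd": verb, "args": args, "status": [], "result": None}
            out.append(pending[chan])
        elif chan in pending:  # replies before any command (the greeting) are skipped
            if text == "OK" or text.startswith(("OK ", "ERR ")):
                pending.pop(chan)["result"] = text
            elif text.startswith("S "):
                pending[chan]["status"].append(text[2:])
    return out

def triage(good_log, bad_log):
    """Diff a working trace against a failing one."""
    good, bad = exchanges(good_log), exchanges(bad_log)
    seen_good, seen_bad = {e["cmd"] for e in good}, {e["cmd"] for e in bad}
    return {
        "errors": [(e["cmd"], e["result"]) for e in bad
                   if e["result"] and e["result"].startswith("ERR ")],
        "only_in_bad": sorted(seen_bad - seen_good),
        "never_reached": sorted(seen_good - seen_bad),
    }

def trace(pid, steps):
    # Constructed sample input, condensed from the log extracts in the post.
    return "\n".join(f"gnupg-pkcs11-scd[{pid}]: chan_0 {s}" for s in steps)

GOOD = trace(26047, ["-> OK PKCS#11 smart-card server for GnuPG ready",
    "<- SERIALNO --demand=YYYY", "-> S SERIALNO YYYY 0", "-> OK",
    "<- SETDATA ...", "-> OK", "<- PKDECRYPT ...", "-> S PADDING 0", "-> OK",
    "<- RESTART", "-> OK"])
BAD = trace(26930, ["<- SERIALNO --all", "-> S SERIALNO XXXX 0", "-> OK",
    "<- KEYINFO XXXX", "-> ERR 41 Wrong public key algorithm <Unspecified source>",
    "<- RESTART", "-> OK"])

if __name__ == "__main__":
    print(triage(GOOD, BAD))
```

On these samples the only error is the reply to `KEYINFO`, and `SETDATA` and `PKDECRYPT` are never sent in the failing trace.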

alonbl commented on August 17, 2024

from gnupg-pkcs11-scd.

pyllyukko commented on August 17, 2024

But maybe this is a hint: non-critical certificate policy not allowed

There is a commit in GnuPG which implies it's nothing critical:

commit 4f1b9e3abb337470e5e4809b3a7f2df33f5a63a4
Author: Werner Koch [email protected]
Date: Mon Dec 5 14:31:45 2022 +0100

gpgsm: Silence the "non-critical certificate policy not allowed".

* sm/certchain.c (check_cert_policy): Print non-critical policy
warning only in verbose mode.

from gnupg-pkcs11-scd.

alonbl commented on August 17, 2024

Please send me your certificate.

from gnupg-pkcs11-scd.
