| Field | Value |
|---|---|
| Summary: | Keys cannot be signed if smartcard is used |
| Product: | [Applications] kgpg |
| Reporter: | Stanislav Sidorenko <stanislav> |
| Component: | general |
| Assignee: | Rolf Eike Beer <kde> |
| Status: | RESOLVED FIXED |
| Severity: | normal |
| CC: | stanislav |
| Priority: | NOR |
| Version First Reported In: | unspecified |
| Target Milestone: | --- |
| Platform: | Ubuntu |
| OS: | Linux |
| Latest Commit: | |
| Version Fixed/Implemented In: | 4.5.1 |
| Sentry Crash Report: | |
| Attachments: | Ignore CARDCTRL and add debugging; Debug log; Fix signing keys with multiple UIDs; Fix signing keys with multiple UIDs |
Description
Stanislav Sidorenko
2010-08-21 15:06:56 UTC
If you can tell me how you do that signing using the GnuPG command line I can try to get that working. Since I don't have such smartcard stuff around I can't test myself. See also bug 139965.

The command line is exactly the same in both cases, but the status messages are different.
Here is the list of statuses I found in the documentation and reproduced myself:

- `NEED_PASSPHRASE_PIN <card_type> <chvno> [<serialno>]`
  Issued whenever a PIN is requested to unlock a card. I think it should be processed exactly like the NEED_PASSPHRASE status.
- `GET_HIDDEN passphrase.pin.ask`
  Asks for a PIN. Processing should be mostly the same as for the "GET_HIDDEN passphrase.enter" status. Occurs only if gpg-agent is not used.
- `CARDCTRL 1 [<serialno>]`
  Requests insertion of the card with the given serialno. Occurs only if gpg-agent is not used, otherwise this operation is done by pinentry. gpg waits for Enter to be pressed before trying one more time, or for "c" input to cancel.
- `CARDCTRL 2 [<serialno>]`
  Requests removal of the card with the given serialno. Occurs only if gpg-agent is not used, otherwise this operation is done by pinentry. I've never seen it.
- `CARDCTRL 3 [<serialno>]`
  Means that gpg found an appropriate card; should just be skipped.
- `CARDCTRL 4 [<serialno>]` or `CARDCTRL 5 [<serialno>]`
  Means that gpg cannot find an appropriate card and fails. Should be processed as an error.
- `SC_OP_FAILURE [number]`
  The documentation says the following: An operation on a smartcard definitely failed. Currently there is no indication of the actual error code, but the application should be prepared to later accept more arguments. Defined values for CODE are:
  0 - unspecified error (identical to a missing CODE)
  1 - canceled
  2 - bad PIN
  I really never saw error codes here, just "SC_OP_FAILURE". I think the approach may be as follows:
  "SC_OP_FAILURE 1" is to be processed similarly to MISSING_PASSPHRASE
  "SC_OP_FAILURE 2" is to be processed similarly to BAD_PASSPHRASE
  "SC_OP_FAILURE 0" is to be processed as some general error.

I did some debugging and found that the current KGpg sends "quit" to gpg after it meets the "CARDCTRL 3" status. Was this information helpful? If you need, I can reproduce any use case with smartcards.
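To make the proposed handling concrete, here is an added C++ example (not KGpg's code; `classifyStatus`, `firstFatalAction` and the enum are hypothetical names) that classifies GnuPG status-fd lines following the mapping in the list above. It treats CARDCTRL 4 and 5 as errors as the report proposes, whereas the patch discussed later in this bug simply ignores every CARDCTRL line; the sample transcript and serial number are constructed.

```cpp
#include <sstream>
#include <string>
#include <vector>

// What a smartcard-aware GnuPG client should do with one status-fd line.
enum class Action { NeedPassphrase, Ignore, MissingPassphrase, BadPassphrase, GenericError, Unhandled };

// Classify a single "[GNUPG:] KEYWORD [args...]" line using the mapping proposed
// in the report (hypothetical helper, not KGpg's own code):
//  - NEED_PASSPHRASE_PIN and "GET_HIDDEN passphrase.pin.ask": an ordinary PIN prompt
//  - CARDCTRL 1/2/3: nothing to do (card found, or pinentry handles the prompt)
//  - CARDCTRL 4/5: no suitable card, an error
//  - SC_OP_FAILURE 1 / 2: like MISSING_PASSPHRASE / BAD_PASSPHRASE; any other code,
//    or no code at all (what the reporter actually saw), a generic error
Action classifyStatus(const std::string &line) {
    std::istringstream in(line);
    std::string tag, keyword, arg;
    in >> tag >> keyword >> arg;          // arg stays empty when the line has no argument
    if (tag != "[GNUPG:]")
        return Action::Unhandled;         // not a status line (e.g. plain stderr output)
    if (keyword == "NEED_PASSPHRASE_PIN")
        return Action::NeedPassphrase;
    if (keyword == "GET_HIDDEN" && arg == "passphrase.pin.ask")
        return Action::NeedPassphrase;
    if (keyword == "CARDCTRL")
        return (arg == "4" || arg == "5") ? Action::GenericError : Action::Ignore;
    if (keyword == "SC_OP_FAILURE") {
        if (arg == "1") return Action::MissingPassphrase;
        if (arg == "2") return Action::BadPassphrase;
        return Action::GenericError;
    }
    return Action::Unhandled;             // everything else goes to the regular handler
}

// Walk a status transcript and return the first action that ends the transaction,
// or Ignore when every card-related line can be skipped. A client that quit on
// CARDCTRL 3 (the behaviour described in the report) never reached the signing step.
Action firstFatalAction(const std::vector<std::string> &lines) {
    for (const auto &l : lines) {
        Action a = classifyStatus(l);
        if (a == Action::MissingPassphrase || a == Action::BadPassphrase || a == Action::GenericError)
            return a;
    }
    return Action::Ignore;
}

// Constructed sample transcript of a card-backed key signing; the serial number is a placeholder.
const std::vector<std::string> kSampleLog = {
    "[GNUPG:] CARDCTRL 3 0123456789ABCDEF",
    "[GNUPG:] NEED_PASSPHRASE_PIN OPENPGP 1 0123456789ABCDEF",
    "[GNUPG:] GOOD_PASSPHRASE",
    "[GNUPG:] GET_LINE keyedit.prompt",
};
```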
Created attachment 50837
Ignore CARDCTRL and add debugging

Yes, this was extremely helpful. I have the GnuPG source here so I can look at doc/DETAILS anytime, so no need to quote that further.
Please try the attached patch. It is against trunk but should work against 4.5 also.
This will
- ignore all CARDCTRL messages
- print the communication with the gnupg processes
You only need to turn on the debugging for KGpg (number 2100) in kdebugdialog.
Created attachment 50840
Debug log
KGpg <-> GPG communication log file of different smartcard use cases.

Thanks. I've made a trunk-based build with this patch and checked key signing and also other operations. Key signing works correctly for single-UID keys, but not for keys with two or more UIDs. However, it does look to be a smartcard-specific issue. Also I've found that adding a new UID fails and it is smartcard-specific. I've attached a debug messages file for all use cases I tried.

Created attachment 50850
Fix signing keys with multiple UIDs
Signing keys with multiple UIDs seems generally broken because I missed an internal conversion here. Please try this patch on top of the other one.
The latest patch contains changes to the transactions/kgpgimport.cpp file. It seems that it is not related to the signing feature. In all cases it does fix the issue :) I've also created bug 248833 - that's about the broken adding-UID feature, also smartcard-specific.

Created attachment 50870
Fix signing keys with multiple UIDs
Right patch this time.
Checked on a trunk-based build. Works OK now.

SVN commit 1167159 by dakon:
fix signing keys with multiple uids
CCBUG:248598
M +3 -5 kgpgsignkey.cpp
WebSVN link: http://websvn.kde.org/?view=rev&revision=1167159

SVN commit 1167161 by dakon:
ignore smartcard status messages
CCBUG:248598
M +2 -0 kgpgtransaction.cpp
WebSVN link: http://websvn.kde.org/?view=rev&revision=1167161

SVN commit 1167162 by dakon:
backport the fixes to allow KGpg working with keys stored on smartcards
backport of 1167158, 1167159 and 1167161
BUGS:139965,248598,248833
M +2 -0 kgpgadduid.cpp
M +3 -5 kgpgsignkey.cpp
M +2 -0 kgpgtransaction.cpp
WebSVN link: http://websvn.kde.org/?view=rev&revision=1167162