Summary: | Keys cannot be signed if smartcard is used | ||
---|---|---|---|
Product: | [Applications] kgpg | Reporter: | Stanislav Sidorenko <stanislav> |
Component: | general | Assignee: | Rolf Eike Beer <kde> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | stanislav |
Priority: | NOR | ||
Version: | unspecified | ||
Target Milestone: | --- | ||
Platform: | Ubuntu | ||
OS: | Linux | ||
Latest Commit: | Version Fixed In: | 4.5.1 | |
Sentry Crash Report: | |||
Attachments: |
Ignore CARDCTRL and add debugging
Debug log
Fix signing keys with multiple UIDs
Fix signing keys with multiple UIDs |
Description
Stanislav Sidorenko
2010-08-21 15:06:56 UTC
If you can tell me how you do that signing using GnuPG command line I can try to get that working. Since I don't have such smartcard stuff around I can't test myself. See also bug 139965.

Command line is exactly the same in both cases, but status messages are different. Here is the list of statuses I found in documentation and reproduced myself:

NEED_PASSPHRASE_PIN <card_type> <chvno> [<serialno>]
Issued whenever a PIN is requested to unlock a card. I think it should be processed exactly as NEED_PASSPHRASE status.

GET_HIDDEN passphrase.pin.ask
Asks for PIN. Processing should be mostly the same as for "GET_HIDDEN passphrase.enter" status. Occurred only if gpg-agent is not used.

CARDCTRL 1 [<serialno>]
Requests for insertion of card with a given serialno. Occurred only if gpg-agent is not used, otherwise this operation is done by pinentry. gpg waits pressing enter before trying one more time or "c" input for cancel.

CARDCTRL 2 [<serialno>]
Requests for removal of card with a given serialno. Occurred only if gpg-agent is not used, otherwise this operation is done by pinentry. I've never seen it.

CARDCTRL 3 [<serialno>]
Means that gpg found an appropriate card, should be just skipped.

CARDCTRL 4 [<serialno>] or CARDCTRL 5 [<serialno>]
Means that gpg cannot find an appropriate card and fails. Should be processed as an error.

SC_OP_FAILURE [number]
Documentation says the following: An operation on a smartcard definitely failed. Currently there is no indication of the actual error code, but application should be prepared to later accept more arguments. Defined values for CODE are:
0 - unspecified error (identically to a missing CODE)
1 - canceled
2 - bad PIN

I really never saw error codes here, just "SC_OP_FAILURE". I think approach may be as follows:
"SC_OP_FAILURE 1" is to be processed similarly to MISSING_PASSPHRASE
"SC_OP_FAILURE 2" is to be processed similarly to BAD_PASSPHRASE
"SC_OP_FAILURE 0" is to be processed as some general error.
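The status handling proposed in the report above, as an added example that is not part of the original report and is not KGpg code: a classifier for single lines of gpg's `--status-fd` output, assuming each line carries gpg's `[GNUPG:]` prefix. The `Action` names are hypothetical, and treating unknown `CARDCTRL` subcodes as ignorable is an assumption of this example.

```cpp
#include <sstream>
#include <string>

// Hypothetical action names for this example; not KGpg identifiers.
enum class Action {
    NotCardStatus,   // line is not one of the smartcard statuses
    PinAnnounced,    // NEED_PASSPHRASE_PIN: treat like NEED_PASSPHRASE
    AskPin,          // GET_HIDDEN passphrase.pin.ask: prompt for the PIN
    InsertCard,      // CARDCTRL 1
    RemoveCard,      // CARDCTRL 2
    Ignore,          // CARDCTRL 3: card found, nothing to do
    CardError,       // CARDCTRL 4/5: no appropriate card
    Cancelled,       // SC_OP_FAILURE 1: like MISSING_PASSPHRASE
    BadPin,          // SC_OP_FAILURE 2: like BAD_PASSPHRASE
    GeneralError     // SC_OP_FAILURE 0, or no code at all
};

// Classify one line read from gpg's --status-fd output.
Action classifyStatus(const std::string &line)
{
    std::istringstream in(line);
    std::string prefix, keyword, arg;
    in >> prefix >> keyword;
    if (prefix != "[GNUPG:]")
        return Action::NotCardStatus;
    in >> arg;  // stays empty when the status carries no argument

    if (keyword == "NEED_PASSPHRASE_PIN")
        return Action::PinAnnounced;
    if (keyword == "GET_HIDDEN" && arg == "passphrase.pin.ask")
        return Action::AskPin;
    if (keyword == "CARDCTRL") {
        if (arg == "1") return Action::InsertCard;
        if (arg == "2") return Action::RemoveCard;
        if (arg == "4" || arg == "5") return Action::CardError;
        return Action::Ignore;  // 3, and (assumption) any unknown subcode
    }
    if (keyword == "SC_OP_FAILURE") {
        // A missing code means the same as 0; later arguments are ignored.
        if (arg == "1") return Action::Cancelled;
        if (arg == "2") return Action::BadPin;
        return Action::GeneralError;
    }
    return Action::NotCardStatus;
}
```

The bare `SC_OP_FAILURE` case matters most in practice, since the report notes that gpg was never seen sending a code.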
I did some debugging and found that current KGPG sends "quit" to gpg after it meets "CARDCTRL 3" status.

Was this information helpful? If you need I can reproduce any use case with smartcards.

Created attachment 50837 [details]
Ignore CARDCTRL and add debugging
Yes, this was extremely helpful. I have the GnuPG source here so I can look at the doc/DETAILS anytime so no need to further quote that.
Please try the attached patch. It is against trunk but should work against 4.5 also.
This will
- ignore all CARDCTRL messages
- print the communication with gnupg processes
You need only turn on the debugging for KGpg (number 2100) in kdebugdialog.
Created attachment 50840 [details]
Debug log
KGPG <-> GPG communication log file of different smartcard use cases.
Thanks. I've made a trunk-based build with this patch and checked key signing and also other operations. Key signing works correctly for single-UID keys, but not for keys with two or more UIDs. However it does look to be a smartcard-specific issue. Also I've found that adding new UID fails and it is smartcard-specific. I've attached debug messages file for all use cases I tried.

Created attachment 50850 [details]
Fix signing keys with multiple UIDs
Signing keys with multiple UIDs seems generally broken because I missed an internal conversion here. Please try this patch on top of the other one.
Latest patch contains changes to transactions/kgpgimport.cpp file. It seems that it is not related to signing feature. In all cases it does fix the issue :) I've also created bug 248833 - that's about broken adding UID feature, also smartcard-specific.

Created attachment 50870 [details]
Fix signing keys with multiple UIDs
Right patch this time.
Checked on trunk-based build. Works OK now.

SVN commit 1167159 by dakon:
fix signing keys with multiple uids
CCBUG:248598
M +3 -5 kgpgsignkey.cpp
WebSVN link: http://websvn.kde.org/?view=rev&revision=1167159

SVN commit 1167161 by dakon:
ignore smartcard status messages
CCBUG:248598
M +2 -0 kgpgtransaction.cpp
WebSVN link: http://websvn.kde.org/?view=rev&revision=1167161

SVN commit 1167162 by dakon:
backport the fixes to allow KGpg working with keys stored on smartcards
backport of 1167158, 1167159 and 1167161
BUGS:139965,248598,248833
M +2 -0 kgpgadduid.cpp
M +3 -5 kgpgsignkey.cpp
M +2 -0 kgpgtransaction.cpp
WebSVN link: http://websvn.kde.org/?view=rev&revision=1167162