Bug 248598

Summary: Keys cannot be signed if smartcard is used
Product: [Applications] kgpg Reporter: Stanislav Sidorenko <stanislav>
Component: generalAssignee: Rolf Eike Beer <kde>
Status: RESOLVED FIXED    
Severity: normal CC: stanislav
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Ubuntu   
OS: Linux   
Latest Commit: Version Fixed In: 4.5.1
Sentry Crash Report:
Attachments: Ignore CARDCTRL and add debugging
Debug log
Fix signing keys with multiple UIDs
Fix signing keys with multiple UIDs

Description Stanislav Sidorenko 2010-08-21 15:06:56 UTC
Version:           unspecified (using KDE 4.5.0) 
OS:                Linux

I'm trying to sign a key using "Sign key" menu that appear after right-click on a ky. My secret key is stored on a smartcard. The whole procedure passes without any error messages but other key is still unsigned as a result. I use OpenPGP V2 smartcard.
If key is stored just in file, key signing works correctly.

gpg uses gpg-agent, pinentry-qt4 and scdaemon for smartcard and PIN operations.


Reproducible: Always

Steps to Reproduce:
1. Right-click on a key and choose "Sign key".
2. KGPG show warning with key ID and fingerprint, click continue.
3. KGPG asks to select a key that is to be used for signing, select a key that is stored on a smartcard. Don't enable "Don't sign all UIDs (open terminal)"  checkbox. All other inputs may have any values. Click OK.
4. A pinentry-qt4 window is shown, enter smart-card PIN and click OK.


Actual Results:  
Key is still not signed as a result.

Expected Results:  
Key key should be signed.
Comment 1 Rolf Eike Beer 2010-08-21 19:45:37 UTC
If you can tell me how you do that signing using GnuPG command line I can try to get that working. Since I don't have such smartcard stuff around I can't test myself.

See also bug 139965.
Comment 2 Stanislav Sidorenko 2010-08-22 14:41:58 UTC
Command line is exactly the same in both cases, but status messages are different.

Here is the list of statuses I found in documentation and reproduced myself:


NEED_PASSPHRASE_PIN <card_type> <chvno> [<serialno>]
 Issued whenever a PIN is requested to unlock a card.
I think it should be processed exactly as NEED_PASSPHRASE status. 


GET_HIDDEN passphrase.pin.ask
Asks for PIN. Processing should be mostly the same as for "GET_HIDDEN passphrase.enter" status. Occured only if gpg-agent is not used. 

CARDCTRL 1 [<serialno>]
Requests for insertion of card with a given serialno. Occured only if gpg-agent is not used, otherwise this operation is done by pinentry. gpg waits pressing enter before trying one more time of "c" input for cancel.

CARDCTRL 2 [<serialno>]
Requests for removal of card with a given serialno. Occured only if gpg-agent is not used, otherwise this operation is done by pinentry. I've never seen it.

CARDCTRL 3 [<serialno>]
Means that gpg found an appropriate card, should be just skipped.


CARDCTRL 4 [<serialno>]
or
CARDCTRL 5 [<serialno>]
Means that gpg cannot find an appropriate card and fails. Should be processed as an error.


SC_OP_FAILURE [number]
Documentation says the following: An operation on a smartcard definitely failed.  Currently
        there is no indication of the actual error code, but
        application should be prepared to later accept more arguments.
        Defined values for CODE are:
           0 - unspecified error (identically to a missing CODE)
           1 - canceled
           2 - bad PIN
I really never saw error codes here, just "SC_OP_FAILURE". I think approach may be as follows:
"SC_OP_FAILURE 1" is to be processed simulary to MISSING_PASSPHRASE
"SC_OP_FAILURE 2" is to be processed simulary to BAD_PASSPHRASE
"SC_OP_FAILURE 0" is to be processed as some general error.



I did some debugging and found that current KGPG send "quit" to gpg after it meets "CARDCTRL 3" status. Was this information helpful? I you need I can reproduce any use case with smartcards.
Comment 3 Rolf Eike Beer 2010-08-22 18:16:15 UTC
Created attachment 50837 [details]
Ignore CARDCTRL and add debugging

Yes, this was extremely helpful. I have the GnuPG source here so I can look at the doc/DETAILS anytime so no need to further quote that.

Please try the attached patch. It is against trunk but should work against 4.5 also.

This will
-ignore all CARDCTRL messages
-prints the communication with gnupg processes

You need only turn on the debugging for KGpg (number 2100) in kdebugdialog.
Comment 4 Stanislav Sidorenko 2010-08-22 23:49:18 UTC
Created attachment 50840 [details]
Debug log

KGPG <-> GPG communication log file of different smartcard use cases.
Comment 5 Stanislav Sidorenko 2010-08-22 23:49:43 UTC
Thanks.

I've made a trunk-based build with this patch and checked key signing and also other operations.

Key signing works correctly for single-UID keys, but not for keys with two ore more UID. However it does look to be smartcard-specific issue.

Also I've found that adding new UID fails and it is smartcard-specific.

I've attached debug messages file for all use cases I tried.
Comment 6 Rolf Eike Beer 2010-08-23 08:08:07 UTC
Created attachment 50850 [details]
Fix signing keys with multiple UIDs

Signing keys with multiple UIDs seems generally broken because I missed an internal conversion here. Please try this patch on top of the other one.
Comment 7 Stanislav Sidorenko 2010-08-23 19:35:20 UTC
Latest patch contains changes to transactions/kgpgimport.cpp file. It seems that it is not related to signing feature. In all cases it does fix the issue :)

I've also created bug 248833 - that's about broken adding UID feature, also smartcard-sprecific.
Comment 8 Rolf Eike Beer 2010-08-23 21:23:34 UTC
Created attachment 50870 [details]
Fix signing keys with multiple UIDs

Right patch this time.
Comment 9 Stanislav Sidorenko 2010-08-23 21:48:44 UTC
Checked on trunk-based build. Works OK now.
Comment 10 Rolf Eike Beer 2010-08-23 22:03:24 UTC
SVN commit 1167159 by dakon:

fix signing keys with multiple uids

CCBUG:248598

 M  +3 -5      kgpgsignkey.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=1167159
Comment 11 Rolf Eike Beer 2010-08-23 22:03:28 UTC
SVN commit 1167161 by dakon:

ignore smartcard status messages

CCBUG:248598

 M  +2 -0      kgpgtransaction.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=1167161
Comment 12 Rolf Eike Beer 2010-08-23 22:17:50 UTC
SVN commit 1167162 by dakon:

backport the fixes to allow KGpg working with keys stored on smartcards

backport of 1167158, 1167159 and 1167161

BUGS:139965,248598,248833


 M  +2 -0      kgpgadduid.cpp  
 M  +3 -5      kgpgsignkey.cpp  
 M  +2 -0      kgpgtransaction.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=1167162