Version: unspecified (using KDE 4.5.0)
OS: Linux
I'm trying to sign a key using the "Sign key" menu that appears after right-clicking on a key. My secret key is stored on a smartcard. The whole procedure passes without any error messages, but the other key is still unsigned as a result. I use an OpenPGP V2 smartcard. If the key is stored just in a file, key signing works correctly. gpg uses gpg-agent, pinentry-qt4 and scdaemon for smartcard and PIN operations.
Reproducible: Always
Steps to Reproduce:
1. Right-click on a key and choose "Sign key".
2. KGPG shows a warning with the key ID and fingerprint; click continue.
3. KGPG asks to select a key that is to be used for signing; select a key that is stored on a smartcard. Don't enable the "Don't sign all UIDs (open terminal)" checkbox. All other inputs may have any values. Click OK.
4. A pinentry-qt4 window is shown; enter the smartcard PIN and click OK.
Actual Results: Key is still not signed as a result.
Expected Results: Key should be signed.
If you can tell me how you do that signing using GnuPG command line I can try to get that working. Since I don't have such smartcard stuff around I can't test myself. See also bug 139965.
Command line is exactly the same in both cases, but status messages are different. Here is the list of statuses I found in documentation and reproduced myself:
NEED_PASSPHRASE_PIN <card_type> <chvno> [<serialno>]
    Issued whenever a PIN is requested to unlock a card. I think it should be processed exactly as NEED_PASSPHRASE status.
GET_HIDDEN passphrase.pin.ask
    Asks for PIN. Processing should be mostly the same as for "GET_HIDDEN passphrase.enter" status. Occurred only if gpg-agent is not used.
CARDCTRL 1 [<serialno>]
    Requests insertion of the card with a given serialno. Occurred only if gpg-agent is not used, otherwise this operation is done by pinentry. gpg waits for Enter to be pressed before trying one more time, or for "c" input to cancel.
CARDCTRL 2 [<serialno>]
    Requests removal of the card with a given serialno. Occurred only if gpg-agent is not used, otherwise this operation is done by pinentry. I've never seen it.
CARDCTRL 3 [<serialno>]
    Means that gpg found an appropriate card, should be just skipped.
CARDCTRL 4 [<serialno>] or CARDCTRL 5 [<serialno>]
    Means that gpg cannot find an appropriate card and fails. Should be processed as an error.
SC_OP_FAILURE [number]
    Documentation says the following: An operation on a smartcard definitely failed. Currently there is no indication of the actual error code, but application should be prepared to later accept more arguments. Defined values for CODE are:
        0 - unspecified error (identically to a missing CODE)
        1 - canceled
        2 - bad PIN
    I really never saw error codes here, just "SC_OP_FAILURE". I think the approach may be as follows:
        "SC_OP_FAILURE 1" is to be processed similarly to MISSING_PASSPHRASE
        "SC_OP_FAILURE 2" is to be processed similarly to BAD_PASSPHRASE
        "SC_OP_FAILURE 0" is to be processed as some general error.
I did some debugging and found that current KGPG sends "quit" to gpg after it meets the "CARDCTRL 3" status. Was this information helpful? If you need, I can reproduce any use case with smartcards.
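The handling proposed in the comment above, sketched as a status-line classifier. This is an added example, not part of the original bug thread and not KGpg code; the `Action` names and `classifyStatusLine` are hypothetical, treating an unknown CARDCTRL code as ignorable is an assumption, and the sample lines are constructed.

```cpp
// Added example, not KGpg source: classify smartcard lines from gpg --status-fd.
#include <iostream>
#include <sstream>
#include <string>

// Hypothetical action names; KGpg's real transaction classes differ.
enum class Action { PinRequested, AskPin, InsertCard, RemoveCard, Ignore,
                    CardError, Cancelled, BadPin, GeneralError, NotCardStatus };

Action classifyStatusLine(const std::string &line)
{
    static const std::string prefix = "[GNUPG:] ";
    if (line.compare(0, prefix.size(), prefix) != 0)
        return Action::NotCardStatus;        // plain gpg output, not a status line
    std::istringstream fields(line.substr(prefix.size()));
    std::string keyword, arg;
    fields >> keyword >> arg;                // arg stays empty when absent

    if (keyword == "NEED_PASSPHRASE_PIN")
        return Action::PinRequested;         // same path as NEED_PASSPHRASE
    if (keyword == "GET_HIDDEN" && arg == "passphrase.pin.ask")
        return Action::AskPin;               // same path as passphrase.enter
    if (keyword == "CARDCTRL") {
        if (arg == "1") return Action::InsertCard;
        if (arg == "2") return Action::RemoveCard;
        if (arg == "4" || arg == "5") return Action::CardError;
        return Action::Ignore;               // 3 = card found; unknown codes are
    }                                        // skipped too (assumption), never "quit"
    if (keyword == "SC_OP_FAILURE") {
        if (arg == "1") return Action::Cancelled;   // like MISSING_PASSPHRASE
        if (arg == "2") return Action::BadPin;      // like BAD_PASSPHRASE
        return Action::GeneralError;                // 0, missing or a future code
    }
    return Action::NotCardStatus;
}

int main()
{
    // Constructed sample lines; the serial number is made up.
    const char *samples[] = { "[GNUPG:] CARDCTRL 3 D2760001240102000000000000010000",
                              "[GNUPG:] SC_OP_FAILURE",
                              "[GNUPG:] GET_HIDDEN passphrase.pin.ask" };
    for (const char *s : samples)
        std::cout << static_cast<int>(classifyStatusLine(s)) << "  " << s << '\n';
    return 0;
}
```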
Created attachment 50837
Ignore CARDCTRL and add debugging
Yes, this was extremely helpful. I have the GnuPG source here so I can look at the doc/DETAILS anytime, so no need to further quote that. Please try the attached patch. It is against trunk but should work against 4.5 also. This will
- ignore all CARDCTRL messages
- print the communication with gnupg processes
You only need to turn on the debugging for KGpg (number 2100) in kdebugdialog.
Created attachment 50840
Debug log
KGPG <-> GPG communication log file of different smartcard use cases.
Thanks. I've made a trunk-based build with this patch and checked key signing and also other operations. Key signing works correctly for single-UID keys, but not for keys with two or more UIDs. However, it does look to be a smartcard-specific issue. Also I've found that adding a new UID fails and it is smartcard-specific. I've attached a debug messages file for all use cases I tried.
Created attachment 50850
Fix signing keys with multiple UIDs
Signing keys with multiple UIDs seems generally broken because I missed an internal conversion here. Please try this patch on top of the other one.
The latest patch contains changes to the transactions/kgpgimport.cpp file. It seems that it is not related to the signing feature. In all cases it does fix the issue :) I've also created bug 248833 - that's about the broken adding UID feature, also smartcard-specific.
Created attachment 50870
Fix signing keys with multiple UIDs
Right patch this time.
Checked on trunk-based build. Works OK now.
SVN commit 1167159 by dakon:
fix signing keys with multiple uids
CCBUG:248598
 M  +3 -5  kgpgsignkey.cpp
WebSVN link: http://websvn.kde.org/?view=rev&revision=1167159
SVN commit 1167161 by dakon:
ignore smartcard status messages
CCBUG:248598
 M  +2 -0  kgpgtransaction.cpp
WebSVN link: http://websvn.kde.org/?view=rev&revision=1167161
SVN commit 1167162 by dakon:
backport the fixes to allow KGpg working with keys stored on smartcards
backport of 1167158, 1167159 and 1167161
BUGS:139965,248598,248833
 M  +2 -0  kgpgadduid.cpp
 M  +3 -5  kgpgsignkey.cpp
 M  +2 -0  kgpgtransaction.cpp
WebSVN link: http://websvn.kde.org/?view=rev&revision=1167162