Page MenuHome GnuPG

gpgsm: Can't create certificate
Closed, ResolvedPublic

Description

When I try to generate a new ceritificate gpgsm fails with an internal error:

$ gpgsm --gen-key
gpgsm (GnuPG) 2.0.28; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpgsm: enabled debug flags: x509 mpi crypto memory cache memstat hashing
assuan
Please select what kind of key you want:

(1) RSA
(2) Existing key
(3) Existing key from card

Your selection? 1
What keysize do you want? (2048)
Requested keysize is 2048 bits
Possible actions for a RSA key:

(1) sign, encrypt
(2) sign
(3) encrypt

Your selection? 1
Enter the X.509 subject name: CN=test
Enter email addresses (end with an empty line):

sdfgsdg@test.de

Enter DNS names (optional; end with an empty line):

Enter URIs (optional; end with an empty line):

Parameters to be used for the certificate request:

    Key-Type: RSA
    Key-Length: 2048
    Key-Usage: sign, encrypt
    Name-DN: CN=test
    Name-Email: sdfgsdg@test.de

Really create request? (y/N) y
Now creating certificate request. This may take a while ...
gpgsm: DBG: connection to agent established
gpgsm: about to sign CSR for key: &2B76EFEE549CFE06D606C2E239542CA06F762DCD
Ohhhh jeeee: ... this is a bug (md.c:809:md_read)
Abgebrochen

also when trying the the server mode:

$ gpgsm --server

  1. Home: ~/.gnupg
  2. Config: /home/developer/.gnupg/gpgsm.conf
  3. AgentInfo: /home/developer/.gnupg/S.gpg-agent:5197:1
  4. DirmngrInfo: [not set]

OK GNU Privacy Guard's S/M server 2.0.28 ready
INPUT FD=1
OK
OUTPUT FD=2
OK
GENKEY
key-type: RSA
key-length: 2048
name-email: test@test.de
name-dn: CN=asdf asdf,O=asdf,C=asdf
<Ctrl+D>
Ohhhh jeeee: ... this is a bug (md.c:809:md_read)
Aborted

Details

External Link
https://bugs.debian.org/796774
Version
2.0.28

Event Timeline

hefee set External Link to https://bugs.debian.org/796774.
hefee added a subscriber: hefee.

This is a regression in 2.0.28. The fix is
commit 35d3ced4fda90a5410a579850ca92ea6a356b402
which reverts to use SHA-1 for a CSR.

It works fine in 2.1 but backporting the changes is not planned.

To clarify werners comment. The revert is part of the 2.0 branch. I've
confoirmed the fix works so -> resolved) But awaiting a package / downstream
deployment.
The default for 2.0 won't be changed away from SHA-1.

This will be part of the next gpg4win release.

(Btw. Good to see you here sandro ;-) )