gnupg fails to add ssh key to control entry in FIPS mode with libgcrypt 1.10.1
Closed, Resolved (Public)


FIPS mode disables the MD5 digest, but gpg-agent with ssh support requires MD5 to calculate legacy digests, placing them in a comment of the control file. This fails, but no reasonable error message is presented to the user.

gnupg2 should either stop using MD5 digests (OpenSSH has not used them by default for years), ignore failures generating these fingerprints, or at least report some usable errors to users when this happens. Currently, the user interaction looks like this:

# ssh-add testkey
Please enter a passphrase to protect the received secret key
within gpg-agent's key storage
Identity added: testkey (root@rhel-9-0-0-20220401-0.local)

# ssh-add -l
The agent has no identities.

My proposal is to ignore failures from generating the md5 fingerprints if they are not available, but I do not mind the other options.

A similar issue is present in the tests, which need to be adjusted, probably to detect FIPS mode based on the libgcrypt FIPS mode status. I have a patch for t-ssh-utils.

There are other issues in FIPS mode, mostly the handling of algorithms unsupported in FIPS mode, but I have not gotten into the scm format yet to be able to fix them.


External Link
master with libgcrypt 1.10.1 in FIPS mode

Event Timeline

gniibe triaged this task as Normal priority.
gniibe added a subscriber: gniibe.

Patches applied and pushed. For common/t-ssh-utils, I applied my fix for the use case with a key on the command line when FIPS mode is enabled (an MD5 error is OK in this case).

gniibe moved this task from Next to Done on the FIPS board.
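
The behaviour proposed in the report (tolerate a missing MD5 fingerprint, never drop the key entry) can be sketched as follows. This is an added example, not GnuPG's code: the function names, the injectable `md5_factory`, the comment layout of the entry and the sample key are all assumptions constructed for illustration.

```python
import base64
import hashlib


def ssh_fingerprints(pubkey_line, md5_factory=hashlib.md5):
    """Return (sha256_fpr, md5_fpr or None) for one OpenSSH public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)

    # SHA-256 is FIPS-approved, so a failure here is a genuine error.
    digest = hashlib.sha256(blob).digest()
    sha256_fpr = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

    # The MD5 form is legacy and informational. On a FIPS-enabled host the
    # constructor raises ValueError; record "unavailable" instead of failing.
    try:
        hexd = md5_factory(blob).hexdigest()
        md5_fpr = "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))
    except ValueError:
        md5_fpr = None
    return sha256_fpr, md5_fpr


def control_entry(pubkey_line, keygrip, md5_factory=hashlib.md5):
    """Build an illustrative control-file entry; the comment layout is
    constructed for this example, not gpg-agent's exact format."""
    sha256_fpr, md5_fpr = ssh_fingerprints(pubkey_line, md5_factory)
    lines = ["# Fingerprint: " + sha256_fpr]
    if md5_fpr is not None:          # omit the legacy line, keep the entry
        lines.append("# Legacy fingerprint: " + md5_fpr)
    lines.append(keygrip)
    return "\n".join(lines) + "\n"


def fips_md5(_data=b""):
    """Hypothetical stand-in that fails the way MD5 does under FIPS."""
    raise ValueError("md5 disabled for FIPS")


def constructed_key():
    """Constructed sample: an ssh-ed25519 blob with an all-zero public key."""
    def s(b):
        return len(b).to_bytes(4, "big") + b
    blob = s(b"ssh-ed25519") + s(bytes(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"
```

Passing `md5_factory=fips_md5` reproduces the FIPS case on an ordinary host: the entry is still written with its SHA-256 fingerprint and keygrip, only the legacy line is left out.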