
Kleopatra: Learning certificates of Signature v2.0 card fails if a Yubikey is plugged in as well
Open, Normal, Public

Description

This is an additional issue that we noticed while looking at T7378: Kleopatra: loading X.509 certificate from Signature card hangs.

  • Plug in a Yubikey and a Signature v2.0 card that Kleopatra (and gpgsm) has never seen before.
  • Open Kleopatra's smartcard view

On the tab of the Signature v2.0 card (NKS ...) you should see the progress overlay:


If it doesn't go away (which is T7378: Kleopatra: loading X.509 certificate from Signature card hangs) then kill scdaemon.

In the background Kleopatra will run gpgsm --learn-card -v, as can be seen in the logs.

Unfortunately, gpgsm just learns (or tries to learn) the keys of the OpenPGP app of the Yubikey. As a result the certificates of the Signature Card v2.0 will stay unknown:

After removing the signature card and inserting it again, everything worked as expected and the certificates were loaded.

Event Timeline

I haven't added any project tags because I'm not sure for which projects this is relevant. Since GnuPG 2.2 doesn't support multiple smartcards it's likely not relevant for VSD 3.3.

I suspect that gpgsm learns the certificates for the card app that was last made active in scdaemon. I'll try to fix this by switching to the right card app before running gpgsm --learn-card.

The whole learn-card thing is more a hack than a solid way to make cards known. We should do such things in the background when a new card has been seen.

@ikloecker Using scdaemon with multiple cards, it is a connection which holds the card.

SCD SWITCHCARD serialno can specify and change to the card with serialno for *THAT* connection.

I don't think there is a way to specify a card among multiple cards for gpgsm.

I assume by "do such things in the background" you mean that GnuPG should do this automatically in the background.

SCD SERIALNO serialno can move the first card in the list in scdaemon.
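As an added example (not code from this thread or from GnuPG): a small helper that parses the status lines returned by `SCD SERIALNO --all`, picks the first card that is not an OpenPGP app (the YubiKey's serial number starts with the OpenPGP application id), and produces the `SCD SERIALNO <serialno>` call that moves that card to the front of scdaemon's list before `gpgsm --learn-card` runs. The sample response is constructed; the second serial number is a placeholder, not a real Signature Card v2.0 value.

```python
"""Select the card gpgsm should learn when several cards are plugged in."""
from __future__ import annotations
import re

# Constructed sample of 'gpg-connect-agent "scd serialno --all" /bye' output:
# one YubiKey OpenPGP app and one other card (placeholder serial number).
SAMPLE_RESPONSE = """\
S SERIALNO D2760001240103040006123456780000
S SERIALNO FF00000000PLACEHOLDER0001
OK
"""

# RID of FSF Europe followed by the OpenPGP application id (01).
OPENPGP_AID_PREFIX = "D27600012401"


def parse_serialnos(response: str) -> list[str]:
    """Return the serial numbers from 'S SERIALNO ...' status lines.
    An ERR line raises, so a failed scdaemon call is not read as 'no cards'."""
    serials = []
    for line in response.splitlines():
        if line.startswith("ERR "):
            raise RuntimeError("scdaemon error: " + line[4:])
        m = re.match(r"S SERIALNO (\S+)", line)
        if m:
            serials.append(m.group(1))
    return serials


def is_openpgp(serialno: str) -> bool:
    """True if the serial number belongs to an OpenPGP card application."""
    return serialno.upper().startswith(OPENPGP_AID_PREFIX)


def choose_learn_target(serials: list[str]) -> str | None:
    """First card that is not an OpenPGP app; None if there is none."""
    for serial in serials:
        if not is_openpgp(serial):
            return serial
    return None


def learn_commands(serialno: str) -> list[str]:
    """Shell commands: move the card to the front of scdaemon's list
    (SCD SERIALNO <serialno>, as described in the thread), then learn it."""
    return [
        "gpg-connect-agent 'scd serialno %s' /bye" % serialno,
        "gpgsm --learn-card -v",
    ]
```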

I assume by "do such things in the background" you mean that GnuPG should do this automatically in the background.

Right. But we can't do this now. I would postpone it for gnupg26.

werner triaged this task as Normal priority. Mon, Nov 11, 8:46 AM
werner added a project: gnupg26.
ikloecker changed the task status from Open to Testing. Wed, Nov 27, 11:27 AM
ikloecker removed a project: gnupg26.

Kleopatra does now read the certificates from the card and import them itself instead of relying on gpgsm --learn-card.

I'll remove the gnupg26 tag because no change in GnuPG is required for now.

ikloecker changed the task status from Testing to Open. Mon, Dec 2, 10:59 AM

We have to take the list of OIDs to ignore into account that can be configured for gpgsm with ignore-cert-with-oid.