Is there a blogpost or similar where the use of several smartcards following this improvement is explained to n00bs like me? :) For now all I find is this thread and some SE answers saying it does not work yet (https://security.stackexchange.com/questions/154702/gpg-encryption-subkey-on-multiple-smart-cards-issue) . If somebody could post a new answer on SE / write a small blog post or similar that would be great. Useful would be to have 1) from which versions and over is that available 2) how this works / how to use.
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Feed Advanced Search
Advanced Search
Advanced Search
May 28 2020
May 28 2020
PWRzTOtacorTPq7KNW4oFec8F added a comment to T2291: Smartcard interaction improvement (was: Shadowed private key design (for smartcard)).
May 21 2020
May 21 2020
• gniibe changed the status of T4934: Returning automatic variable buffer from a function from Open to Testing.
Fixed in master and applied to 2.2 branch too.
May 19 2020
May 19 2020
• werner changed the status of T4104: gpgsm/ksba removes leading zeros from signature byte array from Open to Testing.
Seems to be fixed now.
Finished if an existing key is used. See rG6dc3846d78192e393be73c16c72750734a9174d1 for examples.
May 14 2020
May 14 2020
Apr 28 2020
Apr 28 2020
I tested with this patch (which changes use of constant-time routine when it's secure memory):
lg-bench-invm.diff4 KBDownload
Apr 14 2020
Apr 14 2020
• gniibe updated the task description for T4914: libgcrypt ECC regression for the use case in GNUNET.
• gniibe changed the status of T4914: libgcrypt ECC regression for the use case in GNUNET from Open to Testing.
Apr 9 2020
Apr 9 2020
There are no betas; either you apply the patch mentioned above ( rG2f08a4f25df7) to a stock 2.2.20 or you build from the Git repo (STABLE-BRANCH-2-2, see https://gnupg.org/download/git.html).
Could you guide me to where I find the beta or snapshot, so I could test it and give you feedback? I seem to be unable to find it on my own.
Push the change to master.
Apr 8 2020
Apr 8 2020
That's odd. :-)
FWIW, the code was written by the author of the specs and he note in his original patch (rGe0972d3d96) :
• gniibe changed the status of T4908: ECDH with AES-128 decryption failure when fully padded from Open to Testing.
Thanks for your report. The problem of GnuPG was that it mandated padding length < 16 bytes, which is wrong.
Apr 7 2020
Apr 7 2020
Apr 6 2020
Apr 6 2020
• gniibe changed the status of T4888: GpgSM: Support ECC key generation by gpgsm_genkey from Open to Testing.
Apr 3 2020
Apr 3 2020
Pushed the changes.
Apr 2 2020
Apr 2 2020
It runs like:
$ gpg-connect-agent "scd devinfo --watch" /bye S DEVINFO_START S DEVINFO_END S DEVINFO_STATUS new S DEVINFO_START S DEVICE generic D276000124010200F517000000010000 openpgp S DEVINFO_END S DEVINFO_STATUS removal S DEVINFO_START S DEVINFO_END OK $
• gniibe changed the status of T4864: New scdaemon command to watch device removal from Open to Testing.
Push the change to master.
Mar 24 2020
Mar 24 2020
• gniibe changed the status of T4013: Certificate requests generated from Ed25519 keys are not compliant with draft-ietf-curdle-pkix from Open to Testing.
This should work well with libksba master and gnupg/sm master.
• gniibe changed the status of T4092: Certificate requests generated from card-based ECDSA keys are incorrectly marked as RSA-signed from Open to Testing.
The commits in 2019 (for libksba and gnupg/sm) handles the problem (of key generation using card).
Mar 20 2020
Mar 20 2020
• werner closed T4810: A key with only "C" capability cannot be selected as default key. as Resolved.
• werner closed T4832: card: when KDF is enabled, use of pinpad input should be disabled as Resolved.
Mar 19 2020
Mar 19 2020
• gniibe added a subtask for T4293: Add dedicated X25519 function to Libcgrypt : T4294: Release Libgcrypt 1.9.0.
• gniibe removed a parent task for T4293: Add dedicated X25519 function to Libcgrypt : T4294: Release Libgcrypt 1.9.0.
• gniibe removed a parent task for T4274: Fail selftests when checksum file is missing in FIPS mode only: T4294: Release Libgcrypt 1.9.0.
• gniibe added a parent task for T4293: Add dedicated X25519 function to Libcgrypt : T4294: Release Libgcrypt 1.9.0.
Mar 18 2020
Mar 18 2020
• werner moved T4810: A key with only "C" capability cannot be selected as default key. from Backlog to For next release on the gnupg (gpg22) board.
• werner moved T4832: card: when KDF is enabled, use of pinpad input should be disabled from Backlog to For next release on the gnupg (gpg22) board.
• werner added a comment to T4832: card: when KDF is enabled, use of pinpad input should be disabled.
Backported to 2.2
Mar 13 2020
Mar 13 2020
I am not sure whether this is related but when using Libgcrypt master and verifying a signature created with an ed25519 key, I get the error below with valgrind. Both with 2.2. current and 2.3. It does not happen with the current Libgcrypt 1.8.
Mar 12 2020
Mar 12 2020
• gniibe added a project to T4624: libassuan-config and libassuan.pc both put -lws2_32 before -lgpg-error, which fails during static linking: Restricted Project.
• gniibe changed the status of T4810: A key with only "C" capability cannot be selected as default key. from Open to Testing.
• gniibe changed the status of T4244: Better enum_secret_keys by asking gpg-agent KEYINFO --list from Open to Testing.
• gniibe added a project to T4491: Compile error in nPth's t-fork.c on Solaris 11.3 i86pc: Restricted Project.
• gniibe added projects to T4583: pinentry-tty should accept backspace, delete, and ctrl-U: Restricted Project, pinentry.
• gniibe changed the status of T3300: scd: Support multiple readers by PC/SC driver from Open to Testing.
• gniibe changed the status of T4641: Libassuan: enable the environment to set compiler and linker flags for helper tools from Open to Testing.
• gniibe changed the status of T4673: 2.3-only: Don't fallback to PC/SC on failure by the internal CCID driver, only use PC/SC when --disable-ccid is specified from Open to Testing.
• gniibe added a project to T4678: libassuan.pc missing include dir directive in cflags: Restricted Project.
Mar 11 2020
Mar 11 2020
Fixed in master.
Feb 28 2020
Feb 28 2020
• gniibe added a project to T4832: card: when KDF is enabled, use of pinpad input should be disabled: Restricted Project.
• gniibe changed the status of T3891: kdf-setup does not set admin and user PIN codes from Open to Testing.
I pushed the change to master.
Feb 19 2020
Feb 19 2020
sanmai added a comment to T4850: GnuPG fails to find default key to sign when using a smart card, but recovers once card is removed.
I can confirm that the problem is gone from a build from the master branch. It indeed retries the search.
• gniibe changed the status of T4850: GnuPG fails to find default key to sign when using a smart card, but recovers once card is removed from Open to Testing.
Jan 17 2020
Jan 17 2020
• gniibe changed the status of T3416: gpg should select available signing key on card (even with -u option), a subtask of T2291: Smartcard interaction improvement (was: Shadowed private key design (for smartcard)), from Open to Testing.
• gniibe changed the status of T3416: gpg should select available signing key on card (even with -u option) from Open to Testing.
Implemented in master.
Jan 16 2020
Jan 16 2020
• werner added a comment to T2291: Smartcard interaction improvement (was: Shadowed private key design (for smartcard)).
BTW, I just pushed some new features to maste for the gpg-card tool. You can now do
• gniibe added a project to T2291: Smartcard interaction improvement (was: Shadowed private key design (for smartcard)): Restricted Project.
• gniibe changed the status of T4695: Remove SERIALNO as an identifier to select keys from Open to Testing.
The first "SCD SERIALNO" command let scdaemon re-scan smartcards/tokens.
With new "KEYINFO" command in scdaemon, a list of card keys can be retrieved by:
• gniibe closed T4784: Remove referring a key by $AUTHKEYID, $ENCRKEYID, and $SIGNKEYID, a subtask of T4695: Remove SERIALNO as an identifier to select keys, as Resolved.
Dec 23 2019
Dec 23 2019
• werner removed a subtask for T4695: Remove SERIALNO as an identifier to select keys: Restricted Maniphest Task.
Dec 18 2019
Dec 18 2019
• gniibe added a subtask for T4695: Remove SERIALNO as an identifier to select keys: Restricted Maniphest Task.
Dec 17 2019
Dec 17 2019
Many cards have some printed information and I consider them important to avoid testing one by one all the cards from my pocket.
This I am really in favor of beeing asked to insert the respective card. The new text format private key files make it much easier to maintain this info
Dec 6 2019
Dec 6 2019
• gniibe added a subtask for T4293: Add dedicated X25519 function to Libcgrypt : T4294: Release Libgcrypt 1.9.0.
• gniibe removed a parent task for T4293: Add dedicated X25519 function to Libcgrypt : T4294: Release Libgcrypt 1.9.0.
• gniibe added a subtask for T4293: Add dedicated X25519 function to Libcgrypt : T4702: Deadline for the GnuPG 2.3.0 release.
• gniibe added a subtask for T4713: Bug in get_best_pubkey_byname: T4702: Deadline for the GnuPG 2.3.0 release.
• gniibe removed a parent task for T4713: Bug in get_best_pubkey_byname: T4702: Deadline for the GnuPG 2.3.0 release.
In 2.2.18, this fix is not included. (partial fix was reverted)
• gniibe added a parent task for T4713: Bug in get_best_pubkey_byname: T4702: Deadline for the GnuPG 2.3.0 release.
Nov 25 2019
Nov 25 2019
Nov 18 2019
Nov 18 2019
• gniibe closed T4654: Gemalto Ezio Shield (CT710): CCID command failed: Parameter error at offset 7 as Resolved.
This will be in 2.2.18, closing.
Oct 29 2019
Oct 29 2019
• gniibe added a comment to T4654: Gemalto Ezio Shield (CT710): CCID command failed: Parameter error at offset 7.
Sorry, it was simply my confusion (between GEMPC_PINPAD and GEMPC_EZIO).
Fixed now.
Oct 28 2019
Oct 28 2019
martin.von.wittich added a comment to T4654: Gemalto Ezio Shield (CT710): CCID command failed: Parameter error at offset 7.
Please test. When I can confirm that it is stable, I'll backport it to 2.2.
Oct 18 2019
Oct 18 2019
Or... it could be a feature, not bug, so that failure of -e -r someone can be examined by --locate-keys someone.
Let me clarify the point.
Oct 17 2019
Oct 17 2019
I think that we should apply further change:
diff --git a/g10/getkey.c b/g10/getkey.c index 077209415..1c337149c 100644 --- a/g10/getkey.c +++ b/g10/getkey.c @@ -1369,7 +1369,7 @@ get_best_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode, *retctx = NULL;
I found more wrong cases of get_best_pubkey_byname.
For ranking results,
(1) It may return non-encryption primary key as the most relevant key, when its validity is higher.
(2) It may not select encryption primary key even if its creation time is newer.
Oct 16 2019
Oct 16 2019
I also think this makes the most sense.
In my opinion, --locate-key should locate encryption key.
Oct 15 2019
Oct 15 2019
pow added a comment to T4654: Gemalto Ezio Shield (CT710): CCID command failed: Parameter error at offset 7.
@gniibe oh, I see thanks for pointing out precisely main the problem. I will check the hardware supply chain RoHS 2002/95/EC
There are some problems with the definition of --locate-key. Further discussion required.
• gniibe added projects to T4654: Gemalto Ezio Shield (CT710): CCID command failed: Parameter error at offset 7: Restricted Project, scd.
@pow, thanks for a reference. But problem here is that there are multiple products with same name.
Oct 9 2019
Oct 9 2019
• gniibe added a project to T4633: gpg argument "--passphrase=" yields 'missing argument for option "--passphrase="': Restricted Project.
• gniibe added a project to T4695: Remove SERIALNO as an identifier to select keys: Restricted Project.
Oct 2 2019
Oct 2 2019
I modified _gcry_ecc_fill_in_curve so that g_y has new value in eid4730.