Re: OpenPGP Smart Card v2.1 - unable to create key - card error
On Sat, 18 Jun 2016 15:51, ck+gnupgus...@bl4ckb0x.de said:

> I've bought an OpenPGP Smart Card v2.1 and am trying now to generate a
> 4096 bit key for me.
> Using it with my ThinkPad X260 and an Alcor Smart Card Reader.

I guess that the AU9540 Smartcard Reader probably does not work. I have never seen one of their readers work with modern smartcards. But Gniibe has more experience, maybe he can help.

As a test try to create a 1024 bit key.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.
/* Single-family house in Erkrath: https://alt-hochdahl.de/haus */

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Old gnupg version by gpg4win is not overwritten
Hi,

I just downloaded and installed GnuPG 2.1.13 using the Windows installer provided at ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.13_20160616.exe . Before that I had GnuPG 2.0.30 installed by the gpg4win-vanilla-2.3.1 installer.

The GnuPG 2.1.13 installer told me that there was already a GnuPG version installed (interestingly it stated the version number as 2.3.1) and I chose that this version should be replaced. But after the installation the old GnuPG version was still there.

I'm not sure, but maybe it is because GnuPG 2.1.13 uses C:\Program Files\GnuPG\bin for the executables, but the ones from the gpg4win installer were placed in C:\Program Files\GnuPG\ (I would consider a bin subfolder in Windows not common).

After uninstalling gpg4win and reinstalling gnupg-w32-2.1.13_20160616.exe it works.

As not everybody might check gpg --version, it might be worth making the installer more robust by really checking where the old exe files are located or (if one does not want to overwrite/remove GnuPG installed by another installer) printing a warning.

Kind regards,
Hauke
Pinentry: window too small + make arrow keys cancel dialog + change number of allowed wrong passphrases
Hi,

I'm using GnuPG 2.1.13 under Windows 8.1. The pinentry window does not display the complete text, see here http://pasteboard.co/1M2I56mG.png for a screenshot where you can only see the top pixels of the missing last text line. Before, I was using the pinentry that came with GnuPG 2.0.30 and there I didn't have this issue (but I'm not sure if the window content was the same).

Would it be possible to make the arrow keys (left, right, up, down) cancel the pinentry dialog? I use these keys to navigate through my Thunderbird mails, and every time I come across an encrypted e-mail the pinentry dialog pops up, even if I'm not interested in this particular e-mail, and as Thunderbird is no longer in focus I cannot just navigate to the next mail. Of course I could cache the passphrases, or disable that Enigmail automatically tries to decrypt the message, or get out of the pinentry dialog by tab, tab, enter... but just pressing the arrow key again to close the pinentry window and get back to Thunderbird would really be convenient. As the arrow keys cannot be used in a passphrase I don't see any negative side effects.

By default pinentry quits after the passphrase is entered wrongly 3 times. Is there a way to change this number (by gpg-agent.conf)? I searched in the manual for "3", "bad" and "wrong" but didn't find anything useful, and I don't know how such a parameter could be called.

Kind regards,
Hauke
gpgsm 2.1.13 / libksba-1.3.4 fail to verify certificate chain
Hi,

trying to set up S/MIME protected communication via mutt, but gpgsm 2.1.13 / libksba 1.3.4 (built under Fedora 21) are unable to verify the certificate chain:

$ gpgsm --debug-level guru --debug-all --dirmngr-program ./bin/dirmngr.sh --verify smime.p7s
~/gnupg-2.1.13:0
gpgsm: reading options from '/home/scd/.gnupg/gpgsm.conf'
gpgsm: enabled debug flags: x509 mpi crypto memory cache memstat hashing ipc
gpgsm: detached signature
gpgsm: DBG: enabling hash algorithm 2 (1.3.14.3.2.26)
gpgsm: detached signature w/o data - assuming certs-only
gpgsm: DBG: signer 0 - issuer:
gpgsm: DBG: signer 0 - serial:
gpgsm: DBG: signer 0 - digest algo: 2
gpgsm: DBG: signer 0 - content-type attribute: 1.2.840.113549.1.7.1
gpgsm: DBG: signer 0 - signature available (sigval hash=0)
gpgsm: Signature made 2016-06-14 15:39:52 using certificate ID 0x
gpgsm: invalid signature: message digest attribute does not match computed one
gpgsm: DBG: message:  9B BB CE DF 97 53 23 1A 8A 2D 82 16 D7 32 74 D0 C7 4D A5 B3
gpgsm: DBG: computed: DA 39 A3 EE 5E 6B 4B 0D 32 55 BF EF 95 60 18 90 AF D8 07 09

Tried to get more information by letting GnuPG parse the mail, but got only "Not implemented" messages for CRL checking / invalid certification chain (see end of output below).

Is there anything I can do configuration-wise, or is verifying this chain just not -- hopefully yet :)? -- supported by gpgsm?

Thanks,
Stefan

$ ./tools/gpgparsemail --verbose --crypto mailmsg.txt
gpgparsemail: non canonical ended line detected (line 2)
.
h media: multipart signed
h signed.protocol: application/x-pkcs7-signature
b down
b part
:--
c begin_hash
.Content-Type: multipart/related;
.	boundary="_004_3D4F30E57ECFD443966400DFA1FDC090787B3C04S1001gagde_";
.	type="multipart/alternative"
h media: multipart related
b down
b part
:--_004__
.Content-Type: multipart/alternative;
.	boundary="_000_3D4F30E57ECFD443966400DFA1FDC090787B3C04S1001gagde_"
h media: multipart alternative
b down
b part
:--_000__
.Content-Type: text/plain; charset="utf-8"
.Content-Transfer-Encoding: base64
h media: text plain
b part
:--_000__
.Content-Type: text/html; charset="utf-8"
.Content-Transfer-Encoding: base64
h media: text html
b last
b up
:--_000__
b part
:--_004__
.
h media: image gif
b last
b up
:--_004__
b part
c end_hash
:--F461B893FB2CA2F661FD798058E2475B
.Content-Type: application/x-pkcs7-signature; name="smime.p7s"
.Content-Transfer-Encoding: base64
.Content-Disposition: attachment; filename="smime.p7s"
h media: application x-pkcs7-signature
c begin_signature
b last
c end_signature
b up
c [GNUPG:] NEWSIG
# gpgsm: Signature made 2016-06-14 15:39:52 using certificate ID 0x
# gpgsm: Note: non-critical certificate policy not allowed
# gpgsm: certificate #
# gpgsm: checking the CRL failed: Not implemented
c [GNUPG:] GOODSIG
c [GNUPG:] VALIDSIG
# gpgsm: invalid certification chain: Not implemented
c [GNUPG:] TRUST_UNDEFINED 69
:--F461B893FB2CA2F661FD798058E2475B--
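One detail in the gpgsm debug output above is worth checking before blaming the chain: the "computed" digest DA 39 A3 EE ... 07 09 is the SHA-1 of zero bytes, which is what gpgsm hashes when a detached signature is verified without the signed data (the log itself says "detached signature w/o data"). The snippet below is an added example, not code from the post or from GnuPG; it parses the two DBG lines quoted above (embedded here as constructed input copied from the log) and reports whether the computed digest is simply the hash of an empty input.

```python
import hashlib
import re

# Constructed sample: the two DBG lines copied from the gpgsm log quoted above.
GPGSM_DBG_LINES = """\
gpgsm: DBG: message:  9B BB CE DF 97 53 23 1A 8A 2D 82 16 D7 32 74 D0 C7 4D A5 B3
gpgsm: DBG: computed: DA 39 A3 EE 5E 6B 4B 0D 32 55 BF EF 95 60 18 90 AF D8 07 09
"""

# Matches "gpgsm: DBG: message: <hex bytes>" and "gpgsm: DBG: computed: <hex bytes>".
_DBG_RE = re.compile(
    r"^gpgsm: DBG: (message|computed):\s+((?:[0-9A-Fa-f]{2}\s*)+)$", re.MULTILINE
)

# Hash functions gpgsm may report; checked against the empty input.
_EMPTY_DIGESTS = {
    "sha1": hashlib.sha1(b"").digest(),
    "sha256": hashlib.sha256(b"").digest(),
    "sha384": hashlib.sha384(b"").digest(),
    "sha512": hashlib.sha512(b"").digest(),
}


def parse_digests(log: str) -> dict:
    """Return {'message': bytes, 'computed': bytes} found in gpgsm --debug-all output."""
    found = {}
    for m in _DBG_RE.finditer(log):
        found[m.group(1)] = bytes.fromhex("".join(m.group(2).split()))
    return found


def diagnose(log: str) -> str:
    """Explain a 'message digest attribute does not match computed one' failure."""
    d = parse_digests(log)
    if "message" not in d or "computed" not in d:
        return "no DBG digest lines found; rerun gpgsm with --debug-all"
    if d["message"] == d["computed"]:
        return "digests match; the failure is elsewhere"
    for name, empty in _EMPTY_DIGESTS.items():
        if d["computed"] == empty:
            return (f"computed digest is {name} of zero bytes: no signed content "
                    f"was supplied to --verify, so the detached signature cannot match")
    return "digests differ: the supplied content is not what was signed"


if __name__ == "__main__":
    print(diagnose(GPGSM_DBG_LINES))
```

For a detached S/MIME signature the signed MIME part has to be handed to gpgsm as the second file argument (the canonicalised text that was hashed by the sender), otherwise the comparison above is against an empty message and the "invalid signature" line says nothing about the certificate chain.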
Re: OpenPGP Smart Card v2.1 - unable to create key - card error
On 06/20/2016 04:02 AM, Werner Koch wrote:
> I guess that the AU9540 Smartcard Reader probably does not work. I have
> never seen one of their readers work with modern smartcards. But
> Gniibe has more experience, maybe he can help.

I fixed a problem of the internal ccid-reader for this specific reader. The problem was that decryption didn't work (for RSA-2048 key, I guess). FYI, please see: https://bugs.g10code.com/gnupg/issue1947

> As a test try to create a 1024 bit key.

I think that it should work with RSA-1024 and RSA-2048. I'm afraid the reader doesn't work for RSA-4096.

I suggest trying it with the PC/SC service. It's pcscd and libccid on GNU/Linux. There is a little possibility it works fine. If it works, please let us know.

Let me explain the situation. The problem is the buffer size of the card reader. The descriptor says:

  dwFeatures 000404BE
    Auto configuration based on ATR
    Auto activation on insert
    Auto voltage selection
    Auto clock change
    Auto baud rate change
    Auto PPS made by CCID
    Auto IFSD exchange
    Short and extended APDU level exchange
  dwMaxCCIDMsgLen 272

It supports extended APDU level exchange, good. However, the size of a message is limited by dwMaxCCIDMsgLen=272. So, a larger message has to be divided into multiple packets.

GnuPG/scdaemon will use larger messages for receiving the decrypted result, and/or sending the private key to the card. Please note that sending the private key to the card occurs for the decryption key with the "generate" command.

The internal CCID-reader didn't support those multiple packets until last year. It was implemented when I handled issue1947. I think that it works now for RSA-2048. I don't know for RSA-4096.

Please note that I only fixed the driver part. Still, there is a fundamental (the card reader's) firmware limitation of the buffer size of APDU. In the original CCID class specification, there is no way to know the buffer size of APDU of the card reader. So, all that a user can do is try if it works or not.

It is likely that the supported APDU size is not so large. Well, RSA-4096 is considered "huge" from the view point of smartcard.
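The chaining Gniibe describes can be made concrete. The following is an added example, not GnuPG's ccid-driver code: it splits an extended-length command APDU into CCID PC_to_RDR_XfrBlock messages that each fit dwMaxCCIDMsgLen, and reassembles a chained RDR_to_PC_DataBlock response. The 10-byte header layout and the wLevelParameter / bChainParameter values (0 begins and ends, 1 begins and continues, 2 ends, 3 continues) are taken from the USB CCID class specification rev 1.1; the PSO:DECIPHER encoding (CLA 00, INS 2A, P1 80, P2 86, RSA padding indicator 00) follows the OpenPGP card specification; dwMaxCCIDMsgLen=272 is the AU9540 value from the message above. The simulated reader in split_response is a construction for the example; whether the real firmware's APDU buffer accepts the reassembled APDU is exactly what the text says cannot be read from the descriptor.

```python
import struct

CCID_HDR_LEN = 10              # every CCID bulk message starts with a 10-byte header
PC_TO_RDR_XFRBLOCK = 0x6F      # host -> reader: carries (part of) a command APDU
RDR_TO_PC_DATABLOCK = 0x80     # reader -> host: carries (part of) a response APDU

# wLevelParameter (command) / bChainParameter (response) for extended-APDU-level readers
LEVEL_BEGIN_END = 0x0000       # whole APDU in this message
LEVEL_BEGIN_CONT = 0x0001      # APDU begins here and continues in the next message
LEVEL_CONT_END = 0x0002        # continuation that ends the APDU
LEVEL_CONT_CONT = 0x0003       # continuation that is itself continued


def _chain_level(first: bool, last: bool) -> int:
    if first and last:
        return LEVEL_BEGIN_END
    if first:
        return LEVEL_BEGIN_CONT
    return LEVEL_CONT_END if last else LEVEL_CONT_CONT


def _split(data: bytes, dw_max_ccid_msg_len: int) -> list:
    """Cut data into pieces that fit beside a CCID header in one message."""
    payload_max = dw_max_ccid_msg_len - CCID_HDR_LEN
    if payload_max <= 0:
        raise ValueError("dwMaxCCIDMsgLen leaves no room for payload")
    return [data[i:i + payload_max] for i in range(0, len(data), payload_max)] or [b""]


def pso_decipher_apdu(ciphertext: bytes) -> bytes:
    """Extended-length PSO:DECIPHER: 00 2A 80 86 | 00 Lc(2) | 00 || ciphertext | Le(2)."""
    data = b"\x00" + ciphertext              # 00 = RSA padding indicator
    return (bytes([0x00, 0x2A, 0x80, 0x86, 0x00]) + struct.pack(">H", len(data))
            + data + b"\x00\x00")


def chunk_apdu(apdu: bytes, dw_max_ccid_msg_len: int, slot: int = 0, seq0: int = 0) -> list:
    """Host side: return [(wLevelParameter, PC_to_RDR_XfrBlock bytes), ...] for one APDU."""
    pieces = _split(apdu, dw_max_ccid_msg_len)
    msgs = []
    for idx, piece in enumerate(pieces):
        level = _chain_level(idx == 0, idx == len(pieces) - 1)
        # bMessageType, dwLength, bSlot, bSeq, bBWI, wLevelParameter (all little-endian)
        hdr = struct.pack("<BIBBBH", PC_TO_RDR_XFRBLOCK, len(piece), slot,
                          (seq0 + idx) & 0xFF, 0, level)
        msgs.append((level, hdr + piece))
    return msgs


def split_response(resp_apdu: bytes, dw_max_ccid_msg_len: int, slot: int = 0, seq: int = 0) -> list:
    """Simulated reader: chain a response APDU into RDR_to_PC_DataBlock messages."""
    pieces = _split(resp_apdu, dw_max_ccid_msg_len)
    msgs = []
    for idx, piece in enumerate(pieces):
        chain = _chain_level(idx == 0, idx == len(pieces) - 1)
        # bMessageType, dwLength, bSlot, bSeq, bStatus, bError, bChainParameter
        hdr = struct.pack("<BIBBBBB", RDR_TO_PC_DATABLOCK, len(piece), slot, seq, 0, 0, chain)
        msgs.append(hdr + piece)
    return msgs


def reassemble_response(msgs: list) -> bytes:
    """Host side: concatenate chained DataBlocks until a message with chain 0 or 2 ends the APDU."""
    out = bytearray()
    for m in msgs:
        mtype, length, _slot, _seq, _status, _error, chain = struct.unpack("<BIBBBBB", m[:CCID_HDR_LEN])
        if mtype != RDR_TO_PC_DATABLOCK or len(m) < CCID_HDR_LEN + length:
            raise ValueError("malformed RDR_to_PC_DataBlock")
        out += m[CCID_HDR_LEN:CCID_HDR_LEN + length]
        if chain in (LEVEL_BEGIN_END, LEVEL_CONT_END):
            return bytes(out)
    raise ValueError("response APDU not terminated by the reader")


def decipher_packets_needed(modulus_bits: int, dw_max_ccid_msg_len: int) -> tuple:
    """(command messages, response messages) for an RSA decipher of the given key size."""
    n = modulus_bits // 8
    cmd = chunk_apdu(pso_decipher_apdu(bytes(n)), dw_max_ccid_msg_len)   # constructed ciphertext
    resp = split_response(bytes(n) + b"\x90\x00", dw_max_ccid_msg_len)    # plaintext + SW 90 00
    return len(cmd), len(resp)


if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        print(bits, decipher_packets_needed(bits, 272))
```

With the AU9540's 272-byte limit, an RSA-1024 decipher fits in one message each way, RSA-2048 already needs two messages for the command (which is the multi-packet path fixed for issue1947), and RSA-4096 needs two in each direction; the card firmware's own APDU buffer is a separate limit that this code cannot observe.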