pinentry fails for tpm protected key

Joshua Rubin me at jawa.dev
Thu Dec 30 08:03:10 CET 2021


> Based on this, my best guess is that whatever is on the other end of
> libsecret doesn't like binary key grips.  There's no harm in converting
> them all to ASCII, does this fix your problem?

That seems to get things set in the 3rd party password cache now. However, I'm now receiving this error:

Dec 29 22:49:53 balerion gpg-agent[3755873]: WARNING:esys:src/tss2-esys/api/Esys_Sign.c:311:Esys_Sign_Finish() Received TPM Error
Dec 29 22:49:53 balerion gpg-agent[3755873]: ERROR:esys:src/tss2-esys/api/Esys_Sign.c:105:Esys_Sign() Esys Finish ErrorCode (0x000001d5)
Dec 29 22:49:53 balerion gpg-agent[3755873]: TPM2_Sign failed with 469
Dec 29 22:49:53 balerion gpg-agent[3755873]: tpm:parameter(1):structure is the wrong size
Dec 29 22:49:53 balerion gpg-agent[3755447]: smartcard signing failed: Card error
Dec 29 22:49:53 balerion gpg-agent[3755447]: command 'PKSIGN' failed: Card error

And the gpg command itself says (for a sign only op):

gpg: signing failed: Card error
-----BEGIN PGP MESSAGE-----

gpg: signing failed: Card error

And for sign+encrypt (it does output some data on stdout):

gpg: [stdin]: sign+encrypt failed: Card error

Note that encrypt and decrypt operations work fine; it's only the signing key that has the issue (I have 3 separate subkeys, one of each type).

I was able to run `keytotpm` on newly generated keys with the same result. Reverting back to the unpatched gpg did not fix things though. Not sure if this is the same problem.

Thanks
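
Added example, not part of the original message and not GnuPG or tpm2-tss code: a small decoder showing how the code in the log above (0x000001d5, i.e. 469) breaks down into "parameter 1, wrong size". The bit layout is the TPM 2.0 format-one response code layout with the TSS2 layer in bits 23:16; the struct and function names are this example's own, and the name table is deliberately partial.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded fields of a format-one TPM 2.0 response code (names are this example's own). */
struct tpm_rc {
    unsigned layer;   /* TSS2 layer, bits 23:16; 0 means the TPM itself */
    char subject;     /* 'P' parameter, 'H' handle, 'S' session */
    unsigned index;   /* 1-based position of the offending item */
    unsigned err;     /* bits 5:0, the error number */
};

/* A few format-one error numbers relevant to signing parameters; not exhaustive. */
static const char *fmt1_name(unsigned err) {
    switch (err) {
    case 0x04: return "TPM_RC_VALUE";
    case 0x12: return "TPM_RC_SCHEME";
    case 0x15: return "TPM_RC_SIZE";   /* "structure is the wrong size" */
    default:   return "(not in this table)";
    }
}

/* Split a response code into fields; returns 0 for format-one, -1 otherwise. */
static int decode_rc(uint32_t rc, struct tpm_rc *out) {
    unsigned n = (rc >> 8) & 0xf;
    memset(out, 0, sizeof *out);
    out->layer = (rc >> 16) & 0xff;
    if (!(rc & 0x80)) return -1;       /* bit 7 clear: format-zero, not decoded here */
    out->err = rc & 0x3f;
    if (rc & 0x40)    { out->subject = 'P'; out->index = n; }
    else if (n & 0x8) { out->subject = 'S'; out->index = n & 0x7; }
    else              { out->subject = 'H'; out->index = n & 0x7; }
    return 0;
}

/* Pull the hex code out of an "ErrorCode (0x...)" log line; returns 0 if found. */
static int rc_from_log(const char *line, uint32_t *rc) {
    const char *p = strstr(line, "ErrorCode (0x");
    unsigned v;
    if (!p || sscanf(p, "ErrorCode (0x%x)", &v) != 1) return -1;
    *rc = v; return 0;
}

int main(void) {
    uint32_t rc; struct tpm_rc d;   /* log fragment below is taken from the message above */
    if (rc_from_log("Esys Finish ErrorCode (0x000001d5)", &rc) || decode_rc(rc, &d)) return 1;
    printf("0x%x: layer %u, %s, %c%u\n", (unsigned)rc, d.layer, fmt1_name(d.err), d.subject, d.index);
    return 0;
}
```

Layer 0 with subject P1 means the TPM itself rejected the first command parameter of TPM2_Sign, rather than an error raised inside the TSS library.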


