pinentry fails for tpm protected key

James Bottomley James.Bottomley at
Thu Dec 30 19:23:20 CET 2021

On Thu, 2021-12-30 at 11:16 -0700, Joshua Rubin via Gnupg-devel wrote:
> > right, TPM_RC_SIZE, which means the digest is the wrong size or the
> > TPM doesn't understand the digest algorithm ... what digest are you
> > using?
> Oh, I was messing with that the other day... thanks for the reminder.
> I pretty much gave up in frustration with that effort. Is there any
> way I can check to see what digest is actually being used by a key?

Not short of adding a print of digestlen in the code.

> My config has these lines, so I'm certain it's SHA512, but finding a
> way to actually see this info would be immensely useful.
> personal-digest-preferences SHA512

Pretty much no laptop TPM will support this, so I'd cut that down to
SHA256 which is guaranteed to be supported by every TPM.

> digest-algo SHA512
> cert-digest-algo SHA512
> default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES
> CAST5 BZIP2 ZLIB ZIP Uncompressed
> Any error that suggests that this is the issue would be much more
> helpful than what I found.
> Also, is there any way to find out what algos the tpm supports?

It's listed in the algorithm capabilities.  With the IBM TSS, that's

tssgetcapability -cap 0|grep ALG_SHA
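
The check discussed in this thread, as an added example that is not part of the original message or of GnuPG: it compares the digests named in gpg.conf against the ALG_SHA entries the TPM reports. The function names and both sample inputs are constructed for illustration; only the ALG_SHA token in the capability output is relied on.

```shell
#!/bin/sh
# Constructed sample of `tssgetcapability -cap 0 | grep ALG_SHA` output; only
# the ALG_SHA<n> token is relied on, the rest of each line is made up.
SAMPLE_CAPS='alg TPM_ALG_SHA1
alg TPM_ALG_SHA256'

# Constructed gpg.conf fragment using the options quoted in the thread.
SAMPLE_CONF='personal-digest-preferences SHA512
digest-algo SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 ZLIB'

# stdin: capability text. stdout: digest names (SHA1, SHA256, ...), one per line.
tpm_digests() {
    awk '{ s = $0
           while (match(s, /ALG_SHA[0-9_]+/)) {
               print substr(s, RSTART + 4, RLENGTH - 4)   # drop the "ALG_" prefix
               s = substr(s, RSTART + RLENGTH)
           } }' | sort -u
}

# $1 = gpg.conf text, $2 = capability text.
# Prints "option: DIGEST" for each SHA digest the TPM does not list;
# returns 1 if any were found, 0 otherwise.
check_digests() {
    supported=$(printf '%s\n' "$2" | tpm_digests | tr '\n' ' ')
    printf '%s\n' "$1" | awk -v ok="$supported" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) have[a[i]] = 1 }
        $1 ~ /^(personal-digest-preferences|digest-algo|cert-digest-algo|default-preference-list)$/ {
            for (i = 2; i <= NF; i++) {
                d = toupper($i)
                if (d ~ /^SHA[0-9]+$/ && !(d in have)) { print $1 ": " d; bad = 1 }
            }
        }
        END { exit bad + 0 }'
}

# Real use: check_digests "$(cat ~/.gnupg/gpg.conf)" "$(tssgetcapability -cap 0)"
check_digests "$SAMPLE_CONF" "$SAMPLE_CAPS" ||
    echo "gpg.conf names digests this TPM does not list"
```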

