Scute returning a full chain is confusing signing applications

Werner Koch wk at
Thu Sep 15 09:46:45 CEST 2022


I am currently using the t6002 branch which has a couple of small fixes.
For example commit ca9b9a4d9eed avoids hangs due to broken certificate
chains (it happens that I have some on my keyring).  I am in general
satisfied wit the current state of things and that branch will soon be
merged.  In particular osslsigncode works now every well with that
version.  I could not fully test PDF signing because NSS does not
support Brainpool (which are used in Germany for qualified signatures).
Gniibe is working on getting a fix to NSS into Debian's version of NSS,

On Thu, 15 Sep 2022 00:25, Damien Goutte-Gattat said:

> In fact, of the applications I tested, pdfsig is the only one who works
> correctly (it generates a valid signature).

Interesting because it seems to use NSS as well.

> is on the token, then Scute returns only that certificate; if not, Scute
> returns the full chain obtained from GpgSM. What is the rationale for
> this difference of behaviour?

I can't tell anymore; its too long ago:

    2008-09-29  Marcus Brinkmann  <marcus at>
            * src/gpgsm.c (struct search): New member WITH_CHAIN.
            (search_cb): Only load chain if WITH_CHAIN is true.
            (scute_gpgsm_get_cert): Call search_cb in the agent code path.

I would suggest that for now we use a new option (/etc/gnupg/scute.conf)
to either enable or disable chain lookups.



The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the Gnupg-devel mailing list