signatures using S-Trust smart card

Werner Koch wk at
Wed Jan 3 09:51:50 CET 2007

On Tue,  2 Jan 2007 20:03, mailbox at said:

> I am trying to perform a digital signature with a S-Trust (card issuer
> behind some german banks, "Sparkassen") signature card. This is a

Well S-Trust, one of the qualified CAs who achieved to work around the
digital signature law and still being able to create legallay binding
digital signatures.  Argh.

> the german ZKA specification which is an evolved version of the "DIN
> signature card", which finally should be supported by gpgsm through
> dinsig.c

Basically it works.  But: Quite some time ago I received a test card
and tried to make it work.  The problem at that time was that there
was no way to get the root certificate for this test card.  I had some
mail exchange with S-Trust and they send me an NDA to sign.  This NDA
had terms which would have inhibit me to do any work on qualified
signatures for any other issuer.  Obviously I didn'd signed it.  This
was before S-trust went into production.

I still hesitate to do any development with real cards as there is the
chance that I might accidently sign a document.

All other CAs issue test cards under reasonable terms - only S-trust
does not.  Thus I see no way to support/test them.

> Now I'm at loss. Of course, there is no secret key, because it is still
> on the card. Looks to ma as if gpgsm is missing the fact that this key
> must be used through the card reader.


debug 2048
debug 1024

to ~/.gnupg/scdaemon.conf and 

debug 1024 

to ~/.gnupg/gpg-agent.conf as well as an appropriate log file[1] and
restart gpg-agent[2]

> I work for the smart card vendor Giesecke & Devrient and would be
> willing to contribute with respect to APDUs and smart card file systems.
> However, it looks to me as if the problem in question here is not
> located on APDU level but somewhere around gnupg-agent itself or my
> faulty usage of gpgsm.

Possible.  You may contact me privatly for debugging purposes

> Does gpgsm know about class 3 readers? There are two certificates on my

2.0.1 has support for SPR532 and KAAN Advanced.  It is currently
limited to the OpenPGP card.  Adding support for other card
applications is not too hard, however the specs are not always that
clear and there is the risk to burn a card.

I have also a cherry keyboard with reader here, but there is a problem
with it as the Cherry echoes asterisks to the USB keyboard device and
I need to find a way to disable this.  Adding support for the Rainer
should be easy, however such a device is not in my collection of



[1] For logging it is best to add
      log-file log-file socket:///home/foo/.gnupg/S.log
    to scdaemon.conf and gpg-agent.conf.  Then use
      watchgnupg --force ~/.gnupg/S.log | tee mylog
    in another xterm to watch the debug output.

[2] To avoid restarting, I use
      gpg-agent --daemon /bin/sh
    to get a shell with the gpg-agent environemt setup properly. 
    You may then use gpgsm in this shell.  Prefixing the above line 
    is also useful if you want to use a certain debug environment
    (e.g. other config files).  Make sure that no other scdaemon is
    running as scdaemon needs exclusive access to the reader.  Using 
      gpg-connect-agent --hex --verbose
    is useful for direct interaction with the agent/scdaemon.

More information about the Gnupg-users mailing list