SHA2 digest, V2 smartcard and gpg-agent problem

Chris Ruff jcruff at gmail.com
Tue Jul 20 23:47:14 CEST 2010


On 05/01/2010 04:52 PM, Stanislav Sidorenko wrote:
> Hi!
> 
> I've tried to use SHA256 digest for signing using openpgp V2 smartcard and got 
> the following error:
> 
> gpg: checking created signature failed: bad signature
> gpg: signing failed: bad signature
> gpg: signing failed: bad signature
> 
> It happens only if gpg uses gpg-agent which is configured to use scdaemon for 
> accessing smartcards.
> 
> If I disable gpg-agent usage (--no-use-agent switch) and enter card PIN code 
> in the console then signing with SHA256 works perfectly. In case of enabled 
> gpg-agent only SHA1 and RIPEMD160 can be used. It looks like an issue in gpg-
> agent or scdaemon.
> 
> The issue was found on gpg 1.4.10 and gpg-agent 2.0.14.
> 
> Thanks,
> 
> Stanislav

Interesting, indeed.  I unfortunately had to change my prefs when I got
my openpgp v2 card since I was using gpg2 and the agent is required.  So
is this currently just an issue with gpg-agent?  If I'm reading section
7.2.8.1 [Hash Algorithms] in the OpenPGP smart application PDF correctly
it seems only OpenPGP cards <2.0 are limited to SHA1 & RIPEMD-160.

"The following hash algorithms are supported by RFC 4880 and can be used
as input in the DSI. However the card may not check the integrity of a
DSI. Cards with Version < 2.0 support RIPEMD-160 and SHA-1 only and may
check it, so other hash algorithms cannot be used."

Or is this saying >=2.0 OpenPGP cards can generate SHA2 hashes but
cannot verify them?

-- 
__________________________________
Chris Ruff
email: jcruff at gmail.com
gpg key: 0x0621F585
gpg fgpr: E3C4 0E2E AD99 59A2 E4D0
          DC1B FD21 25BC 0621 F585
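
Added example, not part of the original thread and not GnuPG or card firmware code: for RSA signatures, the DSI mentioned in the quoted specification text is a DER DigestInfo, that is, a fixed per-hash prefix (RFC 4880 section 5.2.2) followed by the digest. The sketch builds DSIs for SHA-1 and SHA-256 and models the quoted sentence; `card_accepts` and its version tuple are hypothetical, and treating a 2.0 card as never inspecting the DSI is an assumption.

```python
import hashlib

# DER DigestInfo prefixes (hash OID plus length headers), RFC 4880 section 5.2.2.
DIGESTINFO_PREFIX = {
    "RIPEMD160": bytes.fromhex("3021300906052b2403020105000414"),
    "SHA1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "SHA256": bytes.fromhex("3031300d060960864801650304020105000420"),
}
DIGEST_LEN = {"RIPEMD160": 20, "SHA1": 20, "SHA256": 32}


def build_dsi(hash_name, message):
    """Return the DSI (DigestInfo prefix + digest) that is sent to the card."""
    digest = hashlib.new(hash_name.lower(), message).digest()
    return DIGESTINFO_PREFIX[hash_name] + digest


def identify_dsi(dsi):
    """Return the hash a DSI declares, or None if unknown or wrongly sized."""
    for name, prefix in DIGESTINFO_PREFIX.items():
        if dsi.startswith(prefix) and len(dsi) == len(prefix) + DIGEST_LEN[name]:
            return name
    return None


def card_accepts(dsi, card_version):
    """Hypothetical model of the quoted spec sentence, not real firmware.

    Cards older than 2.0 are modelled as checking the DSI and allowing only
    RIPEMD-160 and SHA-1. Assumption: a 2.0 card signs without inspecting it.
    """
    if card_version >= (2, 0):
        return True
    return identify_dsi(dsi) in ("RIPEMD160", "SHA1")


if __name__ == "__main__":
    msg = b"constructed sample message"
    for name in ("SHA1", "SHA256"):
        dsi = build_dsi(name, msg)
        print(name, len(dsi), "bytes;",
              "v1.1 card:", card_accepts(dsi, (1, 1)),
              "v2.0 card:", card_accepts(dsi, (2, 0)))
```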
