gpgme and keys on smartcards

Hendrik Jaeger gnupg-users at henk.geekmail.org
Fri Sep 21 12:50:53 CEST 2012


Hi,

I am trying to replace my "old" keypair with one stored on a smartcard.
I have an SCM SPR-332 (reader with pinpad), which seems to work fine
with gpg. I can list the card's contents, create signatures and I'm
asked to enter the pin on the pinpad:

% gpg -u '3352C710!' -b -a gpgsign.c.old
-- I’m asked to enter the pin on the pinpad and do that
% gpg --verify gpgsign.c.old.asc
gpg: Signature made Fre 21 Sep 2012 12:34:52 CEST using RSA key ID 3352C710
gpg: Good signature from "Hendrik Niklas Jäger <henk at hnjs.ch>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C899 4C00 FC3E 8048 4A06  AE7D F562 C121 DC25 6ED6
     Subkey fingerprint: 2CE9 418C 8088 A1A2 0B8D  0FE6 861F B11E 3352 C710

3352C710 is the keyid of my signing subkey on the card:

% gpg --list-secret-keys
/home/henk/.gnupg/secring.gpg
-----------------------------
sec   1024D/9914042F 2004-02-27
uid                  Hendrik Jaeger <hendrik_jaeger at web.de>
uid                  Hendrik Jaeger <hank84 at googlemail.com>
uid                  Hendrik Jaeger <hank at netwichtig.de>
uid                  Hendrik Jaeger <hank at netwichtig.de>
uid                  Hendrik Jaeger <henk at hnjs.de>
uid                  Hendrik Jaeger <hendrik.jaeger at hnjs.de>
uid                  Hendrik Jaeger <henk at hnjs.ch>
uid                  Hendrik Jaeger <hendrikjaeger at fastmail.net>
ssb   1024g/F22214D5 2004-02-27

sec#  2048R/DC256ED6 2012-08-23
uid                  Hendrik Niklas Jäger <henk at hnjs.ch>
ssb>  2048R/3352C710 2012-08-29
ssb>  2048R/769C5F55 2012-08-29
ssb>  2048R/E091D806 2012-08-29

% gpg --edit-key dc256ed6
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/DC256ED6  created: 2012-08-23  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048R/3352C710  created: 2012-08-29  expires: 2013-08-29  usage: S
sub  2048R/769C5F55  created: 2012-08-29  expires: 2013-08-29  usage: E
sub  2048R/E091D806  created: 2012-08-29  expires: 2013-08-29  usage: S
[ unknown] (1). Hendrik Niklas Jäger <henk at hnjs.ch>

So far everything is good.
The problems seem to start when gpgme gets involved. I noticed problems
when trying to use the new key on the card for mail-signing in
claws-mail and status-signing in psi, which both use gpgme.
I was pointed to
https://github.com/kylehuff/gpgme-snippets/blob/master/gpgsign/gpgsign.c
for a simple signing tool using gpgme. I adjusted it a little to allow
specifying the keyid to use, both versions are found on
https://gist.github.com/3709761/b4812694312b4a34748a7098eb61f2f9f73635ff.
The diff looks like this:
% diff gpgsign.c.old gpgsign.c
31a32
>     gpgme_key_t secret_key;
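Review bot: the `gpgme_key_t` handle declared here is never released. `gpgme_get_key` returns a key with a reference owned by the caller, and `gpgme_signers_add` takes its own reference, so after the signer has been added the program should call `gpgme_key_unref (secret_key);` (at the latest before `gpgme_release (ctx)`), otherwise the key object leaks on every signing run.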
64a66,73
> 
>     // Find key to use
>     err = gpgme_get_key(ctx, keyID, &secret_key, 1);
>     fail_if_err (err);
> 
>     // Adding found key to signers
>     err = gpgme_signers_add(ctx, secret_key);
>     fail_if_err (err);
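Review bot: the lookup `gpgme_get_key (ctx, keyID, &secret_key, 1)` is given the primary key ID (`dc256ed6` in the failing run), while the gpg command line that works used `-u '3352C710!'`, i.e. it forced the signing subkey with the `!` suffix, so the two runs do not exercise the same key selection. Two things are worth checking before `gpgme_signers_add`: that `secret_key->can_sign` is set and that walking `secret_key->subkeys` finds a subkey with both `can_sign` and `secret` set, since with `secret = 1` gpgme only reports what the secret keyring lists and this key's primary is a stub (`sec#`); and that the argument is unambiguous, because `gpgme_get_key` fails with `GPG_ERR_AMBIGUOUS_NAME` when a short ID matches more than one key. Passing the subkey fingerprint printed by `gpg --verify` (the `Subkey fingerprint:` line) instead of the short primary ID would make the test equivalent to the working gpg invocation.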

(I have almost no experience with C or GPGME, so I’d appreciate any
advice on how to make that any better!)
It does not seem to work for my new key though:

% ./gpgsign 9914042f 'test test test'
Signing "test test test" with key 9914042f
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

test test test
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBcRMUACgkQ5PO/ypkUBC9nPgCfeK4N4j5/jB12l0q1dxEhSmL9
HWwAn1toIdL2pVcgZ2b0j7oAx1hzXG/4
=lk6b
-----END PGP SIGNATURE-----

Signature made with Key: 50F8BC65295CF4368BC9A3BAE4F3BFCA9914042F
Created: 1348224197; Expires 0
Validity: unknown; Signature Status: GOOD

% ./gpgsign dc256ed6 'test test test'
Signing "test test test" with key dc256ed6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

test test test

gpgsign.c:153: GPGME: No data


I have absolutely no idea why that is happening or how to get it
working properly. Am I doing something obviously wrong?
What other information should I provide?
Has anyone experienced similar problems and got them solved?

Thank you for reading and any comments!

Best regards

Hendrik
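An added example, not part of the post above and not code from gpgme-snippets: a stand-alone Python check of what a clearsigned message produced by a gpgme-based tool should look like, run over the two outputs shown in the post. It checks the armor CRC24 and decodes the version 4 signature packet header (RFC 4880), which is where the tool's "Signature made with Key: ...9914042F" and "Created: 1348224197" lines come from, and it rejects output that stops before the signature block, which is what the card-key run printed before "No data". The good message is copied verbatim from the old-key run; the truncated sample is constructed here by cutting that message before the signature armor, so it stands in for the card-key output (which carried "Hash: SHA256" instead). It does not verify the signature itself; that still needs the signer's public key and gpg or gpgme.

```python
import base64
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Output of ./gpgsign for the old 1024D key, copied verbatim from the post.
CLEARSIGNED_OK = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

test test test
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBcRMUACgkQ5PO/ypkUBC9nPgCfeK4N4j5/jB12l0q1dxEhSmL9
HWwAn1toIdL2pVcgZ2b0j7oAx1hzXG/4
=lk6b
-----END PGP SIGNATURE-----
"""
# Constructed here: the shape of the card-key output in the post, headers and text but no signature block.
CLEARSIGNED_TRUNCATED = CLEARSIGNED_OK.split(BEGIN_SIG)[0]

def crc24(data):
    """OpenPGP armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def _packet_header(buf):
    """(tag, body offset, body length) of an old-format packet header, the kind used here."""
    if buf[0] & 0xC0 != 0x80 or buf[0] & 3 == 3:
        raise ValueError("unsupported packet header")
    n = (1, 2, 4)[buf[0] & 3]
    return (buf[0] >> 2) & 0x0F, 1 + n, int.from_bytes(buf[1:1 + n], "big")

def _subpackets(data):
    """Yield (type, value) for a run of signature subpackets (RFC 4880, 5.2.3.1)."""
    i = 0
    while i < len(data):
        o = data[i]
        if o < 192:
            length, i = o, i + 1
        elif o < 255:
            length, i = ((o - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
        yield data[i] & 0x7F, data[i + 1:i + length]
        i += length

def parse_clearsigned(msg):
    """Check the armor of a cleartext-signed message and decode its v4 signature header.
    Raises ValueError if the signature block is missing, truncated or corrupt; does not
    verify the signature itself, which needs the signer's public key."""
    it = iter(msg.splitlines())
    if next(it, None) != BEGIN_MSG:
        raise ValueError("not a cleartext-signed message")
    hdrs = list(iter(it.__next__, ""))        # message headers end at a blank line
    hash_hdr = next((h[6:] for h in hdrs if h.startswith("Hash: ")), "")
    text, b64, crc = [], [], None
    for line in it:                           # signed text, dash-escaping removed
        if line == BEGIN_SIG:
            break
        text.append(line[2:] if line.startswith("- ") else line)
    else:
        raise ValueError("no signature block: output is truncated or unsigned")
    list(iter(it.__next__, ""))               # skip armor headers (Version:, Comment:)
    for line in it:                           # base64 body, then the "=CRC" line
        if line == END_SIG:
            break
        if line.startswith("="):
            crc = line[1:]
        else:
            b64.append(line)
    else:
        raise ValueError("armor block is not terminated")
    packet = base64.b64decode("".join(b64), validate=True)
    if crc is None or crc24(packet) != int.from_bytes(base64.b64decode(crc), "big"):
        raise ValueError("armor CRC24 missing or mismatched")
    tag, off, blen = _packet_header(packet)
    body = packet[off:off + blen]
    if tag != 2 or len(body) != blen or body[0] != 4:
        raise ValueError("not a complete version 4 signature packet")
    hlen = int.from_bytes(body[4:6], "big")
    ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
    sub = dict(_subpackets(body[8 + hlen:8 + hlen + ulen]))   # unhashed first ...
    sub.update(_subpackets(body[6:6 + hlen]))                  # ... so hashed ones win
    return {"hash_header": hash_hdr, "text": "\n".join(text), "version": body[0],
            "sig_type": body[1], "pk_algo": body[2], "hash_algo": body[3],
            "created": int.from_bytes(sub[2], "big") if 2 in sub else None,
            "issuer": sub[16].hex().upper() if 16 in sub else None}

def is_complete(msg):
    try:
        return bool(parse_clearsigned(msg))
    except ValueError:
        return False
```

For the old-key output this yields pk_algo 17 (DSA) and hash_algo 2 (SHA-1), matching the 1024D key and the "Hash: SHA1" header, sig_type 1 (canonical text document), the creation time 1348224197 that the tool printed, and issuer E4F3BFCA9914042F, the low 64 bits of the fingerprint the tool reported. For the card-key output it returns False, which is the check a gpgme caller wants before treating a signing operation as done: the text was emitted but no signature followed it.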