Broken ECDSA in gnupg 2.0.23

Anatol Pomozov anatol.pomozov at
Sat Jun 21 06:22:26 CEST 2014


It is a follow-up for Linux Arch bug

At Linux Arch we have gnupg 2.0.23 and found that gpg-agent does not
handle private ecdsa keys correctly. rsa works fine. Here is how it

[anatol at foo ~]$ eval $(gpg-agent --daemon --enable-ssh-support)

GPG_AGENT_INFO=/tmp/gpg-i3poXG/S.gpg-agent:20508:1; export GPG_AGENT_INFO;
SSH_AUTH_SOCK=/tmp/gpg-xJfp79/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
[anatol at foo ~]$ ssh-add ~/.ssh/id_rsa
Identity added: /home/anatol/.ssh/id_rsa (/home/anatol/.ssh/id_rsa)
[anatol at foo ~]$ ssh-add ~/.ssh/id_ecdsa
Enter passphrase for /home/anatol/.ssh/id_ecdsa:
Could not add identity: /home/anatol/.ssh/id_ecdsa

Our users claim that this started since the libgcrypt 1.6.0 update. With
libgcrypt 1.5+ gpg-agent worked without a problem. Some people tried
to build gnupg from the 'master' branch (i.e. 2.1-beta) and found it works
fine with libgcrypt 1.6+.

This makes us believe that the problem is in gnupg<->libgcrypt
integration. Looking at 'master' branch I see this commit;a=commit;h=21dab64030c95a909767bf6d8f99e8476f9df8a2
that fixes ECC for libgcrypt 1.6. gnupg developers, do you think that
it could be the reason of the problem we see? Do you plan to backport
it to 2.0-stable branch? It would be great to have ECC back in the
stable release.
