Broken ECDSA in gnupg 2.0.23
Anatol Pomozov
anatol.pomozov at gmail.com
Sat Jun 21 06:22:26 CEST 2014
Hi,
It is a followup for Linux Arch bug https://bugs.archlinux.org/task/40552
At Linux Arch we have gnupg 2.0.23 and found that gpg-agent does not
handle private ecdsa keys correctly. rsa works fine. Here is how it
looks:
[anatol at foo ~]$ eval $(gpg-agent --daemon --enable-ssh-support)
GPG_AGENT_INFO=/tmp/gpg-i3poXG/S.gpg-agent:20508:1; export GPG_AGENT_INFO;
SSH_AUTH_SOCK=/tmp/gpg-xJfp79/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
SSH_AGENT_PID=20508; export SSH_AGENT_PID;
[anatol at foo ~]$ ssh-add ~/.ssh/id_rsa
Identity added: /home/anatol/.ssh/id_rsa (/home/anatol/.ssh/id_rsa)
[anatol at foo ~]$ ssh-add ~/.ssh/id_ecdsa
Enter passphrase for /home/anatol/.ssh/id_ecdsa:
SSH_AGENT_FAILURE
Could not add identity: /home/anatol/.ssh/id_ecdsa
Our users claim that this stated since libgcrypt 1.6.0 update. With
libgcrypt 1.5+ gpg-agent worked without a problem. Some people tried
to build gnupg from 'master' branch (i.e. 2.1-beta) and found it works
fine with libgcrypt 1.6+.
This makes us believe that the problem is in gnupg<->libgcrypt
integration. Looking at 'master' branch I see this commit
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=21dab64030c95a909767bf6d8f99e8476f9df8a2
that fixes ECC for libgcrypt 1.6. gnupg developers, do you think that
it could be the reason of the problem we see? Do you plan to backport
it to 2.0-stable branch? It would be great to have ECC back in the
stable release.
More information about the Gnupg-users
mailing list