GPGSM detached signature without auth attributes

Stephan Beck stebe at mailbox.org
Tue Nov 22 01:58:00 CET 2016


Hi Jernej,

Jernej Kos:
> Hello!
> 
> I would like to use GPGSM to sign a Linux kernel module with a private
> key stored on an OpenPGP smartcard.

As to the OpenPGP card 2.1 [1] specification, you can store the private
key of an X.509 certificate on card (Data Object Cardholder Certificate,
TAG 7F21) ONLY for using it for authentication purposes in a
client/server environment, not for signing.
In version 3.0 of the OpenPGP card specification the decipher and sign
capabilities for use with a PKIX/X.509 certificate have been
introduced. Unfortunately I don't know of any existing OpenPGP smart
card that implements version 3.0 [2].
So, I guess, without even discussing the possibility (and further
details) of using a "smartcard-based" X.509 certificate's private key
with gpgsm for digitally signing a file while skipping/overriding/ignoring
CMS's auth attributes for signing a kernel module, it is not (yet)
feasible (in practice).

My 2 cents

Stephan
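An added check (my example, not code from Stephan's message or from GnuPG itself) that reads the specification version a card reports through `gpg --card-status` and applies the 3.0 threshold stated above for X.509 sign/decipher support. The `gpg --card-status` output format and the fallback sample text are assumptions; the sample is constructed, not captured from a real card.

```python
import re
import subprocess

# Constructed sample of `gpg --card-status` output for a card implementing
# the OpenPGP card 2.1 specification (not captured from a real card).
SAMPLE_CARD_STATUS = """\
Reader ...........: 0000:0000:X:0
Application ID ...: D2760001240102010000000000000000
Version ..........: 2.1
Manufacturer .....: unknown
Serial number ....: 00000000
"""

# Per the message above: sign/decipher with a PKIX/X.509 certificate was
# introduced in spec version 3.0; earlier versions allow the 7F21
# cardholder certificate only for client/server authentication.
X509_SIGN_MIN_VERSION = (3, 0)


def parse_card_version(status_text):
    """Return the OpenPGP card spec version as (major, minor) from card-status text."""
    m = re.search(r"^Version\s*\.*:\s*(\d+)\.(\d+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no Version line found in card-status output")
    return int(m.group(1)), int(m.group(2))


def x509_signing_supported(status_text):
    """True when the reported spec version is 3.0 or later."""
    return parse_card_version(status_text) >= X509_SIGN_MIN_VERSION


def live_card_status():
    """Run `gpg --card-status`; return None when gpg or a card is unavailable."""
    try:
        proc = subprocess.run(["gpg", "--card-status"], capture_output=True,
                              text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    text = live_card_status() or SAMPLE_CARD_STATUS
    major, minor = parse_card_version(text)
    verdict = "supported" if x509_signing_supported(text) else "not supported (auth only)"
    print(f"card spec version {major}.{minor}: X.509 sign/decipher {verdict}")
```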
