scute / firefox: cannot connect to GPG agent

Damien Goutte-Gattat dgouttegattat at incenp.org
Mon Jun 5 20:29:30 CEST 2017


On 06/05/2017 07:54 PM, Fabian Peter Hammerle wrote:
> Ah, I didn't know I had to write the certificate onto the Yubikey.

You do not *have* to; Scute can fetch the certificate either from the 
token itself or from the gpgsm store. But it will first try to fetch it 
from the token.

Storing the certificate on the token itself instead of relying on the 
gpgsm store allows you to use your token on a machine that is not your 
usual machine.


>> Could you extract the certificate from the smartcard and have a look at it?
>>    $ gpg --card-edit
>>    gpg/card> readcert 3 > file.der
>>    gpg/card> quit
> 
> $ od -x file.der
>> 0000000 217f 0082 ffff ffff ffff ffff ffff ffff
>> 0000020 ffff ffff ffff ffff ffff ffff ffff ffff
>> *
>> 0000400 ffff 00ff
>> 0000403

I don't pretend to be an X.509 or ASN.1 expert (far from it!), but this 
does not look like an X.509 certificate at all.


> gpg: error writing certificate to card: Provided object is too large
> 
> Do I have to choose a smaller key size?

Check the maximal size supported by the Yubikey:

   $ gpg-connect-agent 'SCD GETATTR EXTCAP' /bye

The output should be a line like the following:

   S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=2048+aac=1+sm=0+si=5+dec=0+bt=0

The maximal size for the certificate to be stored on the token is 
indicated by the "mcl3" value (so, 2048 bytes in this example). Your 
DER-encoded certificate should not be bigger than that.
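As an added illustration (this is not part of Damien's message and not
GnuPG or Scute code), the following Python script performs the two checks
described in this thread: it parses the "S EXTCAP" status line to obtain
the "mcl3" limit, and it reads the outer DER length of a certificate file
to confirm that the file really is a DER SEQUENCE (tag 0x30, which is how
every X.509 certificate begins) whose size fits within that limit. The
EXTCAP line is the one quoted above; the "card dump" bytes are
reconstructed from the od output quoted earlier in the thread (od -x prints
little-endian 16-bit words, so "217f 0082" is the byte sequence 7f 21 82 00);
the two "certificate" blobs are constructed placeholders with dummy
content, not real certificates.

```python
import re

# The EXTCAP status line quoted in the message (real output format).
EXTCAP_LINE = "S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=2048+aac=1+sm=0+si=5+dec=0+bt=0"

# Reconstructed from the od dump in the thread: 7f 21 82 00, then 0xff bytes,
# ending in ff ff ff 00 at octal offset 0400..0403 (259 bytes total).
CARD_DUMP = b"\x7f\x21\x82\x00" + b"\xff" * 254 + b"\x00"

# Constructed placeholders: a DER SEQUENCE header followed by dummy content.
# 0x30 0x82 0x07 0xFC = SEQUENCE of 2044 bytes -> 2048 bytes in total (fits).
FITTING_CERT = b"\x30\x82\x07\xfc" + b"\x00" * 2044
# 0x30 0x82 0x0F 0xA0 = SEQUENCE of 4000 bytes -> 4004 bytes in total (too big).
TOO_BIG_CERT = b"\x30\x82\x0f\xa0" + b"\x00" * 4000


def parse_extcap(line: str) -> dict:
    """Turn 'S EXTCAP k=v+k=v...' into a dict of integer capabilities."""
    m = re.match(r"^S EXTCAP\s+(\S+)", line.strip())
    if not m:
        raise ValueError("not an EXTCAP status line")
    caps = {}
    for item in m.group(1).split("+"):
        key, _, val = item.partition("=")
        caps[key] = int(val)
    return caps


def der_outer_length(data: bytes) -> int:
    """Return the total length of the outer DER TLV, or raise if it is not a SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE (tag 0x30)")
    first = data[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("invalid DER length encoding")
    length = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + length


def check_cert_fits(cert: bytes, extcap_line: str):
    """Return (ok, reason): is 'cert' a DER certificate no larger than mcl3?"""
    caps = parse_extcap(extcap_line)
    limit = caps.get("mcl3")
    if limit is None:
        return False, "EXTCAP line carries no mcl3 value"
    try:
        total = der_outer_length(cert)
    except ValueError as exc:
        return False, f"not a DER certificate: {exc}"
    if total != len(cert):
        return False, f"DER length {total} does not match file size {len(cert)}"
    if total > limit:
        return False, f"certificate is {total} bytes, token accepts at most {limit}"
    return True, f"{total} bytes fits within mcl3={limit}"


if __name__ == "__main__":
    for name, blob in (("card dump", CARD_DUMP),
                       ("fitting cert", FITTING_CERT),
                       ("too-big cert", TOO_BIG_CERT)):
        ok, reason = check_cert_fits(blob, EXTCAP_LINE)
        print(f"{name:13s} {'OK ' if ok else 'BAD'} {reason}")
```

To use it against a real token, paste the line printed by
`gpg-connect-agent 'SCD GETATTR EXTCAP' /bye` into EXTCAP_LINE and read the
DER file produced by `readcert 3` into the bytes passed to check_cert_fits;
the card dump from the thread fails the very first check because its first
byte is 0x7f rather than 0x30.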

But if it happens that your Yubikey does not support 4096-bit 
certificates, and you still want such a certificate, then you could 
simply erase the (corrupted) certificate on the Yubikey. As I said 
above, Scute will fetch the certificate from the gpgsm store if it 
cannot find it on the token.

As far as I know there is no command in the gpg card editor to erase the 
certificate, but I *think* using the writecert command with /dev/null as 
input should do the trick (I have not tested).
