scute / firefox: cannot connect to GPG agent
dgouttegattat at incenp.org
Mon Jun 5 20:29:30 CEST 2017
On 06/05/2017 07:54 PM, Fabian Peter Hammerle wrote:
> Ah, I didn't know I had to write the certificate onto the Yubikey.
You do not *have* to; Scute can fetch the certificate both from the
token itself, or from the gpgsm store. But it will try first to fetch it
from the token.
Storing the certificate on the token itself instead on relying on the
gpgsm store allows you to use your token on a machine that is not your
>> Could you extract the certificate from the smartcard and have a look at it?
>> $ gpg --card-edit
>> gpg/card> readcert 3 > file.der
>> gpg/card> quit
> $ od -x file.der
>> 0000000 217f 0082 ffff ffff ffff ffff ffff ffff
>> 0000020 ffff ffff ffff ffff ffff ffff ffff ffff
>> 0000400 ffff 00ff
I don't pretend to be a X.509 or ASN1 expert (far from it!), but this
does not look like a X.509 certificate at all.
> gpg: error writing certificate to card: Provided object is too large
> Do I have to choose a smaller key size?
Check the maximal size supported by the Yubikey:
$ gpg-connect-agent 'SCD GETATTR EXTCAP' /bye
The output should be a line like the following:
S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=2048+aac=1+sm=0+si=5+dec=0+bt=0
The maximal size for the certificate to be stored on the token is
indicated by the "mcl3" value (so, 2048 bytes in this example). Your
DER-encoded certificate should not be bigger than that.
But if it happens that your Yubikey does not support 4096-bit
certificates, and you still want such a certificate, then you could
simply erase the (corrupted) certificate on the Yubikey. As I said
above, Scute will fetch the certificate from the gpgsm store if it
cannot find it on the token.
As far as I know there is no command in the gpg card editor to erase the
certificate, but I *think* using the writecert command with /dev/null as
input should do the trick (I have not tested).
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 488 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-users