Does gpgsm support ECDSA-with-sha256 signature?

Borden borden_c at tutanota.com
Sun Feb 6 08:07:21 CET 2022


Good morning,

According to dev.gnupg.org <https://dev.gnupg.org/T4092>, EC support has been in gpgsm for a while now. However, I cannot import an EC certificate/key pair (generated by CPanel via COMODO) into gpgsm. This is a bummer because Kleopatra is basically a gpgsm frontend.

The output I get is:

gpgsm: 1240 bytes of RC2 encrypted text 
gpgsm: processing certBag 
gpgsm: unknown digest algorithm '1.2.840.10045.4.3.2' used certificate 
gpgsm: certificate has a BAD signature: General error 
gpgsm: basic certificate checks failed - not imported 
gpgsm: 192 bytes of 3DES encrypted text 
gpgsm: data error at "decrypted-text", offset 1071903942 
gpgsm: error at "bag-sequence", offset 1364 
gpgsm: error parsing or decrypting the PKCS#12 file 
gpgsm: total number processed: 1 
gpgsm:           not imported: 1
 
... when I import the CA bundle into gpgsm first. However, if I import the certificate/key pair first, the import works with warnings:

gpgsm: 1240 bytes of RC2 encrypted text 
gpgsm: processing certBag 
gpgsm: dirmngr cache-only key lookup failed: Not found 
gpgsm: external URL lookup failed: Connection refused 
gpgsm: issuer certificate {FE198899934848D2C2A56715955F3501318E738B} not found using authorityKeyIdentifier 
gpgsm: dirmngr cache-only key lookup failed: Not found 
gpgsm: external URL lookup failed: Connection refused 
gpgsm: issuer certificate (#/CN=cPanel\, Inc. ECC Certification Authority,O=cPanel\, Inc.,L=Houston,ST=TX,C=US) not found 
gpgsm: dirmngr cache-only key lookup failed: Not found 
gpgsm: external URL lookup failed: Connection refused 
gpgsm: issuer certificate {FE198899934848D2C2A56715955F3501318E738B} not found using authorityKeyIdentifier 
gpgsm: dirmngr cache-only key lookup failed: Not found 
gpgsm: external URL lookup failed: Connection refused 
gpgsm: 192 bytes of 3DES encrypted text 
gpgsm: data error at "decrypted-text", offset 3705267398 
gpgsm: error at "bag-sequence", offset 1364 
gpgsm: error parsing or decrypting the PKCS#12 file 
gpgsm: total number processed: 1 
gpgsm:               imported: 1
 
However, when I subsequently import the CA bundle, gpgsm does not mark my certificate as certified, implying that there's some breakage in the trust chain.

If anybody wants to play with this, I've uploaded the CA bundle to https://paste.debian.net/1229750/ and my certificate to https://paste.debian.net/1229751/ . Both links will expire on 9 February 2022.

With thanks,
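
The OID 1.2.840.10045.4.3.2 in the first log above is ecdsa-with-SHA256, the algorithm named in the subject line. As an added example that is not part of the original post or of GnuPG, the Python code below reads the signatureAlgorithm field from a DER-encoded certificate, which helps confirm which algorithm a certificate uses before importing it; the function names and the sample bytes are constructed for illustration.

```python
# Added example: read the signatureAlgorithm OID from a DER X.509 certificate.
KNOWN = {  # small, non-exhaustive map of signature algorithm OIDs
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def read_tlv(data, pos):
    """Return (tag, body_start, body_end) of the DER element at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("bad length encoding")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated body")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OID content bytes (base-128 subidentifiers) to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    subids, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of a subidentifier
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)  # first two arcs share one subidentifier
    return ".".join(map(str, [first, subids[0] - 40 * first, *subids[1:]]))

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, start, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(cert_der, start)             # skip tbsCertificate
    alg_tag, alg_start, _ = read_tlv(cert_der, tbs_end)   # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("unexpected structure")
    oid = decode_oid(cert_der[oid_start:oid_end])
    return oid, KNOWN.get(oid, "unknown")

# Constructed skeleton (empty tbsCertificate and signature), not a real certificate.
SAMPLE = bytes.fromhex("3011" "3000" "300a06082a8648ce3d040302" "030100")
```
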


