Seeking Assistance with GnuPG for Signing Arbitrary Data Using a Smart Card

Yiğitcan UÇUM yengas07 at gmail.com
Wed Apr 5 22:17:00 CEST 2023


Hello,

I am using a Yubikey 5C NFC with OpenPGP Version 3.4 Applet and an
`ed25519` curve signing key. I'm attempting to create `EdDSA`
Algorithm JWTs using GnuPG tooling, but I've encountered some
difficulties. I've used `gpg-connect-agent` to interact with my Smart
Card through a low-level API, as shown in the following commands:
```
RESET
SCD READKEY OPENPGP.1
SCD SETDATA $MY_ARBITRARY_DATA
SCD PKSIGN --hash=sha512 OPENPGP.1
```

I can sign arbitrary data with some limitations, and the successful
output looks like:
```
OK
D (10:public-key(3:ecc(5:curve7:Ed25519)(5:flags5:eddsa)(1:q33:@?m�7;��5%0A�A�2v��o�s��ρ��pE�g9)))
OK
OK
D @�����୅�;�\���T�t�%25���kLJ
                            �Ku�Q[��~���L��#V%0D;Gp/@�J�

OK
```

I have a few questions about this process:

1. Is it feasible to use `gpg-connect-agent` and the `SCD *`
operations for my goal? Are there any alternative approaches?
2. In the output, are the public key and signature encoded with
S-Expression and MPI? How should I parse this output?
3. I receive an error when trying to `SCD PKSIGN` with data above 64
bytes: "ERR 100663351 Invalid value <SCD>". Is this a tooling
limitation, or is there a way to sign arbitrary data? I can sign
arbitrary data using `COMPUTE DIGITAL SIGNATURE` with direct APDU
communication to the Smart Card.

Thank you for your help!

Kind regards,
Yigitcan
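The parsing side of questions 2 and 3, as an added example that is not part of the original post or of GnuPG's own code: the script below undoes the `%XX` escaping that Assuan applies to `D` lines, parses the canonical S-expression that `SCD READKEY` returns (the `(10:public-key(3:ecc(5:curve7:Ed25519)...` form shown above), pulls the 32-byte Ed25519 public key out of `q` (libgcrypt prefixes the compressed point with a 0x40 byte, which is why the atom is `q33:`), and turns it into an RFC 8037 OKP JWK. It also builds the JWS signing input for an `alg: EdDSA` JWT, the matching `SCD SETDATA` hex argument, and the final compact JWT from the signature. Assumptions of mine, not facts from the post: that `SCD PKSIGN` returns the raw 64-byte `R || S` signature rather than an S-expression, and that `%`, CR and LF are the escaped bytes. The sample key and signature bytes are constructed for the demo. Because pure Ed25519 (RFC 8032) signs the whole message rather than a digest, the signing input cannot be pre-hashed on the host, so the 64-byte `SETDATA` cap the post hits is checked explicitly instead of silently truncating.

```python
"""Parse scdaemon (gpg-connect-agent) output for an Ed25519 card key and
assemble an EdDSA JWT (RFC 8037) from it.

Added example, not from the original post or GnuPG. Assumptions:
  * `SCD READKEY` returns a libgcrypt canonical S-expression (as in the post);
  * `SCD PKSIGN` returns the raw 64-byte Ed25519 signature R || S;
  * both arrive on Assuan "D " lines with '%', CR and LF escaped as %XX.
"""
import base64
import json

SETDATA_LIMIT = 64  # the cap the post reports for SCD SETDATA


def assuan_decode(line: bytes) -> bytes:
    """Undo %XX escaping on the payload of an Assuan 'D ' line (prefix removed)."""
    out, i = bytearray(), 0
    while i < len(line):
        if line[i] == 0x25:  # '%'
            out.append(int(line[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(line[i])
            i += 1
    return bytes(out)


def assuan_encode(data: bytes) -> bytes:
    """Escape '%', CR and LF as Assuan does; used here to build sample lines."""
    return b"".join(b"%%%02X" % b if b in (0x25, 0x0D, 0x0A) else bytes([b]) for b in data)


def parse_csexp(data: bytes):
    """Parse a canonical S-expression (`<len>:<bytes>` atoms inside nested parens)."""
    def parse(pos):
        if data[pos:pos + 1] == b"(":
            items, pos = [], pos + 1
            while data[pos:pos + 1] != b")":
                item, pos = parse(pos)
                items.append(item)
            return items, pos + 1
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        return data[start:start + length], start + length

    expr, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after S-expression")
    return expr


def find(expr, tag: bytes):
    """Depth-first search for the sub-list whose first atom is `tag`."""
    if isinstance(expr, list):
        if expr and expr[0] == tag:
            return expr
        for item in expr:
            hit = find(item, tag)
            if hit is not None:
                return hit
    return None


def ed25519_pubkey_from_readkey(d_line: bytes) -> bytes:
    """Extract the 32-byte Ed25519 public key from an `SCD READKEY OPENPGP.1` D line."""
    sexp = parse_csexp(assuan_decode(d_line))
    curve = find(sexp, b"curve")
    if curve is None or curve[1] != b"Ed25519":
        raise ValueError("not an Ed25519 key")
    q = find(sexp, b"q")[1]
    # libgcrypt encodes the compressed point as 0x40 || 32 bytes, hence "q33:" in the post
    if len(q) != 33 or q[0] != 0x40:
        raise ValueError("unexpected point encoding")
    return q[1:]


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_from_pubkey(pubkey: bytes) -> dict:
    """RFC 8037 OKP JWK for the card's public key (what a JWT verifier needs)."""
    return {"kty": "OKP", "crv": "Ed25519", "x": b64url(pubkey)}


def jws_signing_input(claims: dict) -> bytes:
    """BASE64URL(header) '.' BASE64URL(payload): the exact bytes the card must sign."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return (enc({"alg": "EdDSA", "typ": "JWT"}) + "." + enc(claims)).encode()


def fits_single_setdata(signing_input: bytes) -> bool:
    return len(signing_input) <= SETDATA_LIMIT


def setdata_command(signing_input: bytes) -> str:
    """Build the SCD SETDATA line; refuses input beyond the cap rather than truncating."""
    if not fits_single_setdata(signing_input):
        raise ValueError(f"{len(signing_input)} bytes exceeds the {SETDATA_LIMIT}-byte SETDATA limit")
    return "SCD SETDATA " + signing_input.hex().upper()


def assemble_jwt(signing_input: bytes, pksign_d_line: bytes) -> str:
    """Append BASE64URL(R || S) taken from the PKSIGN D line to the signing input."""
    sig = assuan_decode(pksign_d_line)
    if len(sig) != 64:
        raise ValueError(f"expected 64 signature bytes, got {len(sig)}")
    return signing_input.decode() + "." + b64url(sig)


def build_readkey_d_line(pubkey: bytes) -> bytes:
    """Constructed sample READKEY response in the post's format (demo input only)."""
    q = b"\x40" + pubkey
    sexp = (b"(10:public-key(3:ecc(5:curve7:Ed25519)(5:flags5:eddsa)"
            b"(1:q" + str(len(q)).encode() + b":" + q + b")))")
    return assuan_encode(sexp)


if __name__ == "__main__":
    sample_key = bytes(range(0x0A, 0x2A))  # constructed; contains LF, CR and '%'
    pub = ed25519_pubkey_from_readkey(build_readkey_d_line(sample_key))
    print(json.dumps(jwk_from_pubkey(pub)))
    signing_input = jws_signing_input({"sub": "card-demo", "iat": 1680700000})
    if fits_single_setdata(signing_input):
        print(setdata_command(signing_input))
    else:
        print(f"signing input is {len(signing_input)} bytes; exceeds SETDATA cap")
    print(assemble_jwt(b"a.b", assuan_encode(bytes(range(64)))))  # constructed signature
```

The two checks worth keeping in any real pipeline are the ones on `q` (length 33 and the 0x40 prefix, so a non-Ed25519 or differently encoded key is rejected before a JWK is published) and on the signature length (64 bytes, so a short or error response from the card never becomes a malformed token).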



More information about the Gnupg-users mailing list