Seeking Assistance with GnuPG for Signing Arbitrary Data Using a Smart Card

vuori vuori at
Thu Apr 6 11:09:27 CEST 2023

On Wed, Apr 05, 2023 at 11:17:00PM +0300, Yiğitcan UÇUM via Gnupg-users wrote:
> 3. I receive an error when trying to `SCD PKSIGN` with data above 64
> bytes: "ERR 100663351 Invalid value <SCD>". Is this a tooling
> limitation, or is there a way to sign arbitrary data? I can sign
> arbitrary data using `COMPUTE DIGITAL SIGNATURE` with direct APDU
> communication to the Smart Card.

I'm not particularly familiar with the Assuan protocol so can't say
about the other questions, but in general with generic token cards
(such as OpenPGP cards) you'll sign precomputed hashes instead of
having the card hash the data. So you should usually calculate the
hash yourself and then sign the result. (Hash-on-card seems more
useful for cases where the card application generates the message to
be signed by itself, such as EMV.)

In this kind of use case, you might also want to use PKAUTH (or
INTERNAL AUTHENTICATE in APDU terms) instead? It seems to be intended
for use with generic signing, while PKSIGN/COMPUTE DIGITAL SIGNATURE
is documented in the context of OpenPGP message signing.

scd/app-openpgp.c:{do_sign,do_auth} in GnuPG sources have some
informative comments on the process and the code looks mostly
straightforward too.


More information about the Gnupg-users mailing list