Application deadlock when using GnuPG, gpgsm, and Scute

John Scott jscott at posteo.net
Sun Apr 9 04:35:18 CEST 2023


Hi,

I'm using Debian Bookworm (Testing) with GnuPG, gpgsm, and Scute. My motivation for using this trio of tools is a little elaborate, so allow me to explain. For just the technical stuff, skip to the end.

I use OpenPGP for a variety of reasons, including for my own email security and because I'm a Debian contributor. I do believe it is the better cryptosystem for my day-to-day needs, and I've been using it for a handful of years. I also like using my OpenPGP smartcards and the fact that I can use them for SSH too; I'm a believer in the concept of Monkeysphere and that SSH could benefit from a more powerful cryptosystem. I also digitally sign all of my Git commits.

I'm also a student at Indiana University, where we have S/MIME certificates. S/MIME is the predominant cryptosystem at IU, so it makes sense for me to use that instead there. I use it for signing and encrypting email, for digitally signing my homework PDFs, and if I need to make Git repos, might use my certificate for signing those too. Again, in the spirit of Monkeysphere, I might use my IU certificate's keypair to do SSH into IU machines; this has the benefit that IU administrators can verify the authenticity of my SSH key by noticing that it's the same raw public key as my certificate (whether anyone would appreciate that in practice, I doubt it).

IU forced upon me an RSA 4096 certificate, which OpenSC refuses to put on to my (second) Gnuk (Nitrokey Start) because of the space squeeze. Here's what I've done.
 * I've imported the certificate with private key into gpgsm.
 * Then I went to edit my personal OpenPGP key and create a subkey that uses the same keypair as the certificate.
 * Lastly, I moved that subkey over to the smartcard.
This has the benefit that, if you already trust my OpenPGP key, you can see that my certificate raw public key also happens to be an OpenPGP subkey, and thus you can consider it trustworthy.

This looks like it's supposed to be doing the right thing. When I insert my Gnuk #2 into my machine and try to sign something with my IU certificate, gpgsm is smart enough to realize that the private key is on my Gnuk.

However, when I try to use Firefox, Evolution, pdfsig from Poppler, and other applications that try talking to Scute, they hang when I have my Gnuk #2 inserted. An strace shows
read(6, "4.17=#3437343035::%0Auid:e::::::"..., 999) = 999
read(6, "::%0Agrp:::::::::B5AE798D0A57B3B"..., 999) = 999
read(6, ".5.4.5=#5A5A5A5A5A5A4131,O=Sieme"..., 999) = 999
read(6, "03355375058::%0Auid:e::::::::<mi"..., 999) = 999
read(6, "D8953E167A8902ECBC0734DF41B9B57B"..., 999) = 999
read(6, "O=Internet2,L=Ann Arbor,ST=MI,C="..., 999) = 376
read(6, "D ,C=US,O=Indiana University::%0"..., 1002) = 1002
read(6, "75107F3EF32EC5F1D2FC9EBE4F158237"..., 999) = 999
read(6, "diana,STREET=107 South Indiana A"..., 999) = 999
read(6, "8237AE459B7C:%0Afp2:::::::::A2EA"..., 999) = 999
read(6, "5::CN=InCommon RSA Standard Assu"..., 999) = 999
read(6, "10E2244B7CB31:%0Auid:e::::::::1."..., 999) = 999
read(6, "943EEAECD1775462D::CN=InCommon R"..., 999) = 999
read(6, "7031F9EF1D23E803A317801AB09B3536"..., 999) = 999
read(6, "nce Client CA,OU=InCommon,O=Inte"..., 999) = 380
read(6, "S PROGRESS tick ? 0 0\n", 1002) = 22
read(6, "S PROGRESS tick ? 0 0\n", 1002) = 22
read(6, "S PROGRESS tick ? 0 0\n", 1002) = 22
read(6, "S PROGRESS tick ? 0 0\n", 1002) = 22

where those last few lines keep repeating.

Any idea on how to approach this? Note that GnuPG 2.3 is not available in Debian, not even in Debian experimental yet, but as soon as the packagers provide it I will give it a try. Perhaps I'll install GnuPG 2.3 myself in /usr/local when I'm done sending this mail and report on whether it helps.

Thanks for taking a look