gpgsm: ksba_cms_parse failed: Broken pipe
Jakob Bohm
jb-gnumlists at wisemo.com
Thu Dec 14 16:19:10 CET 2023
Dear list,
I am using gpgsm in a script for its ability to efficiently process CMS
format messages larger than available memory. However, after a recent
script change, it now fails every time on previously accepted data with
error messages that are essentially gpg implementation internals
gobbledygook.
Versions involved (distribution supplied builds, so not latest upstream
source):
$ uname -a
Linux <hostname> 5.10.0-0.deb10.21-amd64 #1 SMP Debian
5.10.162-1~deb10u1 (2023-02-14) x86_64 GNU/Linux
$ gpgsm --version
gpgsm (GnuPG) 2.2.27
libgcrypt 1.8.4
libksba 1.3.5-unknown
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/me/.gnupg
Supported algorithms:
Cipher: 3DES, AES128, AES192, AES256, SERPENT128, SERPENT192,
SERPENT256, SEED, CAMELLIA128, CAMELLIA192, CAMELLIA256
Pubkey: RSA, ECC
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224, WHIRLPOOL
Command lines (from a bash script, sorry for long lines):

# Note: $infl is archived gzipped DER-encoded CMS SignedData of
#       privacy-sensitive data
# $DSTAMP is the date/time when the signature is supposed to be valid
# $fprint is the fingerprint of the only allowed signer certificate
# $wrkdir is a unique temporary directory.
# faketime, gpgsm, grep, zcat, cat and false are the usual GNU or
#       distribution tools
# shell is GNU bash
# non-debug environment is a cron job
zcat "${infl}" |
  faketime "${DSTAMP}" gpgsm --verify --validation-model shell \
    --assume-binary --status-fd 3 --output - - 3>"${wrkdir}/sigdec.status" || :
( ( grep "^\[GNUPG:\] \(GOOD\|EXPKEY\)SIG ${fprint}" "${wrkdir}/sigdec.status" &&
    grep "^\[GNUPG:\] VALIDSIG ${fprint}" "${wrkdir}/sigdec.status" ) >/dev/null ||
  ( cat "${wrkdir}/sigdec.status" >&2 ; false ) )
Message on stderr:
gpgsm: ksba_cms_parse failed: Broken pipe
Message on status-fd (copied to stderr by cat command):
[GNUPG:] ERROR verify.leave 32877
So what do these error messages mean, and why aren't they described in
the documentation (info and man)?
Which of the inputs was being truncated on the way to that parsing
function?
P.S.
It would be much easier if the gpgsm code could be used standalone
like the old gpg1 could, with no entanglement to pinentry, dirmgr,
status-fd protocol etc. etc. Scripted signing and verification of
computer generated data is not suited to a human-centric user
interface.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
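An added example, not code from the post above or from GnuPG: a small POSIX sh checker in the spirit of the grep test in that script. It requires a GOODSIG or EXPKEYSIG line and a VALIDSIG line for the expected fingerprint, and it also treats any "[GNUPG:] ERROR ..." status line as a hard failure, so a parser abort such as "ERROR verify.leave 32877" is reported with its text instead of looking like a merely missing signature. The fingerprint and the sample status files are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or GnuPG): check a gpgsm
# --status-fd capture for a valid signature by one expected signer and
# fail loudly on any ERROR status line.

# Constructed fingerprint standing in for $fprint in the script above.
FPR="1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D"

# check_cms_status STATUSFILE FINGERPRINT
# Returns 0 only when STATUSFILE holds no ERROR line, a GOODSIG or EXPKEYSIG
# line for FINGERPRINT and a VALIDSIG line for FINGERPRINT; otherwise prints
# the reason to stderr and returns 1.
check_cms_status() {
    status_file=$1
    fpr=$2
    if grep -q '^\[GNUPG:\] ERROR ' "$status_file"; then
        echo "gpgsm reported an internal error:" >&2
        grep '^\[GNUPG:\] ERROR ' "$status_file" >&2
        return 1
    fi
    # ERE so the alternation is portable beyond GNU grep's BRE \| extension.
    if ! grep -Eq "^\[GNUPG:\] (GOOD|EXPKEY)SIG $fpr" "$status_file"; then
        echo "no GOODSIG/EXPKEYSIG from expected signer $fpr" >&2
        return 1
    fi
    if ! grep -q "^\[GNUPG:\] VALIDSIG $fpr" "$status_file"; then
        echo "no VALIDSIG from expected signer $fpr" >&2
        return 1
    fi
    return 0
}

# Constructed sample status files (the VALIDSIG field values are made up).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
GOOD_STATUS="$TMP/good.status"
ERR_STATUS="$TMP/error.status"
printf '%s\n' \
    "[GNUPG:] GOODSIG $FPR /CN=example signer" \
    "[GNUPG:] VALIDSIG $FPR 2023-12-14 1702566000 0 0 0 1 8 00" \
    > "$GOOD_STATUS"
# The failure mode from the post: only an ERROR line, no signature lines.
printf '%s\n' "[GNUPG:] ERROR verify.leave 32877" > "$ERR_STATUS"

check_cms_status "$GOOD_STATUS" "$FPR" && echo "good.status: accepted"
check_cms_status "$ERR_STATUS" "$FPR" || echo "error.status: rejected"
```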