alonbl / gnupg-pkcs11-scd

PKCS#11 GnuPG SCD
http://gnupg-pkcs11.sourceforge.net/

ERR 41 Wrong public key algorithm <Unspecified source> #59

Open pyllyukko opened 6 months ago

pyllyukko commented 6 months ago

Ehlo.

I'm getting the following error in my logs and my attempts to use my smart card fail:

gnupg-pkcs11-scd[3885]: chan_0 <- KEYINFO --list
gnupg-pkcs11-scd[3885]: chan_0 -> ERR 41 Wrong public key algorithm <Unspecified source>

I'm using the libcryptoki.so provider as described here, so there are quite a lot of variables in this setup.

The error seems to happen with all the KEYINFO commands. My setup was working previously, but clearly some underlying component has updated down the road and now it's broken.

Any advice on where to look to get this sorted out? I'm happy to provide any additional information.

Versions

Software Version
gpg 2.4.3
libgcrypt 1.10.3
gnupg-pkcs11-scd 3b84225

alonbl commented 6 months ago

Hello, please test the latest release and not a random point in time. Please provide a debug log after you have done so. Thanks,

pyllyukko commented 6 months ago

Got it. You probably want the logs with debug-all & verbose. If it's ok, I'll send it via email.

pyllyukko commented 6 months ago

I've narrowed this down a bit. So something has changed between GnuPG versions 2.2 and 2.3 that makes this happen. With GnuPG version 2.2.42 everything works perfectly. I started to go back from version 2.3.0 and got as far as 2.3.0-beta1109 (3c4ab53) where this is already happening and was unable to compile earlier versions/commits.

Here are some log extracts from a decryption operation:

2.2.42 - smart card working

==> /home/pyllyukko/.gnupg/gpg-agent.log <==
2024-01-16 21:31:38 gpg-agent[26041] gpg-agent (GnuPG) 2.2.42 started

==> /home/pyllyukko/.gnupg/gpgsm.log <==
2024-01-16 21:31:38 gpgsm[26038] encrypted to rsa3072 key ...

==> /home/pyllyukko/.gnupg/gnupg-pkcs11-scd.log <==
gnupg-pkcs11-scd[26047.1563801920]: Listening to socket '/tmp/gnupg-pkcs11-scd.1FaTNv/agent.S'
gnupg-pkcs11-scd[26047.1563801920]: accepting connection
gnupg-pkcs11-scd[26047]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[26047.1563801920]: processing connection
gnupg-pkcs11-scd[26047]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[26047]: chan_0 -> D /tmp/gnupg-pkcs11-scd.1FaTNv/agent.S
gnupg-pkcs11-scd[26047]: chan_0 -> OK
gnupg-pkcs11-scd[26047]: chan_0 <- OPTION event-signal=12
gnupg-pkcs11-scd[26047]: chan_0 -> OK
gnupg-pkcs11-scd[26047]: chan_0 <- SERIALNO --demand=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
gnupg-pkcs11-scd[26047]: chan_0 -> S SERIALNO YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY 0
gnupg-pkcs11-scd[26047]: chan_0 -> OK

==> /home/pyllyukko/.gnupg/gpg-agent.log <==
2024-01-16 21:31:39 gpg-agent[26041] detected card with S/N YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY

==> /home/pyllyukko/.gnupg/gnupg-pkcs11-scd.log <==
gnupg-pkcs11-scd[26047]: chan_0 <- SETDATA ...
gnupg-pkcs11-scd[26047]: chan_0 -> OK
gnupg-pkcs11-scd[26047]: chan_0 <- PKDECRYPT ...
gnupg-pkcs11-scd[26047]: chan_0 -> S PADDING 0
gnupg-pkcs11-scd[26047]: chan_0 -> [ xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ...(2 byte(s) skipped) ]
gnupg-pkcs11-scd[26047]: chan_0 -> OK
gnupg-pkcs11-scd[26047]: chan_0 <- RESTART
gnupg-pkcs11-scd[26047]: chan_0 -> OK

2.3.0-beta1109 - smart card NOT working

==> /home/pyllyukko/.gnupg/gpg-agent.log <==
2024-01-16 21:48:38 gpg-agent[26925] gpg-agent (GnuPG) 2.3.0-beta1109 started

==> /home/pyllyukko/.gnupg/gpgsm.log <==
2024-01-16 21:48:38 gpgsm[26923] Note: non-critical certificate policy not allowed
2024-01-16 21:48:39 gpgsm[26923] Note: non-critical certificate policy not allowed
2024-01-16 21:48:39 gpgsm[26923] DBG: recp 0 - issuer: '...'
2024-01-16 21:48:39 gpgsm[26923] DBG: recp 0 - serial: XXXXXXXX

==> /home/pyllyukko/.gnupg/gnupg-pkcs11-scd.log <==
gnupg-pkcs11-scd[26930.3407657280]: Listening to socket '/tmp/gnupg-pkcs11-scd.Jyjbtk/agent.S'
gnupg-pkcs11-scd[26930.3407657280]: accepting connection
gnupg-pkcs11-scd[26930]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[26930.3407657280]: processing connection
gnupg-pkcs11-scd[26930]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[26930]: chan_0 -> D /tmp/gnupg-pkcs11-scd.Jyjbtk/agent.S
gnupg-pkcs11-scd[26930]: chan_0 -> OK
gnupg-pkcs11-scd[26930]: chan_0 <- OPTION event-signal=12
gnupg-pkcs11-scd[26930]: chan_0 -> OK
gnupg-pkcs11-scd[26930]: chan_0 <- SERIALNO --all
gnupg-pkcs11-scd[26930]: chan_0 -> S SERIALNO XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 0
gnupg-pkcs11-scd[26930]: chan_0 -> OK
gnupg-pkcs11-scd[26930]: chan_0 <- KEYINFO XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
gnupg-pkcs11-scd[26930]: chan_0 -> ERR 41 Wrong public key algorithm <Unspecified source>

At this point GnuPG asks me to insert a smart card, even though it's already inserted.

==> /home/pyllyukko/.gnupg/gpg-agent.log <==
2024-01-16 21:48:58 gpg-agent[26925] smartcard decryption failed: Operation cancelled
2024-01-16 21:48:58 gpg-agent[26925] command 'PKDECRYPT' failed: Operation cancelled <Pinentry>

==> /home/pyllyukko/.gnupg/gpgsm.log <==
2024-01-16 21:48:58 gpgsm[26923] error decrypting session key: Operation cancelled
2024-01-16 21:48:58 gpgsm[26923] decrypting session key failed: Operation cancelled
2024-01-16 21:48:58 gpgsm[26923] message decryption failed: Operation cancelled <Pinentry>

==> /home/pyllyukko/.gnupg/gnupg-pkcs11-scd.log <==
gnupg-pkcs11-scd[26930]: chan_0 <- RESTART
gnupg-pkcs11-scd[26930]: chan_0 -> OK
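As an added diagnostic aid (not code from the report or from gnupg-pkcs11-scd itself), the following Python script pairs each Assuan command the agent sends with the responses the daemon returns, splits the numeric ERR value into its libgpg-error source and code (source 0 is what Assuan prints as "Unspecified source"), and lists the command verbs that appear only in the 2.3 transcript. The two log samples are constructed from the extracts above with the serial numbers shortened.

```python
import re
# Constructed samples, modelled on the gnupg-pkcs11-scd log extracts in the report above.
LOG_2_2 = """\
gnupg-pkcs11-scd[26047]: chan_0 <- SERIALNO --demand=YYYY
gnupg-pkcs11-scd[26047]: chan_0 -> S SERIALNO YYYY 0
gnupg-pkcs11-scd[26047]: chan_0 -> OK
gnupg-pkcs11-scd[26047]: chan_0 <- PKDECRYPT ...
gnupg-pkcs11-scd[26047]: chan_0 -> S PADDING 0
gnupg-pkcs11-scd[26047]: chan_0 -> OK
"""
LOG_2_3 = """\
gnupg-pkcs11-scd[26930]: chan_0 <- SERIALNO --all
gnupg-pkcs11-scd[26930]: chan_0 -> S SERIALNO XXXX 0
gnupg-pkcs11-scd[26930]: chan_0 -> OK
gnupg-pkcs11-scd[26930]: chan_0 <- KEYINFO XXXX
gnupg-pkcs11-scd[26930]: chan_0 -> ERR 41 Wrong public key algorithm <Unspecified source>
"""
LINE_RE = re.compile(r"chan_\d+ (<-|->) (.*)$")

def decode_gpg_error(value):
    # libgpg-error layout: code in the low 16 bits, source in bits 24..30;
    # source 0 is what the Assuan ERR line renders as <Unspecified source>.
    return (value >> 24) & 0x7F, value & 0xFFFF

def pair_commands(log):
    """Group each '<-' command with the '->' lines returned for it."""
    exchanges = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m.group(1) == "<-":
            exchanges.append((m.group(2), []))
        elif exchanges:
            exchanges[-1][1].append(m.group(2))
    return exchanges

def failed_commands(log):
    """Map each command verb that ended in ERR to (source, code, message)."""
    failures = {}
    for cmd, responses in pair_commands(log):
        for r in responses:
            if r.startswith("ERR "):
                num, _, msg = r[4:].partition(" ")
                failures[cmd.split()[0]] = decode_gpg_error(int(num)) + (msg,)
    return failures

def commands_only_in(log_a, log_b):
    """Command verbs the agent sends in log_a but never in log_b."""
    verbs = lambda log: {cmd.split()[0] for cmd, _ in pair_commands(log)}
    return sorted(verbs(log_a) - verbs(log_b))
```

Run against the two transcripts it reports KEYINFO as the only failing verb and the only verb new to the 2.3 session, which is the same conclusion the comparison above reaches by eye.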

alonbl commented 6 months ago

I would really appreciate it if we could first confirm gpg is working before we go to gpgsm. But maybe this is a hint:

non-critical certificate policy not allowed

pyllyukko commented 6 months ago

But maybe this is a hint: non-critical certificate policy not allowed

There is a commit in GnuPG which implies it's nothing critical:

commit 4f1b9e3abb337470e5e4809b3a7f2df33f5a63a4
Author: Werner Koch <wk@gnupg.org>
Date:   Mon Dec 5 14:31:45 2022 +0100

    gpgsm: Silence the "non-critical certificate policy not allowed".

    * sm/certchain.c (check_cert_policy): Print non-critical policy
    warning only in verbose mode.

alonbl commented 3 months ago

Please send me your certificate.