github-af / SmartPGP

SmartPGP is a JavaCard implementation of the OpenPGP card specifications
GNU General Public License v2.0

Feature Request: Provide More Information On The Releases For Newbies #37

Open EmperorArthur opened 3 years ago

EmperorArthur commented 3 years ago

Hello,

I apologize for the earlier confusion with the previous issue. This issue is a large one which I doubt is a high priority or will be tackled soon.

As someone new to the Smart Card space, I purchased a "PIVKey C980" as a learning card. Per usual, I did not know what I really needed to buy until hours into figuring out why things are not working. Loading JCAlgTest, it appears this card is running JavaCard 3.0 which, if it is not cutting off the last portion, is lower than the required 3.04.

Unfortunately, the only other OpenPGP card application is the old, unmaintained Yubikey implementation, which required re-writing the "build.xml" file and still crashes when attempting to install.

It is disappointing that brand new cards from seemingly reputable companies do not work with this software. Also that there are no alternatives without modifying code in what to me is an unfamiliar language, on an unfamiliar OS, running on unfamiliar hardware.

Examining in more detail, the two things keeping from going back to 3.0.3 (testing against this repository) are:

What is interesting to me about the length one is that JCAlgTest reports "ALG_ECDSA_SHA_224;yes;0.161000", which seems to imply the variable can be hard-coded to work on at least some cards.

breard-r commented 3 years ago

Hi,

There are already several branches with lower JavaCard support: https://github.com/ANSSI-FR/SmartPGP/branches

Edit: I forgot, those branches are also released: https://github.com/ANSSI-FR/SmartPGP/releases

EmperorArthur commented 3 years ago

Thanks for pointing that out. I see what happened. I was not paying attention, and the "OpenPGP 3.4" standard looks like "3.0.4" when going a bit fast, which made me think the tags were actually some sort of OpenPGP version thing.

One way you may consider making things more newbie-friendly is by commenting the releases similar to how xrdp does. A note in H1 with "For JavaCards Running 3.0.1" would probably help people like me.

I would also implore you to release pre-compiled ".cap" files. If ant supports reproducible builds, then it would be easy for anyone else who can compile it to verify that the release has not been tampered with.

You might also consider adjusting the Readme to mention the other branches/releases.
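
The verification idea in the comment above, sketched as an added example that is not part of the original thread or of the SmartPGP project: a `.cap` file is a ZIP-format archive, so a released file and a local rebuild can be compared entry by entry on content hashes, ignoring archive timestamps. The entry names and bytes are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import io
import zipfile


def cap_digests(cap_bytes):
    """Map each archive entry to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(cap_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}


def compare_caps(released, rebuilt):
    """Return (entry, reason) differences; an empty list means a match."""
    a, b = cap_digests(released), cap_digests(rebuilt)
    diffs = []
    for name in sorted(set(a) | set(b)):
        if name not in b:
            diffs.append((name, "only in release"))
        elif name not in a:
            diffs.append((name, "only in rebuild"))
        elif a[name] != b[name]:
            diffs.append((name, "content differs"))
    return diffs


def make_sample_cap(entries, date_time):
    """Build a constructed sample archive with a chosen entry timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()


# Constructed sample data: placeholder entry names and bytes, not a real applet.
SAMPLE = {"example/applet/javacard/Header.cap": b"\x01\x00\x13",
          "example/applet/javacard/Method.cap": b"\x07\x00\x04\x00\x01"}

if __name__ == "__main__":
    release = make_sample_cap(SAMPLE, (2020, 1, 1, 0, 0, 0))
    rebuild = make_sample_cap(SAMPLE, (2021, 6, 1, 12, 0, 0))
    print("byte-identical files:", release == rebuild)
    print("differences:", compare_caps(release, rebuild))
    tampered = dict(SAMPLE, **{"example/applet/javacard/Method.cap": b"\x07\xff"})
    print("tampered:", compare_caps(make_sample_cap(tampered, (2020, 1, 1, 0, 0, 0)), rebuild))
```

In practice, read both files from disk and pass their bytes to `compare_caps`; any entry in which the build tool records a build time will be reported as differing even for an honest rebuild.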

duxsco commented 3 years ago

@EmperorArthur Hopefully, this helps :) https://github.com/duxco/gpg-smartcard/