[Gnuk-users] State of EdDSA in Gnuk / GnuPG

Bertrand Jacquin bertrand at jacquin.bzh
Wed Jan 21 23:03:45 UTC 2015 

On 21/01/2015 01:12, NIIBE Yutaka wrote:

>> I can see that it fail on function gnuk_token.__init__ on line 75:
>> 
>>         self.__devhandle.claimInterface(interface)
>> 
>> This happens when gpg-agent is running. After that can changing the
>> admin PIN for g.cmd_verify, it's better.
> 
> Only a single process can claim the interface of Gnuk Token.  If
> scdaemon is running, you need to stop it before running any scripts.
> I should have addressed that in the previous mail.

Right, my message was not clear enough. It could be helpful to get a 
message asking us to check if nothing is currently claiming the 
smartcard and that we may run gpg-connect-agent "SCD KILLSCD" "SCD BYE" 
/bye or equivalent, rather can getting the python stacktrace. That is 
really minor.

>>   $ gpg --card-status | grep -F attributes
>> 
>>   Key attributes ...: 2048R 4096R 255?
> 
> It seems that it works.  It seems that you have registered RSA-4096
> subkey for decryption.

Right

> I haven't decided a character for EdDSA (and Curve25519), or shall we
> change the format here (a single character is not so expressive)?
> Thus, it's '?' here.

Why not stick on GnuPG naming convention ? Is there a naming limitation 
from the smartcard itself ?

>> Then after when trying to transfer a key to the smartcard:
>> 
>>   $ gpg --edit-key ..
>>   ..
>>   sub* ed25519/0x7E28893D85B7D8D1
>>        created: 2015-01-20  expires: 2017-01-19  usage: A
>>   [ultimate] (1). esdf fwesdf <fwesdf at gesdg>
>> 
>>   gpg> keytocard
>>   Please select where to store the key:
>>      (3) Authentication key
>>   Your selection? 3
>> 
>>   gpg: WARNING: such a key has already been stored on the card!
>> 
>>   Replace existing key? (y/N) y
>>   gpg: KEYTOCARD failed: End of file
>> 
>> Is this something you already experienced ?
> 
> 'KEYTOCARD failed: End of file' is unexpected.

Right, the key on smartcard is well present and usable. That end of life 
looks strange in any case.

> Let me try to reproduce your failure.  I will be back.
> 
> P.S.  Please check your e-mail configuration (MUA).  In your reply
> message, you specified the address:
> 
>    <gnuk-users-bounces+bertrand=jacquin.bzh at lists.alioth.debian.org>
> 
> but this is a artificial (virtual) address for mailing list manager to
> detect transmission error, and it's not for use by human being.

I am using the Reply-All. This list does not define a Reply-To: header 
so in this case MUA use as an alternative the Sender: header that here 
is present. I'll drop bad recipient manually but this is something that 
can be fixed on the list itself.

-- 
Bertrand

More information about the gnuk-users mailing list