[Gnuk-users] gpg: signing failed: Zero prefix in S-expression

Jonathan Schleifer js-gnuk-users at webkeks.org
Mon Feb 16 09:22:00 UTC 2015


On 16.02.2015 at 01:59, NIIBE Yutaka <gniibe at fsij.org> wrote:

> On 02/16/2015 12:28 AM, Jonathan Schleifer wrote:
>> Hm, after re-flashing and putting a different key on it, I get this
>> error quite often now. Interestingly, I can either replug or change
>> the PIN to make it work again.
> 
> Thank you for experiments.  Could you please do the following to debug?
> 
>  (1) generate an experimental key of EdDSA
>      (not for your actual use, but just for this debugging)
> 
>  (2) Store the experimental key into Gnuk Token with an experimental PIN
>     (PIN should be OK with a risk to disclose)
> 
>  (3) Put debug configurations in your .gnupg/gpg-agent.conf and
>     .gnupg/scdaemon.conf.
> 
> ---------- gpg-agent.conf
> enable-ssh-support
> debug-level guru
> debug-all
> log-file /var/tmp/gpg-agent.log
> ----------
> 
> ---------- scdaemon.conf
> debug-level guru
> debug-all
> log-file /var/tmp/scdaemon.log
> ----------
> 
>   (4) Try to reproduce the error of "Zero prefix in S-expression"
> 
>   (5) When you got an error, please send me the logs of gpg-agent and
>       scdaemon.
> 
> Thanks in advance.

Unfortunately, I'll be away from home for a few days starting tomorrow and won't be able to restore my key if I write a different one to the Gnuk. Unfortunately, I only have one Gnuk :(. I can, however, try this once I come back. Or I can give steps to reproduce it :).

* Generate 4096-bit RSA certification key
* Edit the key, add Ed25519 signing key, RSA 4096 encryption key and Ed25519 authentication key
* Switch the Gnuk over to Ed25519 for signing and authentication as described in your mail I linked from my blog
* Move the signing, encryption and authentication key to Gnuk
* Do several signatures in a short timespan

For example, if I sign Git commits and rebase like 5 commits in the past, I can always trigger it.

Interestingly, to solve the problem, I can restart GnuPG and replug it. Or I can gpg2 --card-edit and then type passwd. I do *NOT* have to change the PIN. Just typing passwd and then canceling is enough.

Gnuk version is latest master (actually, 1.1.4 with the patches cherry-picked) and GnuPG is 2.1.2.

--
Jonathan
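
Added example, not part of the original message and not code from the Gnuk or GnuPG projects: a small shell harness for the "several signatures in a short timespan" step that counts how many runs fail with the error from the subject line. The function names and the default `gpg2` invocation (default signing key already moved to the token) are assumptions.

```shell
#!/bin/sh
# Repeat a signing command back to back and classify each failure by its
# stderr text, so the intermittent error can be counted instead of eyeballed.

ERR_PATTERN='Zero prefix in S-expression'

# Default signer (assumption): detached signature of stdin with the default
# key, signature discarded. Add --local-user <keyid> to pick another key.
default_signer() {
    gpg2 --batch --yes --detach-sign --output /dev/null
}

# stress_sign COUNT [SIGNER [ARGS...]]
# Runs SIGNER (default: default_signer) COUNT times in quick succession,
# feeding each run a distinct message on stdin.
# Prints one summary line: "ok=N zero_prefix=N other=N".
# Runs in a subshell so its variables do not leak into the caller.
stress_sign() (
    count=$1
    shift
    [ "$#" -gt 0 ] || set -- default_signer
    ok=0 zero=0 other=0 i=1
    while [ "$i" -le "$count" ]; do
        # Capture stderr only; the signer's stdout is thrown away.
        if err=$(printf 'test message %d\n' "$i" | "$@" 2>&1 >/dev/null); then
            ok=$((ok + 1))
        elif printf '%s\n' "$err" | grep -qF "$ERR_PATTERN"; then
            zero=$((zero + 1))
            echo "run $i: $err" >&2
        else
            other=$((other + 1))
            echo "run $i: $err" >&2
        fi
        i=$((i + 1))
    done
    echo "ok=$ok zero_prefix=$zero other=$other"
)

# Usage with a token plugged in:  stress_sign 20
```

Running it with the debug `log-file` settings quoted above in place lets the failing run numbers be lined up against the gpg-agent and scdaemon logs.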

