Bug#889751: [pkg-gnupg-maint] Bug#889751: scdaemon: BAD PIN since 2.2.4-2 upgrade

2018-02-09 Thread Yves-Alexis Perez
On Fri, 2018-02-09 at 10:10 +0100, Yves-Alexis Perez wrote:
> On Thu, 2018-02-08 at 19:47 -0500, Daniel Kahn Gillmor wrote:
> I'm adding Arnaud to the loop because he's the main developer, and I can
> actually see that the last commit
> (https://github.com/ANSSI-FR/SmartPGP/commit/78d769b671e429b6e3e7b2454b869a66f269741f)
> seems very relevant.
> 
> So maybe the bug actually lies here rather than in scdaemon.
> > 
> > can you try rebuilding with that patch removed and testing that?  If
> > you'd prefer i upload something to experimental for you to try without
> > having to rebuild, let me know and i'll do that.
> 
> Yes, I can try a rebuild and report back, but I'll first investigate
> SmartPGP.
> 
After a quick chat with Arnaud, it seems that even though there might be fixes
to be done at the applet level, the GnuPG patch doesn't seem ready for prime
time and reverting it might be a good idea. See that thread on gnupg-devel:

https://lists.gnupg.org/pipermail/gnupg-devel/2018-February/033424.html

I did a rebuild with the patch disabled and I can confirm it fixes the issue
for me.

Regards,
-- 
Yves-Alexis
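
How the patch named in this thread can be switched off in a Debian source tree before a test rebuild, as an added example that is not part of the original messages or of the Debian packaging. It assumes the patch is listed by file name in `debian/patches/series` and that the source package is `gnupg2`; the helper name `disable_patch` is made up for illustration.

```shell
#!/bin/sh
# Added example: comment out one quilt patch in debian/patches/series so a
# test build can be made without it. The patch name comes from the thread;
# disable_patch is an illustrative helper, not part of any package.

PATCH=scd-Support-KDF-Data-Object-of-OpenPGPcard-V3.3.patch

# disable_patch SERIES_FILE PATCH_NAME
# Returns 0 if exactly one active entry was commented out, 1 if the number
# of active matching entries was not exactly one (file left unchanged),
# 2 on a missing file or empty patch name.
disable_patch() {
    series=$1
    name=$2
    [ -f "$series" ] && [ -n "$name" ] || return 2

    tmp=$(mktemp) || return 2
    # A series line is "patch-name [options]"; match on the first field only
    # so an entry with trailing options such as "-p1" is still found, and an
    # already commented-out line ("# name") is not counted.
    rc=0
    awk -v name="$name" '
        $1 == name { print "# disabled for testing: " $0; hits++; next }
        { print }
        END { exit (hits == 1 ? 0 : 1) }
    ' "$series" > "$tmp" || rc=$?
    if [ "$rc" -eq 0 ]; then
        cat "$tmp" > "$series"   # overwrite in place, keeping permissions
    fi
    rm -f "$tmp"
    return "$rc"
}

# Typical use inside an unpacked source tree (commands shown, not run here;
# the source package name gnupg2 is an assumption of this example):
#   apt-get source gnupg2 && cd gnupg2-*/
#   disable_patch debian/patches/series "$PATCH"
#   dpkg-buildpackage -us -uc -b
```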



Bug#889751: [pkg-gnupg-maint] Bug#889751: scdaemon: BAD PIN since 2.2.4-2 upgrade

2018-02-09 Thread Yves-Alexis Perez
On Thu, 2018-02-08 at 19:47 -0500, Daniel Kahn Gillmor wrote:
> Control: severity 889751 serious
> 
> Hi Corsac--
> 
> On Wed 2018-02-07 11:28:42 +0100, Yves-Alexis Perez wrote:
> > On Tue, 2018-02-06 at 20:42 +0100, Yves-Alexis Perez wrote:
> > 
> > > since the recent 2.2.4-2 upgrade, when trying to use my smartcard (auth
> > > key for SSH for example), I get:
> > > 
> > > févr. 06 20:37:35 scapa gpg-agent[1793]: scdaemon[26257]: verify CHV2 failed: Bad PIN
> > > févr. 06 20:37:35 scapa gpg-agent[1793]: scdaemon[26257]: app_auth failed: Bad PIN
> > > févr. 06 20:37:35 scapa gpg-agent[1793]: smartcard signing failed: Bad PIN
> > > 
> > > even though I'm sure it's the right PIN.
> 
> ugh, i'm sorry to hear this.
> 
> > > At that point I'm a little reluctant in doing another try because it's
> > > the last one before I need to get my admin PIN.
> > 
> > Downgrading scdaemon, gpg-agent and gpgconf to 2.2.4-1 fixes the problem.
> > If you need more information, please ask.
> 
> I think the main likely culprit is 
> debian/patches/scd-Support-KDF-Data-Object-of-OpenPGPcard-V3.3.patch,
> which was cherry-picked from upstream.
> 
> Can you give more detail about what specific smartcard you have?

It's the setup described on https://www.corsac.net/?rub=blog&post=1588 so a
JavaCard running the SmartPGP applet from https://github.com/ANSSI-FR/smartPGP

I'm adding Arnaud to the loop because he's the main developer, and I can
actually see that the last commit
(https://github.com/ANSSI-FR/SmartPGP/commit/78d769b671e429b6e3e7b2454b869a66f269741f)
seems very relevant.

So maybe the bug actually lies here rather than in scdaemon.
> 
> can you try rebuilding with that patch removed and testing that?  If
> you'd prefer i upload something to experimental for you to try without
> having to rebuild, let me know and i'll do that.

Yes, I can try a rebuild and report back, but I'll first investigate SmartPGP.

Regards,
-- 
Yves-Alexis



Bug#889751: [pkg-gnupg-maint] Bug#889751: scdaemon: BAD PIN since 2.2.4-2 upgrade

2018-02-08 Thread Daniel Kahn Gillmor
Control: severity 889751 serious

Hi Corsac--

On Wed 2018-02-07 11:28:42 +0100, Yves-Alexis Perez wrote:
> On Tue, 2018-02-06 at 20:42 +0100, Yves-Alexis Perez wrote:
>
>> since the recent 2.2.4-2 upgrade, when trying to use my smartcard (auth
>> key for SSH for example), I get:
>> 
>> févr. 06 20:37:35 scapa gpg-agent[1793]: scdaemon[26257]: verify CHV2 failed: Bad PIN
>> févr. 06 20:37:35 scapa gpg-agent[1793]: scdaemon[26257]: app_auth failed: Bad PIN
>> févr. 06 20:37:35 scapa gpg-agent[1793]: smartcard signing failed: Bad PIN
>> 
>> even though I'm sure it's the right PIN.

ugh, i'm sorry to hear this.

>> At that point I'm a little reluctant in doing another try because it's
>> the last one before I need to get my admin PIN.
>
> Downgrading scdaemon, gpg-agent and gpgconf to 2.2.4-1 fixes the problem. If
> you need more information, please ask.

I think the main likely culprit is 
debian/patches/scd-Support-KDF-Data-Object-of-OpenPGPcard-V3.3.patch,
which was cherry-picked from upstream.

Can you give more detail about what specific smartcard you have?

can you try rebuilding with that patch removed and testing that?  If
you'd prefer i upload something to experimental for you to try without
having to rebuild, let me know and i'll do that.

> I've raised the severity to important, but actually I don't think scdaemon
> should migrate to testing as-is, so I'd be inclined to raise again to RC
> severity.

This e-mail raises the severity to serious, so it should prevent
migration until we've got this sorted out.

  --dkg

