> You may also try the patch below.
> [...]
> * src/agent.c (scute_agent_get_cert): Reject card certificate if
> it does not start with an ASN.1 sequence tag.
The patch works for me using Yubikey 4.
Thanks,
Fabian
> I'll try to find a way to erase the certificate from the Yubikey.
You may also try the patch below. It should allow Scute to ignore the
data read from the token if it does not look like a proper DER-encoded
certificate. It's not a fool-proof check, but it should already catch
a lot of cases
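
The kind of check discussed in the message above, as an added example (not Scute's code and not the patch from this thread): besides the leading ASN.1 SEQUENCE tag, it also verifies that the DER length field is well-formed and fits the number of bytes read from the token. The function name and the sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not from Scute): returns the total encoded size of
   the outer DER SEQUENCE at the start of buf, or 0 if buf cannot be one. */
size_t der_outer_sequence_size(const unsigned char *buf, size_t len)
{
    size_t content = 0, hdr = 2, n, i;

    if (len < 2 || buf[0] != 0x30)        /* must start with SEQUENCE tag */
        return 0;
    if (buf[1] < 0x80) {                  /* short form: one length byte */
        content = buf[1];
    } else {
        n = buf[1] & 0x7f;                /* long form: n length bytes follow */
        if (n == 0 || n > 4 || len < 2 + n)  /* 0x80 is indefinite, not DER */
            return 0;
        if (buf[2] == 0)                  /* DER requires minimal length bytes */
            return 0;
        for (i = 0; i < n; i++)
            content = (content << 8) | buf[2 + i];
        if (content < 0x80)               /* short form was required here */
            return 0;
        hdr = 2 + n;
    }
    if (content > len - hdr)              /* claims more data than was read */
        return 0;
    return hdr + content;
}

/* Constructed sample buffers, not data read from a real token. */
static const unsigned char sample_ok[260] = { 0x30, 0x82, 0x01, 0x00 };
static const unsigned char sample_short[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
static const unsigned char sample_bad_tag[] = { 0xff, 0xff, 0xff, 0xff };
static const unsigned char sample_indef[] = { 0x30, 0x80, 0x00, 0x00 };

int main(void)
{
    printf("ok:        %zu\n", der_outer_sequence_size(sample_ok, sizeof sample_ok));
    printf("truncated: %zu\n", der_outer_sequence_size(sample_ok, 100));
    printf("short:     %zu\n", der_outer_sequence_size(sample_short, sizeof sample_short));
    printf("bad tag:   %zu\n", der_outer_sequence_size(sample_bad_tag, sizeof sample_bad_tag));
    printf("indefinite:%zu\n", der_outer_sequence_size(sample_indef, sizeof sample_indef));
    return 0;
}
```

A buffer that passes this check is only structurally plausible; it still has to be parsed as X.509 before it is trusted.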
> Can you check that after starting Firefox, you still have
> only one GPG-Agent and one Scdaemon running?
Before launching Firefox:
$ ps aux | grep -P '(scdaemon|gpg-agent)'
> fabianp+ 3242 [...] gpg-agent --homedir /home/fabianpeter/.gnupg
> --use-standard-socket --daemon
> fabianp+ 3518
> The maximal size for the certificate to be stored on the token is indicated
> by the "mcl3" value (so, 2048 bytes in this example). Your DER-encoded
> certificate should not be bigger than that.
$ gpg-connect-agent 'SCD GETATTR EXTCAP' /bye | grep -Po 'mcl3=\d+'
mcl3=1216
My certificate is
On 06/05/2017 07:54 PM, Fabian Peter Hammerle wrote:
Ah, I didn't know I had to write the certificate onto the Yubikey.
You do not *have* to; Scute can fetch the certificate either from the
token itself or from the gpgsm store. But it will first try to fetch it
from the token.
Storing the
> Did you import your new certificate onto the Yubikey? Because independently
> of what your gpgsm store may contain, Scute will always try to fetch the
> certificate from the token itself.
Ah, I didn't know I had to write the certificate onto the Yubikey.
I only imported it into gpgsm following
On 06/05/2017 07:04 PM, Fabian Peter Hammerle wrote:
scute: scute_agent_get_cert: got certificate from card with length 259
OK, this is weird. 259 bytes seems too short for an X.509 certificate,
especially one based on a 4096-bit public key (for comparison, my own
2048-bit certificate is 1587
> Could you perform your tests again with Scute debugging turned on?
Scute log when launching Firefox with Yubikey unplugged:
> scute debug init: flags=0xff
> scute: scute_agent_initialize: Establishing connection to gpg-agent
After plugging in the Yubikey:
> scute: scute_agent_get_cert: got
On 06/05/2017 10:20 AM, Fabian Peter Hammerle wrote:
Does anyone know what might cause the 'sharing violation' error?
I am not sure. Can you check that after starting Firefox, you still have
only one GPG-Agent and one Scdaemon running?
If you run the following command:
$
I just cloned Scute from git://git.gnupg.org/scute.git
(commit 10a19467bc2a95b4aa91176924a91be427d3157a)
The error messages changed (compared to my initial mail):
$ GPG_AGENT_INFO=$(gpgconf --list-dir agent-socket):0:1 firefox
> scdaemon[2999]: detected reader 'Yubico Yubikey 4 OTP+U2F+CCID 00
(gpgconf --list-dir agent-socket)
> srwx-- 1 fabianpeter fabianpeter 0 Jun 4 14:09
> /run/user/1000/gnupg/S.gpg-agent
$ GPG_AGENT_INFO=$(gpgconf --list-dir agent-socket):0:1 firefox
> scute: agent_connect: cannot connect to GPG agent: IPC connect call failed
> scute: scute_gpg_err_
Hi,
On 06/03/2017 12:48 AM, Fabian Peter Hammerle wrote:
As far as I understand gpg-agent is running.
Can you please check whether it is really the case? E.g., check that the
socket indicated by "gpgconf --list-dir agent-socket" does exist?
After reading
whenever I launch
Firefox:
> scute: agent_connect: cannot connect to GPG agent: IPC connect call failed
> scute: scute_gpg_err_to_ck: Error occurred: No agent running (Unspecified
> source)
As far as I understand gpg-agent is running.
After reading http://scute.org/scute.html/Troubleshooti