Public bug reported:
After upgrading from wily to xenial (and at the same time having to move
from gpg to gpg2) I can no longer produce signatures using gnupg-
pkcs11-scd.
Debugging this I found that the algorithm prefix is now included twice
in the signed data, making the signature self-test fail.
Here we have the data to sign, including the algorithm prefix
(3031300D0609608648016503004020):
2016-05-03 16:33:56 gpg-agent[18007] DBG: chan_6 -> SETDATA
3031300D0609608648016503040201050004207B1F9A47922DEDFA9E7A430B4191A1ED2474BE21A
48B8BCA9FE278DD586882C2
2016-05-03 16:33:56 gpg-agent[18007] DBG: chan_6 <- OK
Calling PKSIGN with the hash argument will cause gnupg-pkcs11-scd to add
another copy of the algorithm prefix:
2016-05-03 16:33:56 gpg-agent[18007] DBG: chan_6 -> PKSIGN --hash=sha256
SafeNet\x20Inc\x2E/eToken/0020f8ec/mb/01
The signed data, showing the duplicated algorithm prefix under
rsa_verify cmp is attached.
Not sure how a backward-compatible fix would look like (probably would
have to check whether this prefix is already present), but forcing
inject = INJECT_NONE in cmd_pksign seems to fix the issue for me.
Moritz
** Affects: gnupg-pkcs11-scd (Ubuntu)
Importance: Undecided
Status: New
** Attachment added: "gnupg-pkcs11-scd-sign.log"
https://bugs.launchpad.net/bugs/1577818/+attachment/4654591/+files/gnupg-pkcs11-scd-sign.log
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1577818
Title:
Invalid signatures produced using gnupg-pkcs11-scd
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnupg-pkcs11-scd/+bug/1577818/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
