[okular] [Bug 483678] Signing with Luxtrust's non-repudiation certificate just hangs
https://bugs.kde.org/show_bug.cgi?id=483678

Sune Vuorela changed:

What|Removed |Added
CC| |k...@pusling.com

--- Comment #9 from Sune Vuorela ---
(In reply to Alain Knaff from comment #6)
> I retried with okular 23.08.1 from Debian testing, and with a poppler that I
> compiled myself (24.03.0), and GPG still didn't show up :-(

Unfortunately you need a newer gpg than what is currently available in Debian (we needed some fixes for handling of padding in signatures).

You could find the gnupg appimage, which should contain an okular and a gnupg that just work together. It can be started by adding `-c okular` to the app image call.

Alternatively, if you can sign using either gpgsm on the command line, or the graphical KDE application `Kleopatra`, with your luxtrust key, then it is likely that the okular-with-gnupg-smime setup would also work.

--
You are receiving this mail because:
You are watching all bug changes.
[okular] [Bug 483678] Signing with Luxtrust's non-repudiation certificate just hangs
https://bugs.kde.org/show_bug.cgi?id=483678

--- Comment #8 from Alain Knaff ---
(In reply to Albert Astals Cid from comment #7)
> "Just called Luxtrust about this, they claimed that there was only one
> certificate on the card."
>
> Well, NSS disagrees if firefox shows 2, not much we can do here really.

Exactly, they _claimed_ ... :-)

In the meantime, I got nss3 patched to get the signature working. It was a deadlock: the non-working certificate was a "non-repudiation" certificate which required 2 pin entries (same PIN, but needed to be re-entered again). While signing, NSS acquires a lock to the card slot, and then calls PK11_DoPassword to prompt for the "second" password. But unfortunately, PK11_DoPassword then tries to re-acquire the same lock a second time => which causes the block.

However, even after fixing this, okular still doesn't work. Now, okular does pop up a password prompt for password re-entry, but this prompt returns control immediately to the code, even while the dialog box is still showing (as far as I can see, it returns an empty password). The password entered by the user is ignored, and the prompt keeps appearing.

Commenting out the second call to PK11_DoPassword in NSS altogether allows signature to proceed. Of course, the card (or its pkcs11 module) notices that the second password was never entered, so now the pkcs11 module pops up its own password prompt via an X connection that it opened up itself. And that finally works.

=> I think this points to a threading issue within okular (or poppler?): SEC_SignData is not really supposed to be called from the thread handling the GUI. Indeed, this not only freezes the GUI while it does its calculation (or forever, in the case of a deadlock), but it also becomes iffy if it needs to call the GUI itself. There is no "clean" way for it to get back to the X client event loop to wait for password entry, and so has no other choice than return an empty password as soon as the box is up. Usually long operations, or operations that could potentially block, are supposed to be run from another thread than the thread handling the GUI.
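The lock re-acquisition described in comment #8, modelled as an added example; this is not NSS, poppler or okular code and does not come from anyone in this thread. All names (slot_lock, prompt_second_pin, sign_holding_lock, sign_releasing_lock) are hypothetical, and a POSIX error-checking mutex is assumed so that the same-thread relock is reported as EDEADLK instead of hanging.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
/* Constructed model, not NSS code: slot_lock stands in for the card slot lock. */
static pthread_mutex_t slot_lock;

static void slot_lock_init(void) {
    pthread_mutexattr_t attr;
    pthread_mutexattr_init(&attr);
    /* ERRORCHECK reports a same-thread relock as EDEADLK instead of hanging. */
    pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
    pthread_mutex_init(&slot_lock, &attr);
    pthread_mutexattr_destroy(&attr);
}

/* Hypothetical second-PIN prompt that takes the slot lock itself. */
static int prompt_second_pin(void) {
    int rc = pthread_mutex_lock(&slot_lock);
    if (rc != 0) return rc;             /* EDEADLK when the caller holds it */
    pthread_mutex_unlock(&slot_lock);
    return 0;
}

/* Pattern described in the comment: prompt while still holding the lock. */
int sign_holding_lock(void) {
    slot_lock_init();
    pthread_mutex_lock(&slot_lock);
    int rc = prompt_second_pin();
    pthread_mutex_unlock(&slot_lock);
    pthread_mutex_destroy(&slot_lock);
    return rc;
}

/* One possible restructuring (an assumption): release around the prompt. */
int sign_releasing_lock(void) {
    slot_lock_init();
    pthread_mutex_lock(&slot_lock);
    pthread_mutex_unlock(&slot_lock);   /* drop the lock before calling back */
    int rc = prompt_second_pin();
    pthread_mutex_lock(&slot_lock);     /* re-take it to finish signing */
    pthread_mutex_unlock(&slot_lock);
    pthread_mutex_destroy(&slot_lock);
    return rc;
}
int main(void) {
    printf("holding: %d, releasing: %d\n", sign_holding_lock(), sign_releasing_lock());
    return 0;
}
```

With a default (non-error-checking) mutex the first path may block forever, which is the hang in the bug title; building a debug configuration with error-checking locks turns that hang into a return code that can be logged.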
[okular] [Bug 483678] Signing with Luxtrust's non-repudiation certificate just hangs
https://bugs.kde.org/show_bug.cgi?id=483678

--- Comment #7 from Albert Astals Cid ---
"Just called Luxtrust about this, they claimed that there was only one certificate on the card."

Well, NSS disagrees if firefox shows 2, not much we can do here really.
[okular] [Bug 483678] Signing with Luxtrust's non-repudiation certificate just hangs
https://bugs.kde.org/show_bug.cgi?id=483678

--- Comment #6 from Alain Knaff ---
(In reply to Albert Astals Cid from comment #5)
> (In reply to Alain Knaff from comment #4)
> > I now wanted to try whether it works better with gpg, but I couldn't find
> > how to switch to gpg.
> >
> > In Settings->ConfigureBackends->PDF, it seems to assume NSS, and there is no
> > switch to use GPG
> >
> > Or is this in an entirely different place in settings? If so, where?
>
> It's there, i see you're probably using a too old version of okular/poppler
> for it to show up.

I retried with okular 23.08.1 from Debian testing, and with a poppler that I compiled myself (24.03.0), and GPG still didn't show up :-(

>
> How many certificates do you get shown in Firefox->Own certificates
> preferences page?

I see 3 certificates: the 2 from the smartcard, and an old expired software CA cert that I happened to have lying around
[okular] [Bug 483678] Signing with Luxtrust's non-repudiation certificate just hangs
https://bugs.kde.org/show_bug.cgi?id=483678

--- Comment #5 from Albert Astals Cid ---
(In reply to Alain Knaff from comment #4)
> I now wanted to try whether it works better with gpg, but I couldn't find
> how to switch to gpg.
>
> In Settings->ConfigureBackends->PDF, it seems to assume NSS, and there is no
> switch to use GPG
>
> Or is this in an entirely different place in settings? If so, where?

It's there, I see you're probably using a too old version of okular/poppler for it to show up.

How many certificates do you get shown in Firefox->Own certificates preferences page?
[okular] [Bug 483678] Signing with Luxtrust's non-repudiation certificate just hangs
https://bugs.kde.org/show_bug.cgi?id=483678

--- Comment #4 from Alain Knaff ---
I now wanted to try whether it works better with gpg, but I couldn't find how to switch to gpg.

In Settings->ConfigureBackends->PDF, it seems to assume NSS, and there is no switch to use GPG

Or is this in an entirely different place in settings? If so, where?
[okular] [Bug 483678] Signing with Luxtrust's non-repudiation certificate just hangs
https://bugs.kde.org/show_bug.cgi?id=483678

--- Comment #3 from Alain Knaff ---
NSS
[okular] [Bug 483678] Signing with Luxtrust's non-repudiation certificate just hangs
https://bugs.kde.org/show_bug.cgi?id=483678

Albert Astals Cid changed:

What|Removed |Added
CC| |aa...@kde.org
Ever confirmed|1 |0
Status|CONFIRMED |REPORTED

--- Comment #2 from Albert Astals Cid ---
Are you using the nss or the gpg backend?

Don't confirm your own bugs.
[okular] [Bug 483678] Signing with Luxtrust's non-repudiation certificate just hangs
https://bugs.kde.org/show_bug.cgi?id=483678

Alain Knaff changed:

What|Removed |Added
Ever confirmed|0 |1
Status|REPORTED |CONFIRMED

--- Comment #1 from Alain Knaff ---
Just called Luxtrust about this, they claimed that there was only one certificate on the card.

=> so the problem seems to be that okular is listing certificates which should not be used.

Remark about going into a hang, rather than popping up a clear message still stands.