Public bug reported:

After upgrading from wily to xenial (and at the same time having to move from gpg to gpg2) I can no longer produce signatures using gnupg-pkcs11-scd.

Debugging this I found that the algorithm prefix is now included twice in the signed data, making the signature self-test fail. Here we have the data to sign, including the algorithm prefix (3031300D0609608648016503004020):

2016-05-03 16:33:56 gpg-agent[18007] DBG: chan_6 -> SETDATA 3031300D0609608648016503040201050004207B1F9A47922DEDFA9E7A430B4191A1ED2474BE21A48B8BCA9FE278DD586882C2
2016-05-03 16:33:56 gpg-agent[18007] DBG: chan_6 <- OK

Calling PKSIGN with the hash argument will cause gnupg-pkcs11-scd to add another copy of the algorithm prefix:

2016-05-03 16:33:56 gpg-agent[18007] DBG: chan_6 -> PKSIGN --hash=sha256 SafeNet\x20Inc\x2E/eToken/0020f8ec/mb/01

The signed data, showing the duplicated algorithm prefix under rsa_verify cmp, is attached. Not sure what a backward-compatible fix would look like (probably would have to check whether this prefix is already present), but forcing inject = INJECT_NONE in cmd_pksign seems to fix the issue for me.

Moritz

** Affects: gnupg-pkcs11-scd (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "gnupg-pkcs11-scd-sign.log"
   https://bugs.launchpad.net/bugs/1577818/+attachment/4654591/+files/gnupg-pkcs11-scd-sign.log

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1577818

Title:
  Invalid signatures produced using gnupg-pkcs11-scd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnupg-pkcs11-scd/+bug/1577818/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
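As an added illustration (not code from the report or from gnupg-pkcs11-scd), the check the reporter suggests: prepend the PKCS#1 v1.5 DigestInfo prefix only when the data is a bare hash, pass an already-complete DigestInfo through unchanged, and detect the doubled prefix that makes the verifier's self-test fail. The SETDATA value is the one from the log above; the DER prefixes are the standard RFC 8017 constants; the function names are hypothetical.

```python
import hashlib

# DER DigestInfo prefixes for RSA PKCS#1 v1.5 (RFC 8017): SEQUENCE { AlgorithmIdentifier
# with NULL parameters, OCTET STRING header }; the raw hash value follows the prefix.
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}

# SETDATA value taken from the gpg-agent log in the report: SHA-256 prefix + 32-byte hash.
SETDATA_FROM_LOG = bytes.fromhex(
    "3031300D060960864801650304020105000420"
    "7B1F9A47922DEDFA9E7A430B4191A1ED2474BE21A48B8BCA9FE278DD586882C2"
)


def buggy_inject(hash_name: str, data: bytes) -> bytes:
    """Unconditional prefix injection (the behaviour the report describes):
    when the caller already supplied DigestInfo, the prefix ends up twice."""
    return DIGEST_INFO_PREFIX[hash_name] + data


def build_digest_info(hash_name: str, data: bytes) -> bytes:
    """Backward-compatible variant (hypothetical): inject the prefix only for a bare hash.

    A complete DigestInfo of the right length and prefix is returned unchanged;
    anything else of unexpected length is rejected rather than signed blindly."""
    prefix = DIGEST_INFO_PREFIX[hash_name]
    dlen = hashlib.new(hash_name).digest_size
    if len(data) == len(prefix) + dlen and data.startswith(prefix):
        return data                      # caller already sent DigestInfo
    if len(data) == dlen:
        return prefix + data             # bare hash: add the prefix once
    raise ValueError(f"{hash_name}: expected {dlen} or {len(prefix) + dlen} bytes, got {len(data)}")


def has_duplicate_prefix(hash_name: str, data: bytes) -> bool:
    """True when the DigestInfo prefix appears twice at the start, i.e. the
    malformed encoding rsa_verify would reject."""
    p = DIGEST_INFO_PREFIX[hash_name]
    return data.startswith(p + p)


if __name__ == "__main__":
    print("buggy path doubles prefix:", has_duplicate_prefix("sha256", buggy_inject("sha256", SETDATA_FROM_LOG)))
    print("fixed path leaves DigestInfo intact:", build_digest_info("sha256", SETDATA_FROM_LOG) == SETDATA_FROM_LOG)
    print("fixed path wraps a bare hash:", build_digest_info("sha256", SETDATA_FROM_LOG[19:]) == SETDATA_FROM_LOG)
```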