Package: gnupg2
Version: 2.0.26-4
Severity: important

With the latest gnupg2 package targeted for Jessie, the default hashing algorithm has been changed to SHA256. This broke my smartcard setup using a cryptostick/nitrokey (storage version, latest 0.18 firmware) as signing now fails with:

$ gpg --armor -s pippo.txt
gpg: sending command `SCD PKSIGN' to agent failed: ec=6.32817
gpg: signing failed: general error
gpg: signing failed: general error

After that, scdaemon and/or gpg-agent got really confused and I have to replug the dongle to get it working again. I saw that switching back the default hashing algorithm to SHA1 works, so for the time being I have to use the following line in my gpg.conf:

personal-digest-preferences SHA1

I'm not sure if it is a firmware or gnupg2 bug, as such I'm also CC:ing nitrokey makers (Jan and George) here.

My current setup is with 3x4096 keys on the dongle, and I'm experiencing this failure both with scdaemon and pcscd. When signing fails, I see the following in my scdaemon debug log:

scdaemon[7609]: chan_10 -> OK GNU Privacy Guard's Smartcard server ready
scdaemon[7609]: chan_7 <- SETDATA D4C076C2A0E30219D4631EDF85E8844C41EA950A8549D0B3A7BD4D18D550CD8A
scdaemon[7609]: chan_7 -> OK
scdaemon[7609]: chan_10 <- SERIALNO
scdaemon[7609]: chan_10 -> S SERIALNO <MY_SERIALNO> 0
scdaemon[7609]: chan_10 -> OK
scdaemon[7609]: chan_7 <- PKSIGN --hash=sha256 <MY_SERIALNO>/<MY_SIGNING_KEYID>
2015-01-17 12:21:02 scdaemon[7609] DBG: send apdu: c=00 i=CA p1=00 p2=6E lc=-1 le=256 em=0
2015-01-17 12:21:02 scdaemon[7609] DBG: response: sw=9000 datalen=217
2015-01-17 12:21:02 scdaemon[7609] DBG: send apdu: c=00 i=CA p1=00 p2=7A lc=-1 le=256 em=0
2015-01-17 12:21:02 scdaemon[7609] DBG: response: sw=9000 datalen=5
2015-01-17 12:21:02 scdaemon[7609] signatures created so far: 261
2015-01-17 12:21:02 scdaemon[7609] DBG: asking for PIN '||Please enter the PIN%0A[sigs done: 261]'
scdaemon[7609]: chan_7 -> INQUIRE NEEDPIN ||Please enter the PIN%0A[sigs done: 261]
scdaemon[7609]: chan_10 <- GETATTR APPTYPE
scdaemon[7609]: chan_10 -> S APPTYPE OPENPGP
scdaemon[7609]: chan_10 -> OK
scdaemon[7609]: chan_7 <- [ XX XX XX ...(76 byte(s) skipped) ]
scdaemon[7609]: chan_7 <- END
2015-01-17 12:21:07 scdaemon[7609] DBG: send apdu: c=00 i=20 p1=00 p2=81 lc=6 le=-1 em=0
2015-01-17 12:21:07 scdaemon[7609] DBG: raw apdu: 00 20 00 81 06 31 34 30 37 32 32
2015-01-17 12:21:07 scdaemon[7609] DBG: response: sw=9000 datalen=0
2015-01-17 12:21:07 scdaemon[7609] DBG: dump:
2015-01-17 12:21:07 scdaemon[7609] DBG: send apdu: c=00 i=2A p1=9E p2=9A lc=51 le=2048 em=1
2015-01-17 12:21:30 scdaemon[7609] ccid_transceive failed: (0x1000a)
2015-01-17 12:21:30 scdaemon[7609] apdu_send_simple(0) failed: card I/O error
2015-01-17 12:21:30 scdaemon[7609] operation sign result: Input/output error
2015-01-17 12:21:30 scdaemon[7609] app_sign failed: Input/output error
scdaemon[7609]: chan_7 -> ERR 100696113 Input/output error <SCD>

(I removed some raw apdu data dumps, as I'm not sure about leaking data).

Some comments:
* Looking at the timestamps, one can see a few seconds' gap and then scdaemon declaring an I/O error; in the meantime, I see the activity LED on the dongle staying "fixed on red" and turning off only a few seconds after. Some timeout too short?
* I see a response with datalen=0, but I don't know the protocol. Maybe something went wrong there?
* Using SHA1, the operation succeeds and the dongle response apdu is "response: sw=9000 datalen=511"

I'm filing this here as cryptostick/nitrokey users may find it non-working out of the box in Debian Jessie, while for me it was ok until last week. Just to be clear, the above workaround works and I'm not suggesting to revert the default. However, I would like to see this properly fixed.

@Jan, George: can you reproduce this? If not, I'm currently based in Berlin and I'll be glad to meet to help inspecting this.

Cheers, Luca

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnupg2 depends on:
ii  dpkg             1.17.23
ii  gnupg-agent      2.0.26-4
ii  install-info     5.2.0.dfsg.1-6
ii  libassuan0       2.1.2-2
ii  libbz2-1.0       1.0.6-7+b2
ii  libc6            2.19-13
ii  libcurl3-gnutls  7.38.0-4
ii  libgcrypt20      1.6.2-4+b1
ii  libgpg-error0    1.17-3
ii  libksba8         1.3.2-1
ii  libreadline6     6.3-8+b3
ii  zlib1g           1:1.2.8.dfsg-2+b1

Versions of packages gnupg2 recommends:
ii  libldap-2.4-2  2.4.40-3

Versions of packages gnupg2 suggests:
pn  gnupg-doc   <none>
pn  parcimonie  <none>
pn  xloadimage  <none>

-- no debconf information
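
Added example, not part of the original report and not GnuPG or Nitrokey code: a Python script that pairs each "send apdu" line of an scdaemon debug log with its response, names the command from its ISO 7816-4 / OpenPGP card instruction bytes, and reports how long the card took. The function and table names are hypothetical; the sample lines are copied from the log in the report.

```python
import re
from datetime import datetime

# APDU lines copied from the scdaemon debug log in the report above.
SAMPLE_LOG = """\
2015-01-17 12:21:02 scdaemon[7609] DBG: send apdu: c=00 i=CA p1=00 p2=6E lc=-1 le=256 em=0
2015-01-17 12:21:02 scdaemon[7609] DBG: response: sw=9000 datalen=217
2015-01-17 12:21:07 scdaemon[7609] DBG: send apdu: c=00 i=20 p1=00 p2=81 lc=6 le=-1 em=0
2015-01-17 12:21:07 scdaemon[7609] DBG: response: sw=9000 datalen=0
2015-01-17 12:21:07 scdaemon[7609] DBG: send apdu: c=00 i=2A p1=9E p2=9A lc=51 le=2048 em=1
2015-01-17 12:21:30 scdaemon[7609] ccid_transceive failed: (0x1000a)
"""

# OpenPGP card commands keyed by (INS, P1, P2), per ISO 7816-4 / the card spec.
COMMANDS = {
    ("CA", "00", "6E"): "GET DATA (application related data)",
    ("CA", "00", "7A"): "GET DATA (security support template)",
    ("20", "00", "81"): "VERIFY PW1 (returns a status word only, no data)",
    ("2A", "9E", "9A"): "PSO: COMPUTE DIGITAL SIGNATURE",
}
# PKCS#1 v1.5 DigestInfo length = ASN.1 prefix + digest: 15+20 and 19+32.
DIGESTINFO = {35: "SHA-1", 51: "SHA-256"}

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
SEND = re.compile(TS + r".*send apdu: c=\w+ i=(\w+) p1=(\w+) p2=(\w+) lc=(-?\d+)")
DONE = re.compile(TS + r".*(?:response: sw=(\w+) datalen=(\d+)|ccid_transceive failed)")

def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")

def trace(log):
    """Pair each sent APDU with its response or CCID transport failure."""
    out, pending = [], None
    for line in log.splitlines():
        if m := SEND.match(line):
            pending = m.groups()
        elif pending and (m := DONE.match(line)):
            t0, ins, p1, p2, lc = pending
            out.append({
                "command": COMMANDS.get((ins, p1, p2), "INS " + ins),
                "hash": DIGESTINFO.get(int(lc)) if ins == "2A" else None,
                "sw": m.group(2),          # None: the card never answered
                "datalen": m.group(3) and int(m.group(3)),
                "seconds": (_t(m.group(1)) - _t(t0)).total_seconds(),
            })
            pending = None
    return out

if __name__ == "__main__":
    for step in trace(SAMPLE_LOG):
        print(step)
```

On the sample, the last entry is the signature command carrying a 51-byte SHA-256 DigestInfo, with no status word and 23 seconds between the send and the ccid_transceive failure.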