"gpg: signing failed: Invalid length" when use brainpool512r1 keys to sign things

2018-09-01 Thread Yanzhe Lee
Hello,

Recently I came across the error "gpg: signing failed: Invalid length" when 
using brainpool512r1 keys for signing operations, such as --sign-key, --lsign-key, 
or even when generating a brainpool512r1 key.

All keys except Brainpool P-384 and Brainpool P-512 work fine. I tried 
generating a Brainpool P-256 key, and it works fine.
The strange thing is that I used brainpool512r1 before, and no error occurred. The 
error only started showing up recently; maybe it is a configuration error?



  
- Version

gpg (GnuPG) 2.2.4/2.2.9 both tried
libgcrypt 1.8.1
Ubuntu 18.04 LTS/MacOS 10.13.6 both tried

- steps to reproduce this error:

gpg --expert --full-gen-key

gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
Your selection? 11
Possible actions for a ECDSA/EdDSA key: Sign Certify Authenticate
Current allowed actions: Sign Certify

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? a

Possible actions for a ECDSA/EdDSA key: Sign Certify Authenticate
Current allowed actions: Sign Certify Authenticate

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
Please select which elliptic curve you want:
   (1) Curve 25519
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection? 8
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1d
Key expires at Mon 03 Sep 2018 10:39:53 AM CST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: test2
Email address: test2
Comment:
You selected this USER-ID:
    "test2 "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: signing failed: Invalid length
gpg: make_keysig_packet failed: Invalid length
Key generation failed: Invalid length


Best regards,
Yanzhe Lee



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Cannot choose specific signing key with option --default-key

2017-06-14 Thread Yanzhe Lee
GPG Version: gpg (GnuPG) 2.1.21 libgcrypt 1.7.6
Operating System: macOS Sierra 10.12.5

I have these keys with private keys:

pub brainpoolP512r1/3EA647C79FDA9CD1
created: 2017-01-08 expires: 2032-01-05 usage: SCA
trust: ultimate validity: ultimate

ssb brainpoolP512r1/2D8801CE07BCC5B5
created: 2017-01-08 expires: 2032-01-05 usage: S

ssb brainpoolP512r1/C78A6E620F55
created: 2017-01-08 expires: 2032-01-05 usage: E

ssb nistp521/D97F950D0F500332
created: 2017-02-04 expires: 2027-02-02 usage: A

ssb rsa4096/5BE7F1861B56E399
created: 2017-02-09 expires: 2025-02-07 usage: S
card-no: 0006 04175643

ssb rsa4096/9149FF3E60054D0C
created: 2017-02-09 expires: 2025-02-07 usage: E
card-no: 0006 04175643

ssb rsa4096/8C31540043B61A0A
created: 2017-02-09 expires: 2025-02-07 usage: A
card-no: 0006 04175643

[ultimate] (1). TEST (Local) 
[ultimate] (2) TEST (Online) 

The RSA private keys are stored on a YubiKey smart card.
The ECC private keys are stored in the keyring.

When I use this command to specify the ECC key 2D8801CE07BCC5B5 to sign a
file:

gpg2 -v -u 2D8801CE07BCC5B5 -a -s test.jpg

It prompts me to insert my smart card. After I insert it and enter my PIN,
it outputs:

gpg: using subkey 5BE7F1861B56E399 instead of primary key 3EA647C79FDA9CD1
gpg: writing to 'test.jpg.asc'
gpg: RSA/SHA512 signature from: "5BE7F1861B56E399 TEST "

So when I verify the signature file, it was signed by my RSA key, which was
not what I specified.
It should not have prompted me to insert my smart card, because the
private key of my ECC key is not on the card.
The key 2D8801CE07BCC5B5 is not my primary key, so gpg shouldn't replace
the signing key with a subkey.

I tried other options as follows, and the result was the same:
gpg2 -v --default-key 2D8801CE07BCC5B5 -a -s test.jpg
gpg2 -v --local-user 2D8801CE07BCC5B5 -a -s test.jpg

However, if I delete the RSA subkey, it signs my file with the correct ECC
key.

Maybe there is a priority when signing files with RSA and ECC keys? How can I
override it?


-- 

Best regards!

LI YANZHE
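
Added example, not part of the original post and not GnuPG's code: a simplified model of how gpg resolves the key given to -u / --local-user / --default-key. It assumes the behaviour described in the gpg manual (a trailing "!" forces the exact key or subkey; otherwise gpg calculates the subkey itself), modelled here as picking the newest signing-capable subkey. The colon listing, its timestamps and the function names are constructed for illustration.

```python
# Constructed sample in `gpg --with-colons --list-keys` style: a subset of the
# subkeys from the post; creation times are the post's dates at 00:00 UTC.
LISTING = """\
pub:u:512:19:3EA647C79FDA9CD1:1483833600:::u:::scaSCA:
sub:u:512:19:2D8801CE07BCC5B5:1483833600::::::s:
sub:u:521:19:D97F950D0F500332:1486166400::::::a:
sub:u:4096:1:5BE7F1861B56E399:1486598400::::::s:
sub:u:4096:1:9149FF3E60054D0C:1486598400::::::e:
"""


def parse_keys(listing):
    """Return pub/sub records from colon-delimited gpg output."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            # Field 5 = key ID, field 6 = creation time, field 12 = capabilities.
            keys.append({"type": f[0], "keyid": f[4],
                         "created": int(f[5]), "caps": f[11]})
    return keys


def pick_signing_key(keys, spec):
    """Model which key signs for `-u SPEC` (simplified assumption, see lead-in)."""
    exact = spec.endswith("!")
    wanted = spec.rstrip("!").upper()
    match = next((k for k in keys if k["keyid"].endswith(wanted)), None)
    if match is None:
        raise KeyError(f"no key matches {spec}")
    if exact:
        # "!" pins this exact (sub)key; it must itself be able to sign.
        if "s" not in match["caps"]:
            raise ValueError(f"{match['keyid']} cannot sign")
        return match["keyid"]
    # Without "!", the ID only selects the key as a whole; the newest
    # signing-capable subkey wins, else the primary key is used.
    signers = [k for k in keys if k["type"] == "sub" and "s" in k["caps"]]
    if signers:
        return max(signers, key=lambda k: k["created"])["keyid"]
    return next(k["keyid"] for k in keys if k["type"] == "pub")


KEYS = parse_keys(LISTING)
if __name__ == "__main__":
    for spec in ("2D8801CE07BCC5B5", "2D8801CE07BCC5B5!"):
        print(spec, "->", pick_signing_key(KEYS, spec))
```

On the command line the pinned form is the key ID with "!" appended, quoted so the shell does not interpret the exclamation mark.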