scute / firefox: cannot connect to GPG agent

Fabian Peter Hammerle fabian.hammerle at gmail.com
Mon Jun 5 22:37:26 CEST 2017


> The maximal size for the certificate to be stored on the token is indicated
> by the "mcl3" value (so, 2048 bytes in this example). Your DER-encoded
> certificate should not be bigger than that.

$ gpg-connect-agent 'SCD GETATTR EXTCAP' /bye | grep -Po 'mcl3=\d+'  
mcl3=1216

My certificate is slightly larger:

$ gpgsm --export '&22BD35[...]6F89B' | wc --bytes
1432

> As far as I know there is no command in the gpg card editor to erase the
> certificate, but I *think* using the writecert command with /dev/null as
> input should do the trick (I have not tested).

Unfortunately I was not successful using /dev/null:

gpg/card> writecert 3 < /dev/null
gpg: error writing certificate to card: Invalid argument

> Scute can fetch the certificate both from the 
> token itself, or from the gpgsm store. But it will try first to fetch it 
> from the token.

To test my configuration I temporarily disabled the call to
scute_agent_get_cert():

diff --git a/src/gpgsm.c b/src/gpgsm.c
index 2a2906f..5c2674a 100644
--- a/src/gpgsm.c
+++ b/src/gpgsm.c
@@ -124,7 +124,7 @@ scute_gpgsm_get_cert (char *grip, int no, cert_get_cb_t cert_get_cb, void *hook)
 
   /* If the key is from the card, we might get the certificate from
      the card as well.  */
-  if (no >= 0)
+  if (false && no >= 0)
     {
       struct cert cert;
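
Review bot: On the changed condition `if (false && no >= 0)`, the whole branch below becomes dead code, while the comment above it still says the certificate might come from the card. If this is meant to outlive a local test, gate the card lookup on a runtime option, or fall back to the gpgsm store only when the card lookup fails, rather than disabling it unconditionally. Also check that `false` is defined in this file: in C it needs <stdbool.h>, and no include is visible in this hunk.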

The Certificate Manager now shows an entry under 'Your Certificates'.

I was able to log in via Client Auth using my Yubikey.
Amazing :-)

Thank you very much for your continuous help!

I'll try to find a way to erase the certificate from the Yubikey.

Fabian