[pkg-gnupg-maint] Bug#889751: Bug#889751: scdaemon: BAD PIN since 2.2.4-2 upgrade

Yves-Alexis Perez corsac at debian.org
Fri Feb 9 09:10:19 UTC 2018


On Thu, 2018-02-08 at 19:47 -0500, Daniel Kahn Gillmor wrote:
> Control: severity 889751 serious
> 
> Hi Corsac--
> 
> On Wed 2018-02-07 11:28:42 +0100, Yves-Alexis Perez wrote:
> > On Tue, 2018-02-06 at 20:42 +0100, Yves-Alexis Perez wrote:
> > 
> > > since the recent 2.2.4-2 upgrade, when trying to use my smartcard (auth
> > > key for SSH for example), I get:
> > > 
> > > févr. 06 20:37:35 scapa gpg-agent[1793]: scdaemon[26257]: verify CHV2 failed: Bad PIN
> > > févr. 06 20:37:35 scapa gpg-agent[1793]: scdaemon[26257]: app_auth failed: Bad PIN
> > > févr. 06 20:37:35 scapa gpg-agent[1793]: smartcard signing failed: Bad PIN
> > > 
> > > even though I'm sure it's the right PIN.
> 
> ugh, i'm sorry to hear this.
> 
> > > At that point I'm a little reluctant in doing another try because it's
> > > the last one before I need to get my admin PIN.
> > 
> > Downgrading scdaemon, gpg-agent and gpgconf to 2.2.4-1 fixes the problem.
> > If you need more information, please ask.
> 
> I think the main likely culprit is 
> debian/patches/scd-Support-KDF-Data-Object-of-OpenPGPcard-V3.3.patch,
> which was cherry-picked from upstream.
> 
> Can you give more detail about what specific smartcard you have?

It's the setup described on https://www.corsac.net/?rub=blog&post=1588 so a
JavaCard running the SmartPGP applet from https://github.com/ANSSI-FR/smartPGP

I'm adding Arnaud to the loop because he's the main developer, and I can
actually see that the last commit
(https://github.com/ANSSI-FR/SmartPGP/commit/78d769b671e429b6e3e7b2454b869a66f269741f)
seems very relevant.

So maybe the bug actually lies here rather than in scdaemon.
> 
> can you try rebuilding with that patch removed and testing that?  If
> you'd prefer i upload something to experimental for you to try without
> having to rebuild, let me know and i'll do that.

Yes, I can try a rebuild and report back, but I'll first investigate SmartPGP.

Regards,
-- 
Yves-Alexis