How to use gpgsm?


mouse008

16 Jul, 2017 04:10 AM

My goal is to use gpgsm to manually construct and parse/process S/MIME objects/files. Also, I want to use the keys (and the certs) on my smartcard. One complicating fact may be that the card is both PIV and OpenPGP-capable - it's a Yubikey.

I can do that with OpenSSL (and it works), but the process is rather cumbersome. With gpgsm it seems much easier: just type something like gpgsm -ear [email blocked] < plaintext.txt > output.pem.

In fact, however, I cannot even --learn-card, because it looks like gpgsm expects a PIV-like token, and does not do anything useful with an OpenPGP token.

$ gpgsm --debug-level basic --learn-card
gpgsm: enabled debug flags: ipc
gpgsm: DBG: chan_3 <- OK Pleased to meet you
gpgsm: DBG: connection to agent established
gpgsm: DBG: chan_3 -> RESET
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> OPTION ttyname=/dev/ttys003
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> OPTION ttytype=xterm-256color
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> OPTION display=/private/tmp/com.apple.launchd.GKERl8HsOA/org.macosforge.xquartz:0
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> OPTION lc-ctype=en_US.UTF-8
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> OPTION lc-messages=en_US.UTF-8
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> GETINFO version
gpgsm: DBG: chan_3 <- D 2.1.21
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> OPTION allow-pinentry-notify
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> SCD GETINFO version
gpgsm: DBG: chan_3 <- D 2.1.21
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> LEARN --send
gpgsm: DBG: chan_3 <- S PROGRESS learncard k 0 0
gpgsm: DBG: chan_3 <- S PROGRESS learncard k 0 0
gpgsm: DBG: chan_3 <- S PROGRESS learncard k 0 0
gpgsm: DBG: chan_3 <- S KEY-TIME 3 1452558194
gpgsm: DBG: chan_3 <- S KEY-TIME 2 1280446657
gpgsm: DBG: chan_3 <- S KEY-TIME 1 1451869133
gpgsm: DBG: chan_3 <- S KEY-FPR 3 FE2AC36ECFF7490348DD6F4E43EEB185FD3F6BEE
gpgsm: DBG: chan_3 <- S KEY-FPR 2 20805D50EC69217C2E7AB789D3C79381E5A4FF45
gpgsm: DBG: chan_3 <- S KEY-FPR 1 7ACC2166010FCD10AAB754656C34A49741E90902
gpgsm: DBG: chan_3 <- S LOGIN-DATA . . . . .
gpgsm: DBG: chan_3 <- S DISP-SEX 1
gpgsm: DBG: chan_3 <- S DISP-LANG en
gpgsm: DBG: chan_3 <- S DISP-NAME . . . . . .
gpgsm: DBG: chan_3 <- S EXTCAP gc=1+ki=1+fc=1+pd=0+mcl3=1216+aac=0+sm=2+si=0+dec=0+bt=0
gpgsm: DBG: chan_3 <- S APPTYPE OPENPGP
gpgsm: DBG: chan_3 <- S SERIALNO <valid Yubico OpenPGP applet ID>
gpgsm: DBG: chan_3 <- S READER Yubico Yubikey NEO OTP+U2F+CCID
gpgsm: DBG: chan_3 <- S KEYPAIRINFO 552188B2CDE62E39CCAC7F9EB9291EF02B833965 OPENPGP.3
gpgsm: DBG: chan_3 <- S KEYPAIRINFO 809CF6FC11A51D0EB4949FA841796F417CD71C72 OPENPGP.2
gpgsm: DBG: chan_3 <- S KEYPAIRINFO BE8588700B7454C50D4C0E5AC080837AED0112AB OPENPGP.1
gpgsm: DBG: chan_3 <- OK
secmem usage: 0/16384 bytes in 0 blocks
$ 
$ gpgsm --debug-level advanced -ear [email blocked] < tst-doc.txt 
gpgsm: enabled debug flags: x509 ipc
gpgsm: can't encrypt to '[email blocked]': No public key
secmem usage: 0/16384 bytes in 0 blocks
$

It may well be that I'm doing something wrong. Could you please let me know how one is supposed to use gpgsm (maybe it's only for invocations by GPGMail?), and whether you can make it possible to use gpgsm with a dual-applet smartcard like Yubikey (when both PIV and OpenPGP applets are provisioned with the appropriate keys)?

Thanks!
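The --learn-card output above is the key diagnostic: scdaemon answered the LEARN with APPTYPE OPENPGP and three OPENPGP.n key references but no certificate at all, so gpgsm, which works on X.509 certificates, has nothing to import. As an added example (not from the original thread, nor code from the GPGMail or GnuPG projects), the following Python parses those Assuan status lines from the ipc debug log and reports what the card exposed; the sample log is constructed from the lines above, and the CERTINFO keyword is the status scdaemon uses for card-resident certificates.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, taken from the status lines of the --learn-card output above.
SAMPLE_LOG = """\
gpgsm: DBG: chan_3 -> LEARN --send
gpgsm: DBG: chan_3 <- S KEY-FPR 1 7ACC2166010FCD10AAB754656C34A49741E90902
gpgsm: DBG: chan_3 <- S APPTYPE OPENPGP
gpgsm: DBG: chan_3 <- S SERIALNO <valid Yubico OpenPGP applet ID>
gpgsm: DBG: chan_3 <- S READER Yubico Yubikey NEO OTP+U2F+CCID
gpgsm: DBG: chan_3 <- S KEYPAIRINFO 552188B2CDE62E39CCAC7F9EB9291EF02B833965 OPENPGP.3
gpgsm: DBG: chan_3 <- S KEYPAIRINFO 809CF6FC11A51D0EB4949FA841796F417CD71C72 OPENPGP.2
gpgsm: DBG: chan_3 <- S KEYPAIRINFO BE8588700B7454C50D4C0E5AC080837AED0112AB OPENPGP.1
gpgsm: DBG: chan_3 <- OK
"""

# One Assuan status line as gpgsm's ipc debug prints it: "chan_N <- S KEYWORD args".
STATUS_RE = re.compile(r"chan_\d+ <- S (?P<keyword>\S+)(?: (?P<args>.*))?$")


def parse_status_lines(log: str) -> List[Tuple[str, str]]:
    """Return (keyword, args) pairs for every 'S' status line in the debug log."""
    out = []
    for line in log.splitlines():
        m = STATUS_RE.search(line)
        if m:
            out.append((m.group("keyword"), m.group("args") or ""))
    return out


def diagnose_learn_card(log: str) -> Dict[str, object]:
    """Summarise what scdaemon reported and whether gpgsm has anything to import."""
    apptype, reader = None, None
    keyrefs, certs = [], []
    for keyword, args in parse_status_lines(log):
        parts = args.split()
        if keyword == "APPTYPE":
            apptype = args
        elif keyword == "READER":
            reader = args
        elif keyword == "KEYPAIRINFO" and len(parts) >= 2:   # "<keygrip> <keyref> ..."
            keyrefs.append(parts[1])
        elif keyword == "CERTINFO" and len(parts) >= 2:      # "<type> <id>": an X.509 cert on the card
            certs.append(parts[1])
    return {
        "apptype": apptype,
        "reader": reader,
        "keyrefs": keyrefs,
        "certs": certs,
        # gpgsm needs a certificate for the key; OpenPGP.n keyrefs with no CERTINFO
        # line give it nothing to learn, which is why encrypting later says "No public key".
        "usable_by_gpgsm": bool(certs),
    }


if __name__ == "__main__":
    for key, value in diagnose_learn_card(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it against the log above reports apptype OPENPGP, the three OPENPGP.n keyrefs, no certificates and usable_by_gpgsm False, which matches the failure seen in the second command.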

  1. Posted by Luke Le (Support Staff) on 16 Aug, 2017 01:53 PM

    Hi mouse008,

    since gpgsm expects an S/MIME certificate instead of an OpenPGP secret key, I do believe that this is not easily possible with a Yubikey.

    Unfortunately our knowledge in this case is very minimal, so it would be best if you direct this question to the gnupg mailing list.

    Sorry, we couldn't be more helpful.

  2. Posted by mouse008 on 17 Aug, 2017 05:15 PM

    The problem is - Yubikey is both a PIV and an OpenPGP card. What's happening above, I think, is that gpgsm somehow forces the card into OpenPGP mode, so the PIV (aka S/MIME) certificates and keys are not available (as they're in a different applet).

    I'll investigate more.

    You're probably correct wrt. trying with gnupg developers. Frankly, so far I did not have any luck with them.

  3. Steve closed this discussion on 17 Aug, 2017 07:22 PM.
