
openpgp: gpg-agent fails for ed25519 keys with ssh certificates #348

Open
jplejacq-quoininc-com opened this issue Sep 25, 2023 · 3 comments
Labels
wontfix This will not be worked on

Comments

@jplejacq-quoininc-com

It's not clear whether this is a firmware issue or an issue with the OpenSSH protocol itself.

firmware: v1.5.0-test.20230704
gnupg: 2.4.3
openssh: OpenSSH_for_Windows_9.2p1, LibreSSL 3.7.2
os: Windows 11 Pro, fully updated

Here is the scenario:

  • Create an ed25519 authentication subkey and transfer it to the NK3 device using gpg.
  • Create an SSH certificate for this subkey using default ssh-keygen options.
  • Try to connect to the server using the certificate. We get the following error:

sign_and_send_pubkey: signing failed for ED25519 "~/.ssh/ed25519.pub": agent refused operation

NIIBE Yutaka, author of Gnuk and Nitrokey Start, has a good explanation of the root cause of the problem and a possible workaround [1].

It would be awesome if the NK3 firmware could expand the memory to handle the new ssh protocol features.

[1] https://dev.gnupg.org/T6250

@sosthene-nitrokey
Collaborator

sosthene-nitrokey commented Sep 26, 2023

Hi, thank you for the report.

In the GnuPG ticket you mention, the signed data is around 700 bytes, but are you sure that it's the Nitrokey 3 that rejects such large data? After some manual checking, it can sign up to 1024 bytes with Ed25519. (Actually, I also noticed that it crashes for 1025: Nitrokey/opcard-rs#173 😟.)

So if it's only 700 bytes, as in the GnuPG ticket, I don't think the error comes directly from the Nitrokey 3 (and if it did, you would have noticed a crashing key). I think we could bump it to a bit less than 2 KB, but that doesn't seem like the proper way to fix this problem.

@jplejacq-quoininc-com
Author

Thank you for the quick response.

So far I have had no issue signing ed25519 keys with either gpg or openssh.

I agree with you that this solution is not optimal. There is definitely a protocol issue here, as NIIBE mentions. However, it would make the NK3 a bit more robust to a poorly specified protocol.

@sosthene-nitrokey
Collaborator

I will leave this open for documentation. If anyone encounters this issue, the recommended solutions are to either use another protocol that can do pre-hashing (P256 or RSA), or to use the OpenSSH integration with FIDO if you are using a sufficiently recent version of OpenSSH.
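The size problem described in the original report, and the pre-hashing workaround recommended in the comment above, can be made concrete by building the bytes an SSH client hands to the agent for signing. The following is an added example written for this page; it is not code from the issue, from Nitrokey, GnuPG or OpenSSH. It lays out the publickey userauth signed data from RFC 4252 section 7 for a plain ssh-ed25519 key and for an ssh-ed25519-cert-v01@openssh.com certificate (where the whole certificate replaces the public key in the signed data, per OpenSSH PROTOCOL.certkeys), then compares the lengths with the 1024-byte Ed25519 limit reported in the thread and with the 32-byte digest a pre-hashing scheme would send instead. All key material, the session identifier, the user name, key id, principal and the CA signature are constructed placeholders of the right length, not valid cryptographic values; the resulting sizes are therefore illustrative and grow with longer key ids, principal lists and extension sets.

```python
"""Added example: size of SSH publickey userauth signed data, plain key vs certificate."""
import hashlib
import struct

SSH_MSG_USERAUTH_REQUEST = 50
CARD_LIMIT = 1024  # bytes the thread reports the Nitrokey 3 accepts for one Ed25519 signature


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_pubkey_blob(pk: bytes) -> bytes:
    """Plain public key blob: string "ssh-ed25519", string pk (32 bytes)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(pk)


DEFAULT_EXTENSIONS = (b"permit-X11-forwarding", b"permit-agent-forwarding",
                      b"permit-port-forwarding", b"permit-pty", b"permit-user-rc")


def ed25519_cert_blob(pk, nonce, key_id, principals, ca_pubkey_blob, ca_sig_blob,
                      extensions=DEFAULT_EXTENSIONS):
    """Certificate blob laid out as in OpenSSH PROTOCOL.certkeys.
    The default extension set is what ssh-keygen emits for a user certificate."""
    principal_list = b"".join(ssh_string(p) for p in principals)
    extension_list = b"".join(ssh_string(e) + ssh_string(b"") for e in extensions)
    return (
        ssh_string(b"ssh-ed25519-cert-v01@openssh.com")
        + ssh_string(nonce)
        + ssh_string(pk)
        + struct.pack(">Q", 0)          # serial
        + struct.pack(">I", 1)          # type: 1 = user certificate
        + ssh_string(key_id)
        + ssh_string(principal_list)
        + struct.pack(">Q", 0)          # valid after
        + struct.pack(">Q", 2**64 - 1)  # valid before ("forever")
        + ssh_string(b"")               # critical options (none)
        + ssh_string(extension_list)
        + ssh_string(b"")               # reserved
        + ssh_string(ca_pubkey_blob)    # signature key
        + ssh_string(ca_sig_blob)       # CA signature over the fields above (placeholder here)
    )


def userauth_signed_data(session_id, user, algorithm, key_blob) -> bytes:
    """Exactly the bytes the agent (and so a PureEdDSA token) must sign."""
    return (
        ssh_string(session_id)
        + bytes([SSH_MSG_USERAUTH_REQUEST])
        + ssh_string(user)
        + ssh_string(b"ssh-connection")
        + ssh_string(b"publickey")
        + b"\x01"                       # boolean TRUE: a signature follows
        + ssh_string(algorithm)
        + ssh_string(key_blob)          # plain key blob, or the whole certificate
    )


def build_requests():
    """Return (plain_signed_data, cert_blob, cert_signed_data) for one constructed session."""
    session_id = bytes(32)              # constructed; the real value is the KEX exchange hash
    pk = bytes(32)                      # constructed placeholder public key
    nonce = bytes(32)
    ca_pubkey = ed25519_pubkey_blob(bytes(32))
    ca_sig = ssh_string(b"ssh-ed25519") + ssh_string(bytes(64))  # placeholder, not a real signature
    plain = userauth_signed_data(session_id, b"alice", b"ssh-ed25519", ed25519_pubkey_blob(pk))
    cert = ed25519_cert_blob(pk, nonce, b"alice-key", [b"alice"], ca_pubkey, ca_sig)
    with_cert = userauth_signed_data(session_id, b"alice", b"ssh-ed25519-cert-v01@openssh.com", cert)
    return plain, cert, with_cert


def signed_data_sizes():
    """Lengths of (plain signed data, certificate blob, certificate signed data)."""
    plain, cert, with_cert = build_requests()
    return len(plain), len(cert), len(with_cert)


def fits_card_buffer(n: int, limit: int = CARD_LIMIT) -> bool:
    """Would a PureEdDSA signer with an n-byte input limit accept this message?"""
    return n <= limit


def prehashed_size(data: bytes) -> int:
    """What a pre-hashing scheme (ECDSA P-256 or RSA with SHA-256) sends to the card instead."""
    return len(hashlib.sha256(data).digest())


if __name__ == "__main__":
    plain_len, cert_len, with_cert_len = signed_data_sizes()
    print(f"plain key: {plain_len} bytes; certificate blob: {cert_len} bytes; "
          f"signed data with certificate: {with_cert_len} bytes (card limit {CARD_LIMIT})")
    print(f"pre-hashed input for the same request: {prehashed_size(build_requests()[2])} bytes")
```

With these minimal constructed fields the certificate case is still below the 1024-byte figure from the thread, which matches the comment above that a 700-byte message alone should not be rejected by the token; the point of the example is that with Ed25519 the entire request, whose length is set by the certificate's key id, principals and extensions, reaches the signer, whereas a pre-hashing scheme always sends a fixed 32-byte digest regardless of certificate size.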

@sosthene-nitrokey sosthene-nitrokey added the wontfix This will not be worked on label Sep 26, 2023