Description of problem: On Fedora/RHEL platforms pkcs11-helper has been patched such that it mangles URIs in a manner that breaks other software, including GNU Privacy Guard when using PKCS#11 through gnupg-pkcs11-scd. This problem does not occur on Debian, on Ubuntu or even on RHEL 9 when compiling pkcs11-helper from upstream sources. The specific problem demonstrated here is importing a PKCS#11 key into gpg but any use of patched pkcs11-helper is potentially going to cause surprising problems that will be difficult to debug. Version-Release number of selected component (if applicable): Observed with pkcs11-helper 1.27-6.el9.x86_64 but probably affects any version on any RHEL compatible platform. How reproducible: Always Steps to Reproduce: 1. Install pkcs11-helper $ sudo dnf install epel-release && \ sudo dnf install -y \ git gnupg pinentry-tty patch libtool pkg-config \ libgpg-error-devel libassuan-devel libgcrypt-devel \ pkcs11-helper-devel 2. Compile gnupg-pkcs11-helper (no EPEL or RHEL package seems to exist) $ git clone https://github.com/alonbl/gnupg-pkcs11-scd.git $ cd gnupg-pkcs11-scd $ patch -p1 <<EOF diff --git a/configure.ac b/configure.ac index 2d31368..6598757 100644 --- a/configure.ac +++ b/configure.ac @@ -36,6 +36,7 @@ define([PACKAGE_VERSION_FIX], [1]) define([PACKAGE_SUFFIX], [_master]) AC_INIT([gnupg-pkcs11-scd], [PACKAGE_VERSION_MAJOR.PACKAGE_VERSION_MINOR.PACKAGE_VERSION_FIX[]PACKAGE_SUFFIX]) +AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_AUX_DIR([.]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_SRCDIR([gnupg-pkcs11-scd/common.h]) EOF $ libtoolize --automake && \ aclocal && \ autoheader && \ automake --add-missing --foreign && \ autoconf && \ ./configure && make && sudo make install 3. Configure a PKCS#11 provider with GnuPG $ mkdir -p ~/.gnupg/ && chmod 0700 ~/.gnupg/ $ cat <<EOF > ~/.gnupg/gpg-agent.conf scdaemon-program `find /usr/bin /usr/local/bin -name gnupg-pkcs11-scd` pinentry-program /usr/bin/pinentry-tty EOF $ cat <<EOF > ~/.gnupg/gnupg-pkcs11-scd.conf verbose providers p1 provider-p1-library /opt/nfast/toolkits/pkcs11/libcknfast.so EOF 4. Attempt to import a PKCS#11 protected key pair $ echo -e 'RELOADAGENT\nSCD LEARN' | gpg-agent --server gpg-connect-agent $ gpg --expert --full-generate-key Actual results: Your selection? 14 Serial number of the card: D2760001240111503131AD4306431111 Available keys: (1) 258DAF945486847792A1AC4F9E69487B7F6EF2A2 pkcs11:model=;token=loadshared%20accelerator;manufacturer=nCipher%20Corp.%20Ltd;serial=;id=%25%8d%af%94T%86%84w%92%a1%acO%9eiH%7b%7fn%f2%a2 (null) [... prompts for validity, username and email address ...] gpg: [internal]:0: invalid algorithm Expected results: Your selection? 14 Serial number of the card: D2760001240111503131AD4306431111 Available keys: (1) 258DAF945486847792A1AC4F9E69487B7F6EF2A2 nCipher\x20Corp\x2E\x20Ltd///loadshared\x20accelerator/258DAF945486847792A1AC4F9E69487B7F6EF2A2 rsa2048 [... same prompts this time without errors ...] Additional info: Actual and expected results above are copied from the output the same system. The second was collected after "rpm -e pkcs11-helper" and compiling both pkcs11-helper and gnupg-pkcs11-scd from upstream sources. With the expected results, I was able to sign and verify using gpg with the imported PGP key. In other words, Fedora and RHEL have patched pkcs11-helper such that it mangles URI values in a manner that confuses GNU Privacy Guard when attempting to use PKCS#11 keys. Other distributions such as Debian are not affected. Building pkcs11-helper from upstream sources after uninstalling the RPM also eliminates this problem.
Candidate fix at https://github.com/OpenSC/pkcs11-helper/pull/4/commits/94b0adf4b3be6ee359c4f46ec517b81aca9d8a9a (See discussion at https://github.com/alonbl/gnupg-pkcs11-scd/issues/63 )
Scratch build for EPEL9 at https://koji.fedoraproject.org/koji/taskinfo?taskID=124260347
I am not sure why I am listed as the assignee for this bug, and my apologies for not seeing it before now. Does someone need me to do something?