Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature Request: Provide More Information On The Releases For Newbies #37

Open
EmperorArthur opened this issue Jun 13, 2021 · 3 comments
Open

Feature Request: Provide More Information On The Releases For Newbies #37

EmperorArthur opened this issue Jun 13, 2021 · 3 comments

Comments

@EmperorArthur
Copy link
Contributor

EmperorArthur commented Jun 13, 2021
edited
Loading

Hello,

I apologize for the earlier confusion with the previous issue. This issue is a large one which I doubt is a high priority or will be tackled soon.

As someone new to the Smart Card space, I purchased a "PIVKey C980" as a learning card. Per usual, I did not know what I really needed to buy until hours into figuring out why things are not working. Loading JCAlgTest, it appears this card is running JavaCard 3.0 which, if it is not cutting off the last portion, is lower than the required 3.04.

Unfortunately, the only other OpenPGP card application is the old, unmaintained, Yubikey implementation. Which required re-writing the "build.xml" file and still crashes when attempting to install.

It is disappointing that brand new cards from seemingly reputable companies do not work with this software. Also that there are no alternatives without modifying code in what to me is an unfamiliar language, on an unfamiliar OS, running on unfamiliar hardware.

Examining in more detail, the two things keeping from going back to 3.0.3 (testing against this repository) are:

  • MessageDigest.LENGTH_SHA_224
  • sig.signPreComputedHash

What is interesting to me about the length one is that JCAlgTest reports "ALG_ECDSA_SHA_224;yes;0.161000". Which seems to imply the variable can be hard coded to work on at least some cards.
@breard-r
Copy link
Contributor

breard-r commented Jun 13, 2021
edited
Loading

Hi,

There already is several branches with lower JavaCard support :
https://github.com/ANSSI-FR/SmartPGP/branches

Edit:
I forgot, those branches are also released:
https://github.com/ANSSI-FR/SmartPGP/releases

@EmperorArthur EmperorArthur changed the title Feature Request: Increase Compatibily By Lowering JavaCard Required Version From 3.0.4 Feature Request: Provide More Information On The Releases For Newbies Jun 13, 2021
@EmperorArthur
Copy link
Contributor Author

Thanks for pointing that out. I see what happened. I was not paying attention and the "OpenPGP 3.4" standard looks like "3.0.4" when going a bit fast made me think the tags were actually some sort of OpenPGP version thing.

One way you may consider making things more newbie friendly is by commenting the releases similar to how xrdp does. A note in H1 with the "For JavaCards Running 3.0.1" would probably help people like me.

I would also implore you to release pre-compiled ".cap" files. If ant supports reproducible builds, then it would be easy for anyone else who can compile it to verify that the release has not been tampered with.

You might also consider adjusting the Readme to mention the other branches/releases.

@duxsco
Copy link

duxsco commented Sep 28, 2021

@EmperorArthur Hopefully, this helps :)
https://github.com/duxco/gpg-smartcard/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@breard-r @EmperorArthur @duxsco