When using an OpenPGP card (Yubikey NEO) to sign a message for sending (without encryption), the PIN is requested twice, and the signature count on the card is incremented by two. (Maybe it's because the message for the IMAP "Sent" folder is signed separately from the one to be sent by SMTP/Submission?)
These two commands appear in the Enigmail console:
enigmail> /usr/local/bin/gpg2 --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 -t --clearsign -u 0x00FCC595 --use-agent
enigmail> /usr/local/bin/gpg2 --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --digest-algo sha256 -s -b -a -t -u 0x00FCC595 --use-agent
The need to enter the PIN twice is annoying, and the signature counter on the card becomes misleading. The message ought to be signed once, and the already signed copy sent and saved.
Are these two gpg calls shortly after one another? Has this been a PGP/MIME message? If yes to both, then this has a technical reason: Enigmail needs to evaluate the used signing algorithm before constructing the final message, and this can only be done by internally creating an invisible signed test message. This way, the signing counter on the card is incremented and the passphrase/PIN asked twice. If the double passphrase/PIN question bothers you, please set the caching time of gpg-agent to a very short time (some seconds) instead of no caching.
Yes, the two commands in the log go shortly one after the other.
Yes, it's PGP/MIME.
Setting PIN caching in gpg-agent will still have sig counter on the card incremented twice, right?
I don't quite get why Enigmail cannot simply format the text for the text/plain part of the multipart/signed message, call gpg to produce a detached signature, detect its micalg, and put it in the application/pgp-signature part of the message.
But oh well... Thanks for the response.
There is no way to avoid this. Enigmail needs to first create a test message to determine the signing algorithm, and to verify if the signature creation will succeed, and then it will sign the message.
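
The single-signature flow proposed in the third post (one detached signature, read the hash algorithm back, then fill in micalg), sketched in Python as an added example; it is not Enigmail's code. It assumes gpg's `--status-fd` output carries a `SIG_CREATED` line; the status text, fingerprint and signature body are constructed samples, and `micalg_from_status` and `build_signed` are hypothetical names.

```python
import re
from email import encoders
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4) mapped to micalg tokens.
MICALG = {1: "pgp-md5", 2: "pgp-sha1", 3: "pgp-ripemd160", 8: "pgp-sha256",
          9: "pgp-sha384", 10: "pgp-sha512", 11: "pgp-sha224"}

# Status line layout:
# [GNUPG:] SIG_CREATED <type> <pk_algo> <hash_algo> <class> <timestamp> <keyfpr>
SIG_CREATED = re.compile(r"^\[GNUPG:\] SIG_CREATED (\S) \d+ (\d+) ", re.M)

# Constructed sample of what "gpg2 --status-fd 2 -s -b -a ..." would report.
SAMPLE_STATUS = ("[GNUPG:] BEGIN_SIGNING\n"
                 "[GNUPG:] SIG_CREATED D 1 8 00 1400000000 " + "A" * 40 + "\n")
# Constructed placeholder, not a real signature.
SAMPLE_SIG = ("-----BEGIN PGP SIGNATURE-----\n\n(constructed placeholder)\n"
              "-----END PGP SIGNATURE-----\n")

def micalg_from_status(status_text):
    """Derive the micalg parameter from the one real signing operation."""
    m = SIG_CREATED.search(status_text)
    if m is None:
        # Card removed, PIN entry cancelled, wrong key: nothing was signed.
        raise ValueError("no SIG_CREATED line, signing did not succeed")
    if m.group(1) != "D":
        raise ValueError("PGP/MIME needs a detached signature (type D)")
    algo = int(m.group(2))
    if algo not in MICALG:
        raise ValueError("unknown hash algorithm id %d" % algo)
    return MICALG[algo]

def build_signed(body_part, armored_sig, status_text):
    """Assemble multipart/signed only after the signature already exists."""
    outer = MIMEMultipart("signed", protocol="application/pgp-signature",
                          micalg=micalg_from_status(status_text))
    sig = MIMEApplication(armored_sig, "pgp-signature",
                          _encoder=encoders.encode_7or8bit)
    outer.attach(body_part)  # the exact bytes that were handed to gpg
    outer.attach(sig)
    return outer

if __name__ == "__main__":
    print(build_signed(MIMEText("hello"), SAMPLE_SIG, SAMPLE_STATUS).as_string())
```

A missing `SIG_CREATED` line doubles as the success check, so in this sketch no separate trial signature is involved.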