Sign with GPG using GnuPG PKCS11

The GPG agent is part of the GPG tool suite and helps users to bridge to the location of their signing keys. When you use DigiCert​​®​​ Software Trust Manager , the GPG agent connects you to the DigiCert​​®​​ Software Trust Manager cloud key storage via the SCD.

Command:

gpg --card-status

Output:

gpg --card-status 
gpg: WARNING: server 'scdaemon' is older than us (development < 2.2.34) 
gpg: Note: Outdated servers may lack important security fixes. 
gpg: Note: Use the command "gpgconf --kill all" to restart them. 
Reader ...........: [none] 
Application ID ...: D27600000000000000000000 
Application type .: Unknown 
OK DigiCert One Secure Software Manager smart-card server for GnuPG ready

To verify that the SCD standalone runs without any issues, run:

./ssm-scd-darwin-amd64

Output:

OK DigiCert One Secure Software Manager smart-card server for GnuPG ready

Command to exit:

bye

To list public keys in your downloaded keyring:

gpg --list-keys

Command output:

pub   rsa3072 2022-05-31 [SC] 
      917D38F453BC677946186AA1E2EFF40CFD433E18 
uid           [ unknown] userid1 <jane.doe@example.com> 
sub   rsa2048 2022-05-31 [S] 
sub   rsa2048 2022-05-31 [S] 
pub   nistp256 2022-05-31 [SC] 
      DF0460CF2363E0FA9C502DD83D83032F38E2CEDC 
uid           [ unknown] useridsmctl1 <john.doe@example.com> 

To list private keys in your downloaded keyring:

gpg --list-secret-keys

Command output:

sec>  rsa3072 2022-05-31 [SC] 
      917D38F453BC677946186AA1E2EFF40CFD433E18 
      Card serial no. = D27600000000000000000000 
uid           [ unknown] userid1 <jane.doe@example.com> 
ssb>  rsa2048 2022-05-31 [S] 
ssb>  rsa2048 2022-05-31 [S] 
sec>  nistp256 2022-05-31 [SC] 
      DF0460CF2363E0FA9C502DD83D83032F38E2CEDC 
      Card serial no. = D27600000000000000000000 
uid           [ unknown] useridsmctl1 john.doe@example.com 

If you are using a Linux operating system that uses SystemD (Debian, Fedora, CentOS, Red Hat, Ubuntu, OpenSUSE, Arch, and Amazon Linux), GPG is run as a non-root user, this means that your DigiCert​​®​​ Software Trust Manager user environment variables are not visible in the GPG process, which runs at a system level.

GPG signing is complex, it therefore operates in “offline” mode using a local SQLite database containing all the certificates. In this model, only signing communicates to DigiCert​​®​​ Software Trust Manager where the private keys are securely stored. Follow the steps below to ensure that your environment variables are accessible.

systemctl --user show-environment         

There are three types of signing as shown below:

gpg --sign <unsigned file name>

gpg --sign UNSIGNED_JAR.jar 

gpg -u <subkey fingerprint>! --sign <file path>

gpg -u 8637E05EFAF1854A23AC297CE93BF08473D9C02AC927A158! --sign C:\Users\Name\Documents\UNSIGNED_JAR.jar

gpg --verify UNSIGNED_JAR.jar.gpg 
gpg: Signature made Tue May 31 21:32:03 2022 IST 
gpg:                using RSA key 3D989AF5AD0D75F44D27B9398B7EFC21C1776585 
gpg: Good signature from "userid1 <jane.doe@digicert.com>" [unknown] 
gpg: WARNING: This key is not certified with a trusted signature! 
gpg:          There is no indication that the signature belongs to the owner. 
Primary key fingerprint: 917D 38F4 53BC 6779 4618  6AA1 E2EF F40C FD43 3E18 
Subkey fingerprint: 3D98 9AF5 AD0D 75F4 4D27  B939 8B7E FC21 C177 6585 

gpg --list-keys --with-subkey-fingerprint

gpg –-armor –sign <file>

gpg –clearsign <file>

Error message

gpg: error getting version from 'scdaemon': No SmartCard daemon 
gpg: OpenPGP card not available: No SmartCard daemon 

Solution

Run the following command:

gpgconf --kill all

Error message

Command output shows pubring.kbx instead of pubring.gpg.

Solution

Remove the default pubring.kbx from /User/<user_name>/.gnupg/ so the keys from /User/<user_name>/.gnupg/pubring.gpg get displayed

When attempting to sign with gpg --sign <file path> you receive the following error:

Error message

gpg: signing failed: General error

Solution

Navigate to DigiCert ONE > DigiCert​​®​​ Software Trust Manager > Logs > Signature logs > Click on the signing event > View the Error message field.

If the error message is:

User - <user ID> does not have access to the GPG keypair with ID - <GPG keypair ID>

The most recently created subkey will always be used as the default to sign with even if you do not have access to that subkey. To avoid this error, use this command to sign with a different key:

gpg -u <subkey fingerprint>! --sign <file path>

When attempting to sign with gpg --sign <file path> you receive the following error:

Error message

gpg: signing failed: General error

Solution

Select one of the options below based on your method of GPG signing:

Error message

Provided gpg keypair <GPG keypair ID> is in OFFLINE state and cannot be used for signing. Please provide keypair in active state to be used for signing.

Solution

The most recently created subkey will always be used as the default to sign with even that subkey is in offline mod. There are three ways to avoid this error: