In the GnuPG ticket you mention the signed data is around 700 bytes, but are you sure that it's the Nitrokey 3 that rejects such large data? After some manual checking with Ed25519 it can sign up to 1024 bytes. (actually I also noticed that it crashes for 1025 Nitrokey/opcard-rs#173 😟 ).
So if it's only 700 bytes as in the GnuPG ticket I don't think the error comes directly from the Nitrokey 3 (and if it did you would have noticed a crashing key). I think we could bump it to a bit less than 2KB but that doesn't seem like the proper way to fix this problem.
So far I have had no issue signing ed25519 keys with either gpg or openssh.
I agree with you that this solution is not optimal. There is definitely a protocol issue here, as NIIBE mentions. However, it would make the NK3 a bit more robust to a poorly specified protocol.
I will leave this open for documentation. If anyone encounters this issue, the recommended solutions are to either use another protocol that can do pre-hashing (P256 or RSA), or to use the OpenSSH integration with FIDO if you are using a sufficiently recent version of OpenSSH.
It's not clear if this is a firmware issue or the openssh protocol itself.
firmware: v1.5.0-test.20230704
gnupg: 2.4.3
openssh: OpenSSH_for_Windows_9.2p1, LibreSSL 3.7.2
os: Windows 11 Pro, fully updated
Here is the scenario:
sign_and_send_pubkey: signing failed for ED25519 "~/.ssh/ed25519.pub": agent refused operation
NIIBE Yutaka, author of Gnuk and Nitrokey Start, has a good explanation of the root cause of the problem and a possible workaround [1].
It would be awesome if the NK3 firmware could expand the memory to handle the new ssh protocol features.
[1] https://dev.gnupg.org/T6250
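To make the protocol point concrete, here is an added example (not code from this issue, GnuPG, OpenSSH or the Nitrokey firmware) that builds the blob an SSH client must sign for publickey authentication (RFC 4252 section 7) and shows how much of it actually has to reach the card: pure Ed25519 has no pre-hash, so the whole blob goes to the card, while ecdsa-sha2-nistp256 and rsa-sha2-* only send a fixed-size digest. The 1024-byte limit, the session id, user name and key blobs are constructed sample values; the limit is the figure quoted in the comments above.

```python
import hashlib
import struct

# Ed25519 signing limit quoted in the thread above (assumption: 1024 bytes).
CARD_LIMIT = 1024

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format 'string': uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data

def userauth_signed_blob(session_id: bytes, user: str, key_algo: str, key_blob: bytes) -> bytes:
    """Data the client signs for publickey auth (RFC 4252 section 7)."""
    return (
        ssh_string(session_id)
        + bytes([50])                       # SSH_MSG_USERAUTH_REQUEST
        + ssh_string(user.encode())
        + ssh_string(b"ssh-connection")
        + ssh_string(b"publickey")
        + b"\x01"                           # boolean TRUE: a signature follows
        + ssh_string(key_algo.encode())
        + ssh_string(key_blob)
    )

def card_input(key_algo: str, blob: bytes) -> bytes:
    """Bytes the smart card must receive to produce the signature."""
    if key_algo.startswith("ssh-ed25519"):
        return blob                         # pure EdDSA: whole message, no pre-hash
    if key_algo in ("ecdsa-sha2-nistp256", "rsa-sha2-256"):
        return hashlib.sha256(blob).digest()   # pre-hashed: always 32 bytes
    if key_algo == "rsa-sha2-512":
        return hashlib.sha512(blob).digest()   # pre-hashed: always 64 bytes
    raise ValueError(f"unsupported algorithm {key_algo}")

def fits_card(key_algo: str, blob: bytes, limit: int = CARD_LIMIT) -> bool:
    """True if the card-side input stays within the signing buffer limit."""
    return len(card_input(key_algo, blob)) <= limit

if __name__ == "__main__":
    session_id = b"\x11" * 32                              # constructed (SHA-256 KEX size)
    plain_key = ssh_string(b"ssh-ed25519") + ssh_string(b"\x22" * 32)
    cert_key = b"\x33" * 1100                              # constructed certificate-sized blob
    for algo, key in (("ssh-ed25519", plain_key),
                      ("ssh-ed25519-cert-v01@openssh.com", cert_key),
                      ("ecdsa-sha2-nistp256", cert_key)):
        blob = userauth_signed_blob(session_id, "alice", algo, key)
        print(f"{algo:34} blob={len(blob):5} bytes  to card={len(card_input(algo, blob)):5}"
              f"  fits={fits_card(algo, blob)}")
```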