[pkg-gnupg-maint] Bug#1052131: gnupg2: gpg incompatible with Yubikey 5 NFC and key storage
Manoj Srivastava
manoj.srivastava.1962 at gmail.com
Sun Sep 17 20:41:42 BST 2023
Package: gnupg2
Version: 2.2.40-1.1
Severity: minor
X-Debbugs-Cc: none, Manoj Srivastava <srivasta at debian.org>
Hi,
I have a new Yubikey 5 NFC, and was using ‘gpg --card-edit’ and
‘gpg --edit-key --expert 0x123456789’ to move my gpg subkeys to the Yubikey.
How to reproduce error mode:
-----------------------------------------
% gpg --card-edit
> admin
> passwd
> change admin pin
> change PIN
% gpg --edit-key --expert 0x123456789’
> key 7
> keytocard
> 1 ## (signing key)
<<gpg passphrese>>
<<Yubikey Admin PIN>>
Error failed to import key PIN failed
-----------------------------------------------
Eventually this results in 3 failures for the ADMIN pin, locking the
Yubikey. Hypothesis: gpg2 and keytocard do not work with custom
admin pins. Reversing the order of operations worked:
+ add keys while the ADMIN PIN is 12345678
+ then change the PINs on the Yubikey
+ now signing with the gpg keys living on Yubikey works just fine.
---------------------------------------------
% gpg --card-edit
> admin
> factory-reset
> y
> yes
% gpg --edit-key --expert 0x123456789’
> key 7
> keytocard
> 1 ## (signing key)
<<gpg passphrese>>
<<Yubikey Admin PIN>>
% gpg --card-edit
> admin
> passwd
> change admin pin
> change PIN
% lsusb | grep Yubikey
[90587.275149] input: Yubico YubiKey OTP+FIDO+CCID as
/devices/pci0000:00/0000:00:14.0/usb1/1-12/1-12:1.0/0003:1050:0407.0009/input/input23
[90587.339153] hid-generic 0003:1050:0407.0009: input,hidraw8: USB HID
v1.10 Keyboard [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-12/input0
[90587.339962] hid-generic 0003:1050:0407.000A: hiddev2,hidraw9: USB HID
v1.10 Device [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-12/input1
% gpg --card-status
Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240103040006247353380000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 24735338
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
---------------------------------------------------------------------
-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (500, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.4.0-4-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored:
LC_ALL set to en_US.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gnupg2 depends on:
ii gnupg 2.2.40-1.1
gnupg2 recommends no packages.
gnupg2 suggests no packages.
-- no debconf information
--------------------------------------------------------------------------------
Thanks,
Manoj
--
Education is an admirable thing, but it is well to remember from time to
time that nothing that is worth knowing can be taught. -- Oscar Wilde,
"The Critic as Artist"
Manoj Srivastava <srivasta at acm.org>
4096R/C5779A1C E37E 5EC5 2A01 DA25 AD20 05B6 CF48 9438 C577 9A1C
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnupg-maint/attachments/20230917/b386d883/attachment.htm>
More information about the pkg-gnupg-maint
mailing list