[Pkg-auth-maintainers] Bug#1023561: yubico-piv-tool: selfsign-certificate fails nondescriptively, update needed?

Jamie Lentin jm at lentin.co.uk
Sun Nov 6 17:58:06 GMT 2022 

Package: yubico-piv-tool
Version: 2.2.0-1.1
Severity: normal
X-Debbugs-Cc: jm at lentin.co.uk

Dear Maintainer,

I tried following the instructions to set up a Yubikey 5C Nano, firmware 5.4.3,
with PIV:

  https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html

$ ykman piv reset
WARNING! This will delete all stored PIV data and restore factory settings. Proceed? [y/N]: y
Resetting PIV data...
Success! All PIV data have been cleared from the YubiKey.
Your YubiKey now has the default PIN, PUK and Management Key:
        PIN:    123456
        PUK:    12345678
        Management Key: 010203040506070801020304050607080102030405060708

$ yubico-piv-tool --version
yubico-piv-tool 2.2.0
$ yubico-piv-tool -s 9a -a generate -o public.pem
Successfully generated a new private key.
$ yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i public.pem -o cert.pem
Enter PIN:
Successfully verified PIN.
Failed signing certificate.

Not entirely dissimilar to the upstream issue 185[0], however there is no wait
for a button press. Trying the same commands from upstream master 75188af,
compiling upstream as per README instructions[1], works fine:

$ ./tool/yubico-piv-tool --version
yubico-piv-tool 2.3.0
$ ./tool/yubico-piv-tool -s 9a -a generate -o public.pem
Successfully generated a new private key.
$ ./tool/yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S
"/CN=SSH key/" -i public.pem -o cert.pem
Enter PIN:
Successfully verified PIN.
Successfully generated a new self signed certificate.

NB: The tagged version yubico-piv-tool-2.3.0 fails to compile.

Does the package need updating? Is the Yubikey documentation not valid for
2.2.0, or am I just being dumb?

Cheers,

[0] https://github.com/Yubico/yubico-piv-tool/issues/185
[1] https://github.com/Yubico/yubico-piv-tool

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.19.0-2-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages yubico-piv-tool depends on:
ii  libc6      2.36-4
ii  libssl3    3.0.7-1
ii  libykpiv2  2.2.0-1.1

yubico-piv-tool recommends no packages.

yubico-piv-tool suggests no packages.

-- no debconf information

More information about the Pkg-auth-maintainers mailing list