[pkg-gnupg-maint] Bug#1052131: gnupg2: gpg incompatible with Yubikey 5 NFC and key storage

Manoj Srivastava manoj.srivastava.1962 at gmail.com
Sun Sep 17 20:41:42 BST 2023


Package: gnupg2
Version: 2.2.40-1.1
Severity: minor
X-Debbugs-Cc: none, Manoj Srivastava <srivasta at debian.org>

Hi,

        I have a new Yubikey 5 NFC, and was using ‘gpg --card-edit’ and
‘gpg --edit-key --expert 0x123456789’ to move my gpg subkeys to the Yubikey.

 How to reproduce error mode:
 -----------------------------------------
 % gpg --card-edit
   > admin
   > passwd
     > change admin pin
     > change PIN

 % gpg --edit-key --expert 0x123456789
   > key 7
   > keytocard
     > 1                    ## (signing key)
     <<gpg passphrase>>
     <<Yubikey Admin PIN>>
  Error failed to import key PIN failed
-----------------------------------------------
 Eventually this results in 3 failures for the ADMIN pin, locking the
Yubikey.  Hypothesis: gpg2 and keytocard do not work with custom
admin pins. Reversing the order of operations worked:
  + add keys while the ADMIN PIN is 12345678
  + then change the PINs on the Yubikey
  + now signing with the gpg keys living on Yubikey works just fine.
 ---------------------------------------------
 % gpg --card-edit
   > admin
   > factory-reset
      > y
      > yes
% gpg --edit-key --expert 0x123456789
   > key 7
   > keytocard
     > 1                    ## (signing key)
     <<gpg passphrase>>
     <<Yubikey Admin PIN>>
% gpg --card-edit
   > admin
   > passwd
     > change admin pin
     > change PIN

% lsusb | grep Yubikey
[90587.275149] input: Yubico YubiKey OTP+FIDO+CCID as
/devices/pci0000:00/0000:00:14.0/usb1/1-12/1-12:1.0/0003:1050:0407.0009/input/input23
[90587.339153] hid-generic 0003:1050:0407.0009: input,hidraw8: USB HID
v1.10 Keyboard [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-12/input0
[90587.339962] hid-generic 0003:1050:0407.000A: hiddev2,hidraw9: USB HID
v1.10 Device [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-12/input1

% gpg --card-status
Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240103040006247353380000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 24735338
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
---------------------------------------------------------------------

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.4.0-4-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored:
LC_ALL set to en_US.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnupg2 depends on:
ii  gnupg  2.2.40-1.1

gnupg2 recommends no packages.

gnupg2 suggests no packages.

-- no debconf information

--------------------------------------------------------------------------------

        Thanks,

        Manoj
-- 
Education is an admirable thing, but it is well to remember from time to
time that nothing that is worth knowing can be taught. -- Oscar Wilde,
"The Critic as Artist"
Manoj Srivastava <srivasta at acm.org>
4096R/C5779A1C E37E 5EC5 2A01 DA25 AD20  05B6 CF48 9438 C577 9A1C
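An added pre-flight check for the keytocard procedure described in the report above (example code written for this page; it is not part of the bug report and not GnuPG's own tooling). It parses `gpg --card-status --with-colons`, where the `pinretry:` line carries the user PIN, Reset Code and Admin PIN retry counters in that order (the "3 0 3" of the human-readable output) and the `fpr:` line carries the signature, encryption and authentication slot fingerprints, and refuses to proceed when the Admin PIN has fewer than the three default retries left or the target slot is already occupied. The helper names `card_field` and `check_card` are assumptions for this example, and the sample status texts are constructed, modelled on the reporter's card.

```shell
#!/bin/sh
# Pre-flight check before `keytocard`, so a mistyped Admin PIN is not retried
# until the card locks. Added example, not code from the report or from GnuPG.
#
# Assumed --with-colons layout (assumption, matches current gpg output):
#   pinretry:U:R:A:   retry counters for user PIN (U), Reset Code (R), Admin PIN (A)
#   fpr:S:E:A:        fingerprints of signature, encryption, authentication slots
#                     (an empty field means an empty slot)

# card_field NAME N: read --with-colons output on stdin and print field N of
# the first line whose first field is NAME; exit 1 when no such line exists.
card_field() {
    awk -F: -v name="$1" -v n="$2" '
        $1 == name { print $(n); found = 1; exit }
        END { if (!found) exit 1 }'
}

# check_card STATUS SLOT: STATUS is the --with-colons text, SLOT is the
# keytocard slot number (1 = signature, 2 = encryption, 3 = authentication).
# Returns 0 when keytocard is safe to attempt, 1 otherwise (reason on stderr).
check_card() {
    status=$1
    slot=$2

    admin_left=$(printf '%s\n' "$status" | card_field pinretry 4) || {
        echo "no pinretry line: is the card inserted and scdaemon running?" >&2
        return 1
    }
    # Yubikey default is 3 Admin PIN retries; anything less means a previous
    # attempt already failed, so confirm the PIN before trying again.
    case $admin_left in
        0)   echo "Admin PIN is locked (0 retries left); only factory-reset recovers" >&2
             return 1 ;;
        1|2) echo "Admin PIN has only $admin_left retries left; verify it before keytocard" >&2
             return 1 ;;
    esac

    # fpr field for slot N is field N+1 of the fpr line.
    existing=$(printf '%s\n' "$status" | card_field fpr $((slot + 1))) || existing=""
    if [ -n "$existing" ]; then
        echo "slot $slot already holds key $existing; keytocard would overwrite it" >&2
        return 1
    fi

    echo "ok: Admin PIN retries=$admin_left, slot $slot empty"
    return 0
}

# Constructed sample: the reporter's card after factory-reset (OpenPGP 3.4,
# serial 24735338, every slot empty, fresh retry counters).
SAMPLE_FRESH='version:0304:
vendor:0006:Yubico:
serial:24735338:
pinretry:3:0:3:
fpr::::'

# Constructed sample: same card after three failed Admin PIN attempts.
SAMPLE_LOCKED='version:0304:
serial:24735338:
pinretry:3:0:0:
fpr::::'

# Constructed sample: signature slot already populated (made-up fingerprint).
SAMPLE_OCCUPIED='pinretry:3:0:3:
fpr:0123456789ABCDEF0123456789ABCDEF01234567:::'

# Against a real card, run before entering the edit-key session:
#   check_card "$(gpg --card-status --with-colons)" 1 && gpg --edit-key --expert KEYID
check_card "$SAMPLE_FRESH" 1
check_card "$SAMPLE_LOCKED" 1 || true
check_card "$SAMPLE_OCCUPIED" 1 || true
```

The check is deliberately conservative: it stops on any Admin PIN counter below the default rather than only on zero, because the report shows that the point of no return is reached after the third failure, and a factory-reset of an OpenPGP applet wipes whatever keys it already holds.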