Re: Adding new uid to causes bad signature

2024-05-03 Thread Rens Rikkerink via Gnupg-users
Hey there Werner!

And thank you too for your reply.

> Please run
>
>   gpg-card
>
> to get infos on the card and used keys.

No problem at all:
$ gpg-card
Reader ...: Yubico YubiKey OTP FIDO CCID 0
Card type : yubikey
Card firmware : 5.4.3
Serial number : D27600012401000622314520
Application type .: OpenPGP
Version ..: 3.4
Displayed s/n : 22 314 520
Manufacturer .: Yubico (6)
Name of cardholder: Rens Rikkerink
Language prefs ...: en
Salutation ...: Mr.
URL of public key : https://github.com/ikkerens.gpg
Login data ...: [not set]
Signature PIN : not forced
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 1192
Capabilities .: key-import algo-change button priv-data
KDF setting ..: on
UIF setting ..: Sign=off Decrypt=off Auth=off
Signature key : 4DCD2F5D0F303B60FAFDB469BA33F314281B2D1B
  keyref .: OPENPGP.1  (sign,cert)
  algorithm ..: ed25519
  stored fpr .: 6AA6FC5597E89BDC19ADD6AFCF2FEC503A89BCFF
  created : 2022-10-26 18:20:54
  used for ...: OpenPGP
main key .: 
fpr ..: 6AA6FC5597E89BDC19ADD6AFCF2FEC503A89BCFF
created ..: 2022-10-26 18:20:54
user id ..: Rens Rikkerink 
user id ..: Rens Rikkerink 
Encryption key: 993197BDCB9A09A16C4918DED4310EEF4B6582E2
  keyref .: OPENPGP.2  (encr)
  algorithm ..: cv25519
  stored fpr .: FA57A5CBF68A422B1A54AC49A17864EE2C2102F8
  created : 2022-10-26 18:21:17
  used for ...: OpenPGP
main key .: 
fpr ..: FA57A5CBF68A422B1A54AC49A17864EE2C2102F8
created ..: 2022-10-26 18:21:17
user id ..: Rens Rikkerink 
user id ..: Rens Rikkerink 
Authentication key: EB59A450FF4E1B233C523B860E458EF6D043DFE8
  keyref .: OPENPGP.3  (sign,auth)
  algorithm ..: ed25519
  stored fpr .: 408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3
  created : 2022-10-26 18:20:28
  used for ...: OpenPGP
main key .: 
fpr ..: 408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3
created ..: 2022-10-26 18:20:28
user id ..: Rens Rikkerink 
user id ..: Rens Rikkerink 

> Given that you have an uncommon primary key

Out of sheer curiosity, would you mind enlightening me on what part of
my primary key is "uncommon"?

Yours,
Rens Rikkerink

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Adding new uid to causes bad signature

2024-05-03 Thread Werner Koch via Gnupg-users
Hi!

Given that you have an uncommon primary key I would like to see some
information of the card.  Please run

  gpg-card

to get infos on the card and used keys.  In case you don't want to share
this with the list, feel free to send it to Eva or me directly
(w...@gnupg.org - no html parts).


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Re: Adding new uid to causes bad signature

2024-05-03 Thread Rens Rikkerink via Gnupg-users
Hey there Eva!

And thank you for your reply.

> For my key and using gpg 2.4.5 on a standard Windows 10 system "check" didn't
> give an error and signing a document worked without any issues.

I should perhaps clarify that signing anything else (documents, git
commits) seems to work just fine. I can sign things, and then verify
the signature, and it matches. My issue seems to solely relate to
signing an extra uid.

> Importing your second pubkey did not change anything noticeable, gpg reported
> no changes on the key and there is no new UID to be seen.

That is not the behaviour I am seeing on my end:
$ gpg --import before.asc
gpg: key 29AD46D6F58287A3: public key "Rens Rikkerink
" imported
gpg: Total number processed: 1
gpg:   imported: 1
gpg: no ultimately trusted keys found

$ gpg --import after.asc
gpg: key 29AD46D6F58287A3: 1 bad signature
gpg: key 29AD46D6F58287A3: "Rens Rikkerink " not changed
gpg: Total number processed: 1
gpg:  unchanged: 1

As you can see here, the second public key does trigger a slightly
different response for me (1 bad signature), so it ignores it and
marks the public key as otherwise unchanged.

> To avoid any confusion does
>
>   gpg -k 408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3
>
> show the new UID for you?

Yes, it does:
$ gpg -k 408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3
gpg: checking the trustdb
gpg: no ultimately trusted keys found
pub   ed25519 2022-10-26 [CA]
  408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3
uid   [ unknown] Rens Rikkerink 
uid   [ unknown] Rens Rikkerink 
sub   ed25519 2022-10-26 [S]
sub   cv25519 2022-10-26 [E]

> Is there additional info if you add "--list-options show-unusable-uids"
> before the "-k"?

No further information as far as I can tell:
$ gpg --list-options show-unusable-uids -k
408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3
pub   ed25519 2022-10-26 [CA]
  408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3
uid   [ unknown] Rens Rikkerink 
uid   [ unknown] Rens Rikkerink 
sub   ed25519 2022-10-26 [S]
sub   cv25519 2022-10-26 [E]

Thank you for your time so far.

Yours,
Rens Rikkerink



Re: Adding new uid to causes bad signature

2024-05-03 Thread Eva Bolten via Gnupg-users
Hi,

I have tried to replicate your issue using a Yubikey 5 NFC, doing what you 
did.
 
> In general, I don't think my procedure for adding a new uid is abnormal:
> $ gpg --edit-key 408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3
> gpg> adduid
> gpg> save

For my key and using gpg 2.4.5 on a standard Windows 10 system "check" didn't 
give an error and signing a document worked without any issues.
I used a simple brainpool standard testkey with only one subkey, though.

> General info:
> OS: Windows 11 (AtlasOS) & MacOS 14.1.1 (tried on both)
> GPG: GPG 2.4.4.-unknown (bundled with git-scm windows installer), GPG
> 2.4.5 (homebrew)
> 
> My public keys:
> Before trying to add a new uid:
> After trying to add a new uid:

Importing your second pubkey did not change anything noticeable, gpg reported 
no changes on the key and there is no new UID to be seen.
So it seems it was not exported. To avoid any confusion does 

  gpg -k 408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3

show the new UID for you?

Is there additional info if you add "--list-options show-unusable-uids" 
before the "-k"?

Regards

Eva

-- 
g10 Code GmbH GnuPG.com   AmtsGer. Wuppertal HRB 14459
Bergstr. 3a   Geschäftsführung Werner Koch
D-40699 Erkrath   https://gnupg.com  USt-Id DE215605608


Re: Using a GnuPG crypted RSA key for SSH

2024-05-03 Thread Matthias Apitz
On Thursday, May 02, 2024 at 07:46:33 +0200, Werner Koch via Gnupg-users
wrote:

> On Thu,  2 May 2024 15:31, Matthias Apitz said:
> 
> > which locks the card again. Any ideas?
> 
> If you really want to reset the card after an operation _and_ you are
> using pcscd you can use
> 
>   ...

Thanks for all the hints. The problem with this OpenPGP card in the
cellphone L5 is that it is not a USB dongle which one could pull out
to invalidate the access to the keys. It sits inside the phone as a
Micro-SIM below the battery.

So I now do with ~/.ssh/config:

Host *
# note: this needs in /etc/ssh/ssh_config:  PermitLocalCommand yes
#
LocalCommand gpgconf --reload scdaemon

This resets the card right after the PIN was provided for the SSH
session. This works fine for the ssh(1) command, but not for the scp(1)
command. Even when I say:

$ scp "-oPermitLocalCommand=yes" foo www.unixarea.de:.

The "ssh" launched by "scp" shows in strace that it is launched with
the value "-oPermitLocalCommand=no":

$ grep exec scp.tr
10205 execve("/usr/bin/scp", ["scp", "-oPermitLocalCommand=yes", "foo", 
"www.unixarea.de"...], 0xdf2147a0 /* 32 vars */) = 0
10206 execve("/usr/bin/ssh", ["/usr/bin/ssh", "-x", "-oPermitLocalCommand=no", 
"-oClearAllForwardings=yes", "-oRemoteCommand=none", "-oRequestTTY=no", "-o", 
"PermitLocalCommand=yes", "-oForwardAgent=no", "-l", "", "--", 
"www.unixarea.de", "scp -t ."], 0xe38c6780 /* 32 vars */) = 0


To overcome this problem I now use a macro "scp" defined in ~/.bashrc

function scp {
   # "command" bypasses this function, so the real scp binary runs;
   # "$@" is quoted so file names with spaces survive
   command scp "$@"
   # lock the OpenPGP card again
   gpgconf --reload scdaemon
}


Thanks

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.  Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

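A generalisation of the wrapper idea from the message above, added here as an example and not code from the post or from GnuPG. The `gpgconf --reload scdaemon` step is the one the post uses; the function names `run_with_card` and `card_lock` and the `sftp`/`rsync` wrappers are my own additions. The point it adds beyond the posted function is that the wrapped command's own exit status is preserved (a wrapper that ends with `gpgconf` otherwise reports gpgconf's status, so a failed copy looks successful to scripts and `set -e`), and that a failed lock step is not silently swallowed:

```shell
#!/bin/sh
# Added example, not code from the mailing-list post: run one command that
# needs the OpenPGP card, then make scdaemon forget the cached PIN whatever
# the command's outcome, and return the command's own exit status.

# Hypothetical helper holding the actual "lock" step. It is a separate
# function so another setup (or a test) can override it.
card_lock() {
    gpgconf --reload scdaemon
}

# run_with_card CMD [ARGS...]
# Runs CMD, then card_lock. Exit status: CMD's status if CMD failed;
# otherwise card_lock's status, so a lock failure is reported rather than
# hidden behind a successful copy.
run_with_card() {
    "$@"
    rwc_cmd_status=$?
    card_lock
    rwc_lock_status=$?
    if [ "$rwc_cmd_status" -ne 0 ]; then
        return "$rwc_cmd_status"
    fi
    if [ "$rwc_lock_status" -ne 0 ]; then
        printf 'run_with_card: card lock failed (status %s)\n' \
            "$rwc_lock_status" >&2
        return "$rwc_lock_status"
    fi
    return 0
}

# Wrappers for the tools where ssh's LocalCommand does not help, as the
# post describes for scp. "command" bypasses these functions themselves,
# so each one calls the real binary instead of recursing.
scp()   { run_with_card command scp "$@"; }
sftp()  { run_with_card command sftp "$@"; }
rsync() { run_with_card command rsync "$@"; }
```

Source this file from `~/.bashrc` (or another interactive shell start-up file) so the wrappers replace the plain commands. For interactive `ssh` sessions the `LocalCommand` approach from the post remains preferable, since it locks the card right after the PIN is entered rather than when the session ends. One caveat: an interactive shell may abandon the function when the wrapped command is killed with Ctrl-C, in which case the lock step does not run.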