gnupg and ssh interaction somehow broken (card reader with pinpad)

2021-03-16 Thread Andreas K. Huettel via Gnupg-users
Dear all, 

I'd appreciate some advice. I recently returned back from a year abroad to my 
trusted hardware, and it seems an upgrade of gpg in the meantime broke things.

Setup: 
* OpenPGP card with S, E, A subkeys; using both gnupg and ssh with the card
* SPR532 USB card reader with pinpad

~/.bashrc (after consultation of the list archives):
# Tell gpg-agent which terminal pinentry may use; exported so that
# gpg-connect-agent and gpg themselves can see it.
export GPG_TTY=$(tty)
# Let the already running agent switch its prompts to this terminal.
gpg-connect-agent updatestartuptty /bye >/dev/null
# Drop leftovers of a stock ssh-agent so that ssh talks to gpg-agent instead.
unset SSH_AGENT_PID
unset SSH_ASKPASS
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"

Symptoms:

1) first, sign something (e.g. detached file signature): works as expected 
(pinentry window pops up, pin entered on keypad)
2) then, use ssh with pubkey authentication: pinentry window pops up, pin is 
not accepted ("wrong beep")

alternatively (after removing card, unpowering reader, plugging reader and 
card back in)

1) gpg --card-status finds the card and starts the agent
2) use ssh with pubkey authentication: pinentry window pops up, pin is 
accepted, works
3) then, sign something: pinentry window pops up, pin is not accepted ("wrong 
beep")

Here's an excerpt from the debug log:

2021-03-15 19:41:01 gpg-agent[12004] starting a new PIN Entry
2021-03-15 19:41:01 gpg-agent[12004] DBG: connection to PIN entry established
2021-03-15 19:41:01 gpg-agent[12004] DBG: chan_11 -> END
2021-03-15 19:41:05 gpg-agent[12004] DBG: agent_cache_housekeeping
2021-03-15 19:41:06 gpg-agent[12004] DBG: chan_11 <- INQUIRE DISMISSPINPADPROMPT
2021-03-15 19:41:06 gpg-agent[12004] DBG: chan_11 -> END
2021-03-15 19:41:06 gpg-agent[12004] DBG: chan_11 <- ERR 100663351 Invalid value
2021-03-15 19:41:06 gpg-agent[12004] smartcard signing failed: Invalid value

Any clue what's happening?

TIA,
Andreas

-- 
Andreas K. Hüttel
dilfri...@gentoo.org
Gentoo Linux developer
(council, toolchain, base-system, perl, libreoffice)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
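When triaging a log like the one above, the first thing worth knowing is which daemon actually raised the error: the number after ERR is a libgpg-error code in which the upper bits encode the error source and the lower sixteen bits the error code. The following script is an added example, not code from this thread or from the GnuPG project. It parses gpg-agent debug lines into structured entries, splits the numeric code into source and code (the bit layout of libgpg-error; the name tables are a deliberately partial copy of its enumerations, with a numeric fallback for anything not listed), and pairs each ERR reply with the INQUIRE that preceded it on the same Assuan channel. The sample log is the excerpt quoted in the post with its two wrapped lines rejoined; reading the "<-" lines as traffic received from the peer on that channel (here scdaemon) and "->" lines as sent by gpg-agent is an assumption about the debug format.

```python
"""Parse gpg-agent debug-log lines and decode the gpg-error codes in ERR replies."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the thread's excerpt with the wrapped lines rejoined.
SAMPLE_LOG = """\
2021-03-15 19:41:01 gpg-agent[12004] starting a new PIN Entry
2021-03-15 19:41:01 gpg-agent[12004] DBG: connection to PIN entry established
2021-03-15 19:41:01 gpg-agent[12004] DBG: chan_11 -> END
2021-03-15 19:41:05 gpg-agent[12004] DBG: agent_cache_housekeeping
2021-03-15 19:41:06 gpg-agent[12004] DBG: chan_11 <- INQUIRE DISMISSPINPADPROMPT
2021-03-15 19:41:06 gpg-agent[12004] DBG: chan_11 -> END
2021-03-15 19:41:06 gpg-agent[12004] DBG: chan_11 <- ERR 100663351 Invalid value
2021-03-15 19:41:06 gpg-agent[12004] smartcard signing failed: Invalid value
"""

# libgpg-error packs an error as (source << 24) | code.
GPG_ERR_SOURCE_SHIFT = 24
GPG_ERR_SOURCE_MASK = (1 << 7) - 1
GPG_ERR_CODE_MASK = (1 << 16) - 1

# Partial name tables (assumption: only the entries needed for this log).
ERR_SOURCES = {0: "unknown", 4: "gpg-agent", 5: "pinentry", 6: "scdaemon", 15: "assuan"}
ERR_CODES = {0: "Success", 55: "Invalid value", 99: "Operation cancelled"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) gpg-agent\[(?P<pid>\d+)\] "
    r"(?:DBG: )?(?P<msg>.*)$"
)
# Assuan traffic: "<-" received from the peer on that channel, "->" sent by the agent.
CHAN_RE = re.compile(r"^chan_(?P<chan>\d+) (?P<dir><-|->) (?P<payload>.*)$")


@dataclass
class Entry:
    ts: str
    pid: int
    chan: Optional[int]        # Assuan channel number, None for non-IPC lines
    direction: Optional[str]   # "<-" or "->", None for non-IPC lines
    msg: str


def parse_log(text: str) -> List[Entry]:
    """Turn each recognised gpg-agent log line into an Entry; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c = CHAN_RE.match(m["msg"])
        if c:
            entries.append(Entry(m["ts"], int(m["pid"]), int(c["chan"]), c["dir"], c["payload"]))
        else:
            entries.append(Entry(m["ts"], int(m["pid"]), None, None, m["msg"]))
    return entries


def decode_gpg_error(err: int) -> Tuple[int, int]:
    """Split a numeric gpg-error value into (source, code)."""
    source = (err >> GPG_ERR_SOURCE_SHIFT) & GPG_ERR_SOURCE_MASK
    code = err & GPG_ERR_CODE_MASK
    return source, code


def describe_gpg_error(err: int) -> str:
    """Human-readable 'source: code' string, falling back to the raw numbers."""
    source, code = decode_gpg_error(err)
    src_name = ERR_SOURCES.get(source, "source %d" % source)
    code_name = ERR_CODES.get(code, "code %d" % code)
    return "%s: %s" % (src_name, code_name)


def find_assuan_errors(entries: List[Entry]) -> List[Tuple[str, int, Optional[str], str]]:
    """For every ERR reply, report (timestamp, channel, preceding INQUIRE keyword, decoded error)."""
    findings = []
    last_inquire = {}  # channel -> keyword of the most recent INQUIRE seen on it
    for e in entries:
        if e.chan is None or e.direction != "<-":
            continue
        if e.msg.startswith("INQUIRE "):
            last_inquire[e.chan] = e.msg.split(" ", 1)[1]
        elif e.msg.startswith("ERR "):
            num = int(e.msg.split()[1])
            findings.append((e.ts, e.chan, last_inquire.get(e.chan), describe_gpg_error(num)))
    return findings


if __name__ == "__main__":
    for ts, chan, inquire, desc in find_assuan_errors(parse_log(SAMPLE_LOG)):
        print("%s chan_%d after INQUIRE %s: %s" % (ts, chan, inquire, desc))
```

Run against the excerpt, the script reports that 100663351 decodes to source 6 (scdaemon) and code 55 (Invalid value), i.e. the failure is raised inside scdaemon's pinpad handling right after the DISMISSPINPADPROMPT inquiry, not in gpg-agent or pinentry, which narrows where to look (scdaemon's own debug log and the reader driver) before touching the agent setup.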

Broken / lost smartcard

2020-03-08 Thread Andreas K. Huettel via Gnupg-users
[changing the subject since this is quite a different topic]

> What I would like to know how people handle the case when a SmartCard gets
> lost, broken or maybe confiscated at an Airport etc.?

Well, that's the argument for having at least primary/cert key and encryption 
subkey not *only* on the smartcard but also in a safe place somewhere.

For a signature subkey it doesn't matter then if you lose it (just make a new 
one), and for an authentication subkey you need to prepare to have some 
alternative means of access (or also a backup).

-- 
Andreas K. Hüttel
dilfri...@gentoo.org
Gentoo Linux developer 
(council, qa, toolchain, base-system, perl, libreoffice)



Sunset of a smartcard encryption key

2020-03-07 Thread Andreas K. Huettel via Gnupg-users
Hi all, 

so here's a question that I'm sure people here have already been thinking 
about... Like probably many others here I have a gpg smartcard with three 
subkeys Sign, Encrypt, Authenticate, and an offline Certify master key at a 
safe place.

* If I want to let my Signature subkey expire and generate a new one, that's 
not a big problem for me, since the public key is still available to everyone 
on the keyservers for verifying sigs.
* If I want to let my Auth subkey expire and generate a new one, well I just 
need to add the new one to all authorized_keys files in time.

But how do I sensibly handle a graceful sunset of an encryption key? If I 
replace the subkey on my card, I immediately can't read old e-mails anymore.

If I had the key in a file, I could keep the old, expired subkey around and 
still decrypt the data, but that would kinda defy the security provided by the 
card...

My best idea so far is to generate a second token (Nitrokey, Yubikey or 
similar) *only* for old encryption subkeys, and additionally plug that in if I 
need to read an old message. Does anyone already have experience with such a 
setup?

Best, 
Andreas

-- 
Andreas K. Hüttel
dilfri...@gentoo.org
Gentoo Linux developer 
(council, qa, toolchain, base-system, perl, libreoffice)

