Re: Cannot export SSH public key

[Felix E. Klee]

On Fri, Jan 5, 2024 at 2:43 PM Werner Koch  wrote:
> That is right.  The ssh-agent protocol has no means to tell the
> ssh-agent or gpg-agent some important environment cariabales, like the
> current tty or DISPLAY.

Interesting, thanks for the look behind the scenes!

> I am so used to run the updatestartuptty that I don't even think about
> this. It is the first thing I do when I ssh into my laptop.

I have to do it twice, though, until it works. In my `~/.bashrc` I have:

gpg-connect-agent updatestartuptty /bye

Right after logging in (auto login on Ubuntu / WSL 2), I get:

gpg-connect-agent: no running gpg-agent - starting
'/usr/bin/gpg-agent'
gpg-connect-agent: waiting for the agent to come up ... (5s)
gpg-connect-agent: connection to agent established

That looks good, but somehow it doesn’t work:

$ ssh some_server
sign_and_send_pubkey: signing failed for RSA "cardno:18 698 015"
from agent: agent refused operation
sign_and_send_pubkey: signing failed for RSA "(none)" from agent:
agent refused operation
felix@some_server: Permission denied (publickey).

After starting `tmux`, which runs `gpg-connect-agent` again, everything
works fine. I get the PIN entry dialog, and I can connect by SSH.

This is a non-issue, not really worth debugging. I start `tmux` every
time anyhow.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee]

On Fri, Nov 24, 2023 at 9:09 AM Felix E. Klee  wrote:
> In addition, I need:
>
> gpg-connect-agent updatestartuptty /bye

or otherwise, I get no PIN entry dialog / prompt

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg --card-status

[Felix E. Klee]

On Sat, Dec 30, 2023 at 11:30 PM Felix E. Klee  wrote:
> Example output with line numbers:
>
> 01 Reader ...: Yubico YubiKey CCID 00 00
> 02 Application ID ...: D276000124010304000618698015
> 03 Application type .: OpenPGP
> 04 Version ..: 3.4
> 05 Manufacturer .: Yubico
> 06 Serial number : 18698015
> 07 Name of cardholder: [not set]
> 08 Language prefs ...: [not set]
> 09 Salutation ...:
> 10 URL of public key : [not set]
> 11 Login data ...: [not set]
> 12 Signature PIN : not forced
> 13 Key attributes ...: rsa4096 rsa4096 rsa4096
> 14 Max. PIN lengths .: 127 127 127
> 15 PIN retry counter : 3 0 3
> 16 Signature counter : 0
> 17 KDF setting ..: off
> 18 Signature key : 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
>D589
> 19   created : 2023-06-29 03:50:43
> 20 Encryption key: DBBD 3239 D0F1 4326 808D  FC8F 7CC0 2D68 D2E3
>1736
> 21   created : 2023-06-29 03:50:43
> 22 Authentication key: 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
>D589
> 23   created : 2023-06-29 03:50:43
> 24 General key info..: pub  rsa4096/1BE349D11B6ED589 2023-06-29
>Felix E. Klee (YubiKey) 
> 25 sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires:
>never
> 26 card-no: 0006 18698015
> 27 ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires:
>never
> 28 card-no: 0006 18698015
> 29 ssb#  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires:
>never

Thanks for all the input! My current state of knowledge is:

  * Lines 18, 20, 22: Fingerprints identifying the secret keys stored on
the card.

A fingerprint is an SHA-1 hash of: corresponding public key + some
meta data

The fingerprints displayed on these lines are stored on the card.

  * Lines 25, 27, 29: Information about availability of secret keys on
the card.

The numbers are long key IDs. A long key ID is the last 16
characters of a fingerprint.

The fingerprints displayed on these lines are generated from the
public keys stored on disk.

Here:

  - sec: Secret primary key

  - ssb: Secret sub key

  - >: Secret key is available on the card

  - #: Secret key is missing from the card

For a summary concerning how the fingerprints are calculated, I found:

https://blog.djoproject.net/2020/05/03/main-differences-between-a-gnupg-fingerprint-a-ssh-fingerprint-and-a-keygrip/

Please correct me where I’m wrong!

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee via Gnupg-users]

Thanks, Ingo!

Looking at my log, I realize that I indeed uploaded the primary key when
I did `keytocard`. I did not do `key 2` to select the authentication sub
key. Instead I was assuming that GnuPG does automatically select the
right sub key. There was a warning about moving the primary key, which I
ignored.

Today I fixed that, and now all works consistently:

$ gpg --card-status
[…]
Signature key : 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
D589
  created : 2023-06-29 03:50:43
Encryption key: DBBD 3239 D0F1 4326 808D  FC8F 7CC0 2D68 D2E3
1736
  created : 2023-06-29 03:50:43
Authentication key: 9DFF AD98 566A 604F 7290  7C24 32B1 06F6 877C
C64B
  created : 2023-11-22 15:14:14
General key info..: pub  rsa4096/1BE349D11B6ED589 2023-06-29 Felix
E. Klee (YubiKey) 
sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires: never
card-no: 0006 18698015
ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires: never
card-no: 0006 18698015
ssb>  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires: never
card-no: 0006 18698015
$ gpg --export-ssh-key yubikey
ssh-rsa B3NzaC1yc2EDAQABAAACAQC1jJSXxnM4iR3F16Yd5FEjrOo6sbGF
rkvVVoqUt9iyL5Z+Lz1ElpyUoKcGRRtU8NNueI8RpJT7ipIxubMiefDHVU7FRhk809jQ
vlTu8YDezdIZ0BWJ3W9+CCCQkD9JNmr5LsUnqD5KKUP4v0rwN6zLsXARGjpv1Jj61vJe
o3+B9CGpe8cIFvbdVw7QEi5t1hW9ghRrHDREXhIYkc51rzK4htBBdlX7E4yFuiuPZC/2
Q2lUelBrHP+bwgC+GzliHUIseuGAGEpSjJadtuSC2gUZbgv7PN6jM7WzaSdJ22spoFlP
XoIimu4hSOpEgK/txOuB+ge3MrpXEQPYW1tN0nD1RZF39uGbGdQrk9s6MARbZ+1APTJh
H6oi9fPfOp7EEkmZsm1ojwGoIN+RoYQ23KMVqI915SNn5CaRySQNenVyAJ7Skl2Q3bdK
ENW7lkGFXZ/DxpA8dQITZGBJEGhVppj2Pfp4uANDcdqUUGCN3i0srmkb7XaNn3U9qyIB
KEgnFupkNfMVB48AQu1PYxoEoO/zIyTVlPn0iSAl64zA27u5RXlikEbx0ePvPSYuMTL4
ZaDk2vNvKNmPvXBi6dZvXIPx2ROrqBrLMNx19EHDVSSVT+R3Qf1f/4TwRdHPb6ZliSFv
FF6eygY40y5whHNy7Q8zxrj5Py56Cp+Alus3jr6UNw== openpgp:0x877CC64B
$ ssh-add -L
ssh-rsa B3NzaC1yc2EDAQABAAACAQC1jJSXxnM4iR3F16Yd5FEjrOo6sbGF
rkvVVoqUt9iyL5Z+Lz1ElpyUoKcGRRtU8NNueI8RpJT7ipIxubMiefDHVU7FRhk809jQ
vlTu8YDezdIZ0BWJ3W9+CCCQkD9JNmr5LsUnqD5KKUP4v0rwN6zLsXARGjpv1Jj61vJe
o3+B9CGpe8cIFvbdVw7QEi5t1hW9ghRrHDREXhIYkc51rzK4htBBdlX7E4yFuiuPZC/2
Q2lUelBrHP+bwgC+GzliHUIseuGAGEpSjJadtuSC2gUZbgv7PN6jM7WzaSdJ22spoFlP
XoIimu4hSOpEgK/txOuB+ge3MrpXEQPYW1tN0nD1RZF39uGbGdQrk9s6MARbZ+1APTJh
H6oi9fPfOp7EEkmZsm1ojwGoIN+RoYQ23KMVqI915SNn5CaRySQNenVyAJ7Skl2Q3bdK
ENW7lkGFXZ/DxpA8dQITZGBJEGhVppj2Pfp4uANDcdqUUGCN3i0srmkb7XaNn3U9qyIB
KEgnFupkNfMVB48AQu1PYxoEoO/zIyTVlPn0iSAl64zA27u5RXlikEbx0ePvPSYuMTL4
ZaDk2vNvKNmPvXBi6dZvXIPx2ROrqBrLMNx19EHDVSSVT+R3Qf1f/4TwRdHPb6ZliSFv
FF6eygY40y5whHNy7Q8zxrj5Py56Cp+Alus3jr6UNw== cardno:18 698 015
ssh-rsa B3NzaC1yc2EDAQABAAACAQC1jJSXxnM4iR3F16Yd5FEjrOo6sbGF
rkvVVoqUt9iyL5Z+Lz1ElpyUoKcGRRtU8NNueI8RpJT7ipIxubMiefDHVU7FRhk809jQ
vlTu8YDezdIZ0BWJ3W9+CCCQkD9JNmr5LsUnqD5KKUP4v0rwN6zLsXARGjpv1Jj61vJe
o3+B9CGpe8cIFvbdVw7QEi5t1hW9ghRrHDREXhIYkc51rzK4htBBdlX7E4yFuiuPZC/2
Q2lUelBrHP+bwgC+GzliHUIseuGAGEpSjJadtuSC2gUZbgv7PN6jM7WzaSdJ22spoFlP
XoIimu4hSOpEgK/txOuB+ge3MrpXEQPYW1tN0nD1RZF39uGbGdQrk9s6MARbZ+1APTJh
H6oi9fPfOp7EEkmZsm1ojwGoIN+RoYQ23KMVqI915SNn5CaRySQNenVyAJ7Skl2Q3bdK
ENW7lkGFXZ/DxpA8dQITZGBJEGhVppj2Pfp4uANDcdqUUGCN3i0srmkb7XaNn3U9qyIB
KEgnFupkNfMVB48AQu1PYxoEoO/zIyTVlPn0iSAl64zA27u5RXlikEbx0ePvPSYuMTL4
ZaDk2vNvKNmPvXBi6dZvXIPx2ROrqBrLMNx19EHDVSSVT+R3Qf1f/4TwRdHPb6ZliSFv
FF6eygY40y5whHNy7Q8zxrj5Py56Cp+Alus3jr6UNw== (none)

Weird only is that `ssh-add -L` outputs the key twice.

Logging in via SSH with the authentication sub key now works as
expected, all smooth.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee]

Thanks, Ingo!

Looking at my log, I realize that I indeed uploaded the primary key when
I did `keytocard`. I did not do `key 2` to select the authentication sub
key. Instead I was assuming that GnuPG does automatically select the
right sub key. There was a warning about moving the primary key, which I
ignored.

Today I fixed that, and now all works consistently:

$ gpg --card-status
[…]
Signature key : 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
D589
  created : 2023-06-29 03:50:43
Encryption key: DBBD 3239 D0F1 4326 808D  FC8F 7CC0 2D68 D2E3
1736
  created : 2023-06-29 03:50:43
Authentication key: 9DFF AD98 566A 604F 7290  7C24 32B1 06F6 877C
C64B
  created : 2023-11-22 15:14:14
General key info..: pub  rsa4096/1BE349D11B6ED589 2023-06-29 Felix
E. Klee (YubiKey) 
sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires: never
card-no: 0006 18698015
ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires: never
card-no: 0006 18698015
ssb>  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires: never
card-no: 0006 18698015
$ gpg --export-ssh-key yubikey
ssh-rsa B3NzaC1yc2EDAQABAAACAQC1jJSXxnM4iR3F16Yd5FEjrOo6sbGF
rkvVVoqUt9iyL5Z+Lz1ElpyUoKcGRRtU8NNueI8RpJT7ipIxubMiefDHVU7FRhk809jQ
vlTu8YDezdIZ0BWJ3W9+CCCQkD9JNmr5LsUnqD5KKUP4v0rwN6zLsXARGjpv1Jj61vJe
o3+B9CGpe8cIFvbdVw7QEi5t1hW9ghRrHDREXhIYkc51rzK4htBBdlX7E4yFuiuPZC/2
Q2lUelBrHP+bwgC+GzliHUIseuGAGEpSjJadtuSC2gUZbgv7PN6jM7WzaSdJ22spoFlP
XoIimu4hSOpEgK/txOuB+ge3MrpXEQPYW1tN0nD1RZF39uGbGdQrk9s6MARbZ+1APTJh
H6oi9fPfOp7EEkmZsm1ojwGoIN+RoYQ23KMVqI915SNn5CaRySQNenVyAJ7Skl2Q3bdK
ENW7lkGFXZ/DxpA8dQITZGBJEGhVppj2Pfp4uANDcdqUUGCN3i0srmkb7XaNn3U9qyIB
KEgnFupkNfMVB48AQu1PYxoEoO/zIyTVlPn0iSAl64zA27u5RXlikEbx0ePvPSYuMTL4
ZaDk2vNvKNmPvXBi6dZvXIPx2ROrqBrLMNx19EHDVSSVT+R3Qf1f/4TwRdHPb6ZliSFv
FF6eygY40y5whHNy7Q8zxrj5Py56Cp+Alus3jr6UNw== openpgp:0x877CC64B
$ ssh-add -L
ssh-rsa B3NzaC1yc2EDAQABAAACAQC1jJSXxnM4iR3F16Yd5FEjrOo6sbGF
rkvVVoqUt9iyL5Z+Lz1ElpyUoKcGRRtU8NNueI8RpJT7ipIxubMiefDHVU7FRhk809jQ
vlTu8YDezdIZ0BWJ3W9+CCCQkD9JNmr5LsUnqD5KKUP4v0rwN6zLsXARGjpv1Jj61vJe
o3+B9CGpe8cIFvbdVw7QEi5t1hW9ghRrHDREXhIYkc51rzK4htBBdlX7E4yFuiuPZC/2
Q2lUelBrHP+bwgC+GzliHUIseuGAGEpSjJadtuSC2gUZbgv7PN6jM7WzaSdJ22spoFlP
XoIimu4hSOpEgK/txOuB+ge3MrpXEQPYW1tN0nD1RZF39uGbGdQrk9s6MARbZ+1APTJh
H6oi9fPfOp7EEkmZsm1ojwGoIN+RoYQ23KMVqI915SNn5CaRySQNenVyAJ7Skl2Q3bdK
ENW7lkGFXZ/DxpA8dQITZGBJEGhVppj2Pfp4uANDcdqUUGCN3i0srmkb7XaNn3U9qyIB
KEgnFupkNfMVB48AQu1PYxoEoO/zIyTVlPn0iSAl64zA27u5RXlikEbx0ePvPSYuMTL4
ZaDk2vNvKNmPvXBi6dZvXIPx2ROrqBrLMNx19EHDVSSVT+R3Qf1f/4TwRdHPb6ZliSFv
FF6eygY40y5whHNy7Q8zxrj5Py56Cp+Alus3jr6UNw== cardno:18 698 015
ssh-rsa B3NzaC1yc2EDAQABAAACAQC1jJSXxnM4iR3F16Yd5FEjrOo6sbGF
rkvVVoqUt9iyL5Z+Lz1ElpyUoKcGRRtU8NNueI8RpJT7ipIxubMiefDHVU7FRhk809jQ
vlTu8YDezdIZ0BWJ3W9+CCCQkD9JNmr5LsUnqD5KKUP4v0rwN6zLsXARGjpv1Jj61vJe
o3+B9CGpe8cIFvbdVw7QEi5t1hW9ghRrHDREXhIYkc51rzK4htBBdlX7E4yFuiuPZC/2
Q2lUelBrHP+bwgC+GzliHUIseuGAGEpSjJadtuSC2gUZbgv7PN6jM7WzaSdJ22spoFlP
XoIimu4hSOpEgK/txOuB+ge3MrpXEQPYW1tN0nD1RZF39uGbGdQrk9s6MARbZ+1APTJh
H6oi9fPfOp7EEkmZsm1ojwGoIN+RoYQ23KMVqI915SNn5CaRySQNenVyAJ7Skl2Q3bdK
ENW7lkGFXZ/DxpA8dQITZGBJEGhVppj2Pfp4uANDcdqUUGCN3i0srmkb7XaNn3U9qyIB
KEgnFupkNfMVB48AQu1PYxoEoO/zIyTVlPn0iSAl64zA27u5RXlikEbx0ePvPSYuMTL4
ZaDk2vNvKNmPvXBi6dZvXIPx2ROrqBrLMNx19EHDVSSVT+R3Qf1f/4TwRdHPb6ZliSFv
FF6eygY40y5whHNy7Q8zxrj5Py56Cp+Alus3jr6UNw== (none)

Weird only is that `ssh-add -L` outputs the key twice.

Logging in via SSH with the authentication sub key now works as
expected, all smooth.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

gpg --card-status

[Felix E. Klee]

Example output with line numbers:

01 Reader ...: Yubico YubiKey CCID 00 00
02 Application ID ...: D276000124010304000618698015
03 Application type .: OpenPGP
04 Version ..: 3.4
05 Manufacturer .: Yubico
06 Serial number : 18698015
07 Name of cardholder: [not set]
08 Language prefs ...: [not set]
09 Salutation ...:
10 URL of public key : [not set]
11 Login data ...: [not set]
12 Signature PIN : not forced
13 Key attributes ...: rsa4096 rsa4096 rsa4096
14 Max. PIN lengths .: 127 127 127
15 PIN retry counter : 3 0 3
16 Signature counter : 0
17 KDF setting ..: off
18 Signature key : 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
   D589
19   created : 2023-06-29 03:50:43
20 Encryption key: DBBD 3239 D0F1 4326 808D  FC8F 7CC0 2D68 D2E3
   1736
21   created : 2023-06-29 03:50:43
22 Authentication key: 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
   D589
23   created : 2023-06-29 03:50:43
24 General key info..: pub  rsa4096/1BE349D11B6ED589 2023-06-29
   Felix E. Klee (YubiKey) 
25 sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires:
   never
26 card-no: 0006 18698015
27 ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires:
   never
28 card-no: 0006 18698015
29 ssb#  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires:
   never

Lines 18, 20, 22: Fingerprint. I read somewhere that this a hash of the
key. But of which one? The public key? The private key? What hash
function?

Line 25: “sec>” means secret primary key. Where does the key ID come
from? Is it read from the card? Or it read from the public key ring on
disk?

Line 27: “ssb>” means secret sub key.

Line 29: “ssb#” means secret sub key, but without the matching secret
key on the card. This I just learned from Ingo Klöcker in another
thread.

If there is any authoritative documentation, please let me know! So far,
I’ve puzzled the info together, piece by piece from various resources on
the web.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee via Gnupg-users]

Thanks for pointing out that the signature key and the authentication
keys are identical:

$ gpg --card-status
[…]
Signature key : 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
D589
  created : 2023-06-29 03:50:43
Encryption key: DBBD 3239 D0F1 4326 808D  FC8F 7CC0 2D68 D2E3
1736
  created : 2023-06-29 03:50:43
Authentication key: 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
D589
  created : 2023-06-29 03:50:43
[…]
sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires: never
card-no: 0006 18698015
ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires: never
card-no: 0006 18698015
ssb#  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires: never

At the same time, the key IDs are different:

$ gpg --list-keys --keyid-format LONG yubi...@f76.eu
pub   rsa4096/1BE349D11B6ED589 2023-06-29 [SC]
  7A0FE73DDB744F0F97341DA71BE349D11B6ED589
uid [ultimate] Felix E. Klee (YubiKey) 
sub   rsa4096/7CC02D68D2E31736 2023-06-29 [E]
sub   rsa4096/32B106F6877CC64B 2023-11-22 [A]

How does that go together?

I thought the long key ID is the last 16 characters of the fingerprint.
And the fingerprint is a 40 character hash of the public (or private?)
key.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee]

Thanks for pointing out that the signature key and the authentication
keys are identical:

$ gpg --card-status
[…]
Signature key : 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
D589
  created : 2023-06-29 03:50:43
Encryption key: DBBD 3239 D0F1 4326 808D  FC8F 7CC0 2D68 D2E3
1736
  created : 2023-06-29 03:50:43
Authentication key: 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
D589
  created : 2023-06-29 03:50:43
[…]
sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires: never
card-no: 0006 18698015
ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires: never
card-no: 0006 18698015
ssb#  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires: never

At the same time, here the key IDs are different:

$ gpg --list-keys --keyid-format LONG yubi...@f76.eu
pub   rsa4096/1BE349D11B6ED589 2023-06-29 [SC]
  7A0FE73DDB744F0F97341DA71BE349D11B6ED589
uid [ultimate] Felix E. Klee (YubiKey) 
sub   rsa4096/7CC02D68D2E31736 2023-06-29 [E]
sub   rsa4096/32B106F6877CC64B 2023-11-22 [A]

How does that go together?

I thought the long key ID is the last 16 characters of the fingerprint.
And the fingerprint is a 40 character hash of the public (or private?)
key.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee]

So `gpg --card-status` imports [SC] and [E], but not [A]:

$ rm ~/.gnupg/private-keys-v1.d/*
$ ls -a1 ~/.gnupg/private-keys-v1.d/
.
..
$ gpg --card-status
[…]
Signature key : 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
D589
  created : 2023-06-29 03:50:43
Encryption key: DBBD 3239 D0F1 4326 808D  FC8F 7CC0 2D68 D2E3
1736
  created : 2023-06-29 03:50:43
Authentication key: 7A0F E73D DB74 4F0F 9734  1DA7 1BE3 49D1 1B6E
D589
  created : 2023-06-29 03:50:43
[…]
sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires: never
card-no: 0006 18698016
ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires: never
card-no: 0006 18698016
ssb#  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires: never
$ gpg --list-keys --keyid-format LONG --with-keygrip yubi...@f76.eu
pub   rsa4096/1BE349D11B6ED589 2023-06-29 [SC]
  7A0FE73DDB744F0F97341DA71BE349D11B6ED589
  Keygrip = 0E67508AC6866D82ABB95E0B53CF5D18DC48A786
uid [ultimate] Felix E. Klee (YubiKey) 
sub   rsa4096/7CC02D68D2E31736 2023-06-29 [E]
  Keygrip = 07D6164F019D2EDF59C650992CF93776B2DD17F2
sub   rsa4096/32B106F6877CC64B 2023-11-22 [A]
  Keygrip = 9C67E5BBB72EF0BF2625792F8F134CE4FD961FF5
$ ls -a1 ~/.gnupg/private-keys-v1.d/
.
..
07D6164F019D2EDF59C650992CF93776B2DD17F2.key
0E67508AC6866D82ABB95E0B53CF5D18DC48A786.key

To me it looks like [A] is on the Yubikey, as it should.

*But how do I get the private key stub for [A] imported?*

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee]

On Thu, Nov 23, 2023 at 10:17 AM Felix E. Klee 
wrote:
> Can you explain why the output of `ssh-add -L` did not change? Also
> why is it not the same as the output from `gpg --export-ssh-key
> yubi...@f76.eu`?

OK, I may have found the issue:

$ grep -rl Use-for-ssh ~/.gnupg/private-keys-v1.d/*
.gnupg/private-keys-v1.d/0E67508AC6866D82ABB95E0B53CF5D18DC48A786.key

That’s the key grip of the master key:

$ gpg -k --with-keygrip yubi...@f76.eu
pub   rsa4096 2023-06-29 [SC]
  7A0FE73DDB744F0F97341DA71BE349D11B6ED589
  Keygrip = 0E67508AC6866D82ABB95E0B53CF5D18DC48A786
uid   [ultimate] Felix E. Klee (YubiKey) 
sub   rsa4096 2023-06-29 [E]
  Keygrip = 07D6164F019D2EDF59C650992CF93776B2DD17F2
sub   rsa4096 2023-11-22 [A]
  Keygrip = 9C67E5BBB72EF0BF2625792F8F134CE4FD961FF5

I don’t remember adding this, but I guess I did, maybe some months ago.
Anyhow, now I removed `Use-for-ssh` from that key.

I then added the keygrip of the authentication key to
`~/.gnupg/sshcontrol`. However, that doesn’t work:

$ ssh-add -l
The agent has no identities.

Only if I add the key grip of the master key to `~/.gnupg/sshcontrol`,
then `ssh-add -l` is happy. But this seems wrong.

I notice that the private key stub of the authentication sub key isn’t
present in `~/.gnupg/private-keys-v1.d`:

$ ls -1 ~/.gnupg/private-keys-v1.d/
07D6164F019D2EDF59C650992CF93776B2DD17F2.key
0E67508AC6866D82ABB95E0B53CF5D18DC48A786.key
250CD54A263D092C462509D83D034E4BAAF73311.key
BB1D7402E4603D0C12512AB235B12FE1F4BD9667.key

*How do I generate the private key stub for the authentication sub key?*

`gpg --card-status` doesn’t do it.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee]

On Thu, Nov 23, 2023 at 2:19 PM Stephan Verbücheln via Gnupg-users
 wrote:
> Host gitlab.com
> HostName gitlab.com
> User git
> IdentityAgent ${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh

Thanks, that works. Even the variable is expanded.

In addition, I need:

gpg-connect-agent updatestartuptty /bye

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee]

On Wed, Nov 22, 2023 at 8:57 PM Werner Koch  wrote:
> Here is the snippet from by ~/.bashrc

I have a similar config. Thank you for the detailed explanation!

Only the following line does not work right after autologin (default
with Ubuntu / WSL2), seems like something is not ready yet.

gpg-connect-agent updatestartuptty /bye

> What is in your ~/.gnupg/sshcontrol file?

It’s empty, with only comments at the top. I left it that way, and
proceeded as follows:

> Instead of putting this into sshcontrol you may also put them into the
> private-keys-v1.d/.key file with a line:
>
>   Use-for-ssh: yes

I added that to 0E67508AC6866D82ABB95E0B53CF5D18DC48A786.key, which is
my master key.  But it still doesn’t work, see below.

Should I add a file with the authentication key instead?

>   gpg --export-ssh-key
>
> Adds a comment with the keyid - is that one correct?  Does it match what
> you see with
>
>   ssh-add -L

Output:

$ gpg -k --with-keygrip yubi...@f76.eu
pub   rsa4096 2023-06-29 [SC]
  7A0FE73DDB744F0F97341DA71BE349D11B6ED589
  Keygrip = 0E67508AC6866D82ABB95E0B53CF5D18DC48A786
    uid   [ultimate] Felix E. Klee (YubiKey) 
sub   rsa4096 2023-06-29 [E]
  Keygrip = 07D6164F019D2EDF59C650992CF93776B2DD17F2
sub   rsa4096 2023-11-22 [A]
  Keygrip = 9C67E5BBB72EF0BF2625792F8F134CE4FD961FF5
$ gpg --export-ssh-key yubi...@f76.eu
ssh-rsa B3NzaC1yc2EDAQABAAACAQC1jJSXxnM4iR3F16Yd5FEjrOo6sbGF
rkvVVoqUt9iyL5Z+Lz1ElpyUoKcGRRtU8NNueI8RpJT7ipIxubMiefDHVU7FRhk809jQ
vlTu8YDezdIZ0BWJ3W9+CCCQkD9JNmr5LsUnqD5KKUP4v0rwN6zLsXARGjpv1Jj61vJe
o3+B9CGpe8cIFvbdVw7QEi5t1hW9ghRrHDREXhIYkc51rzK4htBBdlX7E4yFuiuPZC/2
Q2lUelBrHP+bwgC+GzliHUIseuGAGEpSjJadtuSC2gUZbgv7PN6jM7WzaSdJ22spoFlP
XoIimu4hSOpEgK/txOuB+ge3MrpXEQPYW1tN0nD1RZF39uGbGdQrk9s6MARbZ+1APTJh
H6oi9fPfOp7EEkmZsm1ojwGoIN+RoYQ23KMVqI915SNn5CaRySQNenVyAJ7Skl2Q3bdK
ENW7lkGFXZ/DxpA8dQITZGBJEGhVppj2Pfp4uANDcdqUUGCN3i0srmkb7XaNn3U9qyIB
KEgnFupkNfMVB48AQu1PYxoEoO/zIyTVlPn0iSAl64zA27u5RXlikEbx0ePvPSYuMTL4
ZaDk2vNvKNmPvXBi6dZvXIPx2ROrqBrLMNx19EHDVSSVT+R3Qf1f/4TwRdHPb6ZliSFv
FF6eygY40y5whHNy7Q8zxrj5Py56Cp+Alus3jr6UNw== openpgp:0x877CC64B
$ ssh-add -L
ssh-rsa B3NzaC1yc2EDAQABAAACAQCpsX4nQnLh3SJDdIDkdX0DFY4c2uFu
6QJRPrXyub32Ae5SX+3rQnhj/7U8PGFG5LbRT8NVHMyxmoXAHda3wZ1Za3mTC8oWUPSz
dIlSgB7HrVNvmP0fvk0b1V9BOkBJrV6RMMNLEssiD9PCiI95z1+uEbxr9tZAJO/lDYnU
jhEK6PykBhQiJISHpWnWmE0qj+84wQ+/cEPJYnt4tgqLuFH+COFGBVuN6DDi6ubbDlCy
693UqQjWSNi1A34JmUKFOw5Kt0It3Qj3nNVdm8/hRiVZ84qPVbF1Vvp0gZ9k1sFg+3O9
LZYo0vZ73gLMx6AjO1A+Cqcef/e6O+aT+CVgINQ6oaDMyKtHkD7caflg8nPrmiVASxTe
nn51W3Uiu1wksrtEH2HCUcLXpMWKNTjjwpUUTSmMy4m069K5SENsjzsMsHiN2cTxdNu5
CufP1Q3XtGI4VCdW5ql0vgZMCPHIuXHLyFpz9scc2I68B8YnoMzzH0CDyLpjudBRlup+
BZD1g2xlCWB9f+43Oy+Ibf5wAW8/gjk5ly6fhQwB712GTHXNKpPl2ymXgtP2v0K48TE7
OsIfR0sBk2LbwuXr2tLB1WYgrNYs8YY83u/HC6RWHskrcIRq75ahcdeTu8Ukdz1VhAdL
sk25F529lMjW0CgshB9xvFxCwFzcGMmHniuMjoFN6Q== cardno:18 698 015
$ ssh-add -l
4096 SHA256:Pun8mwtl04HFOK8Z1LbCRZ/oQLgZDpkgNHU5/E1MM8I cardno:18 69
8 015 (RSA)

As you see, the public keys are different. `ssh-add -L` does not add the
key ID. So I’ve no idea what is going on.

The key exported by `ssh-add -L` works. I get asked for the PIN, the
Yubikey blinks, and then I’m in:

$ ssh u...@example.com
[user@example ~]$

The key exported by `gpg --export-ssh-key yubi...@f76.eu` does not work:

$ ssh u...@example.com
u...@example.com: Permission denied (publickey).

As it works with the key exported with `ssh-add -L`, maybe I should not
complain. However what confuses me is that the output of `ssh-add -L`
does not change after I replaced the authentication subkey.

Can you explain why the output of `ssh-add -L` did not change? Also why
is it not the same as the output from `gpg --export-ssh-key
yubi...@f76.eu`?

(Background: I replaced the authentication subkey because the first time
I added it, I forgot to make a backup of the updated secret key.)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee via Gnupg-users]

On Tue, Nov 21, 2023 at 12:38 AM Ingo Klöcker  wrote:
> $ gpg --export-ssh-key 1B6ED589

Thanks, this worked! I then added the key on the remote system to:

~/.ssh/authorized_keys

However, I could not log in.  SSH reports:

Permission denied (publickey).

I then tried exporting the key using `ssh-add`:

ssh-add -L >~/.ssh/id_rsa.pub

If I add this key to `authorized_keys`, I can log in, after unlocking my
Yubikey with a PIN. Great! Or not, read on.

Now it gets a bit weird: Apparently the key exported by `ssh-add` is not
tied to my authentication key! I noticed this because I replaced the
authentication key. They key exported by `ssh-add` did not change. I can
still log in using that key. So I assume that key is based on the my
signature key `1B6ED589`:

$ gpg --list-keys --keyid-format SHORT yubi...@f76.eu
pub   rsa4096/1B6ED589 2023-06-29 [SC]
  7A0FE73DDB744F0F97341DA71BE349D11B6ED589
uid [ultimate] Felix E. Klee (YubiKey) 
sub   rsa4096/D2E31736 2023-06-29 [E]
sub   rsa4096/877CC64B 2023-11-22 [A]

Should I better use the authentication key exported by GPG for SSH? But
how to make that work?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot export SSH public key

[Felix E. Klee]

On Tue, Nov 21, 2023 at 12:38 AM Ingo Klöcker  wrote:
> $ gpg --export-ssh-key 1B6ED589

Thanks, this worked! I then added the key on the remote system to:

~/.ssh/authorized_keys

However, I could not log in.  SSH reports:

Permission denied (publickey).

I then tried exporting the key using `ssh-add`:

ssh-add -L >~/.ssh/id_rsa.pub

If I add this key to `authorized_keys`, I can log in, after unlocking my
Yubikey with a PIN. Great! Or not, read on.

Now it gets a bit weird: Apparently the key exported by `ssh-add` is not
tied to my authentication key! I noticed this because I replaced the
authentication key. They key exported by `ssh-add` did not change. I can
still log in using that key. So I assume that key is based on the my
signature key `1B6ED589`:

$ gpg --list-keys --keyid-format SHORT yubi...@f76.eu
pub   rsa4096/1B6ED589 2023-06-29 [SC]
  7A0FE73DDB744F0F97341DA71BE349D11B6ED589
uid [ultimate] Felix E. Klee (YubiKey) 
sub   rsa4096/D2E31736 2023-06-29 [E]
sub   rsa4096/877CC64B 2023-11-22 [A]

Should I better use the authentication key exported by GPG for SSH? But
how to make that work?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Cannot export SSH public key

[Felix E. Klee]

I added an authentication key to my existing key .

$ gpg --edit-key --expert yubi...@f76.eu
> addkey

I selected:

8: RSA (set your own capabilities)
S: disable sign capability
E: disable encrypt capability
A: enable authenticate capability
4096: key size
0: expiry (never)

However, I cannot export it for SSH:

$ gpg --list-keys --keyid-format SHORT yubi...@f76.eu
pub   rsa4096/1B6ED589 2023-06-29 [SC]
  7A0FE73DDB744F0F97341DA71BE349D11B6ED589
uid [ultimate] Felix E. Klee (YubiKey) 
sub   rsa4096/D2E31736 2023-06-29 [E]
sub   rsa4096/FBA5B1E5 2023-11-20 [A]

$ gpg --export-ssh-key FBA5B1E5
gpg: key "FBA5B1E5" not found: Unusable public key
gpg: export as ssh key failed: Unusable public key

GnuPG version:

$ gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/felix/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

What’s wrong here?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Finding all files encrypted with a certain key

[Felix E. Klee]

On Wed, Oct 25, 2023 at 9:23 PM Werner Koch  wrote:
> > gpg: decryption failed: No secret key
> >
> > I wonder how to get rid of that.
>
> grep -v on stderr ;-).

Thanks, I was thinking about that. But I think simply using find, as
suggested by Andrew and raf, is sufficient and simple.

> I think it is time to make things like this easier. Actually
> re-encrypt support has been on our feature list for many years.

That would be fancy. Personally, I’m happy with a bit of shell
scripting. My use case is rather simple, and I don’t need to do
re-encryption very often.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Finding all files encrypted with a certain key

[Felix E. Klee]

On Tue, Oct 24, 2023 at 5:12 PM Andrew Gallagher 
wrote:
> GNU `file` will print the encryption key ID:

Interesting. I wonder if there is any disadvantage of using `file` over
Werner’s proposal.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Finding all files encrypted with a certain key

[Felix E. Klee]

On Wed, Oct 25, 2023 at 10:08 AM raf via Gnupg-users
 wrote:
> > How do I do that for a massive directory tree?
>
> With my rawhide (rh) program (github.com/raforg/rawhide) you can do it
> with something like this:
>
>  rh /path '"*.gpg" && "*PGP*encrypted*BEF6EFD3 8FE8DCA0*".what'

Very interesting, may look into that. But first working with Werner’s
solution.

> Also, in case you need to re-encrypt regularly, I recommend assigning
> some label to the key and putting it in the filename (e.g.
> blah.gpg.key23).

I may do that.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Finding all files encrypted with a certain key

[Felix E. Klee]

On Tue, Oct 24, 2023 at 5:21 PM Werner Koch  wrote:
> encrypted-to-me-p.sh
> --8<---cut here---start->8---
> #/bin/sh
> gpg -d  --status-fd 1 -o /dev/null 2>/dev/null "$1" | awk '
> $1=="[GNUPG:]" && $2=="ENC_TO" && $3=="BEF6EFD38FE8DCA0" {print $1; exit 0}'
> --8<---cut here---end--->8---

Thank you! I modified that a bit, to make it more readable to me and fix
a little bug: The second `$1` doesn’t expand to the file name. Also, I
had to pass `--pinentry-mode cancel`. Otherwise it would ask me for the
PIN of my smartcard. See below for my version.

What I don’t like is the `2>/dev/null` because that may mask actual
error messages. I specified `--quiet`. That works to some extend, but I
still get:

gpg: decryption failed: No secret key

I wonder how to get rid of that.

My version:

#/bin/sh

filename=$1
enc_sub_key=04FDF78D1679DD94

gpg --decrypt \
--pinentry-mode cancel \
--status-fd 1 \
--quiet \
--output /dev/null "$1" |
awk -v filename="$filename" \
-v enc_sub_key="$enc_sub_key" \
'
$1=="[GNUPG:]" &&
$2=="ENC_TO" &&
$3==enc_sub_key {
print filename
exit 0
}'

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Finding all files encrypted with a certain key

[Felix E. Klee]

For the purpose of re-encryption with a new key, I’d like to find all
files that are encrypted with my key BEF6EFD38FE8DCA0. All encrypted
files, independent of key, have the extension `.gpg`.

How do I do that for a massive directory tree?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: YubiKey/OpenPGP card connection issues for non-root user

[Felix E. Klee]

The issue persists. Sometimes the readers (just now the YubiKey) are not
visible to the user. But they are always to root k. I then disabled the
PC/SC daemon:

[felix@felix-arch ~]$ sudo systemctl disable pcscd
Removed "/etc/systemd/system/sockets.target.wants/pcscd.socket".
[felix@felix-arch ~]$ sudo systemctl stop pcscd
Warning: Stopping pcscd.service, but it can still be activated by:
  pcscd.socket

Afterwards, `gpg --card-status` immediately showed the card status to
the ordinary user.

However, this solution is not good. As I mentioned before, I may want to
use PC/SC in the future, and I may also just accidentally re-enable it.
So it would be better to have a solution where the PC/SC daemon does not
cause some race condition.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: YubiKey/OpenPGP card connection issues for non-root user

[Felix E. Klee]

On Mon, Aug 7, 2023 at 3:30 PM Werner Koch  wrote:
> > I also tried killing root’s gpg-agent, to avoid conflicts with that
> > of the user, but that didn’t help either.
>
> Right a second scdaemon might have grabbed the device. If you don't
> need it as root put into root's gpg-agent.conf "disable-scdaemon".
>
> Another option is to put
>
> pcsc-shared

Thanks, good to know about this option. However, I hope that fixing
PC/SC access has solved the issue. See my other message.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: YubiKey/OpenPGP card connection issues for non-root user

[Felix E. Klee]

On Mon, Aug 7, 2023 at 9:00 AM NIIBE Yutaka  wrote:
> Please note that there may be two methods to access the device in
> scdaemon:
>
>   * in-stock CCID driver of scdaemon
>   * the PC/SC service
>
> Your output shows that you are connecting the smartcard reader through
> the PC/SC service.

Interesting. I assume the problem is down to a race-condition with the
two competing for access. That would explain its apparent randomness.

> If it's not your intention and your scdaemon has support of in-stock
> CCID driver, I'd recommend not to use the PC/SC service. Perhaps,
> simply uninstall pcscd.

I prefer not to, because: I may install the PC/SC service again in the
future and then I likely will have forgotten about our conversation
here.

> If you have a reason using PC/SC service (say, for example, you need
> the service for other applications and other cards, as well as your
> use of OpenPGP smartcard for GnuPG), please make sure that you
> configure the PC/SC service correctly.

Indeed it was not properly set up:

[felix@felix-arch ~]$ opensc-tool -l
No smart card readers found.

I added a Polkit rule following the [instructions][1] for PC/SC:

[root@felix-arch ~]# cat /etc/polkit-1/rules.d/01-pcscd.rules
polkit.addRule(function(action, subject) {
if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
subject.user == "felix") {
return polkit.Result.YES;
}
});

Now it works:

[felix@felix-arch ~]$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0Yes Yubico YubiKey CCID 00 00

I should see in the upcoming days whether that solves the issue.

Thank you!

[1]: https://github.com/LudovicRousseau/PCSC/blob/master/doc/README.polkit

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: YubiKey/OpenPGP card connection issues for non-root user

[Felix E. Klee]

On Thu, Aug 3, 2023 at 9:28 PM Michael Richardson
 wrote:
> I think you need to make sure that it's not VMware that's failing to
> plug the device through in a timely manner.

I have configured the VMware guest to automatically take over these
devices from the Windows 10 host:

usb.autoConnect.device0 = "0x04e6:0xe003"
[…]
usb.autoConnect.device7 = "0x1050:0x0404"

> dmesg -w

I just played around. After unplugging the YubiKey, I connected the
SPR332:

[felix@felix-arch ~]$ sudo dmesg -w
[…]
[ 5135.728320] usb 2-1: new full-speed USB device number 6 using
uhci_hcd
[ 5136.137546] usb 2-1: New USB device found, idVendor=04e6,
idProduct=e003, bcdDevice= 7.01
[ 5136.137551] usb 2-1: New USB device strings: Mfr=1, Product=2,
SerialNumber=5
[ 5136.137553] usb 2-1: Product: SPRx32 USB Smart Card Reader
[ 5136.137554] usb 2-1: Manufacturer: SCM Microsystems Inc.
[ 5136.137555] usb 2-1: SerialNumber: 51271741200012
^C
[felix@felix-arch ~]$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
[felix@felix-arch ~]$ sudo gpg --card-status
Reader ...: SCM Microsystems Inc. SPR 532 [CCID Interface]
(51271741200012) 00 00
Application ID ...: D276000124010303000564D5
Application type .: OpenPGP
Version ..: 3.3
Manufacturer .: ZeitControl
Serial number : 64D5
Name of cardholder: Felix Klee
Language prefs ...: en
Salutation ...: Mr.
URL of public key :

https://sks-keyservers.net/pks/lookup?op=get=0x5EF8B6017F668171259945D6BEF6EFD38FE8DCA0
Login data ...: [not set]
Signature PIN : forced
Key attributes ...: rsa4096 rsa4096 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 3 3
Signature counter : 10
KDF setting ..: off
Signature key : 5EF8 B601 7F66 8171 2599 45D6 BEF6 EFD3 8FE8
DCA0
  created : 2016-12-17 10:49:18
Encryption key: 27BF BB40 70FC 6351 189E 79FE 04FD F78D 1679
DD94
  created : 2016-12-17 10:49:18
Authentication key: [none]
General key info..: pub rsa4096/BEF6EFD38FE8DCA0 2016-12-17 Felix E.
Klee 
sec> rsa4096/BEF6EFD38FE8DCA0 created: 2016-12-17 expires:
2020-11-10 card-no: 0005 64D5
ssb> rsa4096/04FDF78D1679DD94 created: 2016-12-17 expires:
2020-11-10 card-no: 0005 64D5
[felix@felix-arch ~]$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

As you can see, I can connect to it as root but not as regular user.
Sometimes connection as regular user works, sometimes not. Sometimes I
just have to wait for a while, can be minutes, and then it works.

I also tried killing root’s gpg-agent, to avoid conflicts with that of
the user, but that didn’t help either.

Furthermore, even if udev doesn’t trigger, I should have rw access to
the device file (it’s an SPR332, not sure why it says SPR532):

[felix@felix-arch ~]$ lsusb | grep SPR532
Bus 002 Device 006: ID 04e6:e003 SCM Microsystems, Inc. SPR532
PinPad SmartCard Reader
[felix@felix-arch ~]$ ls -l /dev/bus/usb/002/006
crw-rw 1 root scard 189, 133 Aug  5 12:02 /dev/bus/usb/002/006
[felix@felix-arch ~]$ groups
scanner saned uucp optical lp audio wheel felix scard plugdev
[felix@felix-arch ~]$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

Why does it work as root but not as regular user?

Any suggestion for a fix, even if crude, is welcome!

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

YubiKey/OpenPGP card connection issues for non-root user

[Felix E. Klee]

Recently I set up a YubiKey 5C NFC, and when I connect it to my Linux
system (running in VMware under Windows), it sometimes takes minutes to
be able to use. I.e. it can take forever until I get a successful
response from:

gpg --card-status

OTOH I can immediately get a response when I run the above command as
root. Now I notice that the occasional connection issues I have with the
OpenPGP card in my SCM SPR332 are similar. Furthermore, it happens that
the YubiKey or the card reader suddenly disappear for the ordinary user,
although that is rare.

I have set up udev rules for both. But it seems that sometimes they
don't trigger, or only with a long delay.

[felix@felix-arch ~]$ cd /etc/udev/rules.d/
[felix@felix-arch rules.d]$ cat 70-yubikey.rules
# YubiKey Support
#

ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050",
ENV{ID_MODEL_ID}=="0404", MODE="660", GROUP="scard"
[felix@felix-arch rules.d]$ cat 71-gnupg-ccid.rules # GPG SmartCard
Reader Support
#

ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="04e6",
ENV{ID_MODEL_ID}=="e003", MODE="660", GROUP="scard"

Even without udev rules, I think I should have access to the devices,
because I'm in group `scard`:

[felix@felix-arch ~]$ ls /dev/bus/usb/002/011
/dev/bus/usb/002/011
[felix@felix-arch ~]$ ls -l /dev/bus/usb/002/011
crw-rw 1 root scard 189, 138 Aug  3 14:56 /dev/bus/usb/002/011
[felix@felix-arch ~]$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
[felix@felix-arch ~]$ groups
scanner saned uucp optical lp audio wheel felix scard plugdev
[felix@felix-arch ~]$ lsusb
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 004: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 003 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 003 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 002: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 002 Device 011: ID 1050:0404 Yubico.com Yubikey 4/5 CCID
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

How do I fix that?

I am happy to substitute the udev rules with a timer, or to call some
command to give permissions every time I want to use the YubiKey or the
OpenPGP card. I just would like the whole process to be more reliable.
Currently, it’s extremely frustrating.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: YubiKey 5C NFC not detected

[Felix E. Klee]

Werner Koch via Gnupg-users  writes:
> scdaemon does not see any reader.  That might simply due to another
> process which uses the reader (the yubikey tools).

None the wiser:

$ cat ~/.gnupg/scdaemon.conf
debug cardio
verbose
log-file /tmp/scd.log
pcsc-shared
$ gpgconf --kill gpg-agent
$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
$ cat /tmp/*.log
2022-01-30 20:50:40 scdaemon[416012] listening on socket 
'/run/user/1000/gnupg/S.scdaemon'
2022-01-30 20:50:40 scdaemon[416012] handler for fd -1 started
2022-01-30 20:50:40 scdaemon[416012] ccid open error: skip
2022-01-30 20:50:40 scdaemon[416012] pcsc_list_readers failed: no readers 
available (0x8010002e)

>> gpg (GnuPG) 2.2.32
>
> Note that there is a bug in the reader-port implementation of 2.2.33;
> you better wait for 2.2.34 instead of updating to 2.2.33.

Good to know.  Will keep an eye on it.  Even if 2.2 doesn’t work with
that YubiKey, it does work just fine with the OpenPGP smart card in my
[SPR232 mod][1].  So I don’t want to loose access there.

[1]: https://github.com/feklee/0.332


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: YubiKey 5C NFC not detected

[Felix E. Klee]

Ingo Klöcker  writes:
> $ echo scd getinfo reader_list | gpg-connect-agent --decode

$ ykman config usb -l
OTP
FIDO U2F
FIDO2
OATH
PIV
OpenPGP
YubiHSM Auth
$ gpgconf --kill gpg-agent
$ echo scd getinfo reader_list | gpg-connect-agent --decode
OK

:(


> If scdaemon doesn't see your reader then it's probably not (yet)
> supported by GnuPG's CCID driver. Then you could try to use pcsc by
> adding the option disable-ccid to your scdaemon.conf.

$ echo disable-ccid >~/.gnupg/scdaemon.conf
$ gpgconf --kill gpg-agent
$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

:(

> You could also try GnuPG 2.3.4.

Think I’ll wait until it’s in Arch.  At the moment:

$ gpg --version
gpg (GnuPG) 2.2.32


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: YubiKey 5C NFC not detected

[Felix E. Klee]

Ingo Klöcker  writes:
> Are you sure "Yubico Yubi" is the correct value for the reader-port
> option?

It’s what is suggested in the official [Troubleshooting Issues with
GPG][1].  They also suggest:

Yubico Yubikey

That doesn’t work either.  As I realized before, their guides are not up
to date.  [Elsewhere][2] I found that one can scan for devices:

$ gpgconf --kill gpg-agent
$ ykman config usb -l
OTP
FIDO U2F
FIDO2
OATH
PIV
OpenPGP
YubiHSM Auth
$ pcsc_scan -n
Using reader plug'n play mechanism
Scanning present readers...
Waiting for the first reader... |

That just hangs, same when prefixed with `sudo`.

> Did you try without specifying this option?

Yes. 

$ rm .gnupg/scdaemon.conf
$ gpgconf --kill gpg-agent
$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

By the way, to make `ykman` see the key, I had to add a udev rule:

$ cat /etc/udev/rules.d/10-security-key.rules
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0666", GROUP="users", 
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407"

Any idea what else I can try?

[1]:
https://support.yubico.com/hc/en-us/articles/360013714479-Troubleshooting-Issues-with-GPG
[2]: https://blog.programster.org/yubikey-link-with-gpg


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

YubiKey 5C NFC not detected

[Felix E. Klee]

I would like to set up a YubiKey 5C NFC for SSH, but it doesn’t get
detected by GnuPG:

$ ykman config usb -l
OTP
FIDO U2F
FIDO2
OATH
PIV
OpenPGP
YubiHSM Auth
$ cat .gnupg/scdaemon.conf
reader-port Yubico Yubi
$ gpgconf --kill gpg-agent
$ ps x | grep scdaemon
  33408 ?SLl0:00 scdaemon --multi-server
  49465 pts/2S+ 0:00 grep scdaemon
$ /usr/lib/gnupg/scdaemon --version
scdaemon (GnuPG) 2.2.32
libgcrypt 1.9.4-unknown
libksba 1.6.0
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
$ gpg --verbose --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

What can I do?


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Limit access to unlocked OpenPGP SmartCard?

[Felix E. Klee]

Well, I think I could extend my SPR332 [mod][1]:

  * Add a push-button that one has to press to close the C7 circuit for
I/O.  Without that button pressed, the smart card cannot communicate
with the reader.  That means, for every operation, one would need to
hold that button, kind of – but not as elegantly – as with a
YubiKey.

  * Using some electronics detect when the green PIN pad ✓-button is
pressed to confirm PIN entry on the reader.  Let it trigger a timer
that cuts I/O for good after a few minutes.

Very likely there are some issues that I don’t see at the moment.

[1]: https://github.com/feklee/0.332


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Limit access to unlocked OpenPGP SmartCard?

[Felix E. Klee]

Jacob Bachmeyer via Gnupg-users  writes:
>> After I unlock an OpenPGP SmartCard V2.1 in my SPR332 [mod][1], […]
>
> Does your smartcard reader have its own keypad for entering the PIN?

yes


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Limit access to unlocked OpenPGP SmartCard?

[Felix E. Klee]

On Thu, 27 Jan 2022 at 14:54, Matthias Apitz  wrote:
> gpgconf --reload scdaemon

Gotta try that, maybe execute it with a timer, better than nothing.

Best would be if the card itself could be configured to only do a
certain number of operations after being unlocked. I think everything
else is pretty much unsafe as well.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Limit access to unlocked OpenPGP SmartCard?

[Felix E. Klee]

After I unlock an OpenPGP SmartCard V2.1 in my SPR332 [mod][1], I can
use it to decrypt as many files as I want.  While this is convenient, it
is not great if the system is compromised and I forget to unplug the
card reader.

Is there any way to limit how long the OpenPGP SmartCard remains
unlocked?

[1]: https://github.com/feklee/0.332


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Decrypting fails unless card status

[Felix E. Klee]

On Tue, 15 Dec 2020 at 19:45, MFPA
<2017-r3sgs86x8e-lists-gro...@riseup.net> wrote:
> Is that a consequence of using a card?

No. I do have an accessible private key, but it’s more than 9,000 km
away, and traveling is not so easy these days.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Decrypting fails unless card status

[Felix E. Klee]

Since some time, maybe since a minor system update, before decrypting
from my OpenPGP smart card, I always have to run:

gpg --card-status

Otherwise, I get an error message:

$ gpg --faked-system-time 20200101T00 -d world.gpg
gpg: WARNING: running with faked system time: 2020-01-01 00:00:00
gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created
2016-12-17
  "Felix E. Klee "
gpg: public key decryption failed: Invalid ID
gpg: decryption failed: No secret key

Note that I have to run with faked system time since I cannot extend the
validity of my key. Anyhow, even without faking the time, I get the
error message.

*Any idea how to get `gpg` back to normal?*

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: 0.332

[Felix E. Klee]

On Mon, Feb 11, 2019 at 12:17 PM Gerd v. Egidy
 wrote:
> How does it compare size-wise to the cyberJack one from Reiner SCT?

  * cyberJack RFID standard:

62 x 95 x 13 mm

  * 0.332 enclosure:

69 × 111 × 13 mm

It could be fun to replace the pin pad by a smaller one and create a
custom board. IOW it could be fun to create an open source card reader!

> That is the one I use for size-constrained use cases.

Did that in the past too. However, the “cyberJack RFID standard” needs
dedicated drivers while the Reiner SCT directly interfaces with
GnuPG. In particular with Termux on my rooted Android phone, I did not
get the cyberJack to work.

> I think having a slot for a regular card is an advantage as you can
> easily take the card out, carry it with you in your wallet and use it
> on other systems too.

I understand, but that’s not my use-case. If someone wants to give it a
go, it should not be too hard to modify the current design. You can
start from the STL files if you don’t have Rhino3D (proprietary).

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

0.332

[Felix E. Klee]

FYI:

https://github.com/feklee/0.332

This is a mod of the SCM SPR332 v2 smart card reader, making it
smaller and lighter. For quite a while I have regularly been using it
with my phone:

https://gist.github.com/feklee/92f76d2c8a7cabc477360d82b5305c19

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Felix E. Klee]

On Wed, Aug 15, 2018 at 12:13 PM, Peter Lebbing
 wrote:
>> So, perhaps enQsig is using 3DES.
>
> Good find! This sounds plausible.

Created a custom key pair not on a smart card, just for this single
transaction. Result:

>gpg --verbose --decrypt encrypted.asc | head
gpg: armor header: Version: enQsig
gpg: public key is FDE5C6E97DA42AE8
gpg: public key is 92663E7CA68E4EC6
gpg: public key is 9D8C454A43A6D2DE
gpg: encrypted with RSA key, ID 9D8C454A43A6D2DE
gpg: encrypted with RSA key, ID 92663E7CA68E4EC6
gpg: encrypted with 4096-bit RSA key, ID FDE5C6E97DA42AE8, created
2018-09-06
      "Felix E. Klee "
gpg: 3DES encrypted data
gpg: Note: sender requested "for-your-eyes-only"

So yes, 3DES!

Fortunately, as can be seen above, with the custom key I was able to
decrypt the message.

Issue solved.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Communication with card reader encrypted?

[Felix E. Klee]

Thanks for clarification!

On Mon, Aug 27, 2018 at 11:51 AM, Werner Koch  wrote:
> The connection between the card reader and the host is not encrypted
> because that would require a key setup first and that would also be
> subject to key logging.

The host could provide a public encryption key to the card reader. Of
course:

  * With a tampered USB cable, there still would be attacks possible,
though different ones. That is, unless the reader can know the
identify of the host, which would again require a priori exchange,
so nothing gained.

  * This is very likely not part of the existing API (PC/SC?).

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Communication with card reader encrypted?

[Felix E. Klee]

On Sun, Aug 26, 2018 at 10:41 AM, Peter Lebbing
 wrote:
> The OpenPGP smartcard and generic smartcard protocols do define
> "Secure Messaging", but I don't think this is commonly used for cabled
> OpenPGP smartcards.

Would be interesting to find out.

> I think you'll need to trust the cable anyway,

Well, if the cable is soldered to the reader, then it’s much harder to
tamper with. Swapping a replaceable cable requires much less effort.

Concerning key loggers for comparison: It is possible that the [attack
at TAZ][1] would not have happened had the attacker to tamper with the
victim’s keyboards, their computers, or their software.

I would not be surprised if you can find USB cables on Alibaba that
include sniffers and multiple GBs of flash memory for logging
everything, for debugging of course. ;)

[1]: http://www.taz.de/!5307828/

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Communication with card reader encrypted?

[Felix E. Klee]

On Sun, Aug 26, 2018 at 12:31 AM, Dirk Gottschalk
 wrote:
> This is a really interesting question. But, does this really matter
> got an USB device? If there is a program on your computer, which
> interceps the communication, the security of you system is already
> broken.

I am more thinking about a hardware attack. If the communication is not
encrypted, this opens another attack vector. For comparison, think about
[key loggers][1]. Putting a hardware logger somewhere between the USB
peripheral device and the computer is potentially easier and quicker
than tampering with either the peripheral device or the computer.

Background: I want to put my SCM SPR332 v2 card reader into a different
enclosure, so that it’s more portable for [use with my mobile phone][2].
The very long cable also needs to be replaced. One option is to add a
USB port to the reader so that arbitrary cables can be used. This
thought coincided with me reading about [doctored USB cables][3]. I
don’t want to be required to trust three devices: phone, reader, and now
cable

[1]: http://www.taz.de/!5307828/
[2]: https://gist.github.com/feklee/92f76d2c8a7cabc477360d82b5305c19
[3]: 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Communication with card reader encrypted?

[Felix E. Klee]

When I decrypt a file using an OpenPGP card, is the communication
between a USB card reader and the GnuPG daemon encrypted? Or: Is the
decrypted session key sent unencrypted through the cable?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Android/Termux: How to build gpg-agent without maintainer mode?

[Felix E. Klee]

On 8/22/18, Dirk Gottschalk 
wrote:
> This depends on the source of your source version. If it is from a
> release tarball, this shouldn't bother you.
>
> I only get this warning if I have compiled from the GIT repository.

Uh oh, I didn’t check out a release! Changed the [build
instructions][1] now to also include:

$ git checkout gnupg-2.2.9 # matches GnuPG in Termux

Thanks for pointing me in the right direction!

> I don't know if it is possible to compile only the agent.

Doesn’t really matter anyhow. The compile process on my phone is quite
fast, profiting from the multi core architecture.

[1]: https://gist.github.com/feklee/92f76d2c8a7cabc477360d82b5305c19

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Android/Termux: How to build gpg-agent without maintainer mode?

[Felix E. Klee]

On Wed, Aug 22, 2018 at 1:08 PM, Dirk Gottschalk
 wrote:
> There's nothing what should "bug" you.

Well if I call `g10/gpg` in the build, I get a big fat warning:

gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!

*Shouldn’t that bug me?*

That being said:

  * The `agent/gpg-agent` does not output the warning.

  * As said in my original post, I am only interested in the agent. It
is compatible with the `gpg` provided with Termux.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Android/Termux: How to build gpg-agent without maintainer mode?

[Felix E. Klee]

I managed to get `gpg-agent` run with USB smart card support under
Android/Termux:

https://gist.github.com/feklee/92f76d2c8a7cabc477360d82b5305c19

What bugs me is that I had to compile in maintainer mode: Now I get
warnings that the software should not used be used with production keys.

Maintainer mode is in fact suggested by `autogen.sh`:

$ git clone git://git.gnupg.org/gnupg.git
[…]
$ cd gnupg
$ export C_INCLUDE_PATH=$PREFIX/include/:$PREFIX/include/libusb-1.0/
:$PREFIX/include/libandroid-support
$ ./autogen.sh
[…]
autogen.sh: You may now run:
  ./configure --sysconfdir=/etc --enable-maintainer-mode  && make

If I try without maintainer mode, then I get:

$ ./configure
[output attached]
$ make
make  all-recursive
make[1]: Entering directory '/data/data/com.termux/files/home/src/g/
gnupg'
Making all in m4
make[2]: Entering directory '/data/data/com.termux/files/home/src/g/
gnupg/m4'
make[2]: Nothing to be done for 'all'.
make[2]: Leaving directory '/data/data/com.termux/files/home/src/g/
gnupg/m4'
Making all in common
make[2]: Entering directory '/data/data/com.termux/files/home/src/g/
gnupg/common'
make[2]: *** No rule to make target 'audit-events.h', needed by 'all
'.  Stop.
make[2]: Leaving directory '/data/data/com.termux/files/home/src/g/g
nupg/common'
make[1]: *** [Makefile:613: all-recursive] Error 1
make[1]: Leaving directory '/data/data/com.termux/files/home/src/g/g
nupg'
make: *** [Makefile:533: all] Error 2

*How do I build `gpg-agent` without maintainer mode?*

Note that I only need the agent, so I could probably speed up compile
time by quite a lot if disable the other tools in `./configure`. But
that’s not a priority now.


configure_output
Description: Binary data
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Felix E. Klee]

On Wed, Aug 15, 2018 at 12:13 PM, Peter Lebbing
 wrote:
> Here's the catch: unless you have an on-disk copy of your private
> encryption key, you can't. [if enQsig uses 3DES]

I do have a backup of the private key, but it’s 1. out of reach at the
moment and 2. it’s a pain to restore. So far, I’m still optimistic that
the sender will eventually provide me with a message that I can decrypt.

Thanks a lot for your explanations!

PS: I’m toying with the idea of switching from my smart card to a Trezor
hardware token. This would mean generating an entirely new key (only
256 bit ECC supported). OTOH there are several advantages such as the
Trezor being a well documented open source device, and – of course – its
size with integrated key pad solution. It also depends on whether I can
get either a smart card reader or the Trezor to work with
Termux/Android.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Felix E. Klee]

*Update:* Yesterday, I was reading the [GnuPG wiki page on
SmartCards][1] due to another issue. At its bottom I found listed as
known bug:

  * Encrypted message with 3DES can't be decrypted with OpenPGP Card
(V2.1, V3.3 without fix)

  - Due to the bug, it results: Missing item in object 

  - See: https://dev.gnupg.org/T3576

Well, indeed if I encrypt a message with 3DES, I cannot decrypt it with
my SmartCard:

$ echo "Hello, world!" >foo
$ gpg -e -r felix.k...@inka.de --personal-cipher-preference 3DES foo
$ gpg -d --debug=crypto foo.gpg
[…]
gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created 2
016-12-17
          "Felix E. Klee "
gpg: public key decryption failed: Missing item in object
gpg: decryption failed: No secret key
gpg: secmem usage: 0/32768 bytes in 0 blocks
$ gpg --version
gpg (GnuPG) 2.2.9
libgcrypt 1.8.3
[…]

“Missing item in object” is the same message that I get when trying to
decrypt the enQsig encrypted message! So, perhaps enQsig is using 3DES.
*How do I find that out?*

Also, I don’t understand: I was assuming that all the card does is
decrypt my session key using my private 4096 bit RSA key. *If the
session key is a 3DES key, why should the card care?*

[1]: https://wiki.gnupg.org/SmartCard

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Felix E. Klee]

On Thu, Aug 2, 2018 at 2:14 PM, Peter Lebbing 
wrote:
> So I think it's a safe bet they also screwed up the PKESK packet for
> your subkey, and the error is indeed related to it not representing a
> valid session key.

As I would like to understand things a bit better, do you think it is
possible to get some more details? In particular:

  * Is the encrypted packet in a bad format?

  * Does the 4096 bit RSA decryption fail?

  * Or: Is the decrypted packet in a bad format?

Again, the output by `pgpdump` for the packet associated with my
encryption key 04FDF78D1679DD94:

$ pgpdump 02-001.pk_enc
New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
New version(3)
Key ID - 0x04FDF78D1679DD94
Pub alg - RSA Encrypt or Sign(pub 1)
RSA m^e mod n(4095 bits) - ...
-> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1
block type 02

For comparison, the output for a packet encrypted with GnuPG:

$ gpg --version
gpg (GnuPG) 2.2.9
libgcrypt 1.8.3
[…]
$ gpg --recv BEF6EFD38FE8DCA0
$ echo "Hello world!" >test
$ gpg -e -r BEF6EFD38FE8DCA0 test
$ gpgsplit test.gpg
$ ls -1
01-001.pk_enc
02-018.encrypted_mdc
test
test.gpg
$ pgpdump 01-001.pk_enc
Old: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
New version(3)
Key ID - 0x04FDF78D1679DD94
Pub alg - RSA Encrypt or Sign(pub 1)
RSA m^e mod n(4095 bits) - ...
-> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1
block type 02

The only difference: `Old` vs. `New` – Could this be an issue?

PS: Had to think a bit that PKESK = “Public-Key Encrypted Session Key”.
The crypto world seems to love acronyms. ;) (which does not make things
easier for us users)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Felix E. Klee]

Hi Dirk,

thanks for all your suggestions!

If I can, I want to avoid creating another key. I prefer getting the
issue resolved and have bugs reported/fixed along the way. I had it once
before that I could not decrypt a document encrypted by a big German
company with my private key. These enterprise “solutions” seem to have
issues.

On Mon, Jul 30, 2018 at 5:14 PM, Dirk Gottschalk via Gnupg-users
 wrote:
> The last packet mentions your signature key as used for encryption,
> this is an error for sure.

I now removed my signature key BEF6EFD38FE8DCA0 from the encrypted
message:

$ gpg --dearmor encrypted.asc
$ gpgsplit encrypted.asc.gpg
$ ls -1
01-001.pk_enc
02-001.pk_enc
03-001.pk_enc
04-001.pk_enc
05-018.encrypted_mdc
encrypted.asc
encrypted.asc.gpg
$ pgpdump 01-001.pk_enc
New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
New version(3)
Key ID - 0xBEF6EFD38FE8DCA0
Pub alg - RSA Encrypt or Sign(pub 1)
RSA m^e mod n(4096 bits) - ...
-> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1
block type 02
$ pgpdump 02-001.pk_enc
New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
New version(3)
Key ID - 0x04FDF78D1679DD94
Pub alg - RSA Encrypt or Sign(pub 1)
RSA m^e mod n(4095 bits) - ...
-> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1
block type 02
$ pgpdump 03-001.pk_enc
New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
New version(3)
Key ID - 0x92663E7CA68E4EC6
Pub alg - RSA Encrypt or Sign(pub 1)
RSA m^e mod n(4096 bits) - ...
-> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1
block type 02
$ pgpdump 04-001.pk_enc
New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
New version(3)
Key ID - 0x9D8C454A43A6D2DE
Pub alg - RSA Encrypt or Sign(pub 1)
RSA m^e mod n(4094 bits) - ...
-> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1
block type 02
$ pgpdump 05-018.encrypted_mdc
New: Symmetrically Encrypted and MDC Packet(tag 18)(1718 bytes)
Ver 1
(plain text + MDC SHA1(20 bytes))
$ cat 02-001.pk_enc 03-001.pk_enc 04-001.pk_enc \
05-018.encrypted_mdc >new.gpg

Decryption still fails:

$ gpg -d new.gpg
gpg: encrypted with RSA key, ID 9D8C454A43A6D2DE
gpg: encrypted with RSA key, ID 92663E7CA68E4EC6
gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created
2016-12-17
      "Felix E. Klee "
gpg: public key decryption failed: Missing item in object
gpg: decryption failed: No secret key
$ gpg --list-packets new.gpg
gpg: encrypted with RSA key, ID 9D8C454A43A6D2DE
gpg: encrypted with RSA key, ID 92663E7CA68E4EC6
gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created
    2016-12-17
  "Felix E. Klee "
gpg: public key decryption failed: Missing item in object
gpg: decryption failed: No secret key
# off=0 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid 04FDF78D1679DD94
data: [4095 bits]
# off=527 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid 92663E7CA68E4EC6
data: [4096 bits]
# off=1054 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid 9D8C454A43A6D2DE
data: [4094 bits]
# off=1581 ctb=d2 tag=18 hlen=3 plen=1718 new-ctb
:encrypted data packet:
length: 1718
mdc_method: 2

As before, the reason given for “public key decryption failed” depends
on the card reader used:

  * SCM SPR332 v2: “Missing item in object”

  * Cherry ST-2000: “Invalid value”

  * REINER SCT cyberJack: “Missing item in object”

It seems like the card reader cannot decrypt the session key. *Is that correct?*

I also tried removing all keys except for my encryption key
04FDF78D1679DD94. This does not make a difference, i.e. encryption fails
as above.

/ Felix

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Felix E. Klee]

On Mon, Jul 30, 2018 at 12:40 PM, Felix E. Klee 
wrote:
> “Invalid value”

Same on Linux BTW (with the Cherry ST-2000).

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Felix E. Klee]

Now I tried a different card reader (after restarting Windows 7x64).
This time it’s a Cherry ST-2000. Previously it was a ReinerSCT
cyberJack.

With the Cherry I get a different error message! This time it’s “Invalid
value” instead of “Invalid ID”!

*What does that mean?*

>gpg --list-packets encrypted.asc
# off=0 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid BEF6EFD38FE8DCA0
data: [4096 bits]
# off=527 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid 04FDF78D1679DD94
data: [4095 bits]
# off=1054 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid 92663E7CA68E4EC6
data: [4096 bits]
# off=1581 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid 9D8C454A43A6D2DE
data: [4094 bits]
gpg: encrypted with RSA key, ID 9D8C454A43A6D2DE
gpg: encrypted with RSA key, ID 92663E7CA68E4EC6
gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created 2
016-12-17
  "Felix E. Klee "
gpg: public key decryption failed: Invalid value
gpg: encrypted with 4096-bit RSA key, ID BEF6EFD38FE8DCA0, created 2
016-12-17
          "Felix E. Klee "
gpg: public key decryption failed: Invalid ID
gpg: decryption failed: No secret key
# off=2108 ctb=d2 tag=18 hlen=3 plen=1718 new-ctb
:encrypted data packet:
length: 1718
mdc_method: 2

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Felix E. Klee]

Zum Vergleich eine Datei, die ich selbst für mich verschlüsselt habe,
und die ich erfolgreich entschlüsseln kann:

>gpg --list-packets foo.gpg
gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created 2
016-12-17
  "Felix E. Klee "
# off=0 ctb=85 tag=1 hlen=3 plen=524
:pubkey enc packet: version 3, algo 1, keyid 04FDF78D1679DD94
data: [4094 bits]
# off=527 ctb=d2 tag=18 hlen=2 plen=76 new-ctb
:encrypted data packet:
length: 76
mdc_method: 2
# off=548 ctb=a3 tag=8 hlen=1 plen=0 indeterminate
:compressed packet: algo=2
# off=550 ctb=cb tag=11 hlen=2 plen=23 new-ctb
:literal data packet:
mode b (62), created 1532945681, name="",
raw data: 17 bytes

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Felix E. Klee]

On Sun, Jul 29, 2018 at 11:37 PM, Dirk Gottschalk via Gnupg-users
 wrote:
>> My encryption key is the sub key 04FDF78D1679DD94. The private key is
>> on a smart card. […]
>
> Does this key work as expected in other programs, MUAs for example?

I use it daily for encryption/decryption of documents, though only with
GnuPG.

> I didn't test it mysqlf, but exporting a only a sub key should be no
> problem.

*But how?*

Your suggestion doesn’t seem to work:

>gpg --export 04FDF78D1679DD94 | gpg --keyid-format long
gpg: WARNING: no command supplied.  Trying to guess what you mean ..
.
pub   rsa4096/BEF6EFD38FE8DCA0 2016-12-17 [SC] [expires: 2018-12-17]
  5EF8B6017F668171259945D6BEF6EFD38FE8DCA0
uid       Felix E. Klee 
sub   rsa4096/04FDF78D1679DD94 2016-12-17 [E] [expires: 2018-12-17]

> Could you provide an example file with this error, in best case
> generated from the Sender?

I can ask him of course. First I would like to see, though, if GnuPG can
tell us what’s the problem.

> Have you tried to inspect the packets in the file with
> "--list-packets"?

Here you go (again my encryption key is `04FDF78D1679DD94`):

>gpg --list-packets encrypted.asc
# off=0 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid BEF6EFD38FE8DCA0
data: [4096 bits]
# off=527 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid 04FDF78D1679DD94
data: [4095 bits]
# off=1054 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid 92663E7CA68E4EC6
data: [4096 bits]
# off=1581 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
:pubkey enc packet: version 3, algo 1, keyid 9D8C454A43A6D2DE
data: [4094 bits]
gpg: encrypted with RSA key, ID 9D8C454A43A6D2DE
gpg: encrypted with RSA key, ID 92663E7CA68E4EC6
gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created 2
016-12-17
  "Felix E. Klee "
gpg: public key decryption failed: Missing item in object
gpg: encrypted with 4096-bit RSA key, ID BEF6EFD38FE8DCA0, created 2
016-12-17
  "Felix E. Klee "
gpg: public key decryption failed: Invalid ID
gpg: decryption failed: No secret key
# off=2108 ctb=d2 tag=18 hlen=3 plen=1718 new-ctb
:encrypted data packet:
length: 1718
mdc_method: 2

I wonder what “Missing item in object” means.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Cannot decrypt file encrypted with enQsig

[Felix E. Klee]

To receive a document in encrypted form, I provided my public key to the
sender. See attachment. The key contains a sub key for encryption:

sec  rsa4096/BEF6EFD38FE8DCA0
 created: 2016-12-17  expires: 2018-12-17  usage: SC
 card-no: 0005 4980
 trust: ultimate  validity: ultimate
ssb  rsa4096/04FDF78D1679DD94
 created: 2016-12-17  expires: 2018-12-17  usage: E
 card-no: 0005 4980
[ultimate] (1). Felix E. Klee 

The sender then prepared the encrypted file using a software called
enQsig: “wir verwenden eine zentrale Gateway Verschlüsselungslösung
(EnQsig).” (German)

After I received `encrypted.asc` from the sender, I tried to decrypt it,
to no avail:

C:\Users\Felix\Desktop>gpg -v -d encrypted.asc
gpg: armor header: Version: enQsig
gpg: public key is BEF6EFD38FE8DCA0
gpg: no running gpg-agent - starting 'C:\Program Files (x86)\Gpg4win
\..\GnuPG\bin\gpg-agent.exe'
gpg: waiting for the agent to come up ... (5s)
gpg: waiting for the agent to come up ... (4s)
gpg: connection to agent established
gpg: pinentry launched (9620 qt 1.1.1-beta5 - - -)
gpg: public key is 04FDF78D1679DD94
gpg: using subkey 04FDF78D1679DD94 instead of primary key BEF6EFD38F
E8DCA0
gpg: pinentry launched (4608 qt 1.1.1-beta5 - - -)
gpg: public key is 92663E7CA68E4EC6
gpg: public key is 9D8C454A43A6D2DE
gpg: encrypted with RSA key, ID 9D8C454A43A6D2DE
gpg: encrypted with RSA key, ID 92663E7CA68E4EC6
gpg: using subkey 04FDF78D1679DD94 instead of primary key BEF6EFD38F
E8DCA0
gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created 2
016-12-17
  "Felix E. Klee "
gpg: public key decryption failed: Missing item in object
gpg: encrypted with 4096-bit RSA key, ID BEF6EFD38FE8DCA0, created 2
016-12-17
          "Felix E. Klee "
gpg: public key decryption failed: Invalid ID
gpg: decryption failed: No secret key

>From what I can tell, the file has been encrypted with four keys. My
encryption key is the sub key 04FDF78D1679DD94. The private key is on a
smart card. As you can see, decryption fails with an error message:
“gpg: public key decryption failed: Missing item in object”

*What does the error message mean? Why does encryption fail?*

I wonder if perhaps enQsig cannot properly deal with encryption sub keys:

*Would it be possible to extract the public encryption sub key?* (to
only provide that to the sender)

I am using Gpg4win 3.1.2 on Windows 7x64. If more information is needed,
then I am happy to provide it!


5EF8B6017F668171259945D6BEF6EFD38FE8DCA0.asc
Description: Binary data
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg: [don't know]: 1st length byte missing

[Felix E. Klee]

Thanks, Werner!

No backup, and I think there is no way to recover the password, which
- in this case - is very unfortunate. :( I wonder how this happened.
The drive is a Samsung EVO SSD with NTFS.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg: [don't know]: 1st length byte missing

[Felix E. Klee]

On Sun, Oct 22, 2017 at 12:06 PM,   wrote:
> please list the encrypted text as part of the inline message.

Thanks for pointing that out. Here you go:

-BEGIN PGP ARMORED FILE-
Comment: Use "gpg --dearmor" for unpacking

hQIMAwT9940Wed2UAQ//X3XcOwKvauUCfRI0tqWBrf4CUs/HnzJgaLgL3snxCd0T
cYr78WQvrwUBAJEwvakjuTsrBC7CdxJHWmaEYQZrw8dIAMdxDoKGaWti9S0cGrZD
CjaUjZypCM7bmJViUUmy7nBgrkThQGzS5fqT9EelJ/loJZViIm8kqtV3BGknkyrX
GF92v6CKhh6VDZE4p4trePV46l2Dw4zdB3CPsEc06HREOdGN1RZssMKpQCxnbk44
AskDJS/AOG0xnvgLny96j38xdCz+F9KQ8dA9UZCRau6qTYaOtjvhLIHW1eWjNNtD
Eay54IkFbdF4bReS3fSPp4pv3w2SZLPyX+WX8w5lmRyv7+CsSPzP2spD2KunSsiA
0+1Tw/Lr2Rvwbb+j1cgcr4+IcpPGddn4un+KS42HpxWfZfM7bqoetNO6lL0n2EHI
2W3brKf/9HWeR0vj9LQlDQJGPhejvm6Jgmv/QVYlAEqkkdQurA8UZ3t6v2aQwdgO
smHUfnCVj/CZd3qU5rlvWq2N/vjxIra1VVbFLpC6FU6ISaxBn8D6wBQ4IJmKXTMn
b/hGQtd8paHeUXIyg48f1abGsaa1/bvQ8ReZjVpAkEFCaQeSovf67krSCYNdeJ/+
YY9QHly/kj0JGqcNtFhBEAJxmh05bGkTmYKauiMF4iLa5fQj639oW6TsiXB5wi3S
=UO5M
-END PGP ARMORED FILE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

gpg: [don't know]: 1st length byte missing

[Felix E. Klee]

See the attached file. When I try to decrypt it using `gpg -d`, I get:

gpg: [don't know]: 1st length byte missing

`gpg --version` (on Windows):

gpg (GnuPG) 2.2.1
libgcrypt 1.8.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:/Users/Felix/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

IIRC I haven’t updated gpg since I encrypted the file. So I assume that
the same gpg 2.2.1 has been used for encryption.

The private key is on an OpenPGP smartcard by ZeitControl.

*Any idea how to fix the issue?*


password.gpg
Description: Binary data
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg: KEYTOCARD failed: Unusable secret key

[Felix E. Klee]

On Tue, Jul 26, 2016 at 1:22 PM, Andrew Gallagher 
wrote:
> If you want to keep a backup copy on local disk, you need to quit
> *without saving* immediately after running 'keytocard'.

Hitting  to quit did the trick. Now I could copy the key – a new
one – to two cards. Thanks for the suggestion!

Before that I tried re-importing the private key from the `.asc` file,
but it still was not possible to write it to another card. The error
message was the same as before. I don’t understand this: The key is
around, but somehow I cannot use it.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg: KEYTOCARD failed: Unusable secret key

[Felix E. Klee]

On Tue, Jul 26, 2016 at 1:22 PM, Andrew Gallagher 
wrote:
> What does it say when you run "gpg --list-secret-keys" on your local
> machine now?

*Without* the smart card reader connected, it says:

# gpg –list-secret-keys
/ramdisk/pubring.kbx

sec>  rsa4096 2016-07-26 [SC] [expires: …]
  AFADB5A…
  Card serial no. = …
uid   [ultimate] Felix …
ssb>  rsa4096 2016-07-26 [E] [expires: …]

Also I can export the private key:

# gpg --armor --export-secret-keys | wc -l
53

So it seems to be still there, no?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

gpg: KEYTOCARD failed: Unusable secret key

[Felix E. Klee]

Successfully moved a key to an [OpenPGP-Card][1]. Now, as backup, I
want to install the key to a second card, but that failed:

# gpg --edit-key $KEY
[...]
gpg> toggle
[...]
ggp> keytocard
Really move the primary key? (y/N) y
[...]
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

gpg: WARNING: such a key has already been stored on the card!

Replace existing key? (y/N) y
gpg: KEYTOCARD failed: Unusable secret key

Why did it work for the first card but not for the second one?

I assume, although `keytocard` is documented as *moving* the key to the
card, it actually copies it.

[1]: https://g10code.com/p-card.html

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to export ASCII armored secret key without passphrase?

[Felix E. Klee]

On Wed, Jan 20, 2016 at 6:13 PM, Peter Lebbing 
wrote:
> $ gpg2 --export-secret-keys | gpg --import

Thanks! On my system, Arch, that’s:

$ gpg --export-secret-keys | gpg1 --import

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

How to export ASCII armored secret key without passphrase?

[Felix E. Klee]

There’s a known issue: 

Is there any workaround? For example, could I export an ASCII armored
key with a passphrase, then decrypt the exported key?

Command that failed without passphrase (the key doesn't have one):

$ gpg --armor --export-secret-keys >key.txt

Affected version of GnuPG is 2.1.10.

With 2.0.19 I did not run into this issue.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Generating 4096 bit key fails – why?

[Felix E. Klee]

On Wed, Nov 4, 2015 at 3:09 AM, NIIBE Yutaka  wrote:
> Here is a fix.  It will be in the next release.
>
> http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=c5a9fedba66361ddd9f596528882750068543298

Thanks!

Any idea when the next release is scheduled to be available?

I tried installing the Git version into `/usr/local`, but that couldn’t
interface with my reader’s PIN pad.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Generating 4096 bit key fails – why?

[Felix E. Klee]

On Mon, Nov 2, 2015 at 3:04 AM, NIIBE Yutaka  wrote:
> It failed when gpg frontend tried to change the key attribute for
> RSA-4096.
>
>> […]
>
> Do you happened to have (and run) old scdaemon of 2.0?

Unfortunately that doesn’t seem to be the explanation. After starting
`gpg --card-edit`, I checked which version is running, and it’s 2.1.9:

$ ps aux | grep scdaemon
root   506  […] scdaemon --multi-server
felix  562  […] grep scdaemon
$ sudo ls -l /proc/506/exe
[…] /proc/506/exe -> /usr/lib/gnupg/scdaemon
$ /usr/lib/gnupg/scdaemon --version
scdaemon (GnuPG) 2.1.9
libgcrypt 1.6.4
libksba 1.3.3
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

What else can I try?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Generating 4096 bit key fails – why?

[Felix E. Klee]

On Tue, Oct 27, 2015 at 9:09 PM, Werner Koch  wrote:
> Please add
>
> --8<---cut here---start->8---
>   debug 1024
>   debug 2048
>   log-file /this/is/my/scdaemon.log
> --8<---cut here---end--->8---
>
> to scdaemon.conf, kill scdaemon, and try again.  The log file will then
> contain a log of all APDUs send and received to/from the card.  Post it
> here.

See attachment.

And, yes, the OpenPGP card V2.1 does 4096 bit keys, just as V2.0, which
I successfully used with such keys. In fact on V2.1, it is printed: “RSA
with up to 4096 bit”


scdaemon.log.gz
Description: GNU Zip compressed data
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Generating 4096 bit key fails – why?

[Felix E. Klee]

As already mentioned in the October 2015 thread “Bad secret key” on
, I cannot generate a 4096 bit on
my [OpenPGP card][1]. What could be the issue?

Details:

$ uname -a
Linux felix-arch 4.2.3-1-ARCH #1 SMP PREEMPT Sat Oct 3 18:52:50 CEST
2015 x86_64 GNU/Linux
$ gpg --version
gpg (GnuPG) 2.1.9
libgcrypt 1.6.4
[…]
$ gpg --card-edit

Application ID ...: D276000124010201000540D8
Version ..: 2.1
Manufacturer .: ZeitControl
Serial number : 40D8
Name of cardholder: Felix Klee
Language prefs ...: de
Sex ..: unspecified
URL of public key : [not set]
Login data ...: [not set]
Signature PIN : not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key : [none]
Encryption key: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> generate
Make off-card backup of encryption key? (Y/n) n
What keysize do you want for the Signature key? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
Note: There is no guarantee that the card supports the requested
  size. If the key generation does not succeed, please check the
  documentation of your card to see what sizes are allowed.
gpg: error changing size of key 1 to 4096 bits: Invalid data

[1]: http://g10code.com/p-card.de.html

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Trezor - Could this be the model for a PGP crypto device?

[Felix E. Klee]

Yesterday in Las Palmas de Gran Canaria, I attended a [talk][1] by Marek
Palatinus, one of the relatively early Bitcoin miners and cofounder of
[SatoshiLabs][2]. He gave an introduction to his path into Bitcoin, and
things that went wrong, and then he presented the [Trezor][3] crypto
device.

The Trezor has a little display and two buttons. It generates and stores
your private key which is used for identifying your address in the
Bitcoin network. The Bitcoins that you own are associated with your
address. Connected via USB to a computer, the Trezor signs Bitcoin
transactions.

Marek later explained to me that the Bitcoin crypto standard is
different from those used with PGP.

After the talk, I hammered him with questions:

  * What if I lose the device or if it breaks? For backup, the device
presents a list of 24 English words, that the user should write down
and keep on paper in a safe place. Using this list, the private key
can be recreated.

  * What if Eve wants to access the device without my authorization?
There is a PIN.

  * How is the key generated? With an RNG on the device, using entropy
gathered from the connected computer.

  * There’s no PIN pad on the device; Couldn’t malware sniff the PIN?
The device has a little screen that displays a matrix of nine
numbers. On the computer’s screen appears the same matrix without
numbers, and one clicks on these with the mouse.

  * Do I have to enter the PIN for every transaction? Only once, then
the device remains activated.

  * Once the device is activated, couldn’t malware do arbitrary
transactions? For every transaction there is information displayed
on the device’s display, and it has to be confirmed with the press
of a button on the device.

  * Can I trust the firmware? [Source code][4] is available. Users can
check the code, compile it, and flash their own version.

  * What if Eve modifies the firmware in a malignant way and flashs it
to the device? Flashing unsigned firmware causes the private key to
be erased by the bootloader.

  * Can I trust the bootloader? Source code is available as well.

Of course there could still be backdoors. However, at the moment I
cannot see what can be done better, other than building your own
hardware, ideally down to chip manufacturing level.

[1]: http://www.meetup.com/lpa-tech/events/220413356/
[2]: http://satoshilabs.com/
[3]: http://satoshilabs.com/trezor/
[4]: https://github.com/trezor/

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Talking about Cryptodevices... which one?

[Felix E. Klee]

On Wed, Jan 28, 2015 at 1:46 AM, NIIBE Yutaka gni...@fsij.org wrote:
 From the viewpoint of getting unencrypted private key, it's like:

  On flash ROM: Private key encrypted --\
 \
  On flash ROM: DEK encrypted --\   [AES]-- Private key
   [AES]- DEK --/
Passphrase --[S2K]--/

Thanks a lot for this explanation!

 From this point, it is better for smartcard/token, not to have other
 useful features.

I still would feel more comfortable with a pinpad, or some hardware
button (see thread “crypto device where I need to confirm every
operation?”).

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Talking about Cryptodevices... which one?

[Felix E. Klee]

On Tue, Jan 27, 2015 at 6:14 PM, Andreas Schwier
andreas.schwier...@cardcontact.de wrote:
 The encryption on the card is unrelated to the PIN.

So the private key is encrypted with an AES key that is also stored on
the card? Then why encrypt the private key at all? Against what attack
does encryption of the private key on the card protect?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Talking about Cryptodevices... which one?

[Felix E. Klee]

On Sat, Jan 24, 2015 at 4:05 AM, NIIBE Yutaka gni...@fsij.org wrote:
 gnuk (running on the FST-01)

How does that store the private key? Password encrypted?

A smart card stores the key unencrypted, right?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Talking about Cryptodevices... which one?

[Felix E. Klee]

On Tue, Jan 27, 2015 at 5:19 PM, Andreas Schwier
andreas.schwier...@cardcontact.de wrote:
 The platform we use for the SmartCard-HSM generates a random AES key
 during platform initialization and encrypts all key material in EEPROM
 under this key. The only time the key is handled in plain (plain
 meaning within the protected enclosure of the secure microcontroller)
 is when the crypto unit performs a private key operation.

Good! What PIN length do you recommend? (for the case that there is a
backdoor to get the *encrypted* key off the card)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Talking about Cryptodevices... which one?

[Felix E. Klee]

On Fri, Jan 23, 2015 at 3:25 AM, Faramir faramir...@gmail.com wrote:
 Any advice?

I bought an OpenPGP smart card at [cryptoshop][1]. Whether they ship to
Chile, I don’t know. The cards are actually distributed by [kernel
concepts][2]. I called them, and they told me:

  * Currently they don’t have cards in stock.

  * The shop will be back IIRC next month, or in March.

  * There will be a new batch of cards, with the same functionality but
updated print: On the back of the current cards, it says “RSA with
up to 3072 bit” when in fact the cards support up to 4096 bit.

Also: You can get that card, if you become an [FSFE fellow][3].

As for the reader, I got a Reiner SCT cyberJack RFID standard. The RFID
functionality allows me to use it with the German ID card as well. If
you don’t need that, there is a smaller device, the cyberJack go plus.

I’m running the setup with Win7 X64, with Gpg4win, which works fine:

  * PIN entry is via the pinpad on the reader.

  * 4096 bit RSA

  * Decryption of a 30 kB file takes one or two seconds.

[1]: http://www.cryptoshop.com/checkout/cart/
[2]: http://shop.kernelconcepts.de/
[3]: https://fsfe.org/fellowship/card.en.html

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Crypto device where I need to confirm every operation?

[Felix E. Klee]

On Thu, Jan 22, 2015 at 6:34 PM, Johannes Zarl johan...@zarl.at wrote:
 On my setup, the smartcard seems to only allow one sign operation per
 pin-entry.

Right, for signing I am always asked for the PIN. I didn't check that
before posting.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Crypto device where I need to confirm every operation?

[Felix E. Klee]

I currently use GnuPG with an OpenPGP Card V2.0 in a smart card reader
with PIN pad. Surely, that adds a certain layer of security, as all
encryption and signing operations happen on the card. However, there
is one attack which I think could be easily prevented: With the card
in the reader, the PIN entered, and Eve having remote access to my
machine, she could sign and decrypt documents.

To prevent such an attack, I imagine a device where I have to confirm
every transaction with a simple push on a hardware button.

Does that exist?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Info on sub keys?

[Felix E. Klee]

I've a couple of newbee questions concerning sub keys:

* Aside from convenience, is there any difference between a sub key and
  an ordinary key signed with the master key?

* Can such an ordinary key be transformed into a sub key?

* Since when (date and version) does PGP and since when does GnuPG
  support signing sub keys?  I ask because I read that old versions, at
  least of PGP, support only encryption sub keys, not signing sub keys.

* Are signing sub keys part of the OpenPGP standard?

* One can include any number of sub keys into a key, right?  I ask
  because I recall reading that there was/is some problem with key
  servers and sub keys.

If there is any good documentation on sub keys, aside from technical
specifications (such as RFC 2440), then please let me know.

-- 
Felix E. Klee

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Info on sub keys?

[Felix E. Klee]

At Sun, 04 Jun 2006 03:02:19 +0930,
Alphax wrote:
 A subkey cannot issue a certification signature - at least not in any
 known implementations.

Right, I read about that before.

 PGP 8 supports signing subkeys; no other offical version of PGP before
 then does. 

According to Tom McCune's FAQ [1] version 8.1 was the first version that
supported signing subkeys for checking signatures:

  GPG (but not PGP) can now generate subkeys for signing.  Until PGP
  8.1, PGP had no support for this, and could not verify signatures made
  with such a signing subkey.

So, I assume that there was a version 8.0 which doesn't support them.  I
wonder when version 8.1 was released.

  * One can include any number of sub keys into a key, right?  I ask
because I recall reading that there was/is some problem with key
servers and sub keys.
 
 PKS keyservers (pre version  0.9.6) had a bug that mangled keys with
 multiple subkeys.

Hm, as far as I understand it, public key servers exchange updates among
each other, in oder to stay synchronized.  Consider the following
example:

  I upload a key to server A, from there it goes to server B and
  finally it arrives at server C: A-B-C.

Now what would happen if that key contains a signature sub key and
server B runs a pre 0.9.6 PKS version?  Would the key end up in a
mangled state on B and C?  Could the mangled key propagate back to A?

  If there is any good documentation on sub keys, aside from technical
  specifications (such as RFC 2440), then please let me know.
 
 Adrian von Bidder wrote an excellent tutorial on subkeys at
 http://fortytwo.ch/gpg/subkeys.

I recall finding it on the web some time ago, but I didn't read it.  I
better do that now.

BTW, there's another little question I forgot to raise in my first
message:

  In his FAQ, Tom McCune uses the expression 4096/2048 RSA to refer to
  a 2048 bit master key with a 4096 bit encryption sub key.  Is this a
  general convention?  I.e. does foo Y/X, in general, refer to an X
  bit master key of type foo with an Y bit sub key for encryption?

[1] http://www.mccune.cc/PGPpage2.htm

-- 
Felix E. Klee

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

OpenPGP card: What RSA problems? Why not for key signing?

[Felix E. Klee]

I consider creating a new master key: My old one wasn't stored securely
in the past and it has been rarely used.  This new key I want to
generate on a system with a temporary fresh LINUX install and upload it
to two Smartcards (one is for backup).  Now, the only thing that's
preventing me from doing this are the following paragraphs that I found
in The GnuPG Smartcard HOWTO (How to use the Fellowship Smartcard):

  The card does not support DSA keys. Even if you are using a RSA key
  you might encounter problems. The cards available at the moment only
  support 1024 bit keys.

  The suggestion is to use the key on the card only for signing and
  decrypting but NOT for key signing.

This calls for some questions:

* What are those problems that one may encounter with RSA?

* Why should the key on the card not be used for key signing?

* Is there any advantage in using a DSA master key (not supported by the
  OpenPGP card, I know) instead of an RSA master key?

* What's the best tool for generating the 1024 bit RSA key?  Should I
  simply use plain gpg --gen-key --no-random-seed-file or should the
  key be generated on card, or does it not really matter?

PS: Of course, I will use a subkey with limited lifetime for everyday
use, and I'll store this key on a third card.

-- 
Felix E. Klee

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg: OpenPGP card not available: Assuan server fault

[Felix E. Klee]

At Mon, 13 Feb 2006 14:47:51 +0100,
Werner Koch wrote:
  As I'm at it, a minor complaint: In order to get the gpg2 binary, I
  had to do:
 
 You shall not build gpg2.  Configure does not enable this option for a
 reason.  Use gpg 1.4.2 (or the cvs version) for OpenPGP.  This is
 stated at several places.

But I don't want to do OpenPGP: I want to do SSH with the OpenPGP card.
I roughly followed the howto behind the following URL:

  http://cyphertext.de/ssh-openpgpcard-howto.txt

This howto mentions the use of gpg2.

-- 
Felix E. Klee

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

gpg: OpenPGP card not available: Assuan server fault

[Felix E. Klee]

 card not available: Assuan server fault

* Auxiliary packages:

  libgpg-error 1.1
  libgcrypt 1.2.2
  libassuan 0.6.10
  libksba 0.9.13
  pth 2.0.6

-- 
Felix E. Klee

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Pinpad on SPR532 isn't used

[Felix E. Klee]

At Thu, 25 Aug 2005 15:24:03 +0200,
Joerg Schmitz-Linneweber wrote:
  After installing GNUPG 1.4.2, I can now access my OpenPGP smartcards
  (bought at Kernelconepts) using my SPR532 reader.  However, the
  pinpad of the reader is not used.  An example: ...
 
 If you browse through the archives of this group you'll find that
 there *is* no keypad support for _any_ card reader (until now).
 
 The documentation also always states that it *would be possible* to
 integrate support for pinpads...

Well, then the document How to use the Fellowship Smartcard - The GnuPG
Smartcard HOWTO from March 5th, 2005 needs to be corrected.  Quote:

  SCM Microsystems SPR532
  
  This is a USB (CCID)/serial reader with a numerical keypad and three
  extra buttons. The pinpad may be used to securely enter the PIN
  without using the attached computer. Only USB has been tested.

Anyway, does this lack of pinpad support apply to *any* driver or only
to the internal CCID one?
  
-- 
Felix E. Klee

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Pinpad on SPR532 isn't used

[Felix E. Klee]

After installing GNUPG 1.4.2, I can now access my OpenPGP smartcards
(bought at Kernelconepts) using my SPR532 reader.  However, the pinpad
of the reader is not used.  An example:

  ~ gpg --card-edit
  gpg: WARNING: using insecure memory!
  gpg: please see http://www.gnupg.org/faq.html for more information
  
  Application ID ...: D276000124010101000105B6
  Version ..: 1.1
  Manufacturer .: PPC Card Systems
  Serial number : 05B6
  Name of cardholder: [not set]
  Language prefs ...: de
  Sex ..: unspecified
  URL of public key : [not set]
  Login data ...: [not set]
  Private DO 1 .: [not set]
  Private DO 2 .: [not set]
  Signature PIN : forced
  Max. PIN lengths .: 254 254 254
  PIN retry counter : 3 3 3
  Signature counter : 0
  Signature key : [none]
  Encryption key: [none]
  Authentication key: [none]
  General key info..: [none]
  
  Command passwd
  gpg: OpenPGP card no. D276000124010101000105B6 detected
  
  PIN
  Enter PIN: [Here I have to enter my PIN via my computer's keyboard]

The version of the reader's firmware is 5.05 IIRC.  

What may be the reason for the problem?

-- 
Felix E. Klee

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Changing the email address on an existing key...how? Should I?

[Felix E. Klee]

At Fri, 22 Jul 2005 16:32:25 -0700,
mweisler wrote:
 What is good practice in this regard and where might I read more about
 it?

You could create a new identity and, optionally, revoke the old one.
Read more about it in the GNU Privacy Handbook.  Also, keep in mind
that, if your key is very old already, chances are that it's private
part may have been stolen at some point during its life time, unless you
have handled it very carefully.  If you're worried about this, you may
want to create a new key.

-- 
Felix E. Klee

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: PGP and Smartcards?

[Felix E. Klee]

At Fri, 22 Jul 2005 22:42:20 +0200,
Zeljko Vrba wrote:
 Felix, if you wish to finish the applet yourself, I can help you a bit
 with the existing code, if you need help.

Right at the moment, I also have time problems ;-).  But I may be
interested to do that in the near future.

-- 
Felix E. Klee

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

PGP and Smartcards?

[Felix E. Klee]

I'd like to do PGP with a Smartcard that contains my main private key (I
want to go for 2048 RSA, it should last for about five years) and
subkeys (they should each last for about six months).  I didn't buy a
smart card for this purpose yet, and before I go ahead, I'd like to get
some questions answered:

* Can I use GnuPG for signing and decryption with a smart card and 2048
  bit RSA keys?  What limitations do I have to expect, if any?

* Personally, I currently favor the Axalto Cryptoflex 32k.  But is there
  any card that you recommend? (I know that there's the OpenPGP card but
  it only supports keys up to 1024 bits - not an option.)

* Why was OpenSC removed with development version 1.9.17 of GnuPG?  From
  a software developer's point of view it just doesn't make sense to
  ditch an existing and supposedly well working library that provides a
  standardized interface (PKCS#11) and whose license (LGPL) is compliant
  with the license of the GnuPG.

* If not GnuPG, what free software alternatives are there for doing PGP
  signing and decryption with a smart card?

-- 
Felix E. Klee

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

PGP and Smartcards?

[Felix E. Klee]

I'd like to do PGP with a Smartcard that contains my main private key (I
want to go for 2048 RSA, it should last for about five years) and
subkeys (they should each last for about six months).  I didn't buy a
smart card for this purpose yet, and before I go ahead, I'd like to get
some questions answered:

* Can I use GnuPG for signing and decryption with a smart card and 2048
  bit RSA keys?  What limitations do I have to expect, if any?

* Personally, I currently favor the Axalto Cryptoflex 32k.  But is there
  any card that you recommend? (I know that there's the OpenPGP card but
  it only supports keys up to 1024 bits - not an option.)

* Why was OpenSC removed with development version 1.9.17 of GnuPG?  From
  a software developer's point of view it just doesn't make sense to
  ditch an existing and supposedly well working library that provides a
  standardized interface (PKCS#11) and whose license (LGPL) is compliant
  with the license of the GnuPG.

* If not GnuPG, what free software alternatives are there for doing PGP
  signing and decryption with a smart card?

-- 
Felix E. Klee

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users