Re: gnupg SmartCard V3.3
On Thu, 1 Mar 2018 10:08, k...@glsys.de said: > i found this ct 2017-10 (german computer magazine) Article, > where they claim the reader to be working with the openpgp smartcard Version > 2.1 > by transfering precreated 4096-Bit keys. This is exactly what i am Well most drivers work on Windows because they fix them using their Windows drivers. This does not work on Linux because tehre is no generic (and proprietary) driver for them. > So either i am doing something stupid or the V3.3 card incorporated changes > which broke this. > I ordered another reader and asked if it would be possible do buy some > 2.1 cards for cross-tersting, but it seems they would have to be The interface part of the 3.3 cards is not different from the 2.1 cards; the chnages are just in the OpenPGP card application which counterpart is in GnuPG. > Can anybody suggest how i could further debug the --card-edit and > --card-status to find out why the stubs are not being generated? Now, are you on 2.1.11 or 2.2.3? Salam-Shalom, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. pgpftlrIq01UK.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg SmartCard V3.3
Thank you all for the support! The mail about needing support for the V3.3 cards in opensc pointed me in the right direction. I relied on the information that the V3.3 is backwards compatible to the V2.1 but this does not seem to be the case. Compiling a fresh gpg 2.2.5 with --enable-ccid-driver from source did the trick for the linux machines. Kind Regards, Klaus Römer signature.asc Description: Message signed with OpenPGP ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg SmartCard V3.3
Hello Klaus, On Thursday, 01 March 2018 10:08:14 CET Klaus Römer wrote: > This is my target device because it is build-in in our Laptops, > i found this ct 2017-10 (german computer magazine) Article, > where they claim the reader to be working with the openpgp smartcard Version > 2.1 by transfering precreated 4096-Bit keys. This is exactly what i am > tring to do - and it seems to work, only the stub keys are not being > generated… > > So either i am doing something stupid or the V3.3 card incorporated changes > which broke this. I ordered another reader and asked if it would be > possible do buy some 2.1 cards for cross-tersting, but it seems they would > have to be manufactured as they are out of stock. Today I'm also setting up a bunch of V3.3 cards. There is indeed a problem: OpenSC added support for the new cards just in the current git HEAD version. See: https://github.com/OpenSC/OpenSC/issues/1215 -> we compiled opensc from git on Fedora now are able to talk to the card. You might be affected by this if gnupg talks to the card via opensc instead of the builtin libusb based CCID driver. (that's what NIIBE Yutaka suspected in his reply) HTH, Thomas ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg SmartCard V3.3
> Am 28.02.2018 um 15:56 schrieb Werner Koch: > > On Tue, 27 Feb 2018 01:04, k...@glsys.de said: > >> gpg2 --version is 2.1.11 > > That is a pretty old an somewhat buggy version which will likely have > problems with newer smartcards. > >> Tried gpg (GnuPG/MacGPG2) 2.2.3 >> on a completely different machine (mac) > > That version is recent enough and as long as macOS is properly > configured for the card it will work. You maywant to ask over at > gpgtools.org, though. > >> Tried three different card-reader: >> - Cherry GmbH SmartBoard XX44 > > IIRC that is the old Omnikey reader based keyboard. I have one myself. > It does not work with 2048 bit keys unless you use their Windows driver. > >> - KOBIL EMV CAP - SecOVID Reader III > > I am not sure which reader this is, I had to dump my Kobil reader a logn > time ago wehn I moved to 2048 bit keys. The problem is slightly > different than with Omnicard keys but I can't remember the details. > >> - Alcor Micro AU9540 00 00 > > I am not sure about them. Quite some time ago they simply did not worked. This is my target device because it is build-in in our Laptops, i found this ct 2017-10 (german computer magazine) Article, where they claim the reader to be working with the openpgp smartcard Version 2.1 by transfering precreated 4096-Bit keys. This is exactly what i am tring to do - and it seems to work, only the stub keys are not being generated… So either i am doing something stupid or the V3.3 card incorporated changes which broke this. I ordered another reader and asked if it would be possible do buy some 2.1 cards for cross-tersting, but it seems they would have to be manufactured as they are out of stock. Can anybody suggest how i could further debug the --card-edit and --card-status to find out why the stubs are not being generated? Kind Regards, Klaus > > @gniibe: Do you have any more up to date information on macOS and > smartcard readers? > > > Shalom-Salam, > > Werner > > -- > # Please read: Daniel Ellsberg - The Doomsday Machine # > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: gnupg SmartCard V3.3
El día Thursday, March 01, 2018 a las 09:14:15AM +0900, NIIBE Yutaka escribió: > Hello, > > Werner Kochwrote: > > @gniibe: Do you have any more up to date information on macOS and > > smartcard readers? > > If possible, I recommend to use GnuPG's in-stock driver to access > smartcard. It is direct access by libusb, not using PC/SC service. > > For GNU/Linux, if you don't have any other use of PC/SC service, please > uninstall it, or disable the service, and try again with GnuPG's > in-stock driver. > > For the driver, I maintain this list: > > https://wiki.debian.org/GnuPG/CCID_Driver > > For macOS, I think that it still uses old PC/SC and libccid library. > I'm afraid that new readers (with new features like pinpad support) > don't work well, or don't work at all. > Hello, I do yous the following USB token ond FreeBSD-12 CURRENT and the 'pcscd' is configured to be started by devd on device attach: Mar 1 08:00:56 r314251-amd64 kernel: ugen0.2: at usbus0 Mar 1 08:00:56 r314251-amd64 root: CCID uTrust, type: ATTACH, system: USB, subsystem: INTERFACE Mar 1 08:00:56 r314251-amd64 root: /usr/local/sbin/pcscd Mar 1 08:00:56 r314251-amd64 root: Unknown USB device: vendor 0x04e6 product 0x5816 bus uhub0 The OpenPGP card works fine as: $ gpg2 --card-status Reader ...: Identiv uTrust 3512 SAM slot Token (55511514602745) 00 00 Application ID ...: D2760001240102010005532B Version ..: 2.1 Manufacturer .: ZeitControl Serial number : 532B Name of cardholder: Matthias Apitz ... Do I have any chance to use the USB token and the card directly without 'pcscd'? Thanks matthias -- Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: gnupg SmartCard V3.3
Hello, Werner Kochwrote: > @gniibe: Do you have any more up to date information on macOS and > smartcard readers? If possible, I recommend to use GnuPG's in-stock driver to access smartcard. It is direct access by libusb, not using PC/SC service. For GNU/Linux, if you don't have any other use of PC/SC service, please uninstall it, or disable the service, and try again with GnuPG's in-stock driver. For the driver, I maintain this list: https://wiki.debian.org/GnuPG/CCID_Driver For macOS, I think that it still uses old PC/SC and libccid library. I'm afraid that new readers (with new features like pinpad support) don't work well, or don't work at all. I need macOS developers who build GnuPG with libusb. Currently, GnuPG scdaemon uses PC/SC service on macOS and Windows. On GNU/Linux, people can use both ways (in-stock driver or PC/SC). > - Cherry GmbH SmartBoard XX44 02 Short APDU level exchange Because of this limitation, this reader cannot handle larger APDU (~= packet), which is needed for recent RSA key size. You can still use it with RSA-1024. > - KOBIL EMV CAP - SecOVID Reader III bPINSupport: 0x03 PIN Verification supported PIN Modification supported I'm afraid it doesn't work on macOS. > - Alcor Micro AU9540 00 00 I had a bug report with this reader: https://dev.gnupg.org/T1947 I think it now works fine by GnuPG's in-stock driver on GNU/Linux. Please test. It seems that this reader has a problem in PC/SC service, and it's not supported by PC/SC-lite + libccid. https://pcsclite.alioth.debian.org/ccid/unsupported.html#0x058F0x9540 * * * Supporting users' freedom on computing (for their privacy in digital world), I need have/collect/maintain knowledge of those hardware. But... when there is a problem, it tends to be because of bad firmware implementation, which is proprietary. In the proprietary world, the practice is... to be "fixed" in the proprietary driver (than the firmware). But that "fix" has tendency not to be published to users or developers of free software. For me, it's a pity that I somehow need to have knowledge around those proprietary firmware. Perhaps, someday, in free software, I will write CCID reader implementation which accesses smartcard, by free software (I mean, development environment), for free software (= GnuPG maintenance); Then, we can proceed to free firmware of smartcard itself. # About ten years ago, I didn't take that approach but a short cut, that # was Gnuk. The reason was that it was difficult to find hardware # vendors which allowed developing free firmware implementation of # smartcard. Having free CCID reader implementation still makes sense, to encourage free firmware implementation of smartcard. I'd like to work for some part this year. -- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: gnupg SmartCard V3.3
On Tue, 27 Feb 2018 01:04, k...@glsys.de said: > gpg2 --version is 2.1.11 That is a pretty old an somewhat buggy version which will likely have problems with newer smartcards. > Tried gpg (GnuPG/MacGPG2) 2.2.3 > on a completely different machine (mac) That version is recent enough and as long as macOS is properly configured for the card it will work. You maywant to ask over at gpgtools.org, though. > Tried three different card-reader: > - Cherry GmbH SmartBoard XX44 IIRC that is the old Omnikey reader based keyboard. I have one myself. It does not work with 2048 bit keys unless you use their Windows driver. > - KOBIL EMV CAP - SecOVID Reader III I am not sure which reader this is, I had to dump my Kobil reader a logn time ago wehn I moved to 2048 bit keys. The problem is slightly different than with Omnicard keys but I can't remember the details. > - Alcor Micro AU9540 00 00 I am not sure about them. Quite some time ago they simply did not worked. @gniibe: Do you have any more up to date information on macOS and smartcard readers? Shalom-Salam, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. pgpw4K8cDI0C4.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg SmartCard V3.3
Hello Klaus, On Tuesday, 27 February 2018 01:04:27 CET Klaus Römer wrote: > i bought two V3.3 cards, but can`t get them to work … > the keytocard command does not move the key but copy it and further on the > gpg2 --card-status -> fetch followed by gpg2 --card-status does not create > the stub keys, so gpg2 --list-secret-keys does not show any keys ... I have > the same (rsa4096) sub-key loaded to each slot 1,2,3 eg SEA and card-status > does show them … gpg2 --version is 2.1.11 > > > I did further tests by calling gpg2 —card-edit -> generate with keylength > 2048 and 4096 which fail with „card-error“ > > Tried gpg (GnuPG/MacGPG2) 2.2.3 > on a completely different machine (mac) > > Tried the other card (i bought two with consecutive serial numbers) > > Tried three different card-reader: > - Cherry GmbH SmartBoard XX44 > - KOBIL EMV CAP - SecOVID Reader III > - Alcor Micro AU9540 00 00 > > Can anybody help? I just tested an openpgp card V3.3 with a Cherry ST-2000 card reader and a Reiner cyberJack Go. It successfully created keys on the card and after a "factory-reset" command it also moved an existing key to the card just fine. Signing and decryption worked, too. Same thing with a V2.1 openpgp card. All tests have been done on a Fedora 27 live USB stick using gnupg 2.2.4. May be try on a non-Mac computer to see if this is the issue? If you want to give the Fedora 27 live CD a try, it might be good to update the included gnupg 2.2.0 to 2.2.4 before starting: dnf update -y gnupg2 libassuan libgcrypt libgpg-error Optionally: If you want "paperbackup" on the live system: dnf install -y git python3 python3-pillow PyX python3-qrencode enscript ghostscript zbar git clone https://github.com/intra2net/paperbackup.git See https://github.com/intra2net/paperbackup With the Fedora live CD, all operations are done on a ramdisk. Just remember to unplug the network cable once you start the key generation process :) HTH, Thomas -- Don't send emails here: jeffer...@intra2net.com ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Fwd: gnupg SmartCard V3.3
Hello, i bought two V3.3 cards, but can`t get them to work … the keytocard command does not move the key but copy it and further on the gpg2 --card-status -> fetch followed by gpg2 --card-status does not create the stub keys, so gpg2 --list-secret-keys does not show any keys ... I have the same (rsa4096) sub-key loaded to each slot 1,2,3 eg SEA and card-status does show them … gpg2 --version is 2.1.11 I did further tests by calling gpg2 —card-edit -> generate with keylength 2048 and 4096 which fail with „card-error“ Tried gpg (GnuPG/MacGPG2) 2.2.3 on a completely different machine (mac) Tried the other card (i bought two with consecutive serial numbers) Tried three different card-reader: - Cherry GmbH SmartBoard XX44 - KOBIL EMV CAP - SecOVID Reader III - Alcor Micro AU9540 00 00 Can anybody help? Kind Regards, Klaus ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users