Re: No SSH public key authentication using smartcard

2023-11-28 Thread Stephan Verbücheln via Gnupg-users
To my knowledge, no (explicit) agent forwarding is required for
ProxyJump configurations.

I am using the following configuration to access a LAN machine over the
Internet. Both machines use the GnuPG key for authentication.

Host rdeep
HostName 192.168.1.151
ProxyJump verbuecheln.ch
IdentityAgent ${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh

This also works when the Internet connection is using IPv6 and the LAN
connection is using IPv4. SSH takes care of these things transparently.

Regards
Stephan



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: No SSH public key authentication using smartcard

2023-11-28 Thread Jacob Bachmeyer via Gnupg-users

Thomas wrote:

Hi,
this is exactly what I thought.
However, there's no solution for it.

Let me repeat my comments posted previously to get an overview what is 
working...
Actually I have a working setup on Windows 10, but here I use another 
terminal emulator: MobaXterm.

And in the settings of MobaXterm I enabled SSH forwarding.
As of now I don't want to continue using MobaXterm on Windows 11, but
using Windows Terminal.
I can run ssh-add.exe -L in Windows PowerShell and get the correct SSH 
public key fetched from secure card.


If you are using a Windows port of OpenSSH, try "ssh.exe -o ForwardAgent=yes 
JUMPHOST" and see if that makes your local SSH agent available at the 
jumphost.  As I do not use Windows, I do not know where that Windows 
port would expect to find its configuration file.



-- Jacob



Re: No SSH public key authentication using smartcard

2023-11-27 Thread Thomas via Gnupg-users

Hi,
this is exactly what I thought.
However, there's no solution for it.

Let me repeat my comments posted previously to get an overview what is 
working...
Actually I have a working setup on Windows 10, but here I use another 
terminal emulator: MobaXterm.

And in the settings of MobaXterm I enabled SSH forwarding.
As of now I don't want to continue using MobaXterm on Windows 11, but
using Windows Terminal.
I can run ssh-add.exe -L in Windows PowerShell and get the correct SSH 
public key fetched from secure card.



THX


On 28.11.23 at 03:53, Jacob Bachmeyer wrote:

Thomas via Gnupg-users wrote:

Hello Stephan,

thanks for your reply.

When you say I should modify ~/.ssh/config, where is this file?
On jumphost?


You need to configure SSH agent forwarding on your client, which will 
provide access to your local SSH agent at the jumphost via the SSH 
connection between your client and the jumphost.  Since you are using 
a Windows client, ~/.ssh/config may not be relevant to your 
configuration.



-- Jacob





Re: No SSH public key authentication using smartcard

2023-11-27 Thread Jacob Bachmeyer via Gnupg-users

Thomas via Gnupg-users wrote:

Hello Stephan,
 
thanks for your reply.
 
When you say I should modify ~/.ssh/config, where is this file?

On jumphost?


You need to configure SSH agent forwarding on your client, which will 
provide access to your local SSH agent at the jumphost via the SSH 
connection between your client and the jumphost.  Since you are using a 
Windows client, ~/.ssh/config may not be relevant to your configuration.



-- Jacob



Re: No SSH public key authentication using smartcard

2023-11-27 Thread Thomas via Gnupg-users

Hello Stephan,

thanks for your reply.

When you say I should modify ~/.ssh/config, where is this file?
On jumphost?

Actually I have a working setup on Windows 10, but here I use another
terminal emulator: MobaXterm.
And in the settings of MobaXterm I enabled SSH forwarding.

As of now I don't want to continue using MobaXterm on Windows 11, but
using Windows Terminal.

Please note that I have not installed git for windows [1], which includes 
the tool "Git BASH"; I don't think that this additional terminal is required 
to use SSH.


I can run ssh-add.exe -L in Windows PowerShell and get the correct SSH 
public key fetched from secure card.


But once connected to jumphost, all SSH relevant information is 
unavailable.


THX

On 2023-11-25 12:30, Stephan Verbücheln via Gnupg-users wrote:


Coincidentally, I have a similar setup. Fortunately, you do *not* need
Agent Forwarding for authentication via jump hosts.

The entry for your host (in "~/.ssh/config") for this host should look
something like this:

Host myalias
HostName myserver.com
ProxyJump jumpserver.net
IdentityAgent %d/.gnupg/S.gpg-agent.ssh

There may be some Windows-specific pitfalls. Perhaps you have to be
careful with the line breaks (Unix versus Windows convention) in the
configuration files.

Regards
Stephan




Links:
--
[1] https://gitforwindows.org/


Re: No SSH public key authentication using smartcard

2023-11-25 Thread Bernd Naumann
On 25.11.23 13:24, Thomas Schneider via Gnupg-users wrote:
> Hello Stephan,
> 
> thanks for your reply.
> 
> When you say I should modify ~/.ssh/config, where is this file?
> On jumphost?
> 
> Actually I have a working setup on Windows 10, but here I use another
> terminal emulator: MobaXterm.
> And in the settings of MobaXterm I enabled SSH forwarding.
> 
> As of now I don't want to continue using MobaXterm on Windows 11, but
> using Windows Terminal.

Hey Stephan,

I can not answer where to find that file on windows, but the first hit
with google: https://stackoverflow.com/a/56536275

You can also set these options directly on the command line:
```
ssh -o IdentityAgent='%d/.gnupg/S.gpg-agent.ssh' \
    -o ProxyJump=jumpserver.example.net targethost.example.org
```

I'm not sure if you really have to set the IdentityAgent if your GPG and
SSH Agent Socket is setup correctly...

Do you see something with `ssh-add -L`? If yes, then you should not have
a need to set IdentityAgent for a Host. (Only if you have multiple
Agents or you have to specify it only for certain hosts etc etc but if
its your only Agent and you have no special requirements, then just
leave it out IF `ssh-add -L` shows you the key from your card.)

Good luck,
Bernd



Re: No SSH public key authentication using smartcard

2023-11-25 Thread Thomas via Gnupg-users

Hello Stephan,

thanks for your reply.

When you say I should modify ~/.ssh/config, where is this file?
On jumphost?

Actually I have a working setup on Windows 10, but here I use another 
terminal emulator: MobaXterm.

And in the settings of MobaXterm I enabled SSH forwarding.

As of now I don't want to continue using MobaXterm on Windows 11, but 
using Windows Terminal.


THX

On 25.11.23 at 12:30, Stephan Verbücheln via Gnupg-users wrote:

Coincidentally, I have a similar setup. Fortunately, you do *not* need
Agent Forwarding for authentication via jump hosts.

The entry for your host (in “~/.ssh/config”) for this host should look
something like this:

Host myalias
HostName myserver.com
ProxyJump jumpserver.net
IdentityAgent %d/.gnupg/S.gpg-agent.ssh

There may be some Windows-specific pitfalls. Perhaps you have to be
careful with the line breaks (Unix versus Windows convention) in the
configuration files.

Regards
Stephan







Re: No SSH public key authentication using smartcard

2023-11-25 Thread Thomas Schneider via Gnupg-users

Hello Stephan,

thanks for your reply.

When you say I should modify ~/.ssh/config, where is this file?
On jumphost?

Actually I have a working setup on Windows 10, but here I use another 
terminal emulator: MobaXterm.

And in the settings of MobaXterm I enabled SSH forwarding.

As of now I don't want to continue using MobaXterm on Windows 11, but 
using Windows Terminal.


THX

On 25.11.23 at 12:30, Stephan Verbücheln via Gnupg-users wrote:

Coincidentally, I have a similar setup. Fortunately, you do *not* need
Agent Forwarding for authentication via jump hosts.

The entry for your host (in “~/.ssh/config”) for this host should look
something like this:

Host myalias
 HostName myserver.com
 ProxyJump jumpserver.net
 IdentityAgent %d/.gnupg/S.gpg-agent.ssh

There may be some Windows-specific pitfalls. Perhaps you have to be
careful with the line breaks (Unix versus Windows convention) in the
configuration files.

Regards
Stephan






Re: No SSH public key authentication using smartcard

2023-11-25 Thread Stephan Verbücheln via Gnupg-users
Coincidentally, I have a similar setup. Fortunately, you do *not* need
Agent Forwarding for authentication via jump hosts.

The entry for your host (in “~/.ssh/config”) for this host should look
something like this:

Host myalias
HostName myserver.com
ProxyJump jumpserver.net
IdentityAgent %d/.gnupg/S.gpg-agent.ssh

There may be some Windows-specific pitfalls. Perhaps you have to be
careful with the line breaks (Unix versus Windows convention) in the
configuration files.

Regards
Stephan


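Stephan's Host entries (the `myalias` block above and the `rdeep` block with the `${XDG_RUNTIME_DIR}` socket path at the top of the thread) and the Windows line-break pitfall he mentions, as an added example that is not code from the thread: a small Python resolver that applies ssh_config's first-match-wins rule, expands `%d` and `${NAME}` in IdentityAgent the way ssh does, and reports CRLF line endings instead of silently accepting them. The sample config, the home directory and the environment passed in are constructed; the check that the IdentityAgent socket exists is an extra diagnostic (on the machine running this demo the gpg-agent socket will not be there, so that warning is expected).

```python
"""Resolve an ssh_config Host entry of the kind used in this thread (ProxyJump
plus IdentityAgent pointing at gpg-agent's SSH socket) and flag CRLF line
endings.  Added example; not code from the thread.  SAMPLE_CONFIG, the home
directory and the environment are constructed."""
import fnmatch
import os
import shlex

# Constructed sample: the two Host entries from the thread plus a catch-all.
SAMPLE_CONFIG = """\
Host rdeep
    HostName 192.168.1.151
    ProxyJump verbuecheln.ch
    IdentityAgent ${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh

Host myalias
    HostName myserver.com
    ProxyJump jumpserver.net
    IdentityAgent %d/.gnupg/S.gpg-agent.ssh

Host *
    IdentityAgent none
"""


def has_crlf(text):
    """True when the file uses Windows (CRLF) line endings."""
    return "\r\n" in text


def parse_ssh_config(text):
    """Return [(host_patterns, {keyword: value}), ...] in file order.

    Keywords are lower-cased (ssh_config is case-insensitive) and both the
    'Key Value' and 'Key=Value' spellings are accepted.  Within one block the
    first occurrence of a keyword wins, as in ssh.  Negated '!' patterns are
    not handled here.
    """
    blocks, patterns, options = [], ["*"], {}
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if "=" in parts[0]:
            key, value = parts[0].split("=", 1)
            if len(parts) > 1:
                value += " " + parts[1]
        else:
            key = parts[0]
            value = parts[1] if len(parts) > 1 else ""
        key, value = key.lower(), value.strip()
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = shlex.split(value), {}
        else:
            options.setdefault(key, value)
    blocks.append((patterns, options))
    return blocks


def expand_tokens(value, home, env):
    """Expand what IdentityAgent accepts: ${NAME} from the environment,
    %d (the local home directory), %% and a leading ~."""
    for name, val in env.items():
        value = value.replace("${" + name + "}", val)
    value = value.replace("%%", "\0").replace("%d", home).replace("\0", "%")
    if value.startswith("~/"):
        value = home + value[1:]
    return value


def resolve_host(text, alias, home, env):
    """Resolve alias to its effective HostName, ProxyJump and IdentityAgent.

    ssh keeps the first value obtained for each keyword, so a specific
    'Host rdeep' block listed before 'Host *' overrides the wildcard.
    """
    effective, warnings = {}, []
    if has_crlf(text):
        warnings.append("CRLF line endings found; normalised before parsing")
    for patterns, options in parse_ssh_config(text):
        if any(fnmatch.fnmatchcase(alias.lower(), p.lower()) for p in patterns):
            for key, value in options.items():
                effective.setdefault(key, value)
    agent = effective.get("identityagent")
    if agent and agent.lower() != "none":
        agent = expand_tokens(agent, home, env)
        if not os.path.exists(agent):
            warnings.append("IdentityAgent socket %s does not exist; is "
                            "gpg-agent running with enable-ssh-support?" % agent)
    return {"hostname": effective.get("hostname", alias),
            "proxyjump": effective.get("proxyjump"),
            "identityagent": agent,
            "warnings": warnings}


if __name__ == "__main__":
    env = {"XDG_RUNTIME_DIR": "/run/user/1000"}     # constructed
    for alias in ("rdeep", "myalias"):
        print(alias, resolve_host(SAMPLE_CONFIG, alias, "/home/alice", env))
```

Running it against a config saved from a Windows editor shows the CRLF warning alongside the resolved values, which is the quickest way to confirm that a ProxyJump alias really picks up the gpg-agent socket before blaming agent forwarding.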


No SSH public key authentication using smartcard

2023-11-25 Thread Thomas via Gnupg-users

Hello,
I'm trying to configure a solution for this use case:
SSH                  SSH
Client                >    Jumphost    >    Server
(Windows 11)           (Linux)              (Linux)

I connect a Nitrokey security-token (that is comparable to Yubikey) with 
OpenPGP keys to my client.

And I want to use this Nitrokey for SSH login to remote servers.

For this I installed GPG4Win on my client and configured file 
gpg-agent.conf:

enable-ssh-support
# To enable support for PuTTY
enable-putty-support
# To enable support for the native Microsoft OpenSSH binaries (requires
# gpg 2.4.0 / Gpg4win 4.1.0 or higher)
enable-win32-openssh-support
use-standard-socket
default-cache-ttl 600
max-cache-ttl 7200

Then I  (re-) start the gpg-agent and try to SSH into the Jumphost using 
command ssh  in Windows PowerShell.
Here I get a popup window where I must enter the PIN previously set on 
Nitrokey.

After this I'm connected to the jumphost (Linux).

Now I want to connect to the server using command ssh , 
however I need to enter a password.

This means public key authentication fails.
And I think this fails because SSH agent forwarding is not working.

Can you please advise how to configure SSH agent forwarding in my setup correctly?

THX
Thomas



Question about redundant smartcard setup

2022-08-19 Thread kho via Gnupg-users

  
  
Hi,

Recently I have been working with GPG and 2 smartcards (Yubikey).
Despite some information here and there on the internet, some things are
still not clear to me.

My setup has 1 master key with 6 subkeys, twice 3 keys for different
purposes(A,E,S). So each smartcard will receive 3 keys. It works fine
with Thunderbird and also with other tools: passwordstore (unix pass).

Here some questions about particular situations:

1. In the passwordstore, I encrypted a few passwords, which are in fact
just GPG files that store the passwords. When I want to decrypt them
with the Yubikey, I receive the message: Please insert card with serial
number. But what if I don't have that smartcard2 at hand? And how do I
know that smartcard1 then really works , if it is never asked to insert
smartcard1? I found a way to encrypt with smartcard1 via the option: -r
! . Smartcard1 seems to work fine. But then
the question remains, suppose GPG asks for smartcard2 and smartcard2 is
stolen. I can only provide smartcard1 and GPG asks for smartcard2. What
to do?

2. Then some people suggest to use a different master key, but the goal
was that both smartcards back each other up, in case one is broken. So
that idea is not going to work, correct?

3. Also with different master keys, if I have sent a bunch of e-mails
with smartcard1 and smartcard2. When one of the smartcards is broken, I
will not be able to open those e-mails with the working smartcard?

4. Another approach is that I could for example have created just 3
subkeys (not 6) and copied all 3 to smartcard1 and again to smartcard2.
I thought that having those subkeys separately is ideal, especially on an
occasion where smartcard2 is stolen. Then I revoke the smartcard2 subkeys
and keep on using the smartcard1 until I have ordered a new backup
smartcard. Because some e-mails are sent encrypted (not so many), am I
sure then when I revoke the subkey of smartcard2 that all e-mail will
open with smartcard1?

5. What is at the end the best way to set up 2 smartcards that can be
used in encryption, signing and decryption? And additionally both
smartcards should work, I have 2 smartcards for redundancy.

On internet there are many blogs etc, but they never deal with the
complete picture.

Thanks in advance for your help.

All the best!
 
  




Re: Question about redundant smartcard setup

2022-08-19 Thread kho via Gnupg-users
Yes, will do that. And the full chain from start to finish with a test
key. Deal.

On 8/19/22 16:25, Andrew Gallagher wrote:
> On 19 Aug 2022, at 17:17, kho  wrote:
>>
>> Thanks for this fast, complete and clear answer.
>>
>> I am going to see if I can still pick up somewhere or just remove all I
>> did and start all over by following your steps.
>
> Just a note of caution: since it is quite an involved process I would
> recommend keeping it as simple as possible at first, and trying it out
> with a test key before doing it in production. So long as you have a
> (tested!) offline backup you should be safe.
>
> A
>



Re: Question about redundant smartcard setup

2022-08-19 Thread Andrew Gallagher via Gnupg-users
On 19 Aug 2022, at 17:17, kho  wrote:
> 
> Thanks for this fast, complete and clear answer.
> 
> I am going to see if I can still pick up somewhere or just remove all I
> did and start all over by following your steps.

Just a note of caution: since it is quite an involved process I would recommend 
keeping it as simple as possible at first, and trying it out with a test key 
before doing it in production. So long as you have a (tested!) offline backup 
you should be safe.

A





Re: Question about redundant smartcard setup

2022-08-19 Thread kho via Gnupg-users
Thanks for this fast, complete and clear answer.

I am going to see if I can still pick up somewhere or just remove all I
did and start all over by following your steps.

This is the confirmation I needed! Thanks!

On 8/19/22 15:25, Andrew Gallagher wrote:
> On 19 Aug 2022, at 13:48, kho via Gnupg-users  wrote:
>> 5. What is at the end the best way to setup 2 smartcards that can be
>> used in encryption, signing and decryption? And additionally both
>> smartcards should work, I have 2 smartcards for redundancy.
> If you want the two smartcards to be redundant copies of each other, then 
> they MUST contain exactly the same key material. It is possible to generate 
> multiple signing/authentication subkeys that will be treated the same for 
> practical purposes, since most software will try each valid sig/auth-capable 
> (sub)key in turn during verification. There is no equivalent ability for 
> encryption subkeys, as clients will encrypt to only the most recent valid 
> encryption subkey. If you lose/break the smartcard with the only copy of an 
> encryption subkey then there is no way to recover.
>
> You can save the same key material to multiple smartcards using the gnupg 
> command line interface:
>
> 1. Run gnupg and follow the usual process for generating (sub)keys, but 
> “save” to save and exit before transferring subkeys to the smartcard. This 
> ensures that you have a copy on disk before continuing.
>
> 2. Run gnupg again and copy the subkey(s) to the card, but afterwards you 
> should say “quit” to exit *without* saving (not “save”). That way the subkeys 
> will not be deleted from disk and you can use them again.
>
> 3. Repeat step 2 for the second (third, fourth,…) smartcard. Only choose 
> “save” to save-and-exit after copying to the last smartcard, however be aware 
> that “last” in this context really means “last”. No take-backs.
>
> If you have to generate a new subkey for whatever reason (say you had to 
> revoke the previous one) you must follow a similar save/quit sequence, 
> remembering the order “run, generate, save, run, copy, quit, run, copy, quit, 
> … run, copy, save"
>
> To keep open the possibility of provisioning extra cards in the future, you 
> could back up your entire .gnupg directory to a secure offline storage medium 
> (such as an encrypted thumb drive) after generating the keys but before 
> transferring to smartcard(s). Or you could perform the whole process of 
> generating and managing your keys using a secure live system such as Tails 
> with an encrypted persistent partition (remembering to “quit” after copying 
> even the last time so that there is always a copy on disk). If you do either 
> of these you only need one smartcard, so long as you don’t mind waiting for a 
> replacement smartcard to arrive in the post if your original breaks.
>
> On any given machine, gnupg will only ask for one smartcard. You should 
> therefore consider one smartcard your working copy and one your emergency 
> backup (if you have multiple machines, you could assign different primary 
> cards to each machine). To force gnupg to ask for the other smartcard, you 
> can delete the stub `.key` files under ~/.gnupg/private-keys-v1.d (on 
> Linux/Mac, I forget the Windows equivalent). To work out which files to 
> delete, incant `gpg -K --with-keygrip` and note the “Keygrip” lines under the 
> three subkeys. Delete the corresponding `.key` files only, then plug in the 
> replacement smartcard and incant `killall gpg-agent; gpg --card-status` 
> (again Linux/Mac only). gnupg should now recognise the replacement card as 
> the primary, and will ask consistently for that one until you repeat the 
> process.
>
> A
>



Re: Question about redundant smartcard setup

2022-08-19 Thread kho via Gnupg-users
Of course, you are right. I could store it digitally on a encrypted disk
and even on paper. And like you say they are not really gone. Thanks for
the tip.

On 8/19/22 15:21, Werner Koch wrote:
> On Fri, 19 Aug 2022 14:48, kho said:
>
>> 4. Another approach is that I could for example have created just 3
>> subkeys (not 6) and copied all 3 to smartcard1 and again to smartcard2.
>> I thought that having those subkeys separately is ideal, especially on an
>> occasion where smartcard2 is stolen. Then I revoke the smartcard2 subkeys
> No need to.  Save a paper copy of the keys before you remove them from
> the disk.  If both cards are broken you can still type the keys in and
> create a new smartcard.  Exact procedures depend on your threat model.
>
>
> Salam-Shalom,
>
>Werner
>



Re: Question about redundant smartcard setup

2022-08-19 Thread Werner Koch via Gnupg-users
On Fri, 19 Aug 2022 14:48, kho said:

> 4. Another approach is that I could for example have created just 3
> subkeys (not 6) and copied all 3 to smartcard1 and again to smartcard2.
> I thought that having those subkeys separately is ideal, especially on an
> occasion where smartcard2 is stolen. Then I revoke the smartcard2 subkeys

No need to.  Save a paper copy of the keys before you remove them from
the disk.  If both cards are broken you can still type the keys in and
create a new smartcard.  Exact procedures depend on your threat model.


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Re: Question about redundant smartcard setup

2022-08-19 Thread Andrew Gallagher via Gnupg-users
On 19 Aug 2022, at 13:48, kho via Gnupg-users  wrote:
> 
> 5. What is at the end the best way to setup 2 smartcards that can be
> used in encryption, signing and decryption? And additionally both
> smartcards should work, I have 2 smartcards for redundancy.

If you want the two smartcards to be redundant copies of each other, then they 
MUST contain exactly the same key material. It is possible to generate multiple 
signing/authentication subkeys that will be treated the same for practical 
purposes, since most software will try each valid sig/auth-capable (sub)key in 
turn during verification. There is no equivalent ability for encryption 
subkeys, as clients will encrypt to only the most recent valid encryption 
subkey. If you lose/break the smartcard with the only copy of an encryption 
subkey then there is no way to recover.

You can save the same key material to multiple smartcards using the gnupg 
command line interface:

1. Run gnupg and follow the usual process for generating (sub)keys, but “save” 
to save and exit before transferring subkeys to the smartcard. This ensures 
that you have a copy on disk before continuing.

2. Run gnupg again and copy the subkey(s) to the card, but afterwards you 
should say “quit” to exit *without* saving (not “save”). That way the subkeys 
will not be deleted from disk and you can use them again.

3. Repeat step 2 for the second (third, fourth,…) smartcard. Only choose “save” 
to save-and-exit after copying to the last smartcard, however be aware that 
“last” in this context really means “last”. No take-backs.

If you have to generate a new subkey for whatever reason (say you had to revoke 
the previous one) you must follow a similar save/quit sequence, remembering the 
order “run, generate, save, run, copy, quit, run, copy, quit, … run, copy, save"

To keep open the possibility of provisioning extra cards in the future, you 
could back up your entire .gnupg directory to a secure offline storage medium 
(such as an encrypted thumb drive) after generating the keys but before 
transferring to smartcard(s). Or you could perform the whole process of 
generating and managing your keys using a secure live system such as Tails with 
an encrypted persistent partition (remembering to “quit” after copying even the 
last time so that there is always a copy on disk). If you do either of these 
you only need one smartcard, so long as you don’t mind waiting for a 
replacement smartcard to arrive in the post if your original breaks.

On any given machine, gnupg will only ask for one smartcard. You should 
therefore consider one smartcard your working copy and one your emergency 
backup (if you have multiple machines, you could assign different primary cards 
to each machine). To force gnupg to ask for the other smartcard, you can delete 
the stub `.key` files under ~/.gnupg/private-keys-v1.d (on Linux/Mac, I forget 
the Windows equivalent). To work out which files to delete, incant `gpg -K 
--with-keygrip` and note the “Keygrip” lines under the three subkeys. Delete 
the corresponding `.key` files only, then plug in the replacement smartcard and 
incant `killall gpg-agent; gpg --card-status` (again Linux/Mac only). gnupg 
should now recognise the replacement card as the primary, and will ask 
consistently for that one until you repeat the process.

A



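The last step Andrew describes above (and in the copy of his answer quoted earlier in the thread): list the subkeys with `gpg -K --with-keygrip`, find the matching `.key` files under `private-keys-v1.d`, and delete only the card stubs so that gnupg asks for the other smartcard. The following is an added example, not code from the thread or from GnuPG. It maps the keygrips to files and refuses to schedule a file for deletion unless it really is a stub; gpg-agent stores a card stub as an S-expression beginning with `(20:shadowed-private-key`, whereas on-disk keys begin with `(21:protected-private-key` or `(11:private-key`. The `gpg -K` listing and the demo GNUPGHOME (built in a temporary directory by `build_demo_home`) are constructed, and the script only reports what it would delete; the `killall gpg-agent; gpg --card-status` that follows is left to the operator.

```python
"""Work out which gpg-agent stub files to remove so that gnupg asks for the
other (redundant) smartcard, without touching real key material.
Added example; not code from the thread or from GnuPG.  SAMPLE_LISTING and
the demo GNUPGHOME are constructed."""
import os
import re
import tempfile

# gpg-agent writes a card stub as an S-expression that starts with this tag;
# real keys start with "(21:protected-private-key" or "(11:private-key".
STUB_MAGIC = b"(20:shadowed-private-key"

# Constructed `gpg -K --with-keygrip` output (made-up fingerprint and keygrips).
# The '>' after ssb marks a subkey whose secret part lives on a card.
SAMPLE_LISTING = """\
sec   ed25519 2022-08-19 [C]
      0123456789ABCDEF0123456789ABCDEF01234567
      Keygrip = 1111111111111111111111111111111111111111
uid           [ultimate] Test User <test@example.org>
ssb>  ed25519 2022-08-19 [S]
      Keygrip = 2222222222222222222222222222222222222222
ssb>  cv25519 2022-08-19 [E]
      Keygrip = 3333333333333333333333333333333333333333
ssb>  ed25519 2022-08-19 [A]
      Keygrip = 4444444444444444444444444444444444444444
"""

KEYGRIP_RE = re.compile(r"^\s*Keygrip = ([0-9A-F]{40})\s*$")


def subkey_keygrips(listing):
    """Keygrips of the ssb (subkey) records only; the sec (primary) key stays."""
    grips, record = [], None
    for line in listing.splitlines():
        if line[:3] in ("sec", "ssb"):
            record = line[:3]
            continue
        m = KEYGRIP_RE.match(line)
        if m and record == "ssb":
            grips.append(m.group(1))
    return grips


def is_card_stub(path):
    """True only for a shadowed stub; anything else is treated as real key material."""
    with open(path, "rb") as f:
        return f.read(len(STUB_MAGIC)) == STUB_MAGIC


def plan_stub_removal(listing, gnupghome):
    """Map each subkey keygrip to private-keys-v1.d/<KEYGRIP>.key and sort the
    files into stubs that may be deleted, real keys to keep, and missing ones."""
    keydir = os.path.join(gnupghome, "private-keys-v1.d")
    plan = {"delete": [], "keep": [], "missing": []}
    for grip in subkey_keygrips(listing):
        path = os.path.join(keydir, grip + ".key")
        if not os.path.exists(path):
            plan["missing"].append(path)
        elif is_card_stub(path):
            plan["delete"].append(path)
        else:
            plan["keep"].append(path)
    return plan


def build_demo_home():
    """Constructed GNUPGHOME: one card stub, one on-disk key, one file missing."""
    home = tempfile.mkdtemp(prefix="gnupg-demo-")
    keydir = os.path.join(home, "private-keys-v1.d")
    os.makedirs(keydir)
    files = {
        "2" * 40 + ".key": STUB_MAGIC + b"(3:ecc...))",            # stub, abbreviated
        "3" * 40 + ".key": b"(21:protected-private-key(3:ecc...))",  # real key on disk
    }
    for name, body in files.items():
        with open(os.path.join(keydir, name), "wb") as f:
            f.write(body)
    return home


if __name__ == "__main__":
    plan = plan_stub_removal(SAMPLE_LISTING, build_demo_home())
    for kind, paths in plan.items():
        for p in paths:
            print(kind, p)          # dry run: nothing is deleted here
```

The `keep` bucket is the important one: if a subkey's file is not a shadowed stub, the secret key is still on disk and deleting it would lose key material rather than just the pointer to a card.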


Question about redundant smartcard setup

2022-08-19 Thread kho via Gnupg-users
Hi,

Recently I have been working with GPG and 2 smartcards (Yubikey).
Despite some information here and there on the internet, some things are
still not clear to me.

My setup has 1 master key with 6 subkeys, twice 3 keys for different
purposes(A,E,S). So each smartcard will receive 3 keys. It works fine
with Thunderbird and also with other tools: passwordstore (unix pass).

Here some questions about particular situations:

1. In the passwordstore, I encrypted a few passwords, which are in fact
just GPG files that store the passwords. When I want to decrypt them
with the Yubikey, I receive the message: Please insert card with serial
number. But what if I don't have that smartcard2 at hand? And how do I
know that smartcard1 then really works , if it is never asked to insert
smartcard1? I found a way to encrypt with smartcard1 via the option: -r
! . Smartcard1 seems to work fine. But then
the question remains, suppose GPG asks for smartcard2 and smartcard2 is
stolen. I can only provide smartcard1 and GPG asks for smartcard2. What
to do?

2. Then some people suggest to use a different master key, but the goal
was that both smartcards back each other up, in case one is broken. So
that idea is not going to work, correct?

3. Also with different master keys, if I have sent a bunch of e-mails
with smartcard1 and smartcard2. When one of the smartcards is broken, I
will not be able to open those e-mails with the working smartcard?

4. Another approach is that I could for example have created just 3
subkeys (not 6) and copied all 3 to smartcard1 and again to smartcard2.
I thought that having those subkeys separately is ideal, especially on an
occasion where smartcard2 is stolen. Then I revoke the smartcard2 subkeys
and keep on using the smartcard1 until I have ordered a new backup
smartcard. Because some e-mails are sent encrypted (not so many), am I
sure then when I revoke the subkey of smartcard2 that all e-mail will
open with smartcard1?

5. What is at the end the best way to set up 2 smartcards that can be
used in encryption, signing and decryption? And additionally both
smartcards should work, I have 2 smartcards for redundancy.

On internet there are many blogs etc, but they rarely deal with the
complete picture.

Thanks in advance for your help.

All the best!




Re: OpenPGP smartcard and P-256 in non expert mode

2022-08-12 Thread Werner Koch via Gnupg-users
On Thu, 11 Aug 2022 17:25, Sosthène Guédon | Nitrokey said:

> That makes sense to me. However why offer curves not supported by the 
> hardware?

Because we can't know what curves a certain smartcard supports.  The
announcement of the card capabilities is a relatively new and optional
OpenPGP card feature and GnuPG shall still work with older cards.


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Re: OpenPGP smartcard and P-256 in non expert mode

2022-08-12 Thread Werner Koch via Gnupg-users
On Thu, 11 Aug 2022 14:58, Sosthène Guédon | Nitrokey said:

> I'm using gpg 2.2.36 and an OpenPGP smart card implementation we are
> currently developing.

You should better use the stable branch (2.3) instead of the LTS.


Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Re: OpenPGP smartcard and P-256 in non expert mode

2022-08-11 Thread Sosthène Guédon | Nitrokey via Gnupg-users

On 8/11/22 15:30, Ingo Klöcker wrote:

Only experts will be able to make an educated decision between P-256 and
P-384. It's good to give "normal" people less choice by default because more
choice will just confuse them even more. Even having to choose between
Curve25519 and P-384 will be too much already for people who just have been
told that they should generate an ECC key.


That makes sense to me. However why offer curves not supported by the hardware?

Regards,
Sosthène

--
Sosthène Guédon
Intern

Nitrokey GmbH
https://www.nitrokey.com
Email: sosth...@nitrokey.com

Rheinstr. 10 C, 14513 Teltow, Germany
CEO: Jan Suhr
Register: AG Potsdam, HRB 32882 P
VAT ID: DE300136599




Re: OpenPGP smartcard and P-256 in non expert mode

2022-08-11 Thread Ingo Klöcker
On Thursday, 11 August 2022 09:39:24 CEST Sosthène Guédon | Nitrokey via 
Gnupg-users wrote:
> I don't understand why generating a key on a smartcard only offers
> Curve25519 and P-384 for ECC cryptography unless the --expert flag is used.

You are asking the question the wrong way. Why should P-256 be offered without 
the --expert flag? It's not as if gpg wouldn't allow you to create a P-256 key.

Only experts will be able to make an educated decision between P-256 and 
P-384. It's good to give "normal" people less choice by default because more 
choice will just confuse them even more. Even having to choose between 
Curve25519 and P-384 will be too much already for people who just have been 
told that they should generate an ECC key.

Regards,
Ingo




Re: OpenPGP smartcard and P-256 in non expert mode

2022-08-11 Thread Sosthène Guédon | Nitrokey via Gnupg-users

Hi!


Please share your GnuPG version and the type of smartcard you are using
with us.  A 9 year old commit is not very helpful.


I'm using gpg 2.2.36 and an OpenPGP smart card implementation we are currently 
developing.

You're right, the commit itself isn't very helpful; here is the code that is 
relevant in the 2.2 branch:
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=g10/keygen.c;h=fee752376d28d7c7704336d681da8be92c4f22bc;hb=491645b50ec97db12520483d347291d660db209c#l2393
See the `expert_only` flag set to 1 for P-256. This was introduced in the 
commit I mentioned.

Regards,
Sosthène





Re: OpenPGP smartcard and P-256 in non expert mode

2022-08-11 Thread Werner Koch via Gnupg-users
Hi!

Please share your GnuPG version and the type of smartcard you are using
with us.  A 9 year old commit is not very helpful.


Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




OpenPGP smartcard and P-256 in non expert mode

2022-08-11 Thread Sosthène Guédon | Nitrokey via Gnupg-users

Hi!

I don't understand why generating a key on a smartcard only offers Curve25519 
and P-384 for ECC cryptography unless the --expert flag is used.
P-384 is offered even when the hardware key doesn't support it and other curves 
which the hardware supports are not offered which is confusing.
Why is the P-256 curve disabled by default? It seems deliberate in 
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=402aa0f94854bb00475c934be5ca6043a4632126
but I can't find any documentation on why that choice was made.

Thanks,
Sosthène

--
Sosthène Guédon
Intern

Nitrokey GmbH
https://www.nitrokey.com
Email: sosth...@nitrokey.com

Rheinstr. 10 C, 14513 Teltow, Germany
CEO / CEO: Jan Suhr
Register: AG Potsdam, HRB 32882 P
VAT ID / VAT ID: DE300136599




Re: Limit access to unlocked OpenPGP SmartCard?

2022-01-28 Thread Felix E. Klee
Well, I think I could extend my SPR332 [mod][1]:

  * Add a push-button that one has to press to close the C7 circuit for
    I/O.  Without that button pressed, the smart card cannot communicate
    with the reader.  That means, for every operation, one would need to
    hold that button, kind of – but not as elegantly – as with a
    YubiKey.

  * Using some electronics detect when the green PIN pad ✓-button is
    pressed to confirm PIN entry on the reader.  Let it trigger a timer
    that cuts I/O for good after a few minutes.

Very likely there are some issues that I don’t see at the moment.

[1]: https://github.com/feklee/0.332




Re: Limit access to unlocked OpenPGP SmartCard?

2022-01-28 Thread Felix E. Klee
Jacob Bachmeyer via Gnupg-users  writes:
>> After I unlock an OpenPGP SmartCard V2.1 in my SPR332 [mod][1], […]
>
> Does your smartcard reader have its own keypad for entering the PIN?

yes




Re: Limit access to unlocked OpenPGP SmartCard?

2022-01-27 Thread Jacob Bachmeyer via Gnupg-users

Felix E. Klee wrote:

> After I unlock an OpenPGP SmartCard V2.1 in my SPR332 [mod][1], I can
> use it to decrypt as many files as I want.  While this is convenient, it
> is not great if the system is compromised and I forget to unplug the
> card reader.
>
> Is there any way to limit how long the OpenPGP SmartCard remains
> unlocked?

Does your smartcard reader have its own keypad for entering the PIN?  If 
not and you are concerned about a possible system compromise, you have 
bigger problems, like the possibility for your smartcard PIN to be 
stolen as you enter it.  If you then leave the card in the reader, 
Mallory can abuse it at his leisure.  Even if you only insert the card 
when you intend its use, Mallory could plant malware that waits for the 
card to be inserted, then abuses it.



-- Jacob



Re: Limit access to unlocked OpenPGP SmartCard?

2022-01-27 Thread Felix E. Klee
On Thu, 27 Jan 2022 at 14:54, Matthias Apitz  wrote:
> gpgconf --reload scdaemon

Gotta try that, maybe execute it with a timer, better than nothing.

Best would be if the card itself could be configured to only do a
certain number of operations after being unlocked. I think everything
else is pretty much unsafe as well.

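The two approaches floated in this thread, re-locking the card right after each operation and re-locking it on a timer, can be combined in a small helper. The following is an added example written for this archive; it is not GnuPG code and not something posted in the thread. It assumes, as suggested above, that `gpgconf --reload scdaemon` makes scdaemon reset the card so that the next operation asks for the PIN again (scdaemon logs "re-reading configuration and resetting cards" on a reload); check on your own reader and card that the PIN prompt really comes back. The caveat raised above still applies: none of this helps against malware already on the host that simply waits for the next unlock.

```python
"""Re-lock an OpenPGP card after use, or after it has sat idle.

Added example, not GnuPG's own code.  "Locking" here means asking
scdaemon to reset the card via `gpgconf --reload scdaemon`, so the
verified-PIN state is gone and the next operation prompts again.
"""
import subprocess
import threading
from typing import Callable, Optional, Sequence

# The command the thread suggests for forcing a card reset.
RELOAD_SCDAEMON: Sequence[str] = ("gpgconf", "--reload", "scdaemon")


def reload_scdaemon() -> int:
    """Reset the card via scdaemon; returns gpgconf's exit status."""
    return subprocess.run(list(RELOAD_SCDAEMON), check=False).returncode


class CardIdleLock:
    """Run `lock` once no card use has been reported for `idle_seconds`.

    Call touch() after every card operation; each call restarts the
    countdown, like a screen locker's inactivity timer.
    """

    def __init__(self, idle_seconds: float,
                 lock: Callable[[], object] = reload_scdaemon) -> None:
        self.idle_seconds = idle_seconds
        self._lock = lock
        self._timer: Optional[threading.Timer] = None
        self._mutex = threading.Lock()
        self.lock_count = 0  # how often the idle timer has fired

    def touch(self) -> None:
        """The card was just used: (re)start the idle countdown."""
        with self._mutex:
            if self._timer is not None:
                self._timer.cancel()
            self._timer = threading.Timer(self.idle_seconds, self._fire)
            self._timer.daemon = True
            self._timer.start()

    def cancel(self) -> None:
        """Stop the countdown without locking (e.g. on clean shutdown)."""
        with self._mutex:
            if self._timer is not None:
                self._timer.cancel()
                self._timer = None

    def _fire(self) -> None:
        with self._mutex:
            self._timer = None
            self.lock_count += 1
        self._lock()


def decrypt_then_lock(path: str,
                      lock: Callable[[], object] = reload_scdaemon,
                      gpg: Sequence[str] = ("gpg", "--batch", "--quiet", "--decrypt")) -> bytes:
    """Decrypt one file with the card, then drop the PIN state at once.

    The lock runs in a finally block, so a failed decryption (wrong file,
    cancelled pinentry) cannot leave the card open either.
    """
    try:
        result = subprocess.run([*gpg, path], check=True, capture_output=True)
    finally:
        lock()
    return result.stdout


if __name__ == "__main__":
    import sys
    for file in sys.argv[1:]:
        sys.stdout.buffer.write(decrypt_then_lock(file))
```

Pick one model: either wrap every card operation in `decrypt_then_lock` (you type the PIN for every file, but the card is never left open), or keep one `CardIdleLock` around a long-running session and call `touch()` after each use so the card is reset after a few idle minutes.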


Limit access to unlocked OpenPGP SmartCard?

2022-01-27 Thread Felix E. Klee
After I unlock an OpenPGP SmartCard V2.1 in my SPR332 [mod][1], I can
use it to decrypt as many files as I want.  While this is convenient, it
is not great if the system is compromised and I forget to unplug the
card reader.

Is there any way to limit how long the OpenPGP SmartCard remains
unlocked?

[1]: https://github.com/feklee/0.332




Re: Error messages reconfiguring an OpenPGP smartcard

2021-09-28 Thread Borden via Gnupg-users
Thank you for the feedback and suggestions. As happens in most open source 
software, a few updates and weeks later, key regeneration worked just fine. So 
the error may have been some library mismatch.

Updating the beginner documentation with these debugging suggestions may divert 
some amateurs like me from bothering the list. I didn't come across these 
suggestions in my search. In fact, it may be worthwhile to update the code 
proper to suggest these debugging options when it throws general errors - since 
it's evident that the information I posted wasn't all that helpful in 
troubleshooting the problem.

With thanks,



Re: Error messages reconfiguring an OpenPGP smartcard

2021-09-27 Thread Werner Koch via Gnupg-users
On Sat,  4 Sep 2021 12:11, Borden said:

> According to gpg --card-status, I have an OpenPGP card v. 2.1 made by
> LogoEmail (that's not from whom I bought it, so I'm not sure if the

Note that re-configuring a card is only possible with certain cards; it
is an optional feature of the specification.  I don't know the card from
www.scardsolutions.com - you may want to ask them what they implement.

If gpg --card-status -v does not show any hints and you have the time,
you can add some debugging options:  Add these lines to
~/.gnupg/scdaemon.conf:

--8<---cut here---start->8---
log-file /some/where/scd.log
verbose
debug ipc,reader,cardio
--8<---cut here---end--->8---

and

  gpgconf --kill scdaemon

then try again and have a look at the log file.  We might be able to
help analyzing the log but we would see the PINs etc.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



Re: Error messages reconfiguring an OpenPGP smartcard

2021-09-24 Thread Bernhard Reiter
Hi Borden,

Am Samstag 04 September 2021 12:11:34 schrieb Borden via Gnupg-users:
>  Can I get some troubleshooting guidance to understand this output and why
> I cannot generate a new encryption key?

in general, increasing verbosity helps to understand better what is going on.

For most GnuPG command line tools, this means to add "--verbose" or the short 
form "-v" to the command line. A second "-v" will give you more data.
Then there is the group of "--debug" options which will give you even more 
insights. Check the documentation to see what they actually do.

(And be careful when posting that verbose information; it may contain sensitive 
parts if higher debug levels are used.)

Regards,
Bernhard



-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner



Error messages reconfiguring an OpenPGP smartcard

2021-09-04 Thread Borden via Gnupg-users
I've tried to follow the patchwork documentation to reconfigure my OpenPGP 
card, but rather than continue wasting time, I thought I'd reach out for help.

According to gpg --card-status, I have an OpenPGP card v. 2.1 made by LogoEmail 
(that's not from whom I bought it, so I'm not sure if the information is even 
correct).

I'm trying to follow 
https://gnupg.org/howtos/card-howto/en/smartcard-howto.html . I get to part 
3.3. When I type "generate" and enter the requested information, I get the 
following output after a brief pause:

gpg: signing failed: Invalid value
gpg: make_keysig_packet failed: Invalid value
Key generation failed: Invalid value

I've searched for these error messages and cannot find anything helpful. When I 
run gpg --card-status again, the signature and authentication keys seem to be 
updated, but the encryption key is not. Furthermore, General key info reads 
[none]. Again, if there's documentation to say whether this output is correct 
or not, I haven't found it in over two hours.

I'm on Debian testing, if that's relevant. Can I get some troubleshooting 
guidance to understand this output and why I cannot generate a new encryption 
key?

Also, I believe that, after generating the keys, I need to import them into my 
keyring. This isn't documented in the How-to, and it really should be. Could I 
get a brief explanation on how to do so if I don't generate an off-card backup 
of the encryption key?

With thanks,



Re: Smartcard Status Message Inconsistency

2021-08-19 Thread Werner Koch via Gnupg-users
Hi!

On Fri,  6 Aug 2021 18:36, Joey Berkovitz said:
> I was looking through the Smartcard commands and found that while most
> commands related to attribute changes output an SC_OP_SUCCESS, except for
> the name change command which doesn't output a success message on the
> status-fd.

Probably an oversight or laziness in 2009.  I just added this to master.
Thanks for reporting.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



Smartcard Status Message Inconsistency

2021-08-07 Thread Joey Berkovitz via Gnupg-users
Hi,

I was looking through the Smartcard commands and found that while most
commands related to attribute changes output an SC_OP_SUCCESS, except for
the name change command which doesn't output a success message on the
status-fd.

The relevant code for each of the attribute commands is listed below:
name - no success message (
https://github.com/gpg/gnupg/blob/master/g10/card-util.c#L787)
url - https://github.com/gpg/gnupg/blob/master/g10/card-util.c#L845
login - https://github.com/gpg/gnupg/blob/master/g10/card-util.c#L1003
lang - https://github.com/gpg/gnupg/blob/master/g10/card-util.c#L1140
salutation - https://github.com/gpg/gnupg/blob/master/g10/card-util.c#L1176

Is there any reason why name changes don't output a status message?

Best,
Joey Berkovitz

Re: safe curves in openPGP smartcard

2021-06-21 Thread Werner Koch via Gnupg-users
On Sun, 20 Jun 2021 18:57, mailinglisten--- said:
> is there any educated guess, when some safe curve (25519?) will find
> their ways into openPGP smart cards?

Yubikeys and the Gnuk token support 25519 for a long time now.  For the
Zeitcontrol card, I can't give a concrete timeline.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



Re: safe curves in openPGP smartcard

2021-06-20 Thread John Scott via Gnupg-users
On Sun, 2021-06-20 at 18:57 +, mailinglisten--- via Gnupg-users
wrote:
> is there any educated guess, when some safe curve (25519?) will find
> their ways into openPGP smart cards?
Some cards already support Curve25519; I'm signing this with my
Nitrokey Start (which is really a Gnuk) using my ed25519 subkey.
Nitrokey advertises support for this [1], so I presume it's reliable as
it has been for me.

[1] https://www.nitrokey.com/#comparison



safe curves in openPGP smartcard

2021-06-20 Thread mailinglisten--- via Gnupg-users
Hi there,
is there any educated guess, when some safe curve (25519?) will find
their ways into openPGP smart cards?

regards



Re: Smartcard readers: Cherry ST 2100

2021-01-07 Thread Ingo Klöcker
On Thursday, 7 January 2021 10:47:35 CET Bernhard Reiter wrote:
> Hi,
> 
> just wanted to report that that Cherry ST-2100 smartcard reader
> responded without further configuration on Debian Buster
> with gnupg2-2.2.20-1~bpo10+1.
> 
> Do we have a good place to collect experience reports about devices
> and tokens?

https://wiki.gnupg.org/SmartCard collects some information and further 
references.

https://wiki.debian.org/GnuPG/CCID_Driver (referenced on the above page) lists 
"smartcard readers and tokens supported by the GnuPG's in-stock CCID driver".

> Just tested gpg --card-status, do we have a good test (plan) or list
> what people would want to know about a cardreader or security token?
> 
> Is it possible to test a security token and then completely reset it
> into the state before (aka factory reset)?

Depends. Some tokens can never be fully reset (e.g. TeleSec NetKey). Others 
can be reset for example with gpg --card-edit's factory-reset command (which 
may or may not be present in gpg 2.2.20) or with the (currently unreleased) 
gpg-card's factory-reset command. (gpg-card, the new administration tool for 
smart cards, will be part of GnuPG 2.3.)

Regards,
Ingo






Smartcard readers: Cherry ST 2100

2021-01-07 Thread Bernhard Reiter
Hi,

just wanted to report that the Cherry ST-2100 smartcard reader
responded without further configuration on Debian Buster
with gnupg2-2.2.20-1~bpo10+1.

Do we have a good place to collect experience reports about devices
and tokens? 

Just tested gpg --card-status, do we have a good test (plan) or list
what people would want to know about a cardreader or security token?

Is it possible to test a security token and then completely reset it
into the state before (aka factory reset)?

== Details
My Linux (the famous kernel) said
usb 7-3: new full-speed USB device number 2 using ohci-pci
usb 7-3: New USB device found, idVendor=046a, idProduct=003e, bcdDevice= 7.10
usb 7-3: New USB device strings: Mfr=1, Product=2, SerialNumber=5
usb 7-3: Product: SmartTerminal ST-2xxx
usb 7-3: Manufacturer: Cherry GmbH
usb 7-3: SerialNumber: .

Best,
Bernhard

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner



Re: [developer preview] smartcard + openpgp as a linux gadget

2021-01-04 Thread NIIBE Yutaka
Vincent Pelletier wrote:
> I would like to announce my implementation of a software CCID card
> reader targeting the Linux gadget subsystem, along with a smartcard OS
> and openpgp card application to use with this reader.

Great.  (And thanks for the patches for tests of Gnuk.  I'll apply
those, soon.)

FWIW, it was around 2008/2009, when Daiki Ueno had an implementation of
USB token toolkit with Linux gadget, called "Tandoori" (IIRC).  I think
that the purpose was similar.

However, today, I can't find any code.

All that I found is a record of symposium called ComSys2008 (in
Japanese):

https://iss.ndl.go.jp/books/R10002-I09985680-00

Historically, it was done before Gnuk.
-- 



Unlock smartcard PIN without decrypting a file

2020-12-30 Thread jman




> To do the verification without any operation you can use "gpg
> --card-edit" and then enter "verify".
>
> If you want to see the commands sent to the scd run
> gpg --debug ipc --card-edit

Thank you so much for the detailed answer! Based on your suggestion I
could debug that the "verify" command sends:

gpg/card> verify
gpg: DBG: chan_4 -> SCD CHECKPIN AAABBBCCCDDD
gpg: DBG: chan_4 <- INQUIRE PINENTRY_LAUNCHED 401855 tty 1.1.0 /dev/pts/0 xterm-kitty -

gpg: DBG: chan_4 -> END

therefore the one-liner I was looking for could look like this:

gpg-connect-agent 'SCD CHECKPIN AAABBBCCCDDD' /bye

("AAABBBCCCDDD" being the serial number of the smartcard)

regards,

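The one-liner above needs the card's serial number, and a wrong PIN typed by habit eats one of the card's retry attempts. The following helper is an added example for this archive, not GnuPG's code and not something posted in the thread. It assumes that `gpg --with-colons --card-status` prints a `serial:` line carrying the full application serial number that scdaemon expects and a `pinretry:` line with the user-PIN, reset-code and admin-PIN counters, refuses to try when only one user-PIN attempt is left, and then sends `SCD CHECKPIN <serial>` through gpg-connect-agent, which makes gpg-agent bring up pinentry. The sample card status and agent replies in the block are constructed.

```python
"""Verify the card's user PIN without signing or decrypting anything.

Added example, not GnuPG's own code.  Wraps the thread's one-liner
    gpg-connect-agent 'SCD CHECKPIN <serial>' /bye
with a serial lookup and a retry-counter guard.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CardInfo:
    serial: str               # full application serial, as scdaemon expects it
    user_pin_retries: int     # PW1 (user PIN)
    reset_code_retries: int   # resetting code
    admin_pin_retries: int    # PW3 (admin PIN)


# Constructed sample of `gpg --with-colons --card-status` output; the
# serial number is made up.
SAMPLE_STATUS = """\
Reader:Example Reader 00 00:
version:0304:
vendor:0006:Yubico:
serial:D2760001240103040006123456780000:
name:Doe:Jane:
pinretry:3:0:3:
sigcount:42:::
"""


def parse_card_status(colon_output: str) -> CardInfo:
    """Pull the serial and the PIN retry counters out of the colon output."""
    serial: Optional[str] = None
    retries: Optional[Tuple[int, int, int]] = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "serial" and len(fields) > 1 and fields[1]:
            serial = fields[1]
        elif fields[0] == "pinretry" and len(fields) > 3:
            retries = (int(fields[1]), int(fields[2]), int(fields[3]))
    if serial is None or retries is None:
        raise ValueError("no serial/pinretry line: is a card inserted?")
    return CardInfo(serial, *retries)


def should_attempt(info: CardInfo, min_retries: int = 2) -> bool:
    """Refuse to send a PIN when a single wrong entry would block the card."""
    return info.user_pin_retries >= min_retries


def checkpin_command(serial: str) -> List[str]:
    """argv for: gpg-connect-agent 'SCD CHECKPIN <serial>' /bye"""
    if not serial or not all(c in "0123456789ABCDEFabcdef" for c in serial):
        raise ValueError("serial number must be hex digits")
    return ["gpg-connect-agent", f"SCD CHECKPIN {serial}", "/bye"]


def parse_agent_reply(text: str) -> bool:
    """gpg-connect-agent echoes the Assuan result: OK, or ERR <code> <text>."""
    for line in text.splitlines():
        if line.startswith("OK"):
            return True
        if line.startswith("ERR"):
            return False
    raise ValueError("no OK/ERR line in agent reply: " + text.strip())


def unlock_card(min_retries: int = 2) -> CardInfo:
    """Query the card, then let scdaemon verify the user PIN via pinentry."""
    status = subprocess.run(["gpg", "--with-colons", "--card-status"],
                            check=True, capture_output=True, text=True).stdout
    info = parse_card_status(status)
    if not should_attempt(info, min_retries):
        raise RuntimeError(f"only {info.user_pin_retries} user-PIN attempt(s) "
                           "left; not risking a lockout")
    reply = subprocess.run(checkpin_command(info.serial),
                           check=False, capture_output=True, text=True).stdout
    if not parse_agent_reply(reply):
        raise RuntimeError("CHECKPIN failed: " + reply.strip())
    return info


if __name__ == "__main__":
    card = unlock_card()
    print(f"card {card.serial} unlocked")
```

As noted above, the card then stays unlocked until it is powered down or reset (or, for signing, until the next operation if `forcesig` is set), so pair this with whatever re-locking discipline you use.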


Re: Unlock smartcard PIN without decrypting a file

2020-12-29 Thread Werner Koch via Gnupg-users
On Tue, 29 Dec 2020 15:13, Journeyman said:

> that SCD commands do not require the PIN.

The PIN is passed to the card and processed by the card.  Thus the card
decides on whether an operation needs a PIN.  Usually the PIN is
required only once and valid until the card is powered down
(e.g. unplugged).  The OpenPGP card may require a PIN for each signing
operation - this behaviour can be controlled using the "forcesig" command
of gpg --card-edit.

To do the verification without any operation you can use "gpg
--card-edit" and then enter "verify".

If you want to see the commands sent to the scd run
gpg --debug ipc --card-edit


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



Unlock smartcard PIN without decrypting a file

2020-12-29 Thread Journeyman



Howdy,

usually I unlock my Yubikey and enter its PIN when I need to decrypt a
file.

Sometimes I'd like to unlock the smartcard without really interacting
with the private key stored there.

Is there an SCD command that allows me to do this? I've read the GNUPG
manual but couldn't really find anything for this; my (perhaps limited)
understanding is that SCD commands do not require the PIN.

thanks for any suggestion!

regards,



[developer preview] smartcard + openpgp as a linux gadget

2020-12-26 Thread Vincent Pelletier via Gnupg-users
Hello,

First: this announcement is aimed at potential contributors (code,
documentation, ...) and experimentation (seeing what this is about,
identifying bugs, ...). It is not aimed at general use: do not use this
(yet) with valuable keys or data.

I would like to announce my implementation of a software CCID card
reader targeting the Linux gadget subsystem, along with a smartcard OS
and openpgp card application to use with this reader.

- CCID card reader:
  https://github.com/vpelletier/python-usb-f-ccid
- smartcard OS:
  https://github.com/vpelletier/python-smartcard
- OpenPGP app:
  https://github.com/vpelletier/python-smartcard-app-openpgp

I describe at length the thought process which led to this project in
the README:
  
https://github.com/vpelletier/python-smartcard-app-openpgp/blob/master/README.rst
but in a nutshell this project should be seen as yet another computer
holding private keys (with all the attack surfaces this implies), with
the extra capability of being seen as a smartcard from a host computer.

So, why not a real smartcard, with its minimal attack surface ?
For the hardware flexibility: I wanted an inter-operable token capable
of displaying a grid of random PINs, so that I can use it on an
untrusted computer without leaking the PIN or using it behind my back,
for uses where token theft (for actual use/exposure of the contained
secrets) is not as important as resisting remote accesses.
With this implementation, I can pick up a Pi Zero, put a 2 inches
screen on it and get such functionality.

I'm sure more creative uses of commonly available hardware can be
found, and this is what this project is hoping to allow.

The CCID card reader is considered to be feature-complete.

The OpenPGP app passes the most important tests from the gnuk test
suite (with a few minor patches I sent to its maintainer).
Specifically, it fails strict ATR and Extended Capabilities comparison,
because it does not implement the exact same set of features, and the
non-standard admin-less test variants.

The smartcard OS is the least polished part: it is supposed to be
application-independent, but only the codepaths exercised by OpenPGP
are known to work. I did implement a bit beyond that, but there is
still a lot of work needed - although it is second in priority to
OpenPGP implementation.

Regards,
-- 
Vincent Pelletier



Re: Smartcard not initialized automatically on GnuPG 2.2.24

2020-12-10 Thread Ingo Klöcker
On Thursday, 10 December 2020 11:57:53 CET Heiko Carrasco via Gnupg-users 
wrote:
> I recently got the "new" version of GnuPG 2.2.24 through my distribution
> and noticed some form of bug together with my smartcard.

It's a regression. It has already been fixed. See below. You could ask your 
distribution to quickly update to GnuPG 2.2.25.

> When I attempt to use gpg to decrypt something I get the following
> error:
> $ gpg -d test.gpg
> gpg: encrypted with 4096-bit RSA key, ID 1632F70C0F463100, created
> 2015-08-24 "Heiko Carrasco 
> gpg: public key decryption failed: Invalid ID
> gpg: decryption failed: No secret key

From the release notes for GnuPG 2.2.25 ([1]):
=
Noteworthy changes in version 2.2.25


  * scd: Fix regression in 2.2.24 requiring gpg --card-status before
signing or decrypting.  [#5065]
=

Regards,
Ingo

[1] https://lists.gnupg.org/pipermail/gnupg-announce/2020q4/000450.html


Smartcard not initialized automatically on GnuPG 2.2.24

2020-12-10 Thread Heiko Carrasco via Gnupg-users
Hello,

I recently got the "new" version of GnuPG 2.2.24 through my distribution
and noticed some form of bug together with my smartcard.

When I attempt to use gpg to decrypt something I get the following
error:
$ gpg -d test.gpg
gpg: encrypted with 4096-bit RSA key, ID 1632F70C0F463100, created 2015-08-24
  "Heiko Carrasco 
gpg: public key decryption failed: Invalid ID
gpg: decryption failed: No secret key

I have to manually run some command which interacts with the smartcard
such as gpg --card-status for it to show a pinentry to enter my
smartcard pin.
This was not the case with 2.2.23, which automatically asks me for my
pin when executing the above command.

There wasn't anything regarding this in the changelog as far as I can see,
so this might be a bug?

Cheers,

Heiko



Specifying smartcard reader when multiple readers attached

2020-06-26 Thread Jared Vacanti via Gnupg-users
Using gpg (GnuPG) 2.2.19, is there a way to specify a reader when multiple
readers are available? For example:

$ gpg --card-status --reader FEITIAN
gpg: WARNING: "--reader-port" is an obsolete option - it has no effect
except on scdaemon

I seem to only be able to interact with smartcards or the Yubikey 5 NFC
OpenPGP applet when the device is the only one available.

Any feedback would be really appreciated.

Jared

Re: Broken / lost smartcard

2020-03-08 Thread Matthias Apitz
On Sunday, March 8, 2020 at 09:11:49 AM +0100, Andreas K. Huettel 
via Gnupg-users wrote:

> [changing the subject since this is quite a different topic]
> 
> > What I would like to know is how people handle the case when a SmartCard gets
> > lost, broken or maybe confiscated at an airport etc.?
> 
> Well, that's the argument for having at least primary/cert key and encryption 
> subkey not *only* on the smartcard but also in a safe place somewhere.
> 
> For a signature subkey it doesn't matter then if you lose it (just make a new 
> one), and for an authentication subkey you need to prepare to have some 
> alternative means of access (or also a backup).

For me the bigger problem would be the stored crypted data in the
password-store where I have nearly 300 credentials:

$ find .password-store -type f | wc -l
 282

I wrote a script which decrypts all these files to STDOUT in a form which
could be fed again into the pass(1) command and stores this
in some secure place from time to time.

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

Germany out of NATO! NATO out of Germany! Peace with Russia!


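The backup script described above can be written in a few dozen lines. What follows is an added example for this archive, not the author's script and not part of pass or GnuPG. It assumes the default store layout (one `.gpg` file per entry under `~/.password-store`, with pass's own `.git` directory and `.gpg-id` file alongside) and a gpg that can reach the card for decryption; the dump format (a JSON object from entry name to plaintext) is this example's choice, picked because it round-trips multi-line entries and odd names without an escaping scheme of its own. The dump is cleartext: write it only onto an encrypted volume, or pipe it straight into gpg to re-encrypt it to an offline backup key.

```python
"""Dump a pass(1) store to plaintext so it survives a lost or broken card,
and feed it back in with `pass insert --multiline`.

Added example, not pass's or GnuPG's code.  The decrypt and insert steps
are injectable so the file handling can be exercised without a card.
"""
import json
import subprocess
from pathlib import Path
from typing import Callable, Dict


def entry_name(store: Path, gpg_file: Path) -> str:
    """~/.password-store/web/example.com.gpg -> web/example.com"""
    return gpg_file.relative_to(store).with_suffix("").as_posix()


def decrypt_with_gpg(gpg_file: Path) -> str:
    """Decrypt one entry; the card (and pinentry) is consulted the first time."""
    out = subprocess.run(["gpg", "--batch", "--quiet", "--decrypt", str(gpg_file)],
                         check=True, capture_output=True)
    return out.stdout.decode("utf-8")


def export_store(store: Path,
                 decrypt: Callable[[Path], str] = decrypt_with_gpg) -> Dict[str, str]:
    """Return {entry name: plaintext} for every entry in the store."""
    entries: Dict[str, str] = {}
    for gpg_file in sorted(store.rglob("*.gpg")):
        if ".git" in gpg_file.relative_to(store).parts:
            continue  # pass keeps a git repository inside the store
        entries[entry_name(store, gpg_file)] = decrypt(gpg_file)
    return entries


def to_json(entries: Dict[str, str]) -> str:
    """Serialise the dump; JSON keeps multi-line entries and odd names intact."""
    return json.dumps(entries, indent=1, sort_keys=True, ensure_ascii=False)


def from_json(text: str) -> Dict[str, str]:
    return json.loads(text)


def pass_insert(name: str, content: str) -> None:
    """Recreate one entry, encrypted to whatever key .gpg-id now names."""
    subprocess.run(["pass", "insert", "--multiline", "--force", name],
                   input=content.encode("utf-8"), check=True)


def import_store(entries: Dict[str, str],
                 insert: Callable[[str, str], None] = pass_insert) -> int:
    """Re-insert every entry; returns how many were written."""
    for name in sorted(entries):
        insert(name, entries[name])
    return len(entries)


if __name__ == "__main__":
    import sys
    if sys.argv[1:2] == ["export"]:
        print(to_json(export_store(Path.home() / ".password-store")))
    elif sys.argv[1:2] == ["import"]:
        print(import_store(from_json(sys.stdin.read())), "entries restored")
```

Because the import path goes through `pass insert`, the restored entries are encrypted to whichever key `.gpg-id` names at that moment, so the same dump also serves when rotating to a replacement card with a fresh encryption subkey.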

Re: Broken / lost smartcard

2020-03-08 Thread Stefan Claas via Gnupg-users
Andreas K. Huettel via Gnupg-users wrote:

> [changing the subject since this is quite a different topic]
> 
> > What I would like to know is how people handle the case when a SmartCard gets
> > lost, broken or maybe confiscated at an airport etc.?
> 
> Well, that's the argument for having at least primary/cert key and encryption 
> subkey not *only* on the smartcard but also in a safe place somewhere.
> 
> For a signature subkey it doesn't matter then if you lose it (just make a new 
> one), and for an authentication subkey you need to prepare to have some 
> alternative means of access (or also a backup).
> 

Yes, I only asked because it sounded like you don't have a back-up, after
creating the key-pair.

Regards
Stefan

-- 
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas
   



Broken / lost smartcard

2020-03-08 Thread Andreas K. Huettel via Gnupg-users
[changing the subject since this is quite a different topic]

> What I would like to know is how people handle the case when a SmartCard gets
> lost, broken or maybe confiscated at an airport etc.?

Well, that's the argument for having at least primary/cert key and encryption 
subkey not *only* on the smartcard but also in a safe place somewhere.

For a signature subkey it doesn't matter then if you lose it (just make a new 
one), and for an authentication subkey you need to prepare to have some 
alternative means of access (or also a backup).

-- 
Andreas K. Hüttel
dilfri...@gentoo.org
Gentoo Linux developer 
(council, qa, toolchain, base-system, perl, libreoffice)



Re: Sunset of a smartcard encryption key

2020-03-07 Thread Andrew Gallagher

> On 7 Mar 2020, at 23:13, Stefan Claas via Gnupg-users  
> wrote:
> 
> What I would like to know is how people handle the case when a SmartCard gets 
> lost, broken or maybe confiscated at an airport etc.?

I generate my keys in a copy of Tails and then copy to smartcard without saving 
changes on disk; that way I have a backup of all key material. I’ve never lost 
a smartcard but last year I had to factory reset one and restore from the 
backup when it went a little haywire.

Andrew Gallagher

Re: Sunset of a smartcard encryption key

2020-03-07 Thread Stefan Claas via Gnupg-users
Andreas K. Huettel via Gnupg-users wrote:

> Hi all, 
> 
> so here's a question that I'm sure people here have already been thinking 
> about... Like probably many others here I have a gpg smartcard with three 
> subkeys Sign, Encrypt, Authenticate, and an offline Certify master key at a
> safe place. 
> 
> * If I want to let my Signature subkey expire and generate a new one, that's 
> not a big problem for me, since the public key is still available to everyone 
> on the keyservers for verifying sigs.
> * If I want to let my Auth subkey expire and generate a new one, well I just 
> need to add the new one to all authorized_keys files in time.
> 
> But how do I sensibly handle a graceful sunset of an encryption key? If I 
> replace the subkey on my card, I immediately can't read old e-mails anymore.
> 
> If I had the key in a file, I could keep the old, expired subkey around and 
> still decrypt the data, but that would kinda defy the security provided by
> the card...
> 
> My best idea so far is to generate a second token (Nitrokey, Yubikey or 
> similar) *only* for old encryption subkeys, and additionally plug that in if
> I need to read an old message. Does anyone already have experience with such
> a setup?

What I would like to know is how people handle the case when a SmartCard gets lost,
broken or maybe confiscated at an airport etc.?

Why not use an encrypted hard disk (VeraCrypt etc.) for important documents and
files, which could be mounted on a dedicated offline computer (or maybe used
with an online computer) and, when not in use, put in a safe place?

Regards
Stefan

-- 
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas
   



Sunset of a smartcard encryption key

2020-03-07 Thread Andreas K. Huettel via Gnupg-users
Hi all, 

so here's a question that I'm sure people here have already been thinking 
about... Like probably many others here I have a gpg smartcard with three 
subkeys Sign, Encrypt, Authenticate, and an offline Certify master key at a 
safe place. 

* If I want to let my Signature subkey expire and generate a new one, that's 
not a big problem for me, since the public key is still available to everyone 
on the keyservers for verifying sigs.
* If I want to let my Auth subkey expire and generate a new one, well I just 
need to add the new one to all authorized_keys files in time.

But how do I sensibly handle a graceful sunset of an encryption key? If I 
replace the subkey on my card, I immediately can't read old e-mails anymore.

If I had the key in a file, I could keep the old, expired subkey around and 
still decrypt the data, but that would kinda defy the security provided by the 
card...

My best idea so far is to generate a second token (Nitrokey, Yubikey or 
similar) *only* for old encryption subkeys, and additionally plug that in if I 
need to read an old message. Does anyone already have experience with such a 
setup?

Best, 
Andreas

-- 
Andreas K. Hüttel
dilfri...@gentoo.org
Gentoo Linux developer 
(council, qa, toolchain, base-system, perl, libreoffice)



Re: private data objects on smartcard

2020-01-31 Thread mailing list via Gnupg-users
> (...)
> If no PIN has been verified, the --card-status command will only ever
> print out the contents of private DOs #1 and #2.
> 
> While we are at it, *writing* to the private DOs #1 and #3 requires the
> user PIN, and writing to the private DOs #2 and #4 requires the admin PIN.
> 
> You can find the details about those DOs and all the other features of
> the OpenPGP smart card in the specifications for the different versions,
> which are all available on GnuPG's site [1].
> 

Thanks a lot for the support!




Re: private data objects on smartcard

2020-01-30 Thread Damien Goutte-Gattat via Gnupg-users

On Fri, Jan 31, 2020 at 12:55:05AM +0100, mailing list wrote:

> I hoped these objects may have been (read) protected by the PIN, but
> they're world readable if you have the card, a bit sad...


Only Private DOs #1 and #2 are readable without any PIN. Reading the 
private DO #3 requires the user PIN, and reading the private DO #4 
requires the admin PIN.


If no PIN has been verified, the --card-status command will only ever 
print out the contents of private DOs #1 and #2.


While we are at it, *writing* to the private DOs #1 and #3 requires the 
user PIN, and writing to the private DOs #2 and #4 requires the admin 
PIN.


You can find the details about those DOs and all the other features of 
the OpenPGP smart card in the specifications for the different versions, 
which are all available on GnuPG's site [1].



Cheers,

- Damien


[1] https://gnupg.org/ftp/specs/



Re: private data objects on smartcard

2020-01-30 Thread Damien Goutte-Gattat via Gnupg-users

On Fri, Jan 31, 2020 at 12:39:11AM +0100, mailing list wrote:

> By the way, is mcl3 the length of the key currently living on the
> smartcard or the maximum key length supported by this card?


Neither of those. It's the maximum length of the "Cardholder certificate 
DO". This is another data object available on an OpenPGP smart card, 
intended to store a X.509 certificate.


You can write to that DO using the (undocumented) writecert command. For 
example, assuming the cert.der file contains a DER-encoded X.509 
certificate:


 $ gpg --card-edit
 gpg/card> writecert 3 < cert.der

GnuPG allows to write into that DO but does not actually use it. As far 
as I know the only component that makes use of the Cardholder 
certificate DO is Scute [1], for TLS client authentication (and even for 
that the DO is actually dispensable: if Scute does not find the desired 
certificate in that DO, it will obtain it from GpgSM.)




> I just play with a card version 1.1 and mcl3 is 0 there.


The Cardholder certificate DO was added in version 2.0 of the 
specification, so nothing surprising here.



Cheers,

- Damien


[1] http://scute.org/



Re: private data objects on smartcard

2020-01-30 Thread mailing list via Gnupg-users
> (...)

> You can use the (undocumented) command "privatedo" from GnuPG's
> --card-edit menu. For example, to write into the private DO #1:
> (...)
>> And can GnuPG read these objects?
> 
> Yes. If a private DO contains a value, it will be listed in the output
> from the --card-status command.

I hoped these objects may have been (read) protected by the PIN, but
they're world readable if you have the card, a bit sad...





Re: private data objects on smartcard

2020-01-30 Thread mailing list via Gnupg-users
On 31.01.20 at 00:14 it was said by Damien Goutte-Gattat:

> On Thu, Jan 30, 2020 at 11:24:54PM +0100, mailing list via Gnupg-users
> wrote:
>> How do you write to these objects? Can GnuPG do this? I didn't find
>> any way with --card-edit or --card-status.
> 
> You can use the (undocumented) command "privatedo" from GnuPG's
> --card-edit menu. For example, to write into the private DO #1:

Great, thanks!


>  S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=2048+aac=1+sm=0+si=5+dec=0+bt=1+kdf=1

By the way, is mcl3 the length of the key currently living on the
smartcard or the maximum key length supported by this card?
I'm just playing with a version 1.1 card and mcl3 is 0 there. Version 1.1
supports 1024-bit RSA AFAIK.

Thanks!


Re: private data objects on smartcard

2020-01-30 Thread Damien Goutte-Gattat via Gnupg-users

Hi,

On Thu, Jan 30, 2020 at 11:24:54PM +0100, mailing list via Gnupg-users wrote:
> How do you write to these objects? Can GnuPG do this? I didn't find 
> any way with --card-edit or --card-status.


You can use the (undocumented) command "privatedo" from GnuPG's 
--card-edit menu. For example, to write into the private DO #1:


 $ gpg --card-edit
 gpg/card> privatedo 1
 Private DO data: [enter whatever value you want to store into the DO]

Or, to write the contents of a file into the private DO #2:

 $ gpg --card-edit
 gpg/card> privatedo 2 < [filename]



> And can GnuPG read these objects?


Yes. If a private DO contains a value, it will be listed in the output 
from the --card-status command.



> I read somewhere, the size of these objects is 2048 bytes each. How 
> many of these objects do exist on a smartcard?


First, note that private DOs are an optional feature of the OpenPGP 
smart card; not all implementations support them.


You can use the following command to check if an OpenPGP smart card 
supports private DOs:


 $ gpg-connect-agent 'SCD LEARN --force' /bye | grep EXTCAP
 S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=2048+aac=1+sm=0+si=5+dec=0+bt=1+kdf=1

Here, "pd=1" means the card does have private DOs. "pd=0" would indicate 
that private DOs are not supported.


When private DOs are supported, there are four of them. For cards 
compatible with versions 1.x or 2.x of the specification, they have a 
size of 254 bytes. For 3.x cards, the size of the private DOs is defined 
by the implementation (the OpenPGP smart card from FLOSS Shop [1] has 
indeed 2048-bytes private DOs).


Cheers,

- Damien


[1] 
https://www.floss-shop.de/en/security-privacy/smartcards/13/openpgp-smart-card-v3.3?c=40



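Reading the EXTCAP line and applying the private-DO access rules from this thread, as an added example (Python; not GnuPG's own code). The first EXTCAP line is the one quoted above; the second EXTCAP line and the version strings passed in are constructed inputs.

```python
# Added example (not GnuPG code): interpret the EXTCAP line that
# gpg-connect-agent 'SCD LEARN --force' prints for an OpenPGP card and
# derive, from the rules given in the thread, which private data objects
# (DOs) a card exposes and which PIN each one needs.

# PIN needed to read / write each private DO, as stated in the thread:
# reading #1 and #2 needs no PIN, #3 the user PIN, #4 the admin PIN;
# writing #1 and #3 needs the user PIN, #2 and #4 the admin PIN.
PRIVATE_DO_ACCESS = {
    1: {"read": None,    "write": "user"},
    2: {"read": None,    "write": "admin"},
    3: {"read": "user",  "write": "user"},
    4: {"read": "admin", "write": "admin"},
}


def parse_extcap(line):
    """Turn 'S EXTCAP gc=1+ki=1+...' (with or without the 'S EXTCAP' prefix)
    into a dict; integer values become ints, anything else stays a string."""
    value = line.strip()
    if value.startswith("S EXTCAP"):
        value = value[len("S EXTCAP"):].strip()
    caps = {}
    for item in value.split("+"):
        if not item:
            continue
        key, sep, raw = item.partition("=")
        if not sep:
            raise ValueError("malformed EXTCAP item: %r" % item)
        caps[key] = int(raw) if raw.lstrip("-").isdigit() else raw
    return caps


def supports_private_dos(caps):
    """pd=1 means the card has private DOs; pd=0 (or no pd flag) means it does not."""
    return caps.get("pd") == 1


def max_cert_len(caps):
    """mcl3: maximum length of the Cardholder certificate DO (0 on 1.x cards,
    which predate that DO)."""
    return int(caps.get("mcl3", 0))


def private_do_size(spec_version):
    """254 bytes on cards implementing spec 1.x or 2.x; on 3.x cards the size
    is implementation-defined, so None is returned."""
    major = int(str(spec_version).split(".")[0])
    return 254 if major < 3 else None


def private_do_report(caps, spec_version):
    """Per-DO summary: PIN needed to read and to write it, whether
    'gpg --card-status' shows it before any PIN was verified, and its size."""
    if not supports_private_dos(caps):
        return {}
    size = private_do_size(spec_version)
    return {
        n: {
            "read_pin": rule["read"],
            "write_pin": rule["write"],
            "shown_without_pin": rule["read"] is None,
            "size": size,
        }
        for n, rule in PRIVATE_DO_ACCESS.items()
    }


# EXTCAP line quoted in the thread, and a constructed one for a card
# without private DOs.
EXTCAP_V3 = "S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=2048+aac=1+sm=0+si=5+dec=0+bt=1+kdf=1"
EXTCAP_NO_PD = "gc=1+ki=1+fc=1+pd=0+mcl3=0+aac=0+sm=0+si=0+dec=0+bt=0+kdf=0"  # constructed

if __name__ == "__main__":
    caps = parse_extcap(EXTCAP_V3)
    print("private DOs supported:", supports_private_dos(caps))
    print("max cert DO length:", max_cert_len(caps))
    for n, info in sorted(private_do_report(caps, "3.3").items()):
        print("DO #%d: read=%s write=%s shown-without-pin=%s size=%s" % (
            n, info["read_pin"] or "none", info["write_pin"],
            info["shown_without_pin"], info["size"] or "implementation-defined"))
```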
private data objects on smartcard

2020-01-30 Thread mailing list via Gnupg-users
Hi there,

The OpenPGP smartcards seem to have private data objects to store
arbitrary data, right? It seems even the old 1.1 version cards feature
these objects.

How do you write to these objects? Can GnuPG do this? I didn't find any
way with --card-edit or --card-status. And can GnuPG read these objects?

I read somewhere, the size of these objects is 2048 bytes each. How many
of these objects do exist on a smartcard?

Thanks!


local key as smartcard *fallback*

2020-01-19 Thread Raph via Gnupg-users
Hi,

When using keytocard, the keyring is informed that the key is now
stored on a smartcard... only (unless removed explicitly).

If the smartcard is unavailable (lost or whatever), is there an *easy*
way to tell the agent to automatically use the local key, if present?


Basically:
*If* the smartcard is not present,
*Then*
  *If* a local and password-protected version exists,
  *Then* use it as a fallback.


I do understand that smartcard security depends on *not* having the
local key present.
But such a (more flexible) key lookup policy would still be useful in
some situations like for a smoother transition to smartcard or smartcard
used optionally on several computers, ...


Thank you.


Related question:
https://security.stackexchange.com/questions/183226/how-to-force-gpg-to-use-a-keycard-when-it-is-available



Re: v2.1 openpgp smartcard -- packing in after a `key to card'

2019-12-10 Thread NIIBE Yutaka
Dirk-Willem van Gulik wrote:
> During a pretty standard create key; key to card cycle (scripted) - I got an 
> error
>
>   gpg: OpenPGP card not available: Card removed
>
> just after the ‘save’ in the --edit-key. A subsequent status check gives me:
>
>   gpg2 --card-status
>   gpg: OpenPGP card not available: Card removed
>
> with below scdaemon log information.

Unfortunately, your log only includes information _after_ the failure.

So, I could only guess about the failure.  I guess that "key to card"
failed for some reason.

> 2019-12-09 18:15:06 scdaemon[47159] detected reader 'SCM Microsystems Inc. SPR 532'
> 2019-12-09 18:15:06 scdaemon[47159] detected reader 'ACS ACR122U PICC Interface'
> 2019-12-09 18:15:06 scdaemon[47159] detected reader 'OMNIKEY AG CardMan 3121'

While you have three card readers...

> 2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S READER OMNIKEY AG CardMan 3121

What you were using was "OMNIKEY AG CardMan 3121", which only supports
short APDU level exchange.

It is listed in this list: https://ccid.apdu.fr/ccid/supported.html
It should work for 1024-bit key.

However, I'm afraid that probably, it doesn't work well with recent
PC/SC lite, because readers with short APDU level exchange only are
getting uncommon.

SCM SPR 532 works better, because it supports TPDU level exchange (lower
level).
-- 


v2.1 openpgp smartcard -- packing in after a `key to card'

2019-12-09 Thread Dirk-Willem van Gulik
During a pretty standard create key; key to card cycle (scripted) - I got an 
error

gpg: OpenPGP card not available: Card removed 

just after the ‘save’ in the --edit-key. A subsequent status check gives me:

gpg2 --card-status 
gpg: OpenPGP card not available: Card removed

with below scdaemon log information. The key moved onto it was a rsa1024 key:

gpg2 --homedir . --batch --passphrase "$TEMP_PASSWD" --quick-add-key $FPR2 rsa1024

i.e. the second of (key 1):

sec  ed25519/F93BF2C7E09FEDC0
 created: 2019-12-09  expires: 2021-12-08  usage: SC  
 trust: ultimate  validity: ultimate
ssb  rsa1024/3341725A21249687
 created: 2019-12-09  expires: never   usage: E   

Does this ring a bell with anyone ? 

With kind regards,

Dw.



2019-12-09 18:15:06 scdaemon[47159] DBG: chan_7 <- GETINFO version
2019-12-09 18:15:06 scdaemon[47159] DBG: chan_7 -> D 2.2.17
2019-12-09 18:15:06 scdaemon[47159] DBG: chan_7 -> OK
2019-12-09 18:15:06 scdaemon[47159] DBG: chan_7 <- SERIALNO openpgp
2019-12-09 18:15:06 scdaemon[47159] ccid open error: skip
2019-12-09 18:15:06 scdaemon[47159] ccid open error: skip
2019-12-09 18:15:06 scdaemon[47159] ccid open error: skip
2019-12-09 18:15:06 scdaemon[47159] detected reader 'SCM Microsystems Inc. SPR 532'
2019-12-09 18:15:06 scdaemon[47159] detected reader 'ACS ACR122U PICC Interface'
2019-12-09 18:15:06 scdaemon[47159] detected reader 'OMNIKEY AG CardMan 3121'
2019-12-09 18:15:06 scdaemon[47159] reader slot 0: not connected
2019-12-09 18:15:07 scdaemon[47159] pcsc_control failed: not transacted (0x80100016)
2019-12-09 18:15:07 scdaemon[47159] pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65547
2019-12-09 18:15:07 scdaemon[47159] reader slot 0: active protocol: T1
2019-12-09 18:15:07 scdaemon[47159] slot 0: ATR=3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C
2019-12-09 18:15:07 scdaemon[47159] AID: D2 76 00 01 24 01 02 01 00 05 00 00 57 2D 00 00
2019-12-09 18:15:07 scdaemon[47159] Historical Bytes: 00 31 C5 73 C0 01 40 05 90 00
2019-12-09 18:15:07 scdaemon[47159] Version-2+ .: yes
2019-12-09 18:15:07 scdaemon[47159] Extcap-v3 ..: no
2019-12-09 18:15:07 scdaemon[47159] Button .: no
2019-12-09 18:15:07 scdaemon[47159] SM-Support .: no
2019-12-09 18:15:07 scdaemon[47159] Get-Challenge ..: yes (2048 bytes max)
2019-12-09 18:15:07 scdaemon[47159] Key-Import .: yes
2019-12-09 18:15:07 scdaemon[47159] Change-Force-PW1: yes
2019-12-09 18:15:07 scdaemon[47159] Private-DOs : yes
2019-12-09 18:15:07 scdaemon[47159] Algo-Attr-Change: yes
2019-12-09 18:15:07 scdaemon[47159] Symmetric Crypto: no
2019-12-09 18:15:07 scdaemon[47159] KDF-Support : no
2019-12-09 18:15:07 scdaemon[47159] Max-Cert3-Len ..: 2048
2019-12-09 18:15:07 scdaemon[47159] Cmd-Chaining ...: no
2019-12-09 18:15:07 scdaemon[47159] Ext-Lc-Le ..: yes
2019-12-09 18:15:07 scdaemon[47159] Status-Indicator: 05
2019-12-09 18:15:07 scdaemon[47159] GnuPG-No-Sync ..: no
2019-12-09 18:15:07 scdaemon[47159] GnuPG-Def-PW2 ..: no
2019-12-09 18:15:07 scdaemon[47159] Key-Attr-sign ..: RSA, n=2048, e=32, fmt=std
2019-12-09 18:15:07 scdaemon[47159] Key-Attr-encr ..: RSA, n=1024, e=32, fmt=std
2019-12-09 18:15:07 scdaemon[47159] Key-Attr-auth ..: RSA, n=2048, e=32, fmt=std
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S SERIALNO D2760001240102010005572D
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> OK
2019-12-09 18:15:07 scdaemon[47159] sending signal 31 to client 47158
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 <- LEARN --force
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S READER OMNIKEY AG CardMan 3121
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S SERIALNO D2760001240102010005572D
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S APPTYPE OPENPGP
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=2048+aac=1+sm=0+si=5+dec=0+bt=0+kdf=0
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S DISP-NAME
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S DISP-LANG de
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S DISP-SEX 9
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S KEY-FPR 2 26CFCE98D4681687B9665A273341725A21249687
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S KEY-TIME 2 1575909434
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S CHV-STATUS +0+32+32+32+3+0+3
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S SIG-COUNTER 0
2019-12-09 18:15:07 scdaemon[47159] pcsc_transmit failed: not transacted (0x80100016)
2019-12-09 18:15:07 scdaemon[47159] apdu_send_simple(0) failed: general error
2019-12-09 18:15:07 scdaemon[47159] reading public key failed: General error
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S KEYPAIRINFO 2AF8CE28A1F0B6E3194C2505C682357407ACC3B3 OPENPGP.2
2019-12-09 18:15:07 scdaemon[47159] pcsc_transmit failed: not transacted (0x80100016)
2019-12-09 18:15:07 

Re: gpg-agent only checks for smartcard not for local keys [ ref:_00D58dJQM._5004IusfwI:ref ]

2019-11-04 Thread Informa D via Gnupg-users
Dear Sirs,

We have received the information that you kindly sent us today, for which 
we are very grateful.

We will analyse the case immediately and reply to your request as quickly as 
possible. As soon as possible, our Customer Support Service will contact 
you.

However, if your contact concerns the need to update your company's data 
in our database, note that you can do so directly and without delay.

In fact, business entities whose data appear in our database can consult, 
add and modify the information concerning them online; all that is needed 
is a password giving exclusive access to a reserved area of our site.

We stress that this access for online updating is completely free and very 
easy: just go to www.informadb.pt and select, under Feed'Back, "To 
consult/update a company's data directly in our database".

If you need further clarification about Feed'Back, the Data Update 
Service, we are fully available to provide it.

Yours sincerely,

Customer Support Service

(+351) 213 500 389 - Fax: (+351) 213 151 658
vipclien...@informadb.pt
www.informadb.pt

CONFIDENTIAL. This message is intended for the exclusive use of the named 
addressee(s) and it may contain private or confidential information. Any 
reading, retention, disclosure, copying, distribution or redirection is 
prohibited. If you are not the intended recipient, please notify us by e-mail 
and delete this message from your system without retaining a copy. The personal 
data included in this e-mail is or will be added to the contact list of INFORMA 
D, acting as data controller, to contact you whenever necessary. You have the 
right of access and the rights to rectification, to object and to erasure 
through the e-mail: protecaodeda...@informadb.pt


Re: gpg-agent only checks for smartcard not for local keys

2019-11-04 Thread Werner Koch via Gnupg-users
On Sat,  2 Nov 2019 12:20, Horst Skatmus said:

> I do not understand how the gpg-agent determines where to look for the
> private key (disk or smartcard) and where this is configured. I can switch
> off the scdaemon via --disable-scdaemon but this has no effect.

At the time you use ssh-add (putty has a similar feature iirc) the key
is copied to GnuPG's private key store and added to the file sshcontrol
in GnuPG home directory ("gpgconf --list-dirs" shows this).

You can add the key also manually to the file.  An entry there looks
like:

  # Ed25519 key added on: 2016-11-29 10:28:00
  # MD5 Fingerprint:  b5:f9:23:5f:b2:8c:b2:58:7d:b3:1e:f4:7e:26:33:7c
  1934563577D9EDA59D3CC74B0CF9C630EA3F302D 0

The header of the sshcontrol file has comments on the syntax.
In short you put the keygrip (as shown in the KEYINFO lines or in
"gpg -k --with-keygrip") followed by the TTL for the cache
(0 for the default).

gpg-agent accesses the smartcard because the authentication key of an
inserted card is implicitly enabled for ssh.  Which key this is depends
on the card and gpg-agent knows how to query this.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: gpg-agent only checks for smartcard not for local keys

2019-11-04 Thread Niibe Yutaka
Hello,

Horst Skatmus wrote:
> The only problem I have is that the gpg-agent always checks for the
> smartcard even when keys are not stored on a smartcard.

When gpg-agent works as ssh-agent, it always checks (possible)
authentication key on smartcard, so that the authentication key (when
available) can be used.

Specifically, SSH client asks ssh-agent about available keys by
REQUEST_IDENTITIES command.  When gpg-agent (as ssh-agent) gets
REQUEST_IDENTITIES command, it checks scdaemon about possible
authentication keys.  Let's call those key(s) "active smartcard key(s)".
There are also keys recorded under ~/.gnupg/private-keys-v1.d/.  Let's
call those keys "recorded keys".  Those "recorded keys" can be private
keys on disk, or keys on smartcard (reference to smartcard, not private
key secret).  For response to REQUEST_IDENTITIES command, gpg-agent
answers SSH "active smartcard key(s)" + "recorded keys".
(Here, "recorded keys" may include "active smartcard key(s)".)

After that, SSH server + client negotiate about keys and select a key.
Then, SSH client asks gpg-agent (as ssh-agent) a challenge-response
authentication by signing with SIGN_REQUEST command.


> I can switch off the scdaemon via --disable-scdaemon but this has no
> effect.

With --disable-scdaemon, gpg-agent should stop accessing scdaemon.
Did you reload the settings (gpgconf --reload gpg-agent) after changing
your gpg-agent.conf?
--



gpg-agent only checks for smartcard not for local keys

2019-11-02 Thread Horst Skatmus
I have installed GnuPG Windows on a Windows 10 machine and I'd like to use
it with Putty as key based ssh authentication together with a smartcard. I
got everything working fine.

The only problem I have is that the gpg-agent always checks for the
smartcard even when keys are not stored on a smartcard.

gpg-connect-agent "keyinfo --list" /bye

S KEYINFO 16F96695784023BBD32BE7D9F8320568156CB76A D - - - P - - -
S KEYINFO 3D3DE2508675ECE9856242056D8A5956E35B056E D - - - P - - -
S KEYINFO C8316A470CEB466B4565C55B7FB8A98BA10BB558 D - - - P - - -
S KEYINFO C9376FD06A963284ADC1EF46861EC611C5D780B7 D - - - P - - -

This shows that all keys are located on the disk (column with the "D") but
the gpg-agent log shows that the agent gets a request from putty via the
"Pageant" option and it checks for a SC via the scdaemon.

2019-11-01 19:44:18 gpg-agent[6304] DBG: ssh map file 'PageantRequest3d68'
2019-11-01 19:44:18 gpg-agent[6304] DBG: ssh map handle 0x0338
2019-11-01 19:44:18 gpg-agent[6304] DBG:   my sid: 'S-1-5-21-2710969852-3158981170-84828875-1001'
2019-11-01 19:44:18 gpg-agent[6304] DBG: ssh map file sid: 'S-1-5-21-2710969852-3158981170-84828875-1001'
2019-11-01 19:44:18 gpg-agent[6304] DBG: ssh IPC buffer at 0x0067
2019-11-01 19:44:18 gpg-agent[6304] ssh request handler for request_identities (11) started
2019-11-01 19:44:18 gpg-agent[6304] new connection to SCdaemon established (reusing)
2019-11-01 19:44:18 gpg-agent[6304] DBG: chan_0x0314 -> SERIALNO
2019-11-01 19:44:18 gpg-agent[6304] DBG: chan_0x0314 <- ERR 100696144 No such device
2019-11-01 19:44:18 gpg-agent[6304] ssh request handler for request_identities (11) ready
2019-11-01 19:44:18 gpg-agent[6304] DBG: chan_0x0314 -> RESTART
2019-11-01 19:44:18 gpg-agent[6304] DBG: chan_0x0314 <- OK

I do not understand how the gpg-agent determines where to look for the
private key (disk or smartcard) and where this is configured. I can switch
off the scdaemon via --disable-scdaemon but this has no effect.

When I copy the secret key to the smartcard via keytocard in gpg everything
works fine.



Re: Cannot decrypt from smartcard using gnupg-2.2, can from 2.0

2019-10-21 Thread alejandro Cortez via Gnupg-users
On Tue, Oct 15, 2019 at 10:52 PM NIIBE Yutaka  wrote:

> Hello,
>
> I think that your configuration of smartcard is somehow broken.
>

The only thing I have been able to confirm is that gpg, at some point after
2.0.22, stopped allowing the use of the same subkey in multiple slots. As
soon as I created a new signing subkey and put that one into the signing
slot and the SEA subkey into the encryption slot, everything started
working.


Fwd: Cannot decrypt from smartcard using gnupg-2.2, can from 2.0

2019-10-16 Thread alejandro Cortez via Gnupg-users
I just realized my reply did not go to the list.

-- Forwarded message -
From: alejandro Cortez 
Date: Tue, Oct 15, 2019 at 9:43 AM
Subject: Re: Cannot decrypt from smartcard using gnupg-2.2, can from 2.0
To: Niibe Yutaka 


On Mon, Oct 14, 2019 at 12:18 AM Niibe Yutaka  wrote:

> $ gpg-connect-agent "KEYINFO --list" /bye
>

On 2.0, this only prints OK. On 2.2, only one KEYINFO line is printed and
the 4th to final column looks like:
D - - - P - - -

I have two different smartcards (both nitrokey pro). One of them is for a
different key and does not experience any problems (it is loaded with a
master key instead of a subkey). The output of KEYINFO is two lines and the
4th - final column looks like this:

T  OPENPGP.3 - - - - -
D - - - P - - -

So neither a working nor broken smartcard shows output like yours. Are
there any other methods to debug this perhaps?


Re: Cannot decrypt from smartcard using gnupg-2.2, can from 2.0

2019-10-14 Thread Niibe Yutaka
alejandro Cortez wrote:
> gpg: public key decryption failed: Invalid ID

This means that something goes wrong in your private key file for
your token, I suppose.

> Can anyone help debug this?

You can see more information, by following command line:

$ gpg-connect-agent "KEYINFO --list" /bye

This doesn't reveal any secret (only your serial number).

The example output (of mine) is like:

==
$ gpg-connect-agent "KEYINFO --list" /bye
S KEYINFO A97A7983102513844456E5B687E46B936B14155C D - - - P - - -
S KEYINFO 65F67E742101C7FE6D5B33FCEFCF4F65EAF0688C T D276000124010200F5170001 OPENPGP.2 - - - - -
S KEYINFO 101DE7B639FE29F4636BDEECF442A9273AFA6565 T D276000124010200F5170001 OPENPGP.1 - - - - -
S KEYINFO 5D6C89682D07CCFC034AF508420BF2276D8018ED T D276000124010200F5170001 OPENPGP.3 - - - - -
OK
$
==

The third column is a keygrip.  The fifth column is an application ID
(vendor id + serial number) of the card.  The sixth column is the key
identifier.

The key identifier "OpenPGP.2" is used for the decryption process.

I suspect you have some different string there, for some reason.
-- 


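The KEYINFO column reading given above, together with the sshcontrol and REQUEST_IDENTITIES behaviour described in the 2019-11-04 replies, as an added example (Python; not GnuPG's own code). The "broken" record, the keygrip in it and the sshcontrol file are constructed, and ssh_identities is a simplified model of what gpg-agent does, not its actual code.

```python
# Added example, not GnuPG code: parse the status lines printed by
#   gpg-connect-agent "KEYINFO --list" /bye
# and read them the way the thread does: column 3 is the keygrip, column 4
# says whether the key is on disk (D) or on a token (T), column 5 is the
# card's application ID (vendor id + serial number) and column 6 the key
# identifier on the card, of which OPENPGP.2 is the one used for decryption.
from collections import namedtuple

KeyInfo = namedtuple("KeyInfo", "keygrip type serialno idstr")

# Role of each OpenPGP card key slot.
SLOT_ROLE = {"OPENPGP.1": "sign", "OPENPGP.2": "decrypt", "OPENPGP.3": "auth"}


def parse_keyinfo(text):
    """Return the KEYINFO records; 'OK', prompts and blank lines are skipped.
    A record that a mail client wrapped after the type column is re-joined."""
    keys, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            line, pending = pending + " " + line, None
        fields = line.split()
        if len(fields) < 2 or fields[0] != "S" or fields[1] != "KEYINFO":
            continue
        if len(fields) < 6:
            pending = line  # wrapped: serial number and idstr follow on the next line
            continue
        keys.append(KeyInfo(*fields[2:6]))
    return keys


def locate(keys, keygrip):
    """'disk', ('card', serialno, idstr), 'unknown', or None if no record."""
    for k in keys:
        if k.keygrip.upper() == keygrip.upper():
            if k.type == "T":
                return ("card", k.serialno, k.idstr)
            return "disk" if k.type == "D" else "unknown"
    return None


def check_decryption_key(keys, keygrip):
    """The thread's reading of 'public key decryption failed: Invalid ID':
    a card-backed decryption key must be recorded under OPENPGP.2."""
    loc = locate(keys, keygrip)
    if loc is None:
        return "no private-key record for this keygrip (card stub missing)"
    if isinstance(loc, str):
        return "ok: private key on disk" if loc == "disk" else "unexpected key type"
    _, serial, idstr = loc
    if idstr == "OPENPGP.2":
        return "ok: decryption slot on card %s" % serial
    return "suspicious: card %s records this key as %s (%s slot), not OPENPGP.2" % (
        serial, idstr, SLOT_ROLE.get(idstr, "unknown"))


def ssh_identities(keys, sshcontrol_text, card_present):
    """Simplified model of gpg-agent's answer to REQUEST_IDENTITIES as the
    thread describes it: the inserted card's authentication key (OPENPGP.3)
    is offered implicitly, plus every key whose keygrip is listed in
    sshcontrol ('#' comment lines; otherwise '<keygrip> <ttl>')."""
    enabled = set()
    for raw in sshcontrol_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            enabled.add(line.split()[0].upper())
    offered = []
    for k in keys:
        if card_present and k.type == "T" and k.idstr == "OPENPGP.3":
            offered.append(k.keygrip)
        elif k.keygrip.upper() in enabled:
            offered.append(k.keygrip)
    return offered


# KEYINFO output quoted in the thread (Niibe's card), wrapped the way it
# appears in the mail archive.
THREAD_SAMPLE = """\
S KEYINFO A97A7983102513844456E5B687E46B936B14155C D - - - P - - -
S KEYINFO 65F67E742101C7FE6D5B33FCEFCF4F65EAF0688C T
D276000124010200F5170001 OPENPGP.2 - - - - -
S KEYINFO 101DE7B639FE29F4636BDEECF442A9273AFA6565 T
D276000124010200F5170001 OPENPGP.1 - - - - -
S KEYINFO 5D6C89682D07CCFC034AF508420BF2276D8018ED T
D276000124010200F5170001 OPENPGP.3 - - - - -
OK
"""

# Constructed record (made-up keygrip): the decryption key was copied into
# the signature slot, so its stub points at OPENPGP.1.
BROKEN_SAMPLE = ("S KEYINFO 0123456789ABCDEF0123456789ABCDEF01234567 T "
                 "D276000124010200F5170001 OPENPGP.1 - - - - -\n")

# Constructed sshcontrol file in the format Werner describes.
SSHCONTROL = """\
# Ed25519 key added on: 2016-11-29 10:28:00
A97A7983102513844456E5B687E46B936B14155C 0
"""
```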

Cannot decrypt from smartcard using gnupg-2.2, can from 2.0

2019-10-11 Thread alejandro Cortez via Gnupg-users
Working version:
Ubuntu-14.04
gpg (GnuPG) 2.0.22
libgcrypt 1.5.3

Not working version:
Ubuntu-18.04
gpg (GnuPG) 2.2.4
libgcrypt 1.8.1

I put the same subkey on all 3 slots of a Nitrokey Pro maybe about a year
ago and have been encrypting/decrypting (sometimes signing, sometimes not)
for myself and for/from other people during that time. I've used the
smartcard on 3 different hosts (also 14.04) by using fetch and running
card-status. On gnupg-2.2, whether signed or not, attempting to decrypt a
file with me as the recipient fails with:

gpg: public key decryption failed: Invalid ID
gpg: decryption failed: No secret key

It shows that the file was encrypted with my subkey fingerprint. I can
encrypt and sign with gnupg-2.2, just not the reverse. It does not matter
if the file I am trying to decrypt was created from one of my 14.04 hosts
or with the 18.04 host. The 18.04 host simply cannot decrypt it.

To be complete about how I set up the card: I imported the subkey into a
fresh .gnupg, ran card-edit, toggle, key 1, keytocard, chose the slot,
saved, wiped .gnupg (and restarted the agent) and repeated the process for
the other 2 slots and finally wiping .gnupg and using card-edit, fetch, and
card-status to re-initialize.

Both 2.0 and 2.2 show sec#, uid, and ssb> when running -K.
show-unusable-uids,show-unusable-subkeys does not change the output. There
are no other UIDs or subkeys and both master and sub are set to never
expire.

If I import the master or the detached subkey by themselves into a clean
18.04 environment, it works. Only the smartcard does not work. Can anyone
help debug this?


Smartcard operation

2019-09-17 Thread Peter Lebbing
On 17/09/2019 18:59, Stefan Claas via Gnupg-users wrote:
> I assume that in order to decrypt a message the secret key data must be
> unlocked and loaded for a very short time into the computers RAM, in order
> to perform the decryption, or am I wrong with my assumption?

OpenPGP messages encrypted to a public key are hybrid encryption: the
asymmetric (public/private) crypto is used to establish a per-message
shared secret. This shared secret is used by a symmetric encryption
algorithm to encrypt the actual data.

The smartcard does the asymmetric part of it all by itself, the computer
just asks it to decrypt something and gets the per-message shared secret
back from the card.

Then the PC will do the symmetric decryption of the actual data.

During regular use, knowledge about the private key contents never
leaves the smartcard, not for the briefest period.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>





Re: card-sized 4 Kbit RSA Smartcard recommendation with 3 slots

2019-04-04 Thread Andrew Gallagher
On 04/04/2019 16:10, Peter Lebbing wrote:
> I don't expect 4k RSA to be very snappy, though. You might want to
> reconsider your choice of algorithm and/or length.

On the v2.1 Zeitcontrol cards, 4096 bit RSA takes a couple of seconds
per operation. This is fine if you're just doing bits and pieces, but
when using it heavily, e.g. as an ssh auth method over ansible, it can
get *very* sluggish.

-- 
Andrew Gallagher





Re: card-sized 4 Kbit RSA Smartcard recommendation with 3 slots

2019-04-04 Thread Peter Lebbing
On 04/04/2019 14:06, Thomas Glanzmann wrote:
> I'm looking for a recommendation for a cardsized 4 kbit RSA smartcard
> with 3 keyslots

Well, the ZeitControl card, which was the first OpenPGP Card on the
market, is now at version 3.3 which would seem to support what you ask
for.[1] I have no personal experience, I do have v2.0 cards (and v1.1).

I don't expect 4k RSA to be very snappy, though. You might want to
reconsider your choice of algorithm and/or length.

> At the moment I use yubikey but I aquired a laptop with a smartcard
> reader that I would like to use in order to free up an USB slot.

Be warned that there are many cardreaders that will not work with larger
keys (where "larger" can already mean 2k) or even work reliably at all
with free software. So your mileage may vary a lot.

HTH,

Peter.

[1] 
<https://www.floss-shop.de/en/security-privacy/smartcards/13/openpgp-smart-card-v3.3>

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>





card-sized 4 Kbit RSA Smartcard recommendation with 3 slots

2019-04-04 Thread Thomas Glanzmann
Hello,
I'm looking for a recommendation for a card-sized 4 kbit RSA smartcard
with 3 key slots which works with Linux and Windows and gnupg. Does anyone
have a recommendation? At the moment I use a yubikey but I acquired a laptop
with a smartcard reader that I would like to use in order to free up a
USB slot.

Cheers,
Thomas



Re: First smartcard operation always fails

2018-09-20 Thread Andrew Gallagher
On 04/09/18 11:01, Peter Lebbing wrote:
> On 04/09/18 10:17, Andrew Gallagher wrote:
>> And I have just confirmed (by sending that mail) that both the first
>> auth operation AND the first signing operation fail, separately.
> 
> I have no idea, it's quite curious. As an added bread crumb to follow:
> what do the PIN retry counters say after the failure? gpg --card-status.
> 
> Do you always use the same reader? Perhaps it is the reader.

On further experimentation, it turns out it only happens with one of my
two cards, but does happen on multiple machines with multiple readers.
The signature counter increases every time. I can reproduce the sig
operation failure consistently, but not the auth operation.

Does this mean the card is unwittingly producing bad output on the first
attempt, and gpg (or scdaemon) is automatically retrying? Could this be
a manufacturing flaw in the card?

-- 
Andrew Gallagher





Re: First smartcard operation always fails

2018-09-04 Thread Peter Lebbing
On 04/09/18 10:17, Andrew Gallagher wrote:
> And I have just confirmed (by sending that mail) that both the first
> auth operation AND the first signing operation fail, separately.

I have no idea, it's quite curious. As an added bread crumb to follow:
what do the PIN retry counters say after the failure? gpg --card-status.

Do you always use the same reader? Perhaps it is the reader.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: First smartcard operation always fails

2018-09-04 Thread Andrew Gallagher
On 04/09/18 09:11, Andrew Gallagher wrote:
> Hi, all.
> 
> I've had a pgp smartcard v2.1 for years now (two, actually), and I've
> noticed that no matter what operation I perform, the first attempt after
> inserting the card, or waking from sleep with the card inserted, fails.

And I have just confirmed (by sending that mail) that both the first
auth operation AND the first signing operation fail, separately.

-- 
Andrew Gallagher





First smartcard operation always fails

2018-09-04 Thread Andrew Gallagher
Hi, all.

I've had a pgp smartcard v2.1 for years now (two, actually), and I've
noticed that no matter what operation I perform, the first attempt after
inserting the card, or waking from sleep with the card inserted, fails.

Example:

```
andrewg@fred:~$ ssh my.server
sign_and_send_pubkey: signing failed: agent refused operation
andrewg@my.server's password: ^C

andrewg@fred:~$ ssh my.server
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-92-lowlatency x86_64)
```

A similar thing happens with signing emails, and my signing and
authentication subkeys are distinct.

This has been bugging me for as long as I can remember, across different
machines, different software versions and OSes (Linux and Mac), and
using both smartcards.

Does anyone have any idea what's going on?

-- 
Andrew Gallagher





Re: revocation troubles & smartcard troubles

2018-09-03 Thread Dirk Gottschalk via Gnupg-users
As long as you did not publish your revocation, delete the key and re-import
it without the revocation cert.

On 3 September 2018 17:03:19 CEST, "Roland Siemons (P)" wrote:
>Dear GnuPG,
>
>I am already using GnuPG for a long time. But try to improve my
>understanding of and working with it.
>I became a member of Free Software Foundation Europe, and got a
>smartcard. I wanted to use it.
>
>And that is where the trouble started:
>I intended to copy all my personal keys to the smart card.
>In Kleopatra, I selected "Tools/Manage smartcards"
>Then I selected "Import a certificate from a file", and selected files
>from my laptop.
>I was under the impression that I was copying files to the smartcard.
>By doing so, I not only selected my private key but also my revocation
>key (because, why should I enable a thief of my laptop to revoke my
>key?).
>And then it appeared that I had revoked my entire key pair. Unintended!
>Apparently, under smartcard management, I was not at all copying files
>to the smartcard. Apparently, I was doing something else. Did I at all
>copy files to the smartcard?
>
>Questions:
>Can I UNrevoke that key?
>How can I see what is on the smartcard?
>How can I copy files to the smartcard?
>
>I studied the GnuPG Smartcard How-To
>(www.gnupg.org/howtos/card-howto/en/smartcard-howto.html), but that is
>entirely linux oriented.
>I am working on a win7 system.
>
>Can anyone help me further?
>
>Thanks!
>
>Roland

-- 
This message was sent from my Android device with K-9 Mail.


revocation troubles & smartcard troubles

2018-09-03 Thread Roland Siemons (P)
Dear GnuPG,

I have already been using GnuPG for a long time, but I am trying to improve
my understanding of it and my way of working with it.
I became a member of Free Software Foundation Europe, and got a
smartcard. I wanted to use it.

And that is where the trouble started:
I intended to copy all my personal keys to the smart card.
In Kleopatra, I selected "Tools/Manage smartcards"
Then I selected "Import a certificate from a file", and selected files
from my laptop.
I was under the impression that I was copying files to the smartcard.
By doing so, I not only selected my private key but also my revocation
key (because, why should I enable a thief of my laptop to revoke my key?).
And then it appeared that I had revoked my entire key pair. Unintended!
Apparently, under smartcard management, I was not at all copying files
to the smartcard. Apparently, I was doing something else. Did I at all
copy files to the smartcard?

Questions:
Can I UNrevoke that key?
How can I see what is on the smartcard?
How can I copy files to the smartcard?

I studied the GnuPG Smartcard How-To
(www.gnupg.org/howtos/card-howto/en/smartcard-howto.html), but that is
entirely Linux oriented.
I am working on a win7 system.

Can anyone help me further?

Thanks!

Roland




ECC smartcard (was: Cannot decrypt file encrypted with enQsig)

2018-08-16 Thread Peter Lebbing
On 16/08/18 07:52, Felix E. Klee wrote:
> PS: I’m toying with the idea of switching from my smart card to a
> Trezor hardware token. This would mean generating an entirely new key
> (only 256 bit ECC supported).

I didn't look at the Trezor to check, but I'll assume it allows usage
with GnuPG based on the context you brought it up in.

Note that many OpenPGP peers might not support ECC. You could add ECC
subkeys to your current key, and arrange for peers that support them to
prefer those. That way, anybody able to send you an ECC-encrypted
document could do so, and others could fall back to the RSA encryption
subkey.

For signatures, you'd either still use RSA or accept the fact that only
people with ECC-supporting clients could verify your signatures. The
alternative is signing with both keys; if both are on cards/tokens, that
becomes tiresome really quickly, I'd imagine.

If you add ECC subkeys to your current key, you'd still use an RSA
primary key, without anything elliptic about it.

> OTOH there are several advantages such as the Trezor being a well
> documented open source device

There's also the GnuK, which is free software.

My 2 cents,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Encrypt USB-HDD with LUKS using OpenPGP smartcard?

2018-08-15 Thread Ciprian Dorin Craciun
On Wed, Aug 15, 2018 at 1:57 PM Peter Lebbing  wrote:
> >   https://gist.github.com/cipriancraciun/c8a0dfb973b586053c167fec91093d9c
>
> Hey, that systemd service file seems to basically grab cryptsetup
> handling from the clutches of systemd, enabling all sorts of operations
> not possible with systemd's cryptsetup handling! That's really clever!


Basically I just looked at how a similar file was generated by systemd
for other `/etc/crypttab` targets and adapted.

Ciprian.



Re: Encrypt USB-HDD with LUKS using OpenPGP smartcard?

2018-08-15 Thread Peter Lebbing
On 06/08/18 08:38, Ciprian Dorin Craciun wrote:
> My script and systemd service file can be found at the following link:
> 
>   https://gist.github.com/cipriancraciun/c8a0dfb973b586053c167fec91093d9c

Hey, that systemd service file seems to basically grab cryptsetup
handling from the clutches of systemd, enabling all sorts of operations
not possible with systemd's cryptsetup handling! That's really clever!

I'm saving this for future reference, thanks.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Encrypt USB-HDD with LUKS using OpenPGP smartcard?

2018-08-06 Thread Ciprian Dorin Craciun
On Wed, Aug 1, 2018 at 7:32 PM Peter Lebbing  wrote:
> AFAIK, this is just systemd delegating passphrase querying to the
> physically present user. I suppose if you could somehow influence where
> it got the passphrase from, there might be a way to achieve it, but I
> have no idea how. That's all the direction I can provide.


I have a similar setup where at boot time I use GnuPG to decrypt my
drive with keys protected by GnuPG (instead of using LUKS).

I have managed to instruct GnuPG to use `systemd-ask-password` to
retrieve the password.  However I imagine that with some "tinkering"
one can implement a simple PIN-entry application to use
`systemd-ask-password`, and thus manage to make the whole setup work
with a smart card.

My script and systemd service file can be found at the following link:

  https://gist.github.com/cipriancraciun/c8a0dfb973b586053c167fec91093d9c

You just need to place these somewhere, update your paths (especially
in the `.service` file by replacing `store` and `lvm` with appropriate
tokens), and it should work by just updating your `/etc/fstab`.
(These were developed and tested only on OpenSUSE.)

Hope it helps,
Ciprian.


P.S.:  I really love GnuPG for its crypto-related features, but on the
flip side I really hate it for its "integration"-related features
within environments where it shouldn't double-fork processes (like its
agent), muck with the TTY (like when reading passwords by the agent),
and in general should just be "well behaved"...



Re: Encrypt USB-HDD with LUKS using OpenPGP smartcard?

2018-08-01 Thread Damien Cassou
Dirk Gottschalk via Gnupg-users  writes:
> Is it possible to encrypt an external USB drive in LUKS format with an
> OpenPGP smartcard? The device is, until now, only passphrase encrypted
> and mounted on detect.
>
> Would it be possible to let gpg ask for the PIN of the card, if it's in
> locked state?

What I do is to have the external HDD encryption passphrase in a GnuPG
encrypted file on my main hard disk. Then, a bash script takes care of
(1) getting the passphrase from the encrypted file, (2) mounting the
external disk with the passphrase. That way, you can use your smartcard.

All my passwords are in GnuPG encrypted files and handled by
https://www.passwordstore.org/.

-- 
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill

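The setup Ciprian and Damien describe above, a passphrase held in a GnuPG-encrypted file and fed to cryptsetup so that the card's PIN prompt gates the unlock, as an added example written as a POSIX shell script. This is not code from any poster in the thread, nor from the gist or password-store setups they link; the secret file path, the device, the mapping name and the mount point are assumed placeholders, while gpg, cryptsetup and mount are invoked with their standard options.

```shell
#!/bin/sh
# Added example: unlock a LUKS volume whose passphrase is kept in a
# GnuPG-encrypted file, so the OpenPGP smartcard (through gpg-agent and
# scdaemon) gates the unlock. Not code from the thread; every path, device
# and mapping name below is an assumed placeholder.
set -eu

# Accept only plain mapping names: cryptsetup creates /dev/mapper/$name,
# so "../x", "-foo" or an empty string must be rejected before use.
# Returns 0 for an acceptable name, 1 otherwise.
validate_mapping_name() {
    case "$1" in
        ''|.|..|-*|*/*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The encrypted passphrase file must exist and be readable by its owner
# only (mode ?00). A group- or world-readable copy hands the ciphertext to
# every local user and tells them what it protects; keep it private.
# Uses GNU stat for the mode check.
check_secret_file() {
    [ -f "$1" ] || return 1
    perms=$(stat -c %a "$1" 2>/dev/null) || return 1
    case "$perms" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Decrypt the passphrase (pinentry asks for the card PIN; export GPG_TTY
# first when a curses pinentry is in use) and hand it to cryptsetup on
# stdin via --key-file=-, so it never appears in argv or the process list.
# Caveat: --key-file reads the whole stream, trailing newline included, so
# the file must have been produced without one, e.g.
#   printf '%s' "$passphrase" | gpg --encrypt --recipient KEYID > usbhdd.gpg
unlock_luks() {
    secret_file=$1; device=$2; name=$3
    validate_mapping_name "$name" || { echo "bad mapping name: $name" >&2; return 1; }
    check_secret_file "$secret_file" || { echo "refusing $secret_file: missing or too permissive" >&2; return 1; }
    [ -b "$device" ] || { echo "not a block device: $device" >&2; return 1; }
    gpg --quiet --batch --decrypt "$secret_file" \
        | cryptsetup open --type luks --key-file=- "$device" "$name"
    mkdir -p "/media/$name"
    mount "/dev/mapper/$name" "/media/$name"
}

# Usage (as root, card inserted; all values are placeholders):
#   unlock_luks /root/.secrets/usbhdd.gpg /dev/sdb1 usbhdd
```

The two checks in front of the actual unlock are where most of the value is: the mapping name is validated because it becomes a path under /dev/mapper, and the secret file is refused unless its mode is owner-only, so a careless copy does not quietly weaken the scheme. Passing the passphrase on stdin rather than on the command line keeps it out of `ps` output and shell history.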


Re: Encrypt USB-HDD with LUKS using OpenPGP smartcard?

2018-08-01 Thread Peter Lebbing
On 01/08/18 18:16, Dirk Gottschalk wrote:
> Could this be replaced by the smartcard
> to use the gpg key in some way?

AFAIK, this is just systemd delegating passphrase querying to the
physically present user. I suppose if you could somehow influence where
it got the passphrase from, there might be a way to achieve it, but I
have no idea how. That's all the direction I can provide.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>





Re: Encrypt USB-HDD with LUKS using OpenPGP smartcard?

2018-08-01 Thread Dirk Gottschalk via Gnupg-users
Hi,

On Wednesday, 01.08.2018, 18:06 +0200, Peter Lebbing wrote:
> On 01/08/18 17:41, Dirk Gottschalk via Gnupg-users wrote:
> > Is it possible to encrypt an external USB drive in LUKS format with
> > an
> > OpenPGP smartcard?
> 
> On a system with systemd: no, I don't think this can be done. Systemd
> doesn't want to implement cryptsetup keyscripts, and those would be
> needed.
> 
> On a different system: it depends. What system are we talking about?
> :-)

I am using Fedora and it uses systemd. On the other hand, the HDD is
mounted when plugged in via GVFS and Gnome asks for the passphrase or
reads it from Gnome's keyring. Could this be replaced by the smartcard
to use the gpg key in some way?

I tried to use g13 with dm-crypt, but this seems not to work on Fedora
for an unknown reason.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Re: Encrypt USB-HDD with LUKS using OpenPGP smartcard?

2018-08-01 Thread Peter Lebbing
On 01/08/18 17:41, Dirk Gottschalk via Gnupg-users wrote:
> Is it possible to encrypt an external USB drive in LUKS format with an
> OpenPGP smartcard?

On a system with systemd: no, I don't think this can be done. Systemd
doesn't want to implement cryptsetup keyscripts, and those would be needed.

On a different system: it depends. What system are we talking about? :-)

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>





Encrypt USB-HDD with LUKS using OpenPGP smartcard?

2018-08-01 Thread Dirk Gottschalk via Gnupg-users
Hi.

Is it possible to encrypt an external USB drive in LUKS format with an
OpenPGP smartcard? The device is, until now, only passphrase encrypted
and mounted on detect.

Would it be possible to let gpg ask for the PIN of the card, if it's in
locked state?

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Re: Pinentry does not show "please insert smartcard" dialog

2018-07-31 Thread Sebastian Wiesinger
* GnuPG Users  [2018-06-30 13:22]:
> > What doesn't work is the "please insert smartcard" dialog when the
> > key
> > is not plugged in. I manually added the correct keygrip to the
> > sshcontrol file but this does not work. On my MacOS the same config
> > does display the "insert smartcard" dialog.
> > 
> > Any idea why it doesn't work on my Linux system or how to find out? I
> > already tried multiple debug options but no helpful info showed up in
> > the logs.
> 
> There is no card reader available, when yubikey is not plugged in. I
> use the smartcard with an external reader. I also do not see this dialog
> when the Reader is not connected.
> 
> I think, there is a dependence on a connected reader to show this
> dialog.

I don't think this is the reason because the same setup works under
OSX.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant




Re: Pinentry: Inappropriate ioctl for device when getting smartcard PIN

2018-07-05 Thread Jacob Adams
On 07/04/2018 01:23 PM, Werner Koch wrote:
> Hi!
> 
> Are you setting the homedir in your code also for the Assuan context?
> That might explain the behaviour.

I had been manually setting the Assuan context's homedir to ~/.gnupg by
accident (Was originally using a temporary directory, but that caused
all kinds of issues). Setting it to NULL instead appears to have fixed
the problem.

Thanks,
Jacob





Re: Pinentry: Inappropriate ioctl for device when getting smartcard PIN

2018-07-04 Thread Werner Koch
Hi!

Are you setting the homedir in your code also for the Assuan context?
That might explain the behaviour.


Shalom-Salam,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free. Exceptions are governed by a federal law.




Re: Pinentry: Inappropriate ioctl for device when getting smartcard PIN

2018-07-04 Thread Werner Koch
On Wed, 27 Jun 2018 22:50, tookm...@gmail.com said:

> I have two gpgme contexts, one for openpgp and another for assuan
> commands to the smartcard. Pinentry triggered by the openpgp context
> works perfectly, but any pinentry launched in service of the assuan
> context fails with the error in the subject. They're both using the same

The gpg-agent log shows that the pinentry started on behalf of the "SCD
PASSWD 1" does not send the ttyname to pinentry.  I will do some code
staring ...


Salam-Shalom,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free. Exceptions are governed by a federal law.




Re: Pinentry: Inappropriate ioctl for device when getting smartcard PIN

2018-07-03 Thread Jacob Adams
On 06/29/2018 07:45 PM, Jacob Adams wrote:
> On 06/27/2018 04:50 PM, Jacob Adams wrote:
>> I've got another pinentry problem unfortunately.
>> The tty is owned by the correct user this time and $GPG_TTY is set
>> correctly.
>>
>> I have two gpgme contexts, one for openpgp and another for assuan
>> commands to the smartcard. Pinentry triggered by the openpgp context
>> works perfectly, but any pinentry launched in service of the assuan
>> context fails with the error in the subject. They're both using the same
>> gpg-agent launched shortly after the creation of the openpgp context
>> with gpgconf --launch gpg-agent.
>>
>> The relevant logs are available at:
>> https://salsa.debian.org/tookmund-guest/pgpcr/issues/10
>>

> It appears that tty_name is not being set, despite the fact that GPG_TTY
> is set and thus gpg-agent has this information from the previous Context.
> 
>> I'm really not sure what's going wrong here and any insight would be
>> much appreciated.

I have a solution for this but it's definitely the wrong solution.

I've applied the following patch to pinentry to fix this problem:

--- a/pinentry/pinentry-curses.c
+++ b/pinentry/pinentry-curses.c
@@ -1187,7 +1187,8 @@
   alarm (pinentry->timeout);
 }
 #endif
-
+  if (pinentry->ttyname == NULL)
+pinentry->ttyname = getenv("GPG_TTY");
   rc = dialog_run (pinentry, pinentry->ttyname, pinentry->ttytype);
   do_touch_file (pinentry);
   return rc;
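Review bot: the fallback `pinentry->ttyname = getenv("GPG_TTY")` added after the `#endif` makes pinentry pick its terminal from its own environment instead of from the name gpg-agent hands it, so when the agent was started from another session the dialog lands on whatever tty the agent inherited rather than the caller's; as the text below the patch already says, the missing ttyname on the `SCD PASSWD` path is the agent's bug and the fix belongs there. If the workaround stays in for debugging, keep it limited to the `ttyname == NULL` case it checks, verify the value names an existing tty before `dialog_run` goes on to `fopen` it, and say in the commit message that it is a diagnostic, not a fix.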

Clearly this is not the right approach as it appears that gpg-agent is
supposed to handle the GPG_TTY variable. For some reason, it is simply
not passing it on to pinentry in this one case.

I've tried to reproduce this issue in a separate program but have been
unsuccessful. However it's consistently reproducible without this patch
in my program. Does anyone have an insight into why this patch would be
required?

Thanks,
Jacob





Re: Pinentry: Inappropriate ioctl for device when getting smartcard PIN

2018-06-29 Thread Jacob Adams
On 06/27/2018 04:50 PM, Jacob Adams wrote:
> I've got another pinentry problem unfortunately.
> The tty is owned by the correct user this time and $GPG_TTY is set
> correctly.
> 
> I have two gpgme contexts, one for openpgp and another for assuan
> commands to the smartcard. Pinentry triggered by the openpgp context
> works perfectly, but any pinentry launched in service of the assuan
> context fails with the error in the subject. They're both using the same
> gpg-agent launched shortly after the creation of the openpgp context
> with gpgconf --launch gpg-agent.
> 
> The relevant logs are available at:
> https://salsa.debian.org/tookmund-guest/pgpcr/issues/10
> 

I've now done a bit of poking around into this.
Attached is the patch I used to try and get some information out of
pinentry-curses.

It appears that tty_name is not being set, despite the fact that GPG_TTY
is set and thus gpg-agent has this information from the previous Context.

> I'm really not sure what's going wrong here and any insight would be
> much appreciated.

The above is still definitely true.

Thanks,
Jacob


--- a/pinentry/pinentry-curses.c
+++ b/pinentry/pinentry-curses.c
@@ -26,6 +26,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
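Review bot: the header name on the added `#include` line is missing from the patch as posted, so a reviewer cannot tell what it pulls in; the rest of the patch relies on `fopen`, `fputs` and `fprintf`, so the commit description should name the header being added (presumably the stdio one) or the line should be restored intact.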
@@ -820,6 +821,16 @@
 dialog_run (pinentry_t pinentry, const char *tty_name, const char *tty_type)
 {
   int confirm_mode = !pinentry->pin;
+  FILE *log = fopen("/tmp/pinentry-curses.log", "a");
+  if (log == NULL)
+  {
+pinentry->specific_err = gpg_error_from_syserror ();
+pinentry->specific_err_loc = "log_setup";
+return confirm_mode? 0 : -1;
+  }
+  fputs("Pinentry\n", log);
+  fprintf(log, "TTY Name: %s\nTTY Type: %s\n", tty_name, tty_type);
+  fprintf(log, "Title: %s\nDescription: %s\n", pinentry->title, 
pinentry->description);
   struct dialog diag;
   FILE *ttyfi = NULL;
   FILE *ttyfo = NULL;
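Review bot: the early `return confirm_mode? 0 : -1;` when `/tmp/pinentry-curses.log` cannot be opened turns a debugging aid into a hard failure of every PIN dialog, for example wherever `/tmp` is not writable by the user pinentry runs as; a diagnostic log should be best-effort, with a NULL check before each write. Writing `pinentry->title` and `pinentry->description` to a fixed, predictable path under `/tmp` also records prompt text that can identify the key in use in a file other local users may read or pre-create, so this must not survive into a shipped build, and the `log` handle is never closed on any return path in the hunk.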
@@ -853,6 +864,7 @@
   pinentry->specific_err_loc = "open_tty_for_read";
   return confirm_mode? 0 : -1;
 }
+ fputs("Open TTY for reading\n", log);
   ttyfo = fopen (tty_name, "w");
   if (!ttyfo)
{
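Review bot: `fputs("Open TTY for reading\n", log)` is only reached on the success path, while the `return confirm_mode? 0 : -1;` just above it leaves `log` open and unflushed; if the log is kept, put an `fflush(log)` after each write (and `fclose` before every return) so the last lines, which are the interesting ones when the tty cannot be opened, are on disk when the failure is examined.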
@@ -863,15 +875,19 @@
   pinentry->specific_err_loc = "open_tty_for_write";
  return confirm_mode? 0 : -1;
}
+ fputs("Open TTY for writing\n", log);
   screen = newterm (tty_type, ttyfo, ttyfi);
   set_term (screen);
+ fputs("Setup screen\n", log);
 }
   else
 {
   if (!init_screen)
{
+   fputs("No init screen\n", log);
   if (!(isatty(fileno(stdin)) && isatty(fileno(stdout
 {
+ fputs("ENOTTY\n", log);
   errno = ENOTTY;
   pinentry->specific_err = gpg_error_from_syserror ();
   pinentry->specific_err_loc = "isatty";
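Review bot: the `fputs("ENOTTY\n", log)` records that the combined `isatty` check failed but not which descriptor failed it, which is the datum needed to tell a missing `--ttyname` from a misrouted stdin/stdout; log `isatty(fileno(stdin))` and `isatty(fileno(stdout))` separately. (The `if (!(isatty(...` line is also truncated in the posted patch.)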
@@ -879,6 +895,7 @@
 }
  init_screen = 1;
  initscr ();
+ fputs("Setup ncurses\n", log);
}
   else
clear ();
@@ -921,10 +938,11 @@
}
 }
   refresh ();
-
+fputs("Create dialog\n", log);
   /* Create the dialog.  */
   if (dialog_create (pinentry, ))
 {
+   fputs("Failed to create dialog\n", log);
   /* Note: pinentry->specific_err has already been set.  */
   endwin ();
   if (screen)
@@ -951,6 +969,7 @@
 
   do
 {
+ fputs("Made it to event loop\n", log);
   int c;
 
   c = wgetch (stdscr); /* Refresh, accept single keystroke of input.  
*/
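Review bot: `fputs("Made it to event loop\n", log)` sits inside the `do { ... }` body, so it is written once per `wgetch` iteration, that is once per keystroke; move it above the `do` if the intent is only to record that the dialog reached its input loop.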
--- a/curses/pinentry-curses.c
+++ b/curses/pinentry-curses.c
@@ -34,8 +34,17 @@
 int
 main (int argc, char *argv[])
 {
+  FILE *log = fopen("/tmp/pinentry-args.log", "a");
+  if (log == NULL)
+  {
+   return 1;
+  }
+  fputs("Begin Pinentry\n", log);
   pinentry_init ("pinentry-curses");
-
+  for (int i = 0; i < argc; i++)
+  {
+ fprintf(log, "%d: %s\n", i, argv[i]);
+  }
   pinentry_parse_opts (argc, argv);
 
   if (pinentry_loop ())
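Review bot: returning 1 from `main` when `/tmp/pinentry-args.log` cannot be opened makes the whole pinentry fail on a read-only or full `/tmp`, and appending every `argv[i]` to a fixed path there exposes pinentry's command-line options to other local users; make the log best-effort and keep it out of anything that ships. The `for (int i = 0; ...)` declaration also requires C99, which the surrounding file may not otherwise assume, and the hunk drops the blank line after `pinentry_init` for no reason.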




Pinentry: Inappropriate ioctl for device when getting smartcard PIN

2018-06-27 Thread Jacob Adams
I've got another pinentry problem unfortunately.
The tty is owned by the correct user this time and $GPG_TTY is set
correctly.

I have two gpgme contexts, one for openpgp and another for assuan
commands to the smartcard. Pinentry triggered by the openpgp context
works perfectly, but any pinentry launched in service of the assuan
context fails with the error in the subject. They're both using the same
gpg-agent launched shortly after the creation of the openpgp context
with gpgconf --launch gpg-agent.

The relevant logs are available at:
https://salsa.debian.org/tookmund-guest/pgpcr/issues/10

I'm really not sure what's going wrong here and any insight would be
much appreciated.

Thanks,
Jacob





Pinentry does not show "please insert smartcard" dialog

2018-06-27 Thread Sebastian Wiesinger
Hello,

I'm using pinentry (GTK2) on my Xubuntu. My authentication key is
saved on a Yubikey4. Pinentry does work when the key is inserted and
displays the PIN entry dialog just fine.

What doesn't work is the "please insert smartcard" dialog when the key
is not plugged in. I manually added the correct keygrip to the
sshcontrol file but this does not work. On my MacOS the same config
does display the "insert smartcard" dialog.

Any idea why it doesn't work on my Linux system or how to find out? I
already tried multiple debug options but no helpful info showed up in
the logs.

Version:

Xubuntu 17.10

ii  pinentry-gtk2 1.0.0-2 amd64
$ gpg --version
gpg (GnuPG) 2.1.15
libgcrypt 1.7.8

Kind Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
