Re: One Key, multiple Smartcards not working anymore
Hello,

Thank you for the fast reply and the solution. I can confirm that this works. Also I switched to GPG 2.1 on my notebook (also Windows) and the bug doesn't exist in that version.

Best regards,
Josef

On 29.07.2015, 06:02 NIIBE Yutaka wrote:
> Hello,
>
> I forgot to address some way to recover.
>
> On 07/28/2015 04:09 AM, Josef Schneider wrote:
> > I insert the other card and do a card-status:
> > [...]
> > General key info..: pub 2048R/988E7DDD 2015-07-07 Josef Schneider jo...@schneider.wf
> > sec 4096R/9BE45ED0 erzeugt: 2012-12-10 verfällt: 2017-04-13 Kartennummer:0005
> > ssb 4096R/B641DD11 erzeugt: 2012-12-10 verfällt: niemals Kartennummer:0005
> > ssb 4096R/CA02F8EA erzeugt: 2012-12-10 verfällt: niemals Kartennummer:0005
> > ssb# 2048R/988E7DDD erzeugt: 2015-07-07 verfällt: 2017-07-06
> > ssb# 2048R/03E021FE erzeugt: 2015-07-07 verfällt: 2017-07-06
> > ssb# 2048R/8B406748 erzeugt: 2015-07-07 verfällt: 2017-10-24
>
> In this situation, you have a stub for RSA 4096-bit keys.
>
> 4096R/9BE45ED0 - Kartennummer:0005
> 4096R/B641DD11 - Kartennummer:0005
> 4096R/CA02F8EA - Kartennummer:0005
>
> With GnuPG 2.0, you can export the stub (it's not possible for GnuPG 2.1).
>
> $ gpg -a -o 9BE45ED0-stub.asc --export-secret-keys 9BE45ED0
> $ gpg -a -o B641DD11-stub.asc --export-secret-subkeys B641DD11
> $ gpg -a -o CA02F8EA-stub.asc --export-secret-subkeys CA02F8EA
>
> Then,
>
> General key info..: pub 2048R/988E7DDD 2015-07-07 Josef Schneider jo...@schneider.wf
> sec# 4096R/9BE45ED0 erzeugt: 2012-12-10 verfällt: 2017-04-13
> ssb# 4096R/B641DD11 erzeugt: 2012-12-10 verfällt: niemals
> ssb# 4096R/CA02F8EA erzeugt: 2012-12-10 verfällt: niemals
> ssb 2048R/988E7DDD erzeugt: 2015-07-07 verfällt: 2017-07-06 Kartennummer:0006
> ssb 2048R/03E021FE erzeugt: 2015-07-07 verfällt: 2017-07-06 Kartennummer:0006
> ssb 2048R/8B406748 erzeugt: 2015-07-07 verfällt: 2017-10-24 Kartennummer:0006
>
> When you have this configuration ('#' means no secret key), import *-stub.asc by gpg --import.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: One Key, multiple Smartcards not working anymore
Hello,

Thank you for the report describing a complicated issue. Your detailed description helps me understand the situation.

On 07/28/2015 04:09 AM, Josef Schneider wrote:
> I have a problem with my Key. I have a 4096bit RSA key since 2012 and it is stored on an OpenPGP smartcard. Recently I added three new 2048bit subkeys, because I bought a Yubikey NEO device and want to use PGP on my phone/tablet with Android and NFC.
>
> This worked as expected. I created the new subkeys on my PC, saved a backup and then moved them to the card. PGP showed me correctly that the first three keys are on card 1 and the second three are on card 2. If the wrong card was inserted, it asked me to insert the correct one.
>
> I then wanted to create one key backup with all six private keys to print using PaperBack and store in a safe place. I was able to merge all the private keys with gpgsplit and moving/renaming files and created that backup. After that, I deleted the whole key, got my public key from the keyservers and tried to use it with the card (after gpg2 --card-status).
>
> Here is now my problem: GPG adds the key stub for the smartcard keys only for the first card! If I delete the key, import, use card-status, then I can use the three keys from that smartcard. If I insert the second smartcard and do a card-status, nothing changes!
>
> If I import the full key with all private keys, I can then replace the keys on the card and move all keys to smartcards. Then I get a key working with both smartcards again. But of course I don't want to touch the key backup. It's printed on paper and stored in a safe location for a reason.
>
> Am I doing something wrong, or is that a bug?
> [...]
> All with gpg (GnuPG) 2.0.28 (Gpg4win 2.2.5)

This is a bug in 2.0. (I think it works well (or better) on 2.1.)

In gnupg/g10/card-util.c, we have a function card_status, which corresponds to the --card-status option. It goes to the block of line 590 when there are no secret keys available but the public key is available (let's call it THE CONDITION). In this specific case, the function auto_create_card_key_stub will be called to create the stub.

In your case, the secret key stub is not available but the public key is available. The calculation of THE CONDITION is somehow wrong for subkeys sharing a primary key when the subkey is not available but another subkey is available. This is because the lookup is basically based on the primary key.

I'm going to look in detail, and I will fix it.
Re: One Key, multiple Smartcards not working anymore
Hello,

I forgot to address some way to recover.

On 07/28/2015 04:09 AM, Josef Schneider wrote:
> I insert the other card and do a card-status:
> [...]
> General key info..: pub 2048R/988E7DDD 2015-07-07 Josef Schneider jo...@schneider.wf
> sec 4096R/9BE45ED0 erzeugt: 2012-12-10 verfällt: 2017-04-13 Kartennummer:0005
> ssb 4096R/B641DD11 erzeugt: 2012-12-10 verfällt: niemals Kartennummer:0005
> ssb 4096R/CA02F8EA erzeugt: 2012-12-10 verfällt: niemals Kartennummer:0005
> ssb# 2048R/988E7DDD erzeugt: 2015-07-07 verfällt: 2017-07-06
> ssb# 2048R/03E021FE erzeugt: 2015-07-07 verfällt: 2017-07-06
> ssb# 2048R/8B406748 erzeugt: 2015-07-07 verfällt: 2017-10-24

In this situation, you have a stub for RSA 4096-bit keys.

4096R/9BE45ED0 - Kartennummer:0005
4096R/B641DD11 - Kartennummer:0005
4096R/CA02F8EA - Kartennummer:0005

With GnuPG 2.0, you can export the stub (it's not possible for GnuPG 2.1).

$ gpg -a -o 9BE45ED0-stub.asc --export-secret-keys 9BE45ED0
$ gpg -a -o B641DD11-stub.asc --export-secret-subkeys B641DD11
$ gpg -a -o CA02F8EA-stub.asc --export-secret-subkeys CA02F8EA

Then,

General key info..: pub 2048R/988E7DDD 2015-07-07 Josef Schneider jo...@schneider.wf
sec# 4096R/9BE45ED0 erzeugt: 2012-12-10 verfällt: 2017-04-13
ssb# 4096R/B641DD11 erzeugt: 2012-12-10 verfällt: niemals
ssb# 4096R/CA02F8EA erzeugt: 2012-12-10 verfällt: niemals
ssb 2048R/988E7DDD erzeugt: 2015-07-07 verfällt: 2017-07-06 Kartennummer:0006
ssb 2048R/03E021FE erzeugt: 2015-07-07 verfällt: 2017-07-06 Kartennummer:0006
ssb 2048R/8B406748 erzeugt: 2015-07-07 verfällt: 2017-10-24 Kartennummer:0006

When you have this configuration ('#' means no secret key), import *-stub.asc by gpg --import.
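A check for the symptom discussed in this thread, as an added example that is not part of the original messages and not GnuPG code: it parses `gpg --card-status` text and lists the keys that are on the inserted card but have no stub in the keyring (`ssb#`), which is the state to confirm before and after the recovery steps. The sample uses the values quoted in the thread with line breaks reconstructed; the function names and the accepted line layouts are assumptions.

```python
import re

# Constructed sample: values are the ones quoted in the thread (card 0006
# inserted, stubs exist only for card 0005); the line breaks are reconstructed.
BROKEN = """\
Signature key ....: 50FD 3663 AB67 A8FD 64BD C208 1272 58BE 988E 7DDD
Encryption key....: 88FA 7314 795F 5F19 F258 3B70 E18B C1D9 03E0 21FE
Authentication key: E0E5 13F9 AA97 8C8E 1BF5 27FB B6BF D0F7 8B40 6748
General key info..: pub 2048R/988E7DDD 2015-07-07 Josef Schneider
sec 4096R/9BE45ED0 erzeugt: 2012-12-10 verfällt: 2017-04-13 Kartennummer:0005
ssb 4096R/B641DD11 erzeugt: 2012-12-10 verfällt: niemals Kartennummer:0005
ssb 4096R/CA02F8EA erzeugt: 2012-12-10 verfällt: niemals Kartennummer:0005
ssb# 2048R/988E7DDD erzeugt: 2015-07-07 verfällt: 2017-07-06
ssb# 2048R/03E021FE erzeugt: 2015-07-07 verfällt: 2017-07-06
ssb# 2048R/8B406748 erzeugt: 2015-07-07 verfällt: 2017-10-24
"""

# The three key slots of the card, each followed by a 40-hex-digit fingerprint.
FPR = re.compile(r"^(?:Signature|Encryption|Authentication) key\s*\.*:\s*"
                 r"((?:[0-9A-F]{4}\s+){9}[0-9A-F]{4})", re.M)
# Keyring lines: '#' after sec/ssb means no secret key and no stub.
KEY = re.compile(r"^(?:sec|ssb)([#>]?)\s+\d+[A-Z]/([0-9A-F]{8})")
CARD = re.compile(r"(?:Kartennummer|card-no):\s*(\S+)")  # German or English label

def card_keys(text):
    """Short key IDs (last 8 hex digits of each fingerprint) held by the card."""
    return ["".join(fpr.split())[-8:] for fpr in FPR.findall(text)]

def keyring_state(text):
    """Map short key ID -> (has_secret_or_stub, card number or None)."""
    state, last = {}, None
    for line in text.splitlines():
        m = KEY.match(line)
        if m:
            last = m.group(2)
            state[last] = (m.group(1) != "#", None)
        c = CARD.search(line)  # same line or an indented continuation line
        if c and last:
            state[last] = (state[last][0], c.group(1))
    return state

def missing_stubs(text):
    """Keys present on the inserted card for which the keyring has no stub."""
    state = keyring_state(text)
    return [k for k in card_keys(text) if not state.get(k, (False, None))[0]]

if __name__ == "__main__":
    print("on card but no stub in keyring:", missing_stubs(BROKEN))
```

An empty list for each card, checked with that card inserted, means `--card-status` found or created stubs for every key the card holds.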
One Key, multiple Smartcards not working anymore
Hello,

I have a problem with my Key. I have a 4096bit RSA key since 2012 and it is stored on an OpenPGP smartcard. Recently I added three new 2048bit subkeys, because I bought a Yubikey NEO device and want to use PGP on my phone/tablet with Android and NFC.

This worked as expected. I created the new subkeys on my PC, saved a backup and then moved them to the card. PGP showed me correctly that the first three keys are on card 1 and the second three are on card 2. If the wrong card was inserted, it asked me to insert the correct one.

I then wanted to create one key backup with all six private keys to print using PaperBack and store in a safe place. I was able to merge all the private keys with gpgsplit and moving/renaming files and created that backup. After that, I deleted the whole key, got my public key from the keyservers and tried to use it with the card (after gpg2 --card-status).

Here is now my problem: GPG adds the key stub for the smartcard keys only for the first card! If I delete the key, import, use card-status, then I can use the three keys from that smartcard. If I insert the second smartcard and do a card-status, nothing changes!

If I import the full key with all private keys, I can then replace the keys on the card and move all keys to smartcards. Then I get a key working with both smartcards again. But of course I don't want to touch the key backup. It's printed on paper and stored in a safe location for a reason.

Am I doing something wrong, or is that a bug?

Here are some gpg outputs:

At the moment, I have it here on my notebook working with the 4096bit keys:

sec 4096R/9BE45ED0 2012-12-10 [verfällt: 2017-04-13]
Kartenseriennr. = 0005
uid Josef Schneider jo...@netpage.dk
uid Josef Schneider jo...@schneider.wf
ssb 4096R/B641DD11 2012-12-10
ssb 4096R/CA02F8EA 2012-12-10
ssb# 2048R/988E7DDD 2015-07-07
ssb# 2048R/03E021FE 2015-07-07
ssb# 2048R/8B406748 2015-07-07

I insert the other card and do a card-status:

C:\Users\Josef Schneider>gpg --card-status
Application ID ...: DXXX
Version ..: 2.0
Manufacturer .: Yubico
Serial number :
Name of cardholder: Josef Schneider
Language prefs ...: de
Sex ..: männlich
URL of public key : https://j0s.at/gpg.asc
Login data ...: [nicht gesetzt]
Signature PIN : zwingend
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 39
Signature key : 50FD 3663 AB67 A8FD 64BD C208 1272 58BE 988E 7DDD
created : 2015-07-07 11:34:08
Encryption key: 88FA 7314 795F 5F19 F258 3B70 E18B C1D9 03E0 21FE
created : 2015-07-07 11:38:08
Authentication key: E0E5 13F9 AA97 8C8E 1BF5 27FB B6BF D0F7 8B40 6748
created : 2015-07-07 20:15:08
General key info..: pub 2048R/988E7DDD 2015-07-07 Josef Schneider jo...@schneider.wf
sec 4096R/9BE45ED0 erzeugt: 2012-12-10 verfällt: 2017-04-13 Kartennummer:0005
ssb 4096R/B641DD11 erzeugt: 2012-12-10 verfällt: niemals Kartennummer:0005
ssb 4096R/CA02F8EA erzeugt: 2012-12-10 verfällt: niemals Kartennummer:0005
ssb# 2048R/988E7DDD erzeugt: 2015-07-07 verfällt: 2017-07-06
ssb# 2048R/03E021FE erzeugt: 2015-07-07 verfällt: 2017-07-06
ssb# 2048R/8B406748 erzeugt: 2015-07-07 verfällt: 2017-10-24

I can't use this key. After deleting it and import https://j0s.at/gpg.asc :

C:\Users\Josef Schneider>gpg --card-status
Application ID ...: DXXX
Version ..: 2.0
Manufacturer .: Yubico
Serial number :
Name of cardholder: Josef Schneider
Language prefs ...: de
Sex ..: männlich
URL of public key : https://j0s.at/gpg.asc
Login data ...: [nicht gesetzt]
Signature PIN : zwingend
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 40
Signature key : 50FD 3663 AB67 A8FD 64BD C208 1272 58BE 988E 7DDD
created : 2015-07-07 11:34:08
Encryption key: 88FA 7314 795F 5F19 F258 3B70 E18B C1D9 03E0 21FE
created : 2015-07-07 11:38:08
Authentication key: E0E5 13F9 AA97 8C8E 1BF5 27FB B6BF D0F7 8B40 6748
created : 2015-07-07 20:15:08
General key info..: pub 2048R/988E7DDD 2015-07-07 Josef Schneider jo...@schneider.wf
sec# 4096R/9BE45ED0 erzeugt: 2012-12-10 verfällt: 2017-04-13
ssb# 4096R/B641DD11 erzeugt: 2012-12-10 verfällt: niemals
ssb# 4096R/CA02F8EA erzeugt: 2012-12-10 verfällt: niemals
ssb 2048R/988E7DDD erzeugt: 2015-07-07 verfällt: 2017-07-06 Kartennummer:0006
ssb 2048R/03E021FE erzeugt: 2015-07-07 verfällt: 2017-07-06 Kartennummer:0006
ssb 2048R/8B406748 erzeugt: 2015-07-07 verfällt: 2017-10-24 Kartennummer:0006

I can use the 2048bit keys, but not the