
smartcard V2 => impossible to generate key on it on Linux
Closed, ResolvedPublic

Description

Hi,

I'm on Debian squeeze (and I use a Cherry keyboard 14601 with reader xx44)
with gpg version 1.4.9-3 and gnupg2 version 2.0.11-1.
But with these two versions I can't generate keys on my smartcard V2 ...

I can change: name of cardholder, language prefs, sex, but I get an error when I
generate my keys.

with gpg:
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: existing key will be replaced
gpg: please wait while key is being generated ...
gpg: generating key failed
gpg: key generation failed: General error
Key generation failed: General error

with gpg2:
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: key generation failed: Card error
Key generation failed: Card error

I've made some tests on Ubuntu, Mandriva and Knoppix, but I have the same issue there too.

I've only successfully generated my key on Windows XP with gpg 1.4.9, but I work
on Debian, not Windows.

And on my Debian, I can manage my keys (generated on Windows XP).
And on Windows XP, I can't generate keys of more than 2048 bits, not 3072.

Thanks for your help

Event Timeline


This version does not support the v2 smartcard.

You need to use 2.0.12 plus a few patches I posted to gnupg-users.
1.4.9 does not support the card at all. We are working on 2.0.13 and 1.4.10.

In addition, all Omnikey-based readers (e.g. the Cherry keyboard) can't cope with
2048-bit keys. The Omnikey Windows driver has a workaround. I reverse
engineered parts of that protocol, so that 2.0.13 works a little bit with these
readers if used with the internal CCID driver (i.e. without pcscd).

Hi,

Many thanks for your answers.

I've verified that I'm on gnupg2 version 2.0.12 (Gpg4win 2.0.0rc1) on Windows XP, but
I made an update yesterday.

So if I understand, I need to upgrade my GnuPG version on my Debian to 2.0.12,
compiled from your package here: ftp://ftp.gnupg.org/gcrypt/gnupg. But
where can I download your patches?

I'll try this and give you my results as soon as possible.

Thanks again.

I posted them to the mailing list but there are no direct links. Thus I add
them to this bug report.

These are the non-Windows patches we are going to use in gpg4win 2.0.0. They
can be applied to a plain 2.0.12.

Hi,

Thanks, werner, for the patches; I'm on Debian, so I think I need them.
Windows XP was just for testing, because key generation doesn't work on my Debian;
I work on Debian squeeze.

I'll look into that as soon as possible.

Hi,

I've compiled and installed the new 2.0.12 gnupg version.

gpg2 --version:
gpg (GnuPG) 2.0.12
libgcrypt 1.4.4

with gpg2 --card-status, I can see two new lines:

Manufacturer .....: ZeitControl (before, Manufacturer was unknown)
Key attributes ...: 2048R 2048R 2048R

But now when I try to generate my key, I get a new error:
Replace existing keys? (y/N) y
gpg: error clearing forced signature PIN flag: No pinentry

So I preferred to make a fresh install of the whole Debian OS and the new gnupg 2.0.12 package.
I'll tell you afterwards whether it's good or not.

You need to install the pinentry package as well.

Hi,

When I did my tests yesterday, pinentry-gtk2 (0.7.5-3) was installed, and
version 2.0.11 of gnupg2 worked fine with it.

werner claimed this task.

Hi,

I've done new tests on a "fresh" Debian install; I've installed gnupg2 2.0.12,
gpg-agent 2.0.12, gpgsm 2.0.12, pinentry-curses 0.7.5-3 and pinentry-gtk2 0.7.3-3.

I've done :

eval $(gpg-agent --daemon)

gpg2 --version

gpg (GnuPG) 2.0.12
libgcrypt 1.4.4

gpg2 --card-edit:

pinentry for Admin PIN and PIN => OK

but I always get the same error when I generate my keys:

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: key generation failed: Card error
Key generation failed: Card error

I see smartcard LED activity before it fails.

Do you have another gnupg2 version to solve this?

Thanks in advance

Hi,

Yes, I've done it, but I get an error for the third one:

sh ./01-scd-pw2.patch

patching file scd/app-openpgp.c

sh ./03-opgp-writekey.patch

patching file scd/app-openpgp.c
patching file g10/card-util.c

sh ./06-opgp-sign3072.patch

./06-opgp-sign3072.patch: line 2: ./06-opgp-sign3072.patch: No such file or
directory

but the scd directory is there ....

Hi,

To solve the third error I did this:

  1. cd scd (I deleted `cd scd &&` in the 06-opgp-sign3072.patch file)
  2. sh ./06-opgp-sign3072.patch

patching file iso7816.c
patching file app-openpgp.c
patching file iso7816.h
patching file app-dinsig.c
patching file app-nks.c
patching file app-p15.c

I'll make a new Debian package version for gnupg2, gpg-agent and gpgsm, and tell you
afterwards if there are any changes.

Hi,

I've made my gnupg2 package again and installed it; this time all patches were
applied, but I always get the same error:

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: key generation failed: Card error
Key generation failed: Card error

What can I do now ?

Hi,

I have some good news for you and me :-)

Now I can generate keys on my Debian with my GnuPG V2 smartcard (but not everything
works fine: I can't make a backup at the same time as I generate my keys).
The only change I've made is to upgrade libgpgme11 1.1.8 to 1.2.0 (compiled and
installed).

After this good news, I've also compiled and installed gpa 0.9.0 (it also works
fine, except if I ask to make a backup when I generate my keys; in that case it
doesn't give me "my hand" back, i.e. control never returns).

It's the same with gpg2: it works fine only if I don't want a key backup; otherwise I get
this error:
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: writing self signature
gpg: signing failed: Bad PIN
gpg: make_keysig_packet failed: Bad PIN
Key generation failed: Bad PIN

But the PIN code is good.

I always have:
PIN retry counter : 3 0 3

Other differences between Linux and Windows XP that I've seen:

keys generated on Linux:

  • with gpg2 --card-status I see more key details on Linux, fewer key details on
    Windows XP

  • with gpa I can see my key details on Linux, not on Windows XP.

That's all for the moment; there are still some bugs to solve (key backup for
example), but it's better.
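A small check script, added here as an example and not part of this bug report or of GnuPG itself: it reads `gpg2 --card-status` output and looks at the three lines this thread relies on before any attempt at on-card key generation: the "Manufacturer" and "Key attributes" lines that only appeared once 2.0.12 recognised the v2 card, and the "PIN retry counter" line. The field layout is copied from the output quoted above; reading the three counters as PIN / Reset Code / Admin PIN is the OpenPGP card convention, and the literal "unknown" manufacturer string for an unrecognised card is an assumption. The sample outputs at the bottom are constructed, so the script runs without a card.

```shell
#!/bin/sh
# Added example (not from the bug report, not GnuPG code): sanity-check
# `gpg2 --card-status` output before trying to generate keys on the card.
# Real use:   gpg2 --card-status | check_card_status
# Assumptions: field layout as quoted in this thread; "unknown" as the
# manufacturer string for an unrecognised card; retry counters ordered
# PIN / Reset Code / Admin PIN (OpenPGP card convention).

# check_card_status: reads --card-status text on stdin, prints one verdict
# line ("OK" or "FAIL: <reason>") and returns 0 or 1 accordingly.
check_card_status() {
    manufacturer=''; attrs=''; retries=''
    while IFS= read -r line; do
        case "$line" in
            "Manufacturer "*)     manufacturer=${line#*: } ;;   # e.g. ZeitControl
            "Key attributes "*)   attrs=${line#*: } ;;          # e.g. 2048R 2048R 2048R
            "PIN retry counter"*) retries=${line#*: } ;;        # e.g. 3 0 3
        esac
    done

    # A v2 card that the running GnuPG does not understand shows no
    # usable manufacturer and no key attributes (the 2.0.11 situation).
    case "$manufacturer" in
        ''|unknown)
            echo "FAIL: manufacturer not recognised (GnuPG too old for this card?)"
            return 1 ;;
    esac
    if [ -z "$attrs" ]; then
        echo "FAIL: no 'Key attributes' line (card not read as a v2 card)"
        return 1
    fi
    for a in $attrs; do
        case "$a" in
            [0-9]*R) ;;   # RSA key of the given size, e.g. 2048R
            *) echo "FAIL: unexpected key attribute '$a'"; return 1 ;;
        esac
    done

    # Positional parameters: $1 = PIN, $2 = Reset Code, $3 = Admin PIN.
    # A zero Reset Code counter is normal when no reset code was set.
    set -- $retries
    if [ "${1:-0}" -eq 0 ]; then
        echo "FAIL: user PIN is blocked (retry counter 0)"
        return 1
    fi
    if [ "${3:-0}" -eq 0 ]; then
        echo "FAIL: Admin PIN is blocked; key generation needs it"
        return 1
    fi
    echo "OK"
}

# Constructed sample resembling the 2.0.12 output quoted in this thread.
sample_good='Manufacturer .....: ZeitControl
Key attributes ...: 2048R 2048R 2048R
PIN retry counter : 3 0 3'

# Constructed sample of older output, where the card was not recognised.
sample_old='Manufacturer .....: unknown
PIN retry counter : 3 0 3'

printf '%s\n' "$sample_good" | check_card_status
printf '%s\n' "$sample_old" | check_card_status || true
```

The script only inspects what `--card-status` reports; it cannot detect the reader limitation werner describes (Omnikey-based readers failing with 2048-bit keys), because the card itself reports the key sizes correctly in that case.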

Hi,

In fact, with more tests, I can't read on Windows XP my keys generated on my
Linux ...
I can only see the fingerprint, nothing else.

I'd say the problems are due to the Cherry XX44. We need to contact the vendor.
I'll try it again this week.

Hi,

I've made a support request to Cherry and Omnikey, but so far I have no answer
about it ... :-(

If I understand, if I take an SCM SCR 3340 ExpressCard54 for example, there is no
problem with it?

I have not seen that card yet. Thus I can't tell.

Hi,

Do you also have a patch for the backup failure when generating a key on the smartcard?

I am not sure I understand this. Do you mean a failure while writing an
off-card generated key to the card? That is fixed with 03-opgp-writekey.patch .

Hi,

I said that on T1094 (tsndcb on Jul 30 2009, 12:35 AM / Roundup): when I generate my keys directly on the smartcard, it
asks me if I want to back them up; if I answer yes => failure (and no keys
are generated), if I answer no, my keys are generated but I have no key backup.

gnupg2 2.0.13 svn version includes the three patches I think, no?

I forgot, just for your information: I've had no answer from Cherry or Omnikey support
at this time.

Hi,

I can now make a gpg key backup while generating a key directly on the OpenPGP V2
smartcard.

Hi,

I'm closing this issue, thanks again.