Page MenuHome GnuPG
Create Task
Maniphest T3843

Unable to generate RSA4096 keys on Yubikey 4 on OSX Sierra
Closed, ResolvedPublic
Actions

Description

A co-worker has been unable to generate RSA4096 keys on their Yubikey 4 Nano on their OSX Sierra laptop with gnupg 2.2.5.

Key generation fails after the first of 3 subkey generation steps with:

gpg: key generation failed: End of file              
Key generation failed: End of file

"gpg --card-status" reveals a single subkey on the card and no public key for the chain at this point.

Proceeding with cycles of factory-reset and generating RSA2048 keychains works every time, but RSA4096 fails identically every time.

~/.gnupg was removed between runs and gpg-agent processes killed. One run was attempted with 'use-standard-socket' with no luck.

Also verified gpg-agent and gnupg are both 2.2.5 freshly installed via brew.

To rule out a hardware issue with the key, RSA4096 I inserted this key into an Arch Linux system running gnupg 2.2.5 as well and had no problem repeatedly generating RSA4096 keys.

I had the user add the following to their ~/.gnupg/gpg-agent.conf to obtain the attached log of another identical failure.

default-cache-ttl 300
max-cache-ttl 300
log-file /tmp/gpg-agent.log
debug 1024
verbose

gpg-agent.log44 KBDownload

Details

Version
2.2.5

Event Timeline

lrvick created this task.Mar 19 2018, 2:54 AM
lrvick updated the task description. (Show Details)
gniibe claimed this task.Mar 29 2018, 1:07 AM
gniibe added a subscriber: gniibe.

Since I don't have macOS environment and Yubikey 4 (I only have old Yubikey), I hesitated to claim this ticket. But it is me who should take this one.

I think that possibly, it's PC/SC service which need to be fixed. Key generation for 4096 takes long time, and it would be unusually long for PC/SC service.

It's good if we can configure PC/SC service for command which takes too long. Let me seek.

For a while, if possible, please generate on another machine.

gniibe added a comment.Mar 29 2018, 2:59 AM

It looks like something wrong happened in scdaemon. Could you please try with following? .gnupg/scdaemon.conf

debug-level guru
debug-all
verbose
verbose
log-file /SOME/WHERE/scdaemon-macos.log
werner added projects: scd, yubikey.Apr 5 2018, 5:22 PM
gniibe triaged this task as Normal priority.Apr 11 2018, 10:02 AM
gniibe added a project: MacOS.
gniibe added a project: Info Needed.
gniibe closed this task as Resolved.Aug 19 2020, 3:41 AM

No more information, can't proceed, thus, closed.

lrvick added a comment.Aug 19 2020, 4:04 AM

I am the worst. I totally forgot about this.

For sure this should be closed.

The system of the user in question had yubioauth-desktop installed which at
the time included a loop that ran "killall scdaemon" every 30 seconds,
which didn't allow enough time for 4096 key generation to complete.