
Unable to generate RSA4096 keys on Yubikey 4 on OSX Sierra
Closed, Resolved (Public)


A co-worker has been unable to generate RSA4096 keys on their Yubikey 4 Nano on their OSX Sierra laptop with gnupg 2.2.5.

Key generation fails after the first of 3 subkey generation steps with:

gpg: key generation failed: End of file              
Key generation failed: End of file

"gpg --card-status" reveals a single subkey on the card and no public key for the chain at this point.

Proceeding with cycles of factory-reset and generating RSA2048 keychains works every time, but RSA4096 fails identically every time.

~/.gnupg was removed between runs and gpg-agent processes killed. One run was attempted with 'use-standard-socket' with no luck.

Also verified gpg-agent and gnupg are both 2.2.5 freshly installed via brew.

To rule out a hardware issue with the key, I inserted this key into an Arch Linux system running gnupg 2.2.5 as well and had no problem repeatedly generating RSA4096 keys.

I had the user add the following to their ~/.gnupg/gpg-agent.conf to obtain the attached log of another identical failure.

default-cache-ttl 300
max-cache-ttl 300
log-file /tmp/gpg-agent.log
debug 1024



Event Timeline

lrvick updated the task description.
gniibe added a subscriber: gniibe.

Since I don't have a macOS environment or a Yubikey 4 (I only have an old Yubikey), I hesitated to claim this ticket. But it is me who should take this one.

I think that possibly it's the PC/SC service which needs to be fixed. Key generation for 4096 takes a long time, and it would be unusually long for the PC/SC service.

It would be good if we could configure the PC/SC service for commands which take too long. Let me look into it.

For a while, if possible, please generate on another machine.

It looks like something went wrong in scdaemon. Could you please try with the following in .gnupg/scdaemon.conf:

debug-level guru
log-file /SOME/WHERE/scdaemon-macos.log
gniibe triaged this task as Normal priority. Apr 11 2018, 10:02 AM
gniibe added a project: MacOS.
gniibe added a project: Info Needed.

No more information, can't proceed, thus, closed.

I am the worst. I totally forgot about this.

For sure this should be closed.

The system of the user in question had yubioauth-desktop installed which at
the time included a loop that ran "killall scdaemon" every 30 seconds,
which didn't allow enough time for 4096 key generation to complete.
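
A way to check for the condition described in the last comment, added here as an example that is not part of the original thread: sample the scdaemon PID while a long card operation runs and report every time the running instance disappears. The function names and the sample data are constructed for illustration; only `pgrep`, `date`, `awk`, `head` and `sleep` are assumed to be available.

```shell
#!/bin/sh
# Added example, not from the ticket: spot an scdaemon that keeps being
# killed while gpg is talking to the card.

# sample_scdaemon COUNT INTERVAL
# Print "epoch pid" COUNT times, INTERVAL seconds apart.
# pid is "-" when no scdaemon process exists at that moment.
sample_scdaemon() {
    n=$1; interval=$2; i=0
    while [ "$i" -lt "$n" ]; do
        pid=$(pgrep -x scdaemon | head -n 1)
        echo "$(date +%s) ${pid:--}"
        i=$((i + 1))
        sleep "$interval"
    done
}

# find_restarts
# Read "epoch pid" lines on stdin. For each sample where a previously seen
# scdaemon pid is gone (replaced or missing), print:
#   epoch old_pid seconds_since_previous_disappearance   ("-" for the first)
# A gap that repeats on a fixed period points at an external process killing
# scdaemon rather than at a crash inside it.
find_restarts() {
    awk '
        prev != "" && prev != "-" && $2 != prev {
            gap = (last == "" ? "-" : $1 - last)
            printf "%s %s %s\n", $1, prev, gap
            last = $1
        }
        { prev = $2 }
    '
}

# Constructed samples (10 s apart) imitating a 30 s kill loop.
SAMPLES='1000 501
1010 501
1020 501
1030 -
1040 502
1050 502
1060 -
1070 503
1080 503
1090 -'

printf '%s\n' "$SAMPLES" | find_restarts
```

For a live check, run `sample_scdaemon 60 5 | find_restarts` in a second terminal while the key generation is in progress.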