Smartcard's secret key cannot be found for decryption
Closed, ResolvedPublic

Description

Hi all,

thank you for gpg 2.2! I am not sure if I should retry with the current version: I am now on Ubuntu 20.04.

Test steps:

  • "gpg2 --card-status" works fine
  • encrypt file with public key from smartcard/public key server
  • enter new setup w/ working "gpg2 --card-status"
  • try to decrypt file with secret key on smartcard

Expected result:

  • file is decrypted with secret key

Actual result:

    (base) leder@home-ryzen-desktop:~/!SAFE!$ gpg2 --decrypt Crypted.tar.bz2.gpg
    gpg: verschlüsselt mit RSA Schlüssel, ID B77D8380BB961919
    gpg: Entschlüsselung fehlgeschlagen: Kein geheimer Schlüssel
    (base) leder@home-ryzen-desktop:~/!SAFE!$

Please help me out here!

leder created this task. Mon, Sep 7, 4:18 PM
leder set External Link to https://askubuntu.com/questions/1022982/gpg2-is-unaware-of-secret-and-public-key-on-smartcard. Mon, Sep 7, 4:26 PM
leder added a comment. Mon, Sep 7, 4:44 PM

Now I changed the gpg2 keyserver and can see my public keys on the public key server:

    (base) leder@home-ryzen-desktop:~$ gpg2 --search-keys gerrit.leder@gmail.com
    gpg: data source: http://[2001:4c80:40:628:5c70:d1ff:fe44:1424]:80
    (1) Gerrit Leder (tester) <gerrit.leder@gmail.com>
          2048 bit RSA key 9E4B8FB2811ADE38, erzeugt: 2013-09-20
    (2) Gerrit Leder <gerrit.leder@gmail.com>
          2048 bit RSA key B704CAFD04ED510D, erzeugt: 2013-07-17, verfällt: 2018-07-16 (verfallen)
    Keys 1-2 of 2 for "gerrit.leder@gmail.com".  Eingabe von Nummern, Nächste (N) oder Abbrechen (Q) > 1
    gpg: Keine gültigen OpenPGP-Daten gefunden.
    gpg: Anzahl insgesamt bearbeiteter Schlüssel: 0
    (base) leder@home-ryzen-desktop:~$

But I cannot do --receive-keys!

    (base) leder@home-ryzen-desktop:~$ gpg2 --receive-keys 9E4B8FB2811ADE38
    gpg: Keine gültigen OpenPGP-Daten gefunden.
    gpg: Anzahl insgesamt bearbeiteter Schlüssel: 0
    (base) leder@home-ryzen-desktop:~$

werner added a subscriber: werner. Tue, Sep 8, 8:22 AM

Your problem seems to be that you don't have a copy of your public key anymore. The uni-mainz keyserver might be configured not to return expired keys (if I read the output above correctly). I was able to retrieve your key using the standard pool (in particular from the server sks.pod02.fleetstreetops.com). The key is expired but that does hinder you to decrypt. Run "gpg --card-status" once to make sure a stub file is available.

I wonder how you encrypted to that key in the first place; encryption is always to the public key, but that one is expired and gpg won't let you encrypt in this case.

I can't see a bug; if the ubuntu list does not help you, you may want to ask the gnupg-users list at gnupg.org.

leder added a comment. Tue, Sep 8, 9:42 AM

Hello Werner,

Thank you for your opinion!

I am not using the expired public key no. 2, but the smart card key no. 1.

I did --card-status already.

I think it is a usability bug if, after system renewal, the connection to the secret key is lost.

Best regards
Gerrit

werner (Werner Koch) <noreply@dev.gnupg.org> wrote on Tue, 8 Sept 2020, 08:22 (quoting the comment above).
werner added a comment. Tue, Sep 8, 4:54 PM

On an OpenPGP card the key no 1 (OPENPGP.1) is a sign-only key - you can't use it for decryption even if you somehow managed to encrypt to that key. That restriction is enforced by the card.

leder added a comment. Tue, Sep 8, 6:20 PM

Now I am even more confused! This is key No. 1 - the number on the keyserver w/ --search-keys:

    (1) Gerrit Leder (tester) <gerrit.leder@gmail.com>
          2048 bit RSA key 9E4B8FB2811ADE38, erzeugt: 2013-09-20

That public key is impossible to import w/ --receive-keys!

And this is my output of --card-status from the openPGP card: it says "Signature key, Encryption key and Authentication key" there:

    (base) leder@home-ryzen-desktop:~/!SAFE!$ gpg2 --card-status
    Reader ...........: REINER SCT cyberJack RFID komfort (4749884291) 00 00
    Application ID ...: D276000124010200000500001D6E0000
    Application type .: OpenPGP
    Version ..........: 2.0
    Manufacturer .....: ZeitControl
    Serial number ....: 00001D6E
    Name of cardholder: Gerrit Leder
    Language prefs ...: de
    Salutation .......: Hr.
    URL of public key : [nicht gesetzt]
    Login data .......: [nicht gesetzt]
    Signature PIN ....: zwingend
    Key attributes ...: rsa2048 rsa2048 rsa2048
    Max. PIN lengths .: 32 32 32
    PIN retry counter : 2 3 3
    Signature counter : 70
    Signature key ....: 7FA2 30ED A448 DCF1 A26B  0272 9E4B 8FB2 811A DE38
          created ....: 2013-09-20 07:45:25
    Encryption key....: 262D AFF9 2E18 1672 A148  EA44 B77D 8380 BB96 1919
          created ....: 2013-09-20 07:45:25
    Authentication key: 9CDE 63D6 F0CC C6D9 5CF8  CB9A 21EF 2290 DC48 3345
          created ....: 2013-09-20 07:45:25
    General key info..: [none]
    (base) leder@home-ryzen-desktop:~/!SAFE!$

How come?

gniibe added a subscriber: gniibe. Wed, Sep 9, 3:08 AM

Please note that your private keys are on your card, together with fingerprint information. But there is no place to have OpenPGP public keys on the card. I guess that this is a possible cause of confusion.

When using the card with GnuPG, you need public keys on the host (usually, it is under ~/.gnupg/ directory).

I think that you don't have your public key, because the output of --card-status shows:

    General key info..: [none]

When there are public keys, it should show public key information.

BTW, I managed to receive your public key by:

    gpg --keyserver sks.pod02.fleetstreetops.com --recv-keys 9E4B8FB2811ADE38
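As an added example (not code from the ticket or from GnuPG), a small POSIX shell script that applies gniibe's diagnosis: it reads gpg --card-status output, detects the "General key info: [none]" condition, lists the card's three fingerprints for --recv-keys, and counts the sec>/ssb> card stubs that a repaired listing shows. The sample output strings are constructed from the ticket's format, and the keyserver argument is an assumption.

```shell
#!/bin/sh
# Added example (not from the ticket or GnuPG): parse "gpg --card-status" output
# for the symptom gniibe describes (keys on the card, no public key on the host)
# and emit the recovery steps. Both samples are constructed from the ticket's
# output format; a real run would pass "$(gpg --card-status 2>/dev/null)".

BEFORE='Signature key ....: 7FA2 30ED A448 DCF1 A26B  0272 9E4B 8FB2 811A DE38
Encryption key....: 262D AFF9 2E18 1672 A148  EA44 B77D 8380 BB96 1919
Authentication key: 9CDE 63D6 F0CC C6D9 5CF8  CB9A 21EF 2290 DC48 3345
General key info..: [none]'

# After the public key was imported; ">" marks a secret-key stub living on the card.
AFTER='General key info..: pub  rsa2048/9E4B8FB2811ADE38 2013-09-20 Gerrit Leder (tester)
sec>  rsa2048/9E4B8FB2811ADE38  created: 2013-09-20  expires: never
ssb>  rsa2048/21EF2290DC483345  created: 2013-09-20  expires: never
ssb>  rsa2048/B77D8380BB961919  created: 2013-09-20  expires: never'

# Fingerprints of the three card slots, 40 hex digits each with spaces removed.
card_fingerprints() {
    printf '%s\n' "$1" |
        awk -F': ' '/^(Signature|Encryption|Authentication) key/ { gsub(/ /, "", $2); print $2 }'
}

# Exit 0 when the host keyring has no public key for the card (the ticket's symptom).
public_key_missing() {
    printf '%s\n' "$1" | grep -q '^General key info\.*: \[none\]'
}

# Number of secret-key stubs that point at the card ("sec>" / "ssb>" lines).
card_stub_count() {
    printf '%s\n' "$1" | grep -c -E '^(sec|ssb)>' || true
}

# Print the fix: fetch the certificate for each card key from a keyserver, then
# run --card-status so gpg writes the stubs. KEYSERVER is a placeholder.
recovery_commands() {
    status=$1; keyserver=${2:-KEYSERVER}
    if public_key_missing "$status"; then
        card_fingerprints "$status" | while read -r fpr; do
            # all three slots normally belong to the same certificate
            printf 'gpg --keyserver %s --recv-keys %s\n' "$keyserver" "$fpr"
        done
        printf 'gpg --card-status\n'
    else
        printf 'public key present; %s card stub(s) listed\n' "$(card_stub_count "$status")"
    fi
}
recovery_commands "$BEFORE" sks.pod02.fleetstreetops.com
recovery_commands "$AFTER"
```

The localized gpg on the ticket prints the stub lines with German labels, but the sec>/ssb> markers at the start of each line are the same in every locale.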
leder closed this task as Resolved. Wed, Sep 9, 7:19 AM
leder claimed this task.

Thank you, gniibe!

I managed to receive the public key, as you have said, and now I have General key info:

    (base) leder@home-ryzen-desktop:~/!SAFE!$ gpg2 --card-status
    Reader ...........: REINER SCT cyberJack RFID komfort (4749884291) 00 00
    Application ID ...: D276000124010200000500001D6E0000
    Application type .: OpenPGP
    Version ..........: 2.0
    Manufacturer .....: ZeitControl
    Serial number ....: 00001D6E
    Name of cardholder: Gerrit Leder
    Language prefs ...: de
    Salutation .......: Hr.
    URL of public key : [nicht gesetzt]
    Login data .......: [nicht gesetzt]
    Signature PIN ....: zwingend
    Key attributes ...: rsa2048 rsa2048 rsa2048
    Max. PIN lengths .: 32 32 32
    PIN retry counter : 3 3 3
    Signature counter : 73
    Signature key ....: 7FA2 30ED A448 DCF1 A26B  0272 9E4B 8FB2 811A DE38
          created ....: 2013-09-20 07:45:25
    Encryption key....: 262D AFF9 2E18 1672 A148  EA44 B77D 8380 BB96 1919
          created ....: 2013-09-20 07:45:25
    Authentication key: 9CDE 63D6 F0CC C6D9 5CF8  CB9A 21EF 2290 DC48 3345
          created ....: 2013-09-20 07:45:25
    General key info..: pub  rsa2048/9E4B8FB2811ADE38 2013-09-20 Gerrit Leder (tester) <gerrit.leder@gmail.com>
    sec>  rsa2048/9E4B8FB2811ADE38  erzeugt: 2013-09-20  verfällt: niemals
                                    Kartennummer: 0005 00001D6E
    ssb>  rsa2048/21EF2290DC483345  erzeugt: 2013-09-20  verfällt: niemals
                                    Kartennummer: 0005 00001D6E
    ssb>  rsa2048/B77D8380BB961919  erzeugt: 2013-09-20  verfällt: niemals
                                    Kartennummer: 0005 00001D6E
    (base) leder@home-ryzen-desktop:~/!SAFE!$

Signing and decrypting now works fine!

I was unaware that the public key is not available on the smartcard, too!

I have one further idea: do you think it would be useful to populate the .gnupg/pubring.kbx using the secret key on the smartcard, in addition to receiving the public key from the given keyserver?

Thanks again!

Best regards
Gerrit

leder added a comment. Wed, Sep 9, 7:43 AM

One more idea: It is a riddle to me why I can configure the keyserver http://pool.sks-keyservers.net/ and then do a --search-keys, but it is impossible to do --receive-keys, which fails with the following error:

    (base) leder@home-ryzen-desktop:~$ gpg2 --receive-keys 9E4B8FB2811ADE38
    gpg: Keine gültigen OpenPGP-Daten gefunden.
    gpg: Anzahl insgesamt bearbeiteter Schlüssel: 0
    (base) leder@home-ryzen-desktop:~$

And with a verbally given different keyserver the operation works!

All the best
Gerrit

gniibe added a comment. Wed, Sep 9, 8:31 AM

@leder I agree that it would be useful if an OpenPGP public key could be (directly or indirectly) retrieved from a card.

With the current specification of the card, it is not possible, because an OpenPGP public key includes self-signature(s). It would be good if the specification (in future) had a specific data object for the public key.

Or, with the practice of using the data object for "Cardholder's certificate" (originally intended for an X.509 key), it could be possible. We are also considering this.

gniibe triaged this task as Normal priority. Wed, Sep 9, 8:32 AM
werner added a comment. Wed, Sep 9, 8:47 AM

@gniibe: Actually I implemented this recently. Support for this is in gpg-card.

leder added a comment. Wed, Sep 9, 9:08 AM

@gniibe I wonder if a file --export with a following --import would do the trick!?

@werner a quick Google search for "gpg-card" did not find anything useful! Where can I download a binary or the sources?