Page MenuHome GnuPG
Create Task
Maniphest T5086

GnuPG fails to generate keys on-card in versions 2.2.22 and 2.2.23
Closed, ResolvedPublic
Actions

Description

In versions 2.2.22 and 2.2.23 of GPG, generating keys on-card with a YubiKey (or possibly any other OpenPGP smart card), will fail.

To reproduce, install either of these versions of GPG, insert a YubiKey, and run the following:

$ gpg --edit-card
gpg/card> admin
gpg/card> generate

After answering whether to store an off-card backup of the encryption key, the process will fail without ever prompting for a PIN.

On Windows 10 2004 (19041.508), the error message will be:

gpg: error checking the PIN: Invalid value

On Manjaro Linux 20.1 however, the error will be:

gpg: error checking the PIN: End of file
  • This issue was reproduced under Windows 10 with GPG 2.2.23 (via Gpg4win 3.1.13) and GPG 2.2.22 (via https://files.gpg4win.org/). Since the problem did not occur with GPG 2.2.21 (installed via Gpg4win 3.1.12), it seems the problem started in .22.
  • This issue was only reproduced with GPG 2.2.23 (installed via native repositories) under Manjaro Linux 20.1. Downgrading to version 2.2.20 resolved the issue.

Details

Version
2.2.22, 2.2.23

Related Objects

Event Timeline

dlbucy created this task.Sep 30 2020, 12:32 AM
gniibe claimed this task.Sep 30 2020, 1:19 AM
gniibe triaged this task as High priority.

Thanks for your report.

I think that it is a regression introduced in 2.2.22 (the check of available keys when PIN verification). I'm going to fix.

dlbucy added a comment.Sep 30 2020, 1:25 AM

Great, thank you @gniibe.

gniibe added a comment.Sep 30 2020, 4:04 AM

I think that rG61aea64b3c17: scd: Fix the use case of verify_chv2 by CHECKPIN. fixes this issue.

faultylee added a subscriber: faultylee.EditedOct 1 2020, 3:36 PM

We encountered the same issue today, and below is the debug messages. It works as expected once we downgraded to 2.2.21. We're on Arch Linux.

gpg/card> generate
gpg: DBG: chan_4 -> SCD GETATTR SERIALNO
gpg: DBG: chan_4 <- S SERIALNO xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> SCD GETATTR KEY-FPR
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> SCD GETATTR CHV-STATUS
gpg: DBG: chan_4 <- S CHV-STATUS +255+127+127+127+3+0+3
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> SCD GETATTR DISP-NAME
gpg: DBG: chan_4 <- S DISP-NAME
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> SCD GETATTR EXTCAP
gpg: DBG: chan_4 <- S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=2048+aac=1+sm=0+si=5+dec=0+bt=1+kdf=1
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> SCD GETATTR KEY-ATTR
gpg: DBG: chan_4 <- S KEY-ATTR 1 1 rsa2048 17 1
gpg: DBG: chan_4 <- S KEY-ATTR 2 1 rsa2048 17 1
gpg: DBG: chan_4 <- S KEY-ATTR 3 1 rsa2048 17 1
gpg: DBG: chan_4 <- OK
Make off-card backup of encryption key? (Y/n) n
Please note that the factory settings of the PINs are
   PIN = '123456'     Admin PIN = '12345678'
You should change them using the command --change-pin
gpg: DBG: chan_4 -> SCD CHECKPIN xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
gpg: DBG: chan_4 <- ERR 67125247 End of file <GPG Agent>
gpg: error checking the PIN: End of file
vist added a subscriber: vist.Oct 27 2020, 9:36 PM
gniibe changed the task status from Open to Testing.Nov 10 2020, 6:15 AM
gniibe added projects: gnupg, Restricted Project.

For 2.2, rG61aea64b3c17: scd: Fix the use case of verify_chv2 by CHECKPIN. fixed this problem.

gniibe closed this task as Resolved.Nov 18 2020, 7:03 AM