GnuPG fails to generate keys on-card in versions 2.2.22 and 2.2.23
Open, High, Public

Description

In versions 2.2.22 and 2.2.23 of GPG, generating keys on-card with a YubiKey (or possibly any other OpenPGP smart card) will fail.

To reproduce, install either of these versions of GPG, insert a YubiKey, and run the following:

$ gpg --edit-card
gpg/card> admin
gpg/card> generate

After answering whether to store an off-card backup of the encryption key, the process will fail without ever prompting for a PIN.

On Windows 10 2004 (19041.508), the error message will be:

gpg: error checking the PIN: Invalid value

On Manjaro Linux 20.1 however, the error will be:

gpg: error checking the PIN: End of file

  • This issue was reproduced under Windows 10 with GPG 2.2.23 (via Gpg4win 3.1.13) and GPG 2.2.22 (via https://files.gpg4win.org/). Since the problem did not occur with GPG 2.2.21 (installed via Gpg4win 3.1.12), it seems the problem started in .22.
  • This issue was only reproduced with GPG 2.2.23 (installed via native repositories) under Manjaro Linux 20.1. Downgrading to version 2.2.20 resolved the issue.

Details

Version
2.2.22, 2.2.23
dlbucy created this task. Wed, Sep 30, 12:32 AM
gniibe claimed this task. Wed, Sep 30, 1:19 AM
gniibe triaged this task as High priority.

Thanks for your report.

I think that it is a regression introduced in 2.2.22 (the check of available keys during PIN verification). I'm going to fix it.

Great, thank you @gniibe.

faultylee added a subscriber: faultylee. Edited Thu, Oct 1, 3:36 PM

We encountered the same issue today, and below are the debug messages. It works as expected once we downgraded to 2.2.21. We're on Arch Linux.

gpg/card> generate
gpg: DBG: chan_4 -> SCD GETATTR SERIALNO
gpg: DBG: chan_4 <- S SERIALNO xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> SCD GETATTR KEY-FPR
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> SCD GETATTR CHV-STATUS
gpg: DBG: chan_4 <- S CHV-STATUS +255+127+127+127+3+0+3
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> SCD GETATTR DISP-NAME
gpg: DBG: chan_4 <- S DISP-NAME
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> SCD GETATTR EXTCAP
gpg: DBG: chan_4 <- S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=2048+aac=1+sm=0+si=5+dec=0+bt=1+kdf=1
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> SCD GETATTR KEY-ATTR
gpg: DBG: chan_4 <- S KEY-ATTR 1 1 rsa2048 17 1
gpg: DBG: chan_4 <- S KEY-ATTR 2 1 rsa2048 17 1
gpg: DBG: chan_4 <- S KEY-ATTR 3 1 rsa2048 17 1
gpg: DBG: chan_4 <- OK
Make off-card backup of encryption key? (Y/n) n
Please note that the factory settings of the PINs are
   PIN = '123456'     Admin PIN = '12345678'
You should change them using the command --change-pin
gpg: DBG: chan_4 -> SCD CHECKPIN xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
gpg: DBG: chan_4 <- ERR 67125247 End of file <GPG Agent>
gpg: error checking the PIN: End of file
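
Added example (not part of the original report and not GnuPG's own code): a small Python parser for a debug trace like the one in the comment above. It pairs each `ERR` reply with the command that triggered it and splits the numeric libgpg-error value into its source and code fields, which shows which component reported the failure. The function names are hypothetical, the lookup tables are deliberately partial, and the sample trace is an excerpt of that comment with the serial number shortened.

```python
import re

# libgpg-error packs the reporting component into bits 24-30, the code into bits 0-15.
SOURCE_SHIFT, SOURCE_MASK, CODE_MASK = 24, 0x7F, 0xFFFF
# Deliberately partial tables: only values that appear in this report.
SOURCES = {4: "GPG Agent"}
CODES = {55: "Invalid value", 16383: "End of file"}

DBG_LINE = re.compile(r"^gpg: DBG: (chan_\d+) (->|<-) (.*)$")
ERR_REPLY = re.compile(r"^ERR (\d+)\b")

def decode_gpg_error(value):
    """Split a numeric libgpg-error value into (source_id, code)."""
    return (value >> SOURCE_SHIFT) & SOURCE_MASK, value & CODE_MASK

def failing_commands(trace):
    """Pair every ERR reply in a gpg debug trace with the command that caused it."""
    last_sent = {}  # channel name -> last command gpg sent on it
    failures = []
    for raw in trace.splitlines():
        m = DBG_LINE.match(raw.strip())
        if not m:
            continue  # interactive prompts and the final error text
        chan, direction, payload = m.groups()
        if direction == "->":
            last_sent[chan] = payload
            continue
        err = ERR_REPLY.match(payload)
        if err:
            source, code = decode_gpg_error(int(err.group(1)))
            # Keep only the first two words: arguments can carry the card serial.
            verb = " ".join(last_sent.get(chan, "").split()[:2])
            failures.append({
                "channel": chan, "command": verb,
                "source": SOURCES.get(source, f"source {source}"),
                "code": code, "meaning": CODES.get(code, "unknown"),
            })
    return failures

# Excerpt of the trace posted above; serial number shortened to "xxxx".
SAMPLE = """\
gpg: DBG: chan_4 -> SCD GETATTR KEY-ATTR
gpg: DBG: chan_4 <- S KEY-ATTR 1 1 rsa2048 17 1
gpg: DBG: chan_4 <- OK
Make off-card backup of encryption key? (Y/n) n
gpg: DBG: chan_4 -> SCD CHECKPIN xxxx
gpg: DBG: chan_4 <- ERR 67125247 End of file <GPG Agent>
gpg: error checking the PIN: End of file
"""

if __name__ == "__main__":
    for failure in failing_commands(SAMPLE):
        print(failure)
```

For the trace above, the decoded fields agree with the text gpg printed: the error was raised on the `SCD CHECKPIN` step, with source 4 (GPG Agent) and code 16383 (End of file).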