
Kleopatra: Generating OpenPGP keys on Yubikey (with PIV enabled) fails with "General error"
Closed, Resolved (Public)

Description

How to reproduce:

  • Insert Yubikey (with OpenPGP app and PIV app enabled)
  • Start Kleopatra and open Smartcard Management
  • Click on the Generate new Keys button (on the OpenPGP tab), acknowledge the warning that may be shown, insert the requested information and click OK.

-> Error message "Failed to generate new key: General error" is shown.

Details

Version
master

Event Timeline

ikloecker added a subscriber: aheinecke.

This is a regression of the multi-card, multi-app support in Kleopatra, i.e. T5066. Generating OpenPGP keys fails because the PIV app is active on the card and the code does not switch to the OpenPGP app. (It also does not switch to the correct card if multiple cards are inserted, which could result in the destruction of keys on the wrong card.)

Fixed.

Note that Kleopatra verifies the currently active card before starting the generation of new keys. This prevents the destruction of keys on the wrong card.

Re-opening. Now trying to generate new keys fails with a "Wrong card" error.

This error is caused by the different serial numbers used for the same card (see T5100). We pass the canonical serial number to GpgME::GpgGenCardKeyInteractor, but gpg --card-edit reports the app-specific serial number in the CARDCTRL status line. This breaks the confirmation of the serial number in GpgME::GpgGenCardKeyInteractor (which prevents the destruction of keys on the wrong card) and makes the interactor bail out.

This is blocked by T5100.

Alternatively, we could rewrite the generation of new keys on OpenPGP cards using the same approach as for PIV cards, i.e. by talking directly to scdaemon.
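
The serial number confirmation discussed above, as an added example (not Kleopatra or GpgME code): a fail-closed check against the serial number in a `CARDCTRL 3 <serialno>` status line, showing why passing the canonical serial number ends in "Wrong card". The function names are hypothetical and both serial numbers are constructed sample values.

```cpp
#include <iostream>
#include <sstream>
#include <string>

// Outcome of checking a gpg status line against the card we intend to modify.
enum class CardCheck { Confirmed, WrongCard, NoCardReported };

// Extract the serial number from a "[GNUPG:] CARDCTRL 3 <serialno>" status
// line. Returns an empty string for any other line, including the CARDCTRL
// codes that carry no serial number.
std::string serialFromCardCtrl(const std::string &line)
{
    std::istringstream in(line);
    std::string prefix, keyword, what, serial;
    in >> prefix >> keyword >> what >> serial;
    if (prefix != "[GNUPG:]" || keyword != "CARDCTRL" || what != "3") {
        return std::string();
    }
    return serial;
}

// Fail closed: key generation may only continue when the reported serial
// number is exactly the one the caller asked for.
CardCheck confirmCard(const std::string &expectedSerial, const std::string &statusLine)
{
    const std::string reported = serialFromCardCtrl(statusLine);
    if (reported.empty()) {
        return CardCheck::NoCardReported;
    }
    return reported == expectedSerial ? CardCheck::Confirmed : CardCheck::WrongCard;
}

// Constructed sample values, not taken from a real card.
const std::string kAppSerial = "D2760001240100000000000000000000";
const std::string kCanonicalSerial = "EXAMPLE-CANONICAL-0001";
const std::string kStatusLine = "[GNUPG:] CARDCTRL 3 " + kAppSerial;

int main()
{
    // Caller passes the canonical serial, gpg reports the app-specific one.
    std::cout << (confirmCard(kCanonicalSerial, kStatusLine) == CardCheck::WrongCard) << '\n';
    // Caller passes the same serial number gpg reports.
    std::cout << (confirmCard(kAppSerial, kStatusLine) == CardCheck::Confirmed) << '\n';
    return 0;
}
```

The check is deliberately strict: a mismatch caused by two naming schemes for the same card is indistinguishable from a different card, so the safe result is to stop before any keys are overwritten.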

ikloecker lowered the priority of this task from High to Normal. Nov 18 2020, 4:31 PM

Resetting priority to normal for re-evaluation.

Re-opening. Now trying to generate new keys fails with a "Wrong card" error.

This has been fixed with the recent changes made for T5100.