
Change Reset Code not working in Kleopatra
Testing, Normal, Public

Description

The current Kleopatra version has, in smartcard mode, a button "Change Reset Code". This does not work.
The button should also be renamed "Set Reset Code" and if possible moved to an Admin-only dialog.

The Reset Code is the same as a PUK mechanism. The idea here is that the holder of the card does not have access to the Admin PIN, so that the holder is not able to generate keys or change other properties. However, in case the holder mistypes the PIN 3 times, the Reset Code can be used to set a new PIN without asking the admin to set a new PIN. To make this work the admin initially sets a Reset Code and tells the card holder the PIN along with the Reset Code. The button (or the admin->passwd dialog of gpg --card-edit) is used by the admin to set the Reset Code. The card holder uses a not-yet-available button (or "unblock" in gpg --card-edit) to set a new PIN.

Event Timeline

You write

This does not work.

Can you be more specific? What doesn't work? Which OS, which version of Kleopatra, what smartcard are you using?

I tried it with Kleopatra master (and gpgme+gpg master) on Linux with a (factory-resetted) Yubikey 5 (with PIV and OpenPGP enabled) and it does seem to work. At least, I was first asked for the admin PIN and then twice for the reset code.

For what it's worth, Kleopatra simply does

SCD PASSWD --reset OPENPGP.2

for OpenPGP v2+ cards.

Therefore, please try if

gpg-connect-agent "SCD PASSWD --reset OPENPGP.2" /bye

where necessary preceded by SCD SWITCHAPP openpgp, works for you.

As for renaming "Change Reset Code" to "Set Reset Code", what about "Change PIN" and "Change Admin PIN"? Should they also be renamed? If not, why not? Is there no default reset code? Is there a way to find out whether the reset code has already been set (in which case "change" would be more appropriate than "set")?

I think from a user perspective it makes little sense to use different verbs for PIN, admin PIN, and reset code. I'm totally okay with changing "Change" to "Set" for all three buttons, but I'm reluctant to change it only for the reset code button.

"Change Reset Code" should work in Kleopatra. At least for OpenPGP v2+ cards. Kleopatra simply does "SCD PASSWD --reset OPENPGP.2", i.e. the same as gpg-card. I have verified that it works with a Yubikey.

Note: Officially, Kleopatra does not support OpenPGP v1 cards. At least, according to the text that is displayed if no card is found.
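The following is an added example, not code from the task, from Kleopatra or from GnuPG. It drives the same backend commands the comments above say Kleopatra sends for OpenPGP v2+ cards (SCD SWITCHAPP openpgp, then SCD PASSWD --reset OPENPGP.2), so the Admin-sets-Reset-Code step described in the task can be checked independently of the GUI, and it parses gpg-connect-agent's Assuan responses so a plain "Bad reset code" (or any other ERR) is reported in a readable form. The sample ERR line is constructed for illustration; its numeric code is a placeholder and does not come from a real card.

```shell
#!/bin/sh
# Added example (not from the task, Kleopatra or GnuPG): set the OpenPGP
# Reset Code through gpg-connect-agent and interpret the result.

# Commands quoted in the thread for OpenPGP v2+ cards: switch to the
# OpenPGP application, then set the Reset Code. scdaemon prompts for the
# Admin PIN and (twice) for the new Reset Code via pinentry.
SET_RESET_CODE_CMDS='SCD SWITCHAPP openpgp
SCD PASSWD --reset OPENPGP.2'

# Parse gpg-connect-agent output (Assuan protocol) read from stdin.
# Prints "ok" when every command answered OK, otherwise "err:<rest of the
# first ERR line>"; exit status 0 on success, 1 on error.
parse_assuan_result() {
    result=ok
    while IFS= read -r line; do
        case "$line" in
            OK*)
                ;;                      # the command succeeded
            ERR*)
                # e.g. "ERR <code> Bad reset code <SCD>"; keep the first error
                if [ "$result" = ok ]; then
                    result="err:${line#ERR }"
                fi
                ;;
            "S "*|INQUIRE*|\#*)
                ;;                      # status, inquire and comment lines are not results
        esac
    done
    printf '%s\n' "$result"
    [ "$result" = ok ]
}

# Run the real commands when gpg-connect-agent is on PATH. Returns 2 when the
# tool is absent so callers can tell "not tested" from "failed".
set_reset_code() {
    command -v gpg-connect-agent >/dev/null 2>&1 || return 2
    printf '%s\n' "$SET_RESET_CODE_CMDS" | gpg-connect-agent | parse_assuan_result
}

# Self-check on constructed responses (placeholder error code, no card needed).
demo() {
    printf 'OK\nOK\n' | parse_assuan_result
    printf 'OK\nERR 12345 Bad reset code <SCD>\n' | parse_assuan_result
}

if [ "${1-}" = "--demo" ]; then
    demo
fi
```

Run it with --demo to see the parser on the constructed samples, or call set_reset_code with a card inserted; an "err:" result that mentions "Bad reset code" is what you get when the new Reset Code is shorter than the card's minimum, which is the uninformative message discussed later in this task.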

ikloecker changed the task status from Open to Testing. Dec 18 2020, 12:19 PM
ikloecker reassigned this task from ikloecker to werner.
ikloecker added a subscriber: ikloecker.

Werner, please retest. If "Change Reset Code" still doesn't work for you, then please answer the questions in the first comment.

ebo added a project: Restricted Project. May 27 2024, 11:16 AM
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. May 27 2024, 11:26 AM

As for renaming "Change Reset Code" to "Set Reset Code", what about "Change PIN" and "Change Admin PIN"? Should they also be renamed? If not, why not? Is there no default reset code? Is there a way to find out whether the reset code has already been set (in which case "change" would be more appropriate than "set")?

AFAIK you cannot differentiate between an unset Reset Code (or PUK for the normal user) and one which has no retries left.
And I think "Change" is the best verb, as it is also a change if there was none set beforehand. And we have a tool tip now, anyway, saying "Set or change …".

And the button works for me, tested now with a Yubikey and Version 3.2.2.2405000+git~ (Gpg4win-4.3.2-beta41), but I did try the function on other occasions before.

The only thing which could be improved is the error message if one tries to set a Reset Code with less than 8 characters. "Bad reset code" is not very informative. The user is left to figure out herself what "Bad" means.