
Yubikey 5C 'not available: card error' regression
Open, High, Public

Description

Some, but not all, Yubikeys cannot be read by e.g. gpg --card-status (nor any operation using it) as of 2.2.36:

gpg: OpenPGP card not available: Card error

  • Yubikey 5C NFC is affected;
  • Yubikey 4 Nano is not;
  • v2.2.35 works with both.

In the linked Reddit thread, one user confirms my (broken) experience with the 5C and another (working) with the 4.

Event Timeline

I can confirm this issue with a 5C Nano returning the error, but a 4C working successfully. Downgrading to 2.2.35 does resolve the issue.

Please let us know your firmware version number (in bcdDevice) as shown by lsusb.

In my case, it's 5.24, like:

$ lsusb -d 1050:0407 -v

Bus 001 Device 009: ID 1050:0407 Yubico.com Yubikey 4/5 OTP+U2F+CCID
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x1050 Yubico.com
  idProduct          0x0407 Yubikey 4/5 OTP+U2F+CCID
  bcdDevice            5.24
  iManufacturer           1 Yubico
  iProduct                2 YubiKey OTP+FIDO+CCID
  iSerial                 0 
  bNumConfigurations      1
gniibe triaged this task as Normal priority.

@gniibe Thanks - mine's 5.43. (And the working 4Nano is 4.34.)

$ lsusb -d 1050:0406 -v

Bus 005 Device 002: ID 1050:0406 Yubico.com Yubikey 4/5 U2F+CCID
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x1050 Yubico.com
  idProduct          0x0406 Yubikey 4/5 U2F+CCID
  bcdDevice            5.43
  iManufacturer           1 Yubico
  iProduct                2 YubiKey FIDO+CCID
  iSerial                 0 
  bNumConfigurations      1

Thank you. I learned that there is new firmware, version 5.4 series.

https://www.yubico.com/blog/yubikey-firmware-update-yubikey-5-series-with-firmware-5-4/
https://docs.yubico.com/hardware/yubikey/yk-5/tech-manual/yk5-overview-5.4.html

It will soon be delivered to me.

IIUC, it's an issue for ECC keys on Yubikey (with newer firmware).

Yes, I am using ECC keys:

Key attributes ...: ed25519 cv25519 ed25519

Do you know what changed between gpg versions to introduce the problem? I'm not familiar with the project, but naively https://dev.gnupg.org/rG53eddf9b9ea01210f71b851b5cb92a5f1cdb6f7d seems more like the problem than the solution?

I'm not sure if we're possibly at cross purposes on the version at fault here - I think [what Arch calls 2.2.36](https://github.com/archlinux/svntogit-packages/blob/packages/gnupg/trunk/PKGBUILD#L33=) is actually 2.3.6 here? (Since that's the recent release, and there's no 2.2.{35,36} in https://dev.gnupg.org/source/gnupg/browse/master/NEWS.)

Hi there!
I can confirm this regression on my yubikey 5 Nano with 2.2.36 (2.2.35 works) - on archlinux. Yubikey firmware 5.4.3, ed25519 keys too. Some more info:

$ gpg --card-status
gpg: OpenPGP card not available: Card error

and syslog shows:

gpg-agent[33974]: scdaemon[33974]: response does not contain the RSA modulus
gpg-agent[33972]: DBG: agent_card_learn failed: Card error
gpg-agent[33972]: command 'LEARN' failed: Card error <SCD>
$ ykman info
WARNING: PC/SC not available. Smart card protocols will not function.
Device type: YubiKey 5 Nano
Serial number: ********
Firmware version: 5.4.3
Form factor: Nano (USB-A)
Enabled USB interfaces: FIDO, CCID

Applications
FIDO2       	Enabled 	
OTP         	Disabled	
FIDO U2F    	Enabled 	
OATH        	Disabled	
YubiHSM Auth	Disabled	
OpenPGP     	Enabled 	
PIV         	Disabled
$ lsusb -d 1050:0406 -v
Bus 001 Device 011: ID 1050:0406 Yubico.com Yubikey 4/5 U2F+CCID
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x1050 Yubico.com
  idProduct          0x0406 Yubikey 4/5 U2F+CCID
  bcdDevice            5.43
  iManufacturer           1 Yubico
  iProduct                2 YubiKey FIDO+CCID
  iSerial                 0 
  bNumConfigurations      1
[...]

Thank you for your confirmation.

I pushed two changes for GnuPG 2.2, and one change for GnuPG 2.3.

2.2:

2.3:

I only tested with firmware 5.2.3. As soon as I get a device with new firmware, I'll test.

I haven't had a chance to try it myself yet, but another user writes in the Reddit thread linked above:

I and several coworkers have seen similar problems with GnuPG 2.3.7 and YubiKey 5C on MacOS. The Yubikey is found by gpg --card-status, but none of the keys on the card are.
Backing out the change from commit https://dev.gnupg.org/rG054d14887ef8fa1cbadef4ed2ea28213f25f5d25 seems to fix it on my machine.

I'm the user OJFord referred to above (my access to this bugtracker just got approved this morning). I tested the rGf34b9147eb30 change on my Mac, and it does indeed resolve the issue there.

Output from before the change:

❯ gpg --card-status
Reader ...........: Yubico YubiKey FIDO CCID
Application ID ...: D2760001240100000006159684210000
Application type .: OpenPGP
Version ..........: 1.0
Manufacturer .....: ?
Serial number ....: 15968421
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Max. PIN lengths .: 3 -2 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Output after the change:

❯ gpg --card-status
Reader ...........: Yubico YubiKey FIDO CCID
Application ID ...: D2760001240100000006159684210000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 15968421
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 9
KDF setting ......: off
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: <redacted>
      created ....: 2022-07-11 22:10:13
Encryption key....: <redacted>
      created ....: 2022-07-11 22:10:13
Authentication key: <redacted>
      created ....: 2022-07-11 22:10:13
General key info..: pub  ed25519/09EAF97E0838CAA7 2022-07-11 Jason Hoos <jason.hoos@shopify.com>
sec>  ed25519/09EAF97E0838CAA7  created: 2022-07-11  expires: never
                                card-no: 0006 15968421
ssb>  ed25519/F5FD0B8349B427A3  created: 2022-07-11  expires: never
                                card-no: 0006 15968421
ssb>  cv25519/7ED9B810A759C76C  created: 2022-07-11  expires: never
                                card-no: 0006 15968421

I've confirmed the patch fixes the issue. I'm planning to backport it to a revision of 2.3.7 in the Homebrew package manager.

Thank you all for your quick feedback.

To summarize:

  • I fixed a problem with Yubikey firmware of the 5.2 series in T5963 (the issue was: the first time, it works; the second time, it fails).
  • Unfortunately, the "fix" actually affects other versions of Yubikey firmware.
  • Specifically, the fix was not good for newer Yubikey firmware (like the 5.4 series), which doesn't have the "pubkey required" byte at all.
  • The change rGf34b9147e fixed the issue.

Well, Yubikey with new firmware is on the way from Germany to Japan. I'll continue to support those devices (both of 5.2 and 5.4).

gniibe raised the priority of this task from Normal to High. Thu, Jul 14, 9:00 AM

Thanks @gniibe. Does Yubico furnish you with devices for test, or did you have to order that at your own/the project's expense?

Does Yubico furnish you with devices for test...

When ECC Ed25519 was first implemented in Yubikey firmware (at the time of the 5.2 series), Yubico kindly sent me devices for testing. That's what I have at hand now.

This time, it is g10code which sent me newer ones (those are on the way to my place now).

( Obviously, my major token is Gnuk Token. Unfortunately, Gnuk Token has an issue of distribution/supply-chain. See: T4363 )

I just confirmed that firmware 5.4.3 works fine with the changes (to be 2.2.37 and 2.3.8).

I can't find a URL to download GnuPG 2.3.8 for Windows. Is it possible to know when gpg4win v.4.0.4, which fixes this bug, will be out? Currently, on Windows systems, I am stuck using Yubikey.

thank you so much

@tigernero 2.3.8 is not yet released. Pretty sure gpg4win is a separate project, presumably you'll see a changelog entry here (as there is bumping to 2.3.7 in the latest 4.0.3) when it's in:
https://www.gpg4win.org/change-history.html
https://www.gpg4win.org/support.html

I have exactly this problem with my Yubikey here.
Since I upgraded to gpg4win version 4.0.3, which contains GnuPG 2.3.7, I get the same error, as the OpenPGP key is not recognized.

I think it is up to the gpg4win group to integrate GnuPG 2.3.8, because currently with gpg4win the Yubikey with OpenPGP is unusable on Windows due to this regression.

Hi lovely people,

I get a similar issue. I just add my findings here in case it helps.

On fedora 36, when it updated to gnupg 2.3.7, my yubikey 5 NFC and yubikey 5 nano both stopped being recognized.

When I downgraded back to 2.3.4 it came back.

See the details:

➜  ~ gpg --version                       
gpg (GnuPG) 2.3.7
libgcrypt 1.10.1-unknown
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/sylvain/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
AEAD: EAX, OCB
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
➜ gpg --card-status 
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Application type .: OpenPGP
Version ..........: 1.0
Manufacturer .....: ?
Serial number ....: xxxxxxxx
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Max. PIN lengths .: -3 -2 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
➜ sudo dnf install gnupg2-2.3.4-2.fc36
[sudo] password for sylvain: 
Fedora 36 - x86_64 - Updates                   39 kB/s |  19 kB     00:00
Fedora 36 - x86_64 - Updates                  307 kB/s | 2.2 MB     00:07
Fedora Modular 36 - x86_64 - Updates           89 kB/s |  18 kB     00:00
Dependencies resolved.
================================================================================
 Package          Architecture    Version          Repository    Size
================================================================================
Downgrading:
 gnupg2           x86_64          2.3.4-2.fc36     fedora        2.5 M
 gnupg2-smime     x86_64          2.3.4-2.fc36     fedora        246 k

Transaction Summary
================================================================================
Downgrade  2 Packages

Total download size: 2.7 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): gnupg2-smime-2.3.4-2.fc36.x86_64.rpm    71 kB/s | 246 kB     00:03
(2/2): gnupg2-2.3.4-2.fc36.x86_64.rpm         177 kB/s | 2.5 MB     00:14
--------------------------------------------------------------------------------
Total                                         191 kB/s | 2.7 MB     00:14
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                     1/1
  Downgrading      : gnupg2-smime-2.3.4-2.fc36.x86_64    1/4
  Downgrading      : gnupg2-2.3.4-2.fc36.x86_64          2/4
  Cleanup          : gnupg2-2.3.7-1.fc36.x86_64          3/4
  Cleanup          : gnupg2-smime-2.3.7-1.fc36.x86_64    4/4
  Running scriptlet: gnupg2-smime-2.3.7-1.fc36.x86_64    4/4
  Verifying        : gnupg2-2.3.4-2.fc36.x86_64          1/4
  Verifying        : gnupg2-2.3.7-1.fc36.x86_64          2/4
  Verifying        : gnupg2-smime-2.3.4-2.fc36.x86_64    3/4
  Verifying        : gnupg2-smime-2.3.7-1.fc36.x86_64    4/4

Downgraded:
  gnupg2-2.3.4-2.fc36.x86_64    gnupg2-smime-2.3.4-2.fc36.x86_64

Complete!
➜ sudo killall gpg-agent                         
➜ unset SSH_AGENT_PID
➜ export GPG_TTY="$(tty)"
➜ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
➜ gpgconf --launch gpg-agent
➜ gpg --card-status     
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Application type .: OpenPGP
Version ..........: 0.0
Manufacturer .....: Yubico
Serial number ....: xxxxxxxxx
Name of cardholder: xxxxxx xxxxx
Language prefs ...: xx
Salutation .......: 
URL of public key : [not set]
Login data .......: xxxxx.xxxxx
Signature PIN ....: forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 757
KDF setting ......: off
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: xxxx xxxx xxxx xxxx xxxx  xxxx xxxx xxxx xxxx xxxx
      created ....: xxxx-07-27 10:01:07
Encryption key....: xxxx xxxx xxxx xxxx xxxx  xxxx xxxx xxxx xxxx xxxx
      created ....: xxxx-07-27 09:57:10
Authentication key: xxxx xxxx xxxx xxxx xxxx  xxxx xxxx xxxx xxxx xxxx
      created ....: xxxx-07-27 10:02:13
General key info..: sub  ed25519/xxxxxxxx 2021-07-27 xxxxxxx xxxxxx (xxxxxx) <xxxxx.xxxxx@xxxxx.com>
sec#  ed25519/xxxxxxxxxxxxxxxxxx  created: xxxx-07-27  expires: xxxx     
ssb>  cv25519/xxxxxxxxxxxxxxxxxx  created: xxxx-07-27  expires: xxxx     
                                  card-no: xxxx xxxx
ssb>  ed25519/xxxxxxxxxxxxxxxxxx  created: xxxx-07-27  expires: xxxx     
                                  card-no: xxxx xxxx
ssb>  ed25519/xxxxxxxxxxxxxxxxxx  created: xxxx-07-27  expires: xxxx     
                                  card-no: xxxx xxxx

If you need help testing let me know. Happy to support.

Best,

edit:
details on the nano one:

Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x1050 Yubico.com
  idProduct          0x0407 Yubikey 4/5 OTP+U2F+CCID
  bcdDevice            5.43
  iManufacturer           1 Yubico
  iProduct                2 YubiKey OTP+FIDO+CCID
  iSerial                 0 
  bNumConfigurations      1

For the firmware 5.4.3, I confirmed that it works well with the changes:
https://dev.gnupg.org/T6070#160150

@gniibe Perfect, I got the update during the night actually. Thanks a lot for your work 🙏 .
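
The symptoms collected in this thread (GnuPG version, firmware from bcdDevice, and either "Card error" or a blank-looking card in gpg --card-status) can be checked together. The following is an added example, not code from GnuPG, Yubico or any participant above; the function names are its own, the sample text is shortened from the outputs posted here, and the bcdDevice-to-firmware mapping is an assumption inferred from the 5.43 / 5.4.3 reports.

```shell
#!/bin/sh
# Added example, not GnuPG or Yubico code. Runs offline on sample text
# shortened from the outputs posted in this thread.

# bcdDevice "5.43" -> firmware "5.4.3". Assumption inferred from the thread,
# where one device shows bcdDevice 5.43 and ykman "Firmware version: 5.4.3".
bcd_to_firmware() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\)\.\([0-9]\)\([0-9]\)$/\1.\2.\3/p'
}

# First bcdDevice value in `lsusb -v` output read from stdin.
lsusb_bcd() { awk '$1 == "bcdDevice" { print $2; exit }'; }

# GnuPG versions exactly as reported in the thread; the rest is "unknown".
gnupg_state() {
    case "$1" in
        2.2.36|2.3.7) echo affected ;;
        2.2.35|2.3.4) echo reported-working ;;
        2.2.37|2.3.8) echo fix-announced ;;
        *)            echo unknown ;;
    esac
}

# Classify `gpg --card-status` output read from stdin:
#   error    = "OpenPGP card not available: Card error"
#   degraded = card listed but blank-looking: Manufacturer "?", no
#              "Key attributes" line, all three key slots "[none]"
card_state() {
    awk '
        /OpenPGP card not available: Card error/ { err = 1 }
        /^Manufacturer/ && $NF == "?"            { unk = 1 }
        /^Key attributes/                        { attrs = 1 }
        /^(Signature|Encryption|Authentication) key/ && $NF == "[none]" { none++ }
        END {
            if (err) print "error"
            else if (unk && !attrs && none == 3) print "degraded"
            else print "ok"
        }'
}

# One verdict line. Usage: triage GNUPG_VERSION BCD_DEVICE < card-status
triage() {
    fw=$(bcd_to_firmware "$2")
    gs=$(gnupg_state "$1")
    cs=$(card_state)
    case "$gs:$fw:$cs" in
        affected:5.4.*:error|affected:5.4.*:degraded)
            echo "regression: gnupg=$1 firmware=$fw card=$cs" ;;
        *:ok) echo "ok: gnupg=$1 firmware=$fw" ;;
        *)    echo "inconclusive: gnupg=$1 ($gs) firmware=$fw card=$cs" ;;
    esac
}

# Samples (shortened from the thread, key IDs omitted).
sample_lsusb() { cat <<'EOF'
  idProduct          0x0406 Yubikey 4/5 U2F+CCID
  bcdDevice            5.43
EOF
}
sample_degraded() { cat <<'EOF'
Manufacturer .....: ?
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
EOF
}
sample_ok() { cat <<'EOF'
Manufacturer .....: Yubico
Key attributes ...: ed25519 cv25519 ed25519
Signature key ....: <redacted>
EOF
}

bcd=$(sample_lsusb | lsusb_bcd)
sample_degraded | triage 2.3.7 "$bcd"
sample_ok       | triage 2.3.4 "$bcd"
```

On a live system, feed it the real outputs instead of the samples, for example `gpg --card-status 2>&1 | triage 2.3.7 5.43`.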