Some, but not all, Yubikeys cannot be read by e.g. gpg --card-status (nor any operation using it) as of 2.2.36:
gpg: OpenPGP card not available: Card error
In the linked Reddit thread, one user confirms my (broken) experience with the 5C and another (working) with the 4.
| rG GnuPG | |||
| rG8c9f879d4aa0 scd:openpgp: Fix workaround for Yubikey heuristics. | |||
| rGf34b9147eb30 scd:openpgp: Fix workaround for Yubikey heuristics. | |||
I can confirm this issue with a 5C Nano returning the error, but a 4C working successfully. Downgrading to 2.2.35 does resolve the issue.
Please let us know, your firmware version number (in bcdDevice) by lsusb.
In my case, it's 5.24, like:
$ lsusb -d 1050:0407 -v Bus 001 Device 009: ID 1050:0407 Yubico.com Yubikey 4/5 OTP+U2F+CCID Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.00 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x1050 Yubico.com idProduct 0x0407 Yubikey 4/5 OTP+U2F+CCID bcdDevice 5.24 iManufacturer 1 Yubico iProduct 2 YubiKey OTP+FIDO+CCID iSerial 0 bNumConfigurations 1
$ lsusb -d 1050:0406 -v Bus 005 Device 002: ID 1050:0406 Yubico.com Yubikey 4/5 U2F+CCID Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.00 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x1050 Yubico.com idProduct 0x0406 Yubikey 4/5 U2F+CCID bcdDevice 5.43 iManufacturer 1 Yubico iProduct 2 YubiKey FIDO+CCID iSerial 0 bNumConfigurations 1
Thank you. I learned that there is new firmware, version 5.4 series.
https://www.yubico.com/blog/yubikey-firmware-update-yubikey-5-series-with-firmware-5-4/
https://docs.yubico.com/hardware/yubikey/yk-5/tech-manual/yk5-overview-5.4.html
It will be soon delivered to me.
IIUC, it's an issue for ECC keys on Yubikey (with newer firmware).
Perhaps, rG53eddf9b9ea0: scd: Fail when no good algorithm attribute. should be backported to 2.2.
Yes, I am using ECC keys:
Key attributes ...: ed25519 cv25519 ed25519
Do you know what changed between gpg versions to introduce the problem? I'm not familiar with the project, but naively https://dev.gnupg.org/rG53eddf9b9ea01210f71b851b5cb92a5f1cdb6f7d seems more like the problem than the solution?
I'm not sure if we're possibly at cross purposes on the version at fault here - I think [what Arch calls 2.2.36](https://github.com/archlinux/svntogit-packages/blob/packages/gnupg/trunk/PKGBUILD#L33=) is actually 2.3.6 here? (Since that's the recent release, and there's no 2.2.{35,36} in https://dev.gnupg.org/source/gnupg/browse/master/NEWS.)
Hi there!
I can confirm this regression on my yubikey 5 Nano with 2.2.36 (2.2.35 works) - on archlinux. Yubikey firmware 5.4.3, ed25519 keys too. Some more info:
$ gpg --card-status gpg: OpenPGP card not available: Card error
and syslog shows:
gpg-agent[33974]: scdaemon[33974]: response does not contain the RSA modulus gpg-agent[33972]: DBG: agent_card_learn failed: Card error gpg-agent[33972]: command 'LEARN' failed: Card error <SCD>
$ ykman info WARNING: PC/SC not available. Smart card protocols will not function. Device type: YubiKey 5 Nano Serial number: ******** Firmware version: 5.4.3 Form factor: Nano (USB-A) Enabled USB interfaces: FIDO, CCID Applications FIDO2 Enabled OTP Disabled FIDO U2F Enabled OATH Disabled YubiHSM Auth Disabled OpenPGP Enabled PIV Disabled
$ lsusb -d 1050:0406 -v Bus 001 Device 011: ID 1050:0406 Yubico.com Yubikey 4/5 U2F+CCID Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.00 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x1050 Yubico.com idProduct 0x0406 Yubikey 4/5 U2F+CCID bcdDevice 5.43 iManufacturer 1 Yubico iProduct 2 YubiKey FIDO+CCID iSerial 0 bNumConfigurations 1 [...]
Thank you for your confirmation.
I pushed two changes for GnuPG 2.2, and one change for GnuPG 2.3.
2.2:
2.3:
I only tested with firmware 5.2.3. As soon as I get a device with new firmware, I'll test.
I haven't had a chance to try it myself yet, but another user writes in the Reddit thread linked above:
I and several coworkers have seen similar problems with GnuPG 2.3.7 and YubiKey 5C on MacOS. The Yubikey is found by gpg --card-status, but none of the keys on the card are.
Backing out the change from commit https://dev.gnupg.org/rG054d14887ef8fa1cbadef4ed2ea28213f25f5d25 seems to fix it on my machine.
I'm the user OJFord referred to above (my access to this bugtracker just got approved this morning). I tested the rGf34b9147eb30 change on my Mac, and it does indeed resolve the issue there.
Output from before the change:
❯ gpg --card-status Reader ...........: Yubico YubiKey FIDO CCID Application ID ...: D2760001240100000006159684210000 Application type .: OpenPGP Version ..........: 1.0 Manufacturer .....: ? Serial number ....: 15968421 Name of cardholder: [not set] Language prefs ...: [not set] Salutation .......: URL of public key : [not set] Login data .......: [not set] Signature PIN ....: not forced Max. PIN lengths .: 3 -2 0 PIN retry counter : 0 0 0 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none]
Output after the change:
❯ gpg --card-status
Reader ...........: Yubico YubiKey FIDO CCID
Application ID ...: D2760001240100000006159684210000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 15968421
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 9
KDF setting ......: off
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: <redacted>
created ....: 2022-07-11 22:10:13
Encryption key....: <redacted>
created ....: 2022-07-11 22:10:13
Authentication key: <redacted>
created ....: 2022-07-11 22:10:13
General key info..: pub ed25519/09EAF97E0838CAA7 2022-07-11 Jason Hoos <jason.hoos@shopify.com>
sec> ed25519/09EAF97E0838CAA7 created: 2022-07-11 expires: never
card-no: 0006 15968421
ssb> ed25519/F5FD0B8349B427A3 created: 2022-07-11 expires: never
card-no: 0006 15968421
ssb> cv25519/7ED9B810A759C76C created: 2022-07-11 expires: never
card-no: 0006 15968421I've confirmed the patch fixes the issue. I'm planning to backport it to a revision of 2.3.7 in the Homebrew package manager.
Thank you all for your quick feedback.
To summarize:
Well, Yubikey with new firmware is on the way from Germany to Japan. I'll continue to support those devices (both of 5.2 and 5.4).
Thanks @gniibe. Does Yubico furnish you with devices for test, or did you have to order that at your own/the project's expense?
Does Yubico furnish you with devices for test...
When ECC Ed25519 was firstly implemented on Yubikey firmware (the time of 5.2 series), Yubico kindly sent me devices for test. That's I have now at hand.
This time, it is g10code which sent me newer ones (those are on the way to my place now).
( Obviously, my major token is Gnuk Token. Unfortunately, Gnuk Token has an issue of distribution/supply-chain. See: T4363 )
I just confirmed that firmware 5.4.3 works fine with the changes (to be 2.2.37 and 2.3.8).
I can't find a url to download gnupg 2.3.8 for windows is it possible to know when gpg4win v.4.0.4 is out which fixes this bug? because currently on windows systems I am stuck using yubikey.
thank you so much
@tigernero 2.3.8 is not yet released. Pretty sure gpg4win is a separate project, presumably you'll see a changelog entry here (as there is bumping to 2.3.7 in the latest 4.0.3) when it's in:
https://www.gpg4win.org/change-history.html
https://www.gpg4win.org/support.html
I have exactly this problem with yubikey here,
since i upgraded to gpg4win version 4.0.3 which contains gnupg 2.3.7 i get the same error as openpgp key not recognized.
I think the gpg4win group is up to you to integrate gnupg 2.3.8 because currently with gpg4win the yubikey with openpgp on windows are unusable due to this regression, this bug.
Hi lovely people,
I get a similar issue. I just add my findings here in case it helps.
On fedora 36, when it updated to gnupg 2.3.7, my yubikey 5 NFC and yubikey 5 nano both stopped being recognized.
When I downgraded back to 2.3.4 it came back.
See the details:
➜ ~ gpg --version
gpg (GnuPG) 2.3.7
libgcrypt 1.10.1-unknown
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/sylvain/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
AEAD: EAX, OCB
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
➜ gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Application type .: OpenPGP
Version ..........: 1.0
Manufacturer .....: ?
Serial number ....: xxxxxxxx
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Max. PIN lengths .: -3 -2 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
➜ sudo dnf install gnupg2-2.3.4-2.fc36
[sudo] password for sylvain:
Fedora 36 - x86_64 - Updates 39 kB/s | 19 kB 00:00
Fedora 36 - x86_64 - Updates 307 kB/s | 2.2 MB 00:07
Fedora Modular 36 - x86_64 - Updates 89 kB/s | 18 kB 00:00
Dependencies resolved.
============================================================================================================================================================================================================================================================================================================================================================================================================================================
Package Architecture Version Repository Size
============================================================================================================================================================================================================================================================================================================================================================================================================================================
Downgrading:
gnupg2 x86_64 2.3.4-2.fc36 fedora 2.5 M
gnupg2-smime x86_64 2.3.4-2.fc36 fedora 246 k
Transaction Summary
============================================================================================================================================================================================================================================================================================================================================================================================================================================
Downgrade 2 Packages
Total download size: 2.7 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): gnupg2-smime-2.3.4-2.fc36.x86_64.rpm 71 kB/s | 246 kB 00:03
(2/2): gnupg2-2.3.4-2.fc36.x86_64.rpm 177 kB/s | 2.5 MB 00:14
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 191 kB/s | 2.7 MB 00:14
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Downgrading : gnupg2-smime-2.3.4-2.fc36.x86_64 1/4
Downgrading : gnupg2-2.3.4-2.fc36.x86_64 2/4
Cleanup : gnupg2-2.3.7-1.fc36.x86_64 3/4
Cleanup : gnupg2-smime-2.3.7-1.fc36.x86_64 4/4
Running scriptlet: gnupg2-smime-2.3.7-1.fc36.x86_64 4/4
Verifying : gnupg2-2.3.4-2.fc36.x86_64 1/4
Verifying : gnupg2-2.3.7-1.fc36.x86_64 2/4
Verifying : gnupg2-smime-2.3.4-2.fc36.x86_64 3/4
Verifying : gnupg2-smime-2.3.7-1.fc36.x86_64 4/4
Downgraded:
gnupg2-2.3.4-2.fc36.x86_64 gnupg2-smime-2.3.4-2.fc36.x86_64
Complete!
➜ sudo killall gpg-agent
➜ unset SSH_AGENT_PID
➜ export GPG_TTY="$(tty)"
➜ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
➜ gpgconf --launch gpg-agent
➜ gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Application type .: OpenPGP
Version ..........: 0.0
Manufacturer .....: Yubico
Serial number ....: xxxxxxxxx
Name of cardholder: xxxxxx xxxxx
Language prefs ...: xx
Salutation .......:
URL of public key : [not set]
Login data .......: xxxxx.xxxxx
Signature PIN ....: forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 757
KDF setting ......: off
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx
created ....: xxxx-07-27 10:01:07
Encryption key....: xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx
created ....: xxxx-07-27 09:57:10
Authentication key: xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx
created ....: xxxx-07-27 10:02:13
General key info..: sub ed25519/xxxxxxxx 2021-07-27 xxxxxxx xxxxxx (xxxxxx) <xxxxx.xxxxx@xxxxx.com>
sec# ed25519/xxxxxxxxxxxxxxxxxx created: xxxx-07-27 expires: xxxx
ssb> cv25519/xxxxxxxxxxxxxxxxxx created: xxxx-07-27 expires: xxxx
card-no: xxxx xxxx
ssb> ed25519/xxxxxxxxxxxxxxxxxx created: xxxx-07-27 expires: xxxx
card-no: xxxx xxxx
ssb> ed25519/xxxxxxxxxxxxxxxxxx created: xxxx-07-27 expires: xxxx
card-no: xxxx xxxxIf you need help testing let me know. Happy to support.
Best,
edit:
details on the nano one:
Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.00 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x1050 Yubico.com idProduct 0x0407 Yubikey 4/5 OTP+U2F+CCID bcdDevice 5.43 iManufacturer 1 Yubico iProduct 2 YubiKey OTP+FIDO+CCID iSerial 0 bNumConfigurations 1
For the firmware 5.4.3, I confirmed that it works well with the changes:
https://dev.gnupg.org/T6070#160150
@gniibe Perfect, I got the update during the night actually. Thanks a lot for your work 🙏 .
Hi! I would like to add my experience about this issue.
First of all, I moved my 3 subkeys to a brand new Yubikey 5 NFC using GPG on a Linux machine and all worked well.
Then I plugged the Yubikey into my Windows computer where I have GPG v2.3.7 installed. In this case, the gpg --card-status returned erroneus data (version is 1, no manufacturer, no keys, etc. Same as here).
I tried all the steps in the Yubico Troubleshooting guide, but nothing worked.
Then I tried disabling the PIV interface using Yubikey Manager and at this point gpg --card-status showed No such device error. Basically it seems that somehow (tbh I don't know if it's actually possible) GPG 2.3.7 is trying to use the PIV interface instead of the OpenPGP one to connect to the Yubikey.
At the end, I downgraded to 2.3.6 and now it works perfectly.
exact v.2.3.8 is expected, generally I don't import Key on yubico I generate them directly from yubico itself in order to have the private Key created directly on yubico and not exportable.