
Kleopatra: Brainpool key can not be moved to smart card
Closed, Resolved, Public

Description

Moving a (VS-NfD compliant) Brainpool key is not possible with Kleopatra. The option "Transfer to smartcard" is greyed out.
Moving the same key on the command line works fine. (At least if the card is empty beforehand.)

Details

Version
3.1.26, 3.2.0.0

Event Timeline

Which algorithms are offered when you use "Regenerate Key"? What's the output of gpg -K --with-colon <key_id>?

werner triaged this task as High priority. Feb 17 2023, 7:54 AM

I'm sorry, I got a bit confused, it works in Kleopatra on 3.2.0, but not in 3.2.26

On 3.2.0 for "Regenerate Key" and "Generate Key" 7 algorithms are offered (one too many?):


On 3.1.26, only RSA Algorithms are offered:

This is on 3.1.26 after I moved the first subkey to the card via command line keytocard:

gpg -K --with-colon 595E61FF0929ED7584BA140D13B6ADCFDDDC9206
sec:u:256:19:13B6ADCFDDDC9206:1676545638:1739703600::u:::scESC:::D2760001240103040006154932980000::brainpoolP256r1:23::0:
fpr:::::::::595E61FF0929ED7584BA140D13B6ADCFDDDC9206:
grp:::::::::3CFD6A7640BE496C00CE2BF879B79AC981DCDB44:
uid:u::::1676545638::7084D80B57C334CE1A0C2A7C3E9A54FE9A12DBFE::test_Brainpool::::::::::0:
ssb:u:256:18:2237C4F898D4BE00:1676545638:1739703600:::::e:::+::brainpoolP256r1:23:
fpr:::::::::E74545CD33CC0B0F3800E4D72237C4F898D4BE00:
grp:::::::::ECA8237AF7D895D884FC7332CEB2AEB752C66E2E:
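
The listing above can be read field by field. The following is an added example, not part of the original report and not GnuPG or Kleopatra code: a small parser that reports, for each secret key record, the algorithm, curve, de-vs compliance flag and where the secret material lives. Field positions follow GnuPG's doc/DETAILS; the function and dictionary key names are chosen here for illustration.

```python
# Added example: interpret `gpg -K --with-colons` records (fields per doc/DETAILS).
PUBKEY_ALGOS = {1: "RSA", 16: "ELG", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

# Listing copied from the report above.
SAMPLE = """\
sec:u:256:19:13B6ADCFDDDC9206:1676545638:1739703600::u:::scESC:::D2760001240103040006154932980000::brainpoolP256r1:23::0:
fpr:::::::::595E61FF0929ED7584BA140D13B6ADCFDDDC9206:
grp:::::::::3CFD6A7640BE496C00CE2BF879B79AC981DCDB44:
uid:u::::1676545638::7084D80B57C334CE1A0C2A7C3E9A54FE9A12DBFE::test_Brainpool::::::::::0:
ssb:u:256:18:2237C4F898D4BE00:1676545638:1739703600:::::e:::+::brainpoolP256r1:23:
fpr:::::::::E74545CD33CC0B0F3800E4D72237C4F898D4BE00:
grp:::::::::ECA8237AF7D895D884FC7332CEB2AEB752C66E2E:
"""

def field(rec, n):
    """Return 1-based field n of a split record, or '' if the record is shorter."""
    return rec[n - 1] if len(rec) >= n else ""

def secret_key_locations(listing):
    """Return one dict per sec/ssb record found in a colon listing."""
    keys = []
    for line in listing.splitlines():
        rec = line.split(":")
        if rec[0] in ("sec", "ssb"):
            token = field(rec, 15)           # card serial, '#' (stub) or '+' (on disk)
            if token == "#":
                location, serial = "stub", None
            elif token == "+":
                location, serial = "disk", None
            elif token:
                location, serial = "card", token
            else:
                location, serial = "unknown", None
            algo = int(field(rec, 4))
            keys.append({
                "type": rec[0], "keyid": field(rec, 5),
                "algo": PUBKEY_ALGOS.get(algo, str(algo)),
                "curve": field(rec, 17) or None,
                "de_vs": "23" in field(rec, 18).split(),  # compliance flag 23 = de-vs
                "location": location, "card_serial": serial, "fingerprint": None,
            })
        elif rec[0] == "fpr" and keys and keys[-1]["fingerprint"] is None:
            keys[-1]["fingerprint"] = field(rec, 10)  # fpr record follows its key
    return keys

if __name__ == "__main__":
    for k in secret_key_locations(SAMPLE):
        print(k["type"], k["fingerprint"], k["algo"], k["curve"], k["location"], k["card_serial"] or "")
```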

If 3.1.26 only offers RSA algos, then Kleopatra obviously assumes that the smart card only supports RSA and therefore doesn't offer the transfer of Brainpool keys.

We got a user report that the issue did not occur before their update from 3.1.25 to 3.1.26

It affects Yubikeys and ZeitControl cards (version 3.4)

ikloecker changed the task status from Open to Testing. Mar 16 2023, 10:43 AM
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

I think Werner backported some missing functionality to GnuPG 2.2. Please retest with the next version.

ebo claimed this task.

For test version 3.1.27.0-beta44, for "Regenerate key" the same algorithms as in 3.2.0 are now offered for a Yubikey, and it is possible to move them to the smart card.
This is fine even for not VSD-compliant keys, as they are marked as such.

For the ZeitControl card (version 3.4) it is not possible to move 25519 keys to the card, as the card does not support it.

ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Apr 5 2023, 1:51 PM