Page MenuHome GnuPG

yubikey nfc 5 key storage does not work with GnuPG when admin PIN is non-standard.
Open, NormalPublic


over in, Manoj reports:

I have a new Yubikey 5 NFC, and was using ‘gpg --card-edit’  and
  ‘gpg --edit-key --expert 0x123456789’ to move my gpg subkeys to the Yubikey.
   How to reproduce error mode:
   % gpg --card-edit
     > admin
     > passwd
       > change admin pin
       > change PIN

   % gpg --edit-key --expert 0x123456789’
     > key 7
     > keytocard
       > 1                    ## (signing key)
       <<gpg passphrese>>
       <<Yubikey Admin PIN>>
    Error failed to import key PIN failed
   Eventually this results in 3 failures for the ADMIN pin, locking the
  Yubikey.  Hypothesis: gpg2 and keytocard do not work with custom
  admin pins. Reversing the order of operations  worked:
    + add keys while the ADMIN PIN is 12345678
    + then change the PINs on the Yubikey
    + now signing with the gpg keys living on Yubikey works just fine.
   % gpg --card-edit
     > admin
     > factory-reset
        > y
        > yes
  % gpg --edit-key --expert 0x123456789’
     > key 7
     > keytocard
       > 1                    ## (signing key)
       <<gpg passphrese>>
       <<Yubikey Admin PIN>>
  % gpg --card-edit
     > admin
     > passwd
       > change admin pin
       > change PIN

  % lsusb | grep Yubikey
  [90587.275149] input: Yubico YubiKey OTP+FIDO+CCID as
  [90587.339153] hid-generic 0003:1050:0407.0009: input,hidraw8: USB HID
  v1.10 Keyboard [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-12/input0
  [90587.339962] hid-generic 0003:1050:0407.000A: hiddev2,hidraw9: USB HID
  v1.10 Device [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-12/input1

  % gpg --card-status
  Reader ...........: 1050:0407:X:0
  Application ID ...: D2760001240103040006247353380000
  Application type .: OpenPGP
  Version ..........: 3.4
  Manufacturer .....: Yubico
  Serial number ....: 24735338
  Name of cardholder: [not set]
  Language prefs ...: [not set]
  Salutation .......:
  URL of public key : [not set]
  Login data .......: [not set]
  Signature PIN ....: not forced
  Key attributes ...: rsa2048 rsa2048 rsa2048
  Max. PIN lengths .: 127 127 127
  PIN retry counter : 3 0 3
  Signature counter : 0
  KDF setting ......: off
  Signature key ....: [none]
  Encryption key....: [none]
  Authentication key: [none]
  General key info..: [none]


External Link

Event Timeline

aheinecke added a subscriber: aheinecke.

Eva can you please try to reproduce this? I can't really imagine that this is true since we have soooo many users with yubikeys and do a lot of internal testing on them. To be fair please try with your standard devuan GnuPG and not just with an up to date version.

werner triaged this task as Normal priority.Sep 26 2023, 11:43 AM
werner added a project: can't replicate.
werner added a subscriber: werner.


Eva and me tested this using our 2.2.42 release candidate on Linux and
on Windows and were not able to replicate your problem.

We are not aware of any fixes applied to this version since 2.2.41
which would affect the keytocard or PIN changing. I also doubt that
we had a problem in 2.2.40. Although quite unlikely I would suggest
to test with a vanilla 2.2.41 instead of the Debian versions with its
dozens of custom patches.

In any case we strongly suggest not to use a one year old LTS version
which we only maintain for the benefit of customers which need to use
a government approved version of the software.