I failed to export the public part of an ED22519 key generated on a SmartCard for SSH usage.
These are the steps to reproduce the error.
- I am using a YubiKey with 5.7.1 firmware.
$ gpg-card Reader ...........: Yubico YubiKey OTP FIDO CCID 01 00 Card type ........: yubikey Card firmware ....: 5.7.1 Application type .: OpenPGP Version ..........: 3.4 [...]
- Generate the key
gpg/card> generate --algo=ed25519 OPENPGP.3
OpenPGP card no. 30 220 318 detected
gpg/card> list
[...]
Signature key ....: [none]
keyref .....: OPENPGP.1
algorithm ..: rsa2048
Encryption key....: [none]
keyref .....: OPENPGP.2
algorithm ..: rsa2048
Authentication key: 194459B63E0611BCBB194C0DFE93045CF66E6104
keyref .....: OPENPGP.3 (sign,auth)
algorithm ..: ed25519
stored fpr .: AFDB92C7832F093570322ED0D1DEA97D05F46C0B
created ....: 2025-03-27 10:16:38
gpg/card> quit- Create the GPG key block with the authentication key usage flag.
$ gpg --expert --full-generate-key gpg (GnuPG) 2.4.7; Copyright (C) 2024 g10 Code GmbH This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (14) Existing key from card Your selection? 14 Serial number of the card: D2760001240100000006302203180000 Available keys: (1) 194459B63E0611BCBB194C0DFE93045CF66E6104 OPENPGP.3 ed25519 (sign,auth*) Your selection? 1 Possible actions for this ECC key: Sign Authenticate Current allowed actions: Sign Authenticate (S) Toggle the sign capability (A) Toggle the authenticate capability (Q) Finished Your selection? s Possible actions for this ECC key: Sign Authenticate Current allowed actions: Authenticate (S) Toggle the sign capability (A) Toggle the authenticate capability (Q) Finished Your selection? q Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. Real name: Test Email address: Comment: SSH You selected this USER-ID: "Test (SSH)" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o gpg: revocation certificate stored as '.../.gnupg/openpgp-revocs.d/AFDB92C7832F093570322ED0D1DEA97D05F46C0B.rev' public and secret key created and signed. pub ed25519 2025-03-27 [SCA] AFDB92C7832F093570322ED0D1DEA97D05F46C0B uid Test (SSH)
Please mind the key usage was just set to "Authenticate", but the create key block has the S, C and A flags set.
Eporting the SSH key fails.
$ gpg --export-ssh-key AFDB92C7832F093570322ED0D1DEA97D05F46C0B gpg: key "AFDB92C7832F093570322ED0D1DEA97D05F46C0B" not found: Unusable public key gpg: export as ssh key failed: Unusable public key
Ignoring the key usage flag by adding ! to the fingerprint exports the public key. It works well together with the GnuPG SSH agent when added to the authorized_keys file.
$ gpg --export-ssh-key AFDB92C7832F093570322ED0D1DEA97D05F46C0B! ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINFxhOM2mqvHw3sHp2S+ydgwf9CxfpBqOnlXvq5bS2wB openpgp:0x05F46C0B
I was able to figure out, the following check bails out in export_ssh_key() in g10/export.c.
else if (!pk->flags.valid)
{
if (DBG_LOOKUP)
log_debug ("\tprimary key not valid\n");
}It seems the key signature is corrupt.
$ gpg --expert --edit-key AFDB92C7832F093570322ED0D1DEA97D05F46C0B! gpg (GnuPG) 2.4.7; Copyright (C) 2024 g10 Code GmbH This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. gpg: key D1DEA97D05F46C0B: 1 bad signature gpg: key D1DEA97D05F46C0B: Warning: errors found and only checked self-signatures, run 'check' to check all signatures. Secret key is available. sec ed25519/D1DEA97D05F46C0B created: 2025-03-27 expires: never usage: SCA card-no: 0006 30220318 trust: ultimate validity: ultimate [ultimate] (1). Test (SSH) gpg> check key D1DEA97D05F46C0B: 1 bad signature
Creating a key outside the SmartCard works well
$ gpg --expert --full-generate-key gpg (GnuPG) 2.4.7; Copyright (C) 2024 g10 Code GmbH This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (11) ECC (set your own capabilities) Your selection? 11 Possible actions for this ECC key: Sign Certify Authenticate Current allowed actions: Sign Certify (S) Toggle the sign capability (A) Toggle the authenticate capability (Q) Finished Your selection? s Possible actions for this ECC key: Sign Certify Authenticate Current allowed actions: Certify (S) Toggle the sign capability (A) Toggle the authenticate capability (Q) Finished Your selection? a Possible actions for this ECC key: Sign Certify Authenticate Current allowed actions: Certify Authenticate (S) Toggle the sign capability (A) Toggle the authenticate capability (Q) Finished Your selection? q Please select which elliptic curve you want: (1) Curve 25519 *default* (2) Curve 448 (3) NIST P-256 (4) NIST P-384 (5) NIST P-521 (6) Brainpool P-256 (7) Brainpool P-384 (8) Brainpool P-512 (9) secp256k1 Your selection? 1 Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. Real name: Test Email address: Comment: SSH You selected this USER-ID: "Test (SSH)" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: revocation certificate stored as '.../.gnupg/openpgp-revocs.d/620D895C25DF5F862213ED20AD85622B0D05F070.rev' public and secret key created and signed. pub ed25519 2025-03-27 [CA] 620D895C25DF5F862213ED20AD85622B0D05F070 uid Test (SSH)
In this case the key usage flags C and A are consistent and the export works as expected.
$ gpg --export-ssh-key 620D895C25DF5F862213ED20AD85622B0D05F070 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFp3pLO20FLKMs3AcygHeVWxQ/i6rdXpsxZZt2XXv1dT openpgp:0x0D05F070
It is even possible to move the key to the SmartCard and use it from there.
$ gpg --expert --edit-key 620D895C25DF5F862213ED20AD85622B0D05F070 gpg (GnuPG) 2.4.7; Copyright (C) 2024 g10 Code GmbH This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. sec ed25519/AD85622B0D05F070 created: 2025-03-27 expires: never usage: CA trust: ultimate validity: ultimate [ultimate] (1). Test (SSH) gpg> check gpg> keytocard OPENPGP.3 Really move the primary key? (y/N) y Please select where to store the key: (1) Signature key (3) Authentication key Your selection? 3 gpg: WARNING: such a key has already been stored on the card! Replace existing key? (y/N) y sec ed25519/AD85622B0D05F070 created: 2025-03-27 expires: never usage: CA trust: ultimate validity: ultimate [ultimate] (1). Test (SSH) Note: the local copy of the secret key will only be deleted with "save". gpg> save
This problem seems to be specific to ED255519 keys as it doesn't happen for ECDSA or RSA keys.