
Decryption with smartcard keys broken
Open, Needs Triage, Public

Description

Decryption with smartcard keys is currently failing (tested: notepad, encrypt/decrypt workflow).

I created a new key on the smartcard (tested: brainpoolP256r1, nist256) and also ensured that this is not related to stale smartcard/key data (tested: generation with no backup, restarted all gpg-related processes) or other artifacts (tested: new clean gnupghome dir).

To reproduce e.g. in notepad:

  1. Generate a key on smartcard (e.g. with default settings)
  2. Encrypt some text in the notepad (encrypt for & sign with new key)
  3. Decrypt again

audit log:

gpg: encrypted with brainpoolP256r1 key, ID E2C4E1CFE5027094, created 2025-06-30
      "sc"
gpg: public key decryption failed: Invalid data
gpg: decryption failed: Invalid data

debugview output:

[8936] org.kde.pim.kleopatra: GpgME::DecryptionResult(
[8936]  error:                GpgME::Error(67108943 (Invalid data))
[8936]  fileName:             <null>
[8936]  unsupportedAlgorithm: <null>
[8936]  isWrongKeyUsage:      0
[8936]  isDeVs:               0
[8936]  isBetaCompliance:     0
[8936]  legacyCipherNoMDC:    0
[8936]  symkeyAlgo:           ?.?
[8936]  recipients:
[8936] GpgME::DecryptionResult::Recipient(
[8936]  keyID:              6F16E23204466286
[8936]  shortKeyID:         04466286
[8936]  publicKeyAlgorithm: ECDH
[8936]  status:             GpgME::Error(117440529 (No secret key)))
[8936] )
[8936] GpgME::VerificationResult(
[8936]  error:      GpgME::Error(67108943 (Invalid data))
[8936]  fileName:
[8936]  signatures:
[8936] )

gpgme log (decryption started 14:21:55)

Details

Version
gpg4win-5.0.0-beta336 @ win10
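The two numeric GpgME::Error values in the debugview output above can be split into the component that raised the error and the error code, which is the quickest way to tell whether a failure originated in Kleopatra/GPGME or on the agent side. The decoder below is an added example written for this page, not code from the GnuPG project or from the reporter. The bit layout ((source << 24) | code) is libgpg-error's; the short name tables are an assumed hand-copied subset of its error source and error code lists, and the sample input is the debugview excerpt from the report.

```python
import re

# libgpg-error packs a gpg_error_t as (source << 24) | code (gpg-error.h).
GPG_ERR_SOURCE_SHIFT = 24
GPG_ERR_SOURCE_MASK = 0x7F
GPG_ERR_CODE_MASK = 0xFFFF

# Assumed subset of libgpg-error's err-sources.h.in (number -> component).
ERR_SOURCES = {
    0: "Unspecified source", 1: "gcrypt", 2: "GnuPG", 3: "GpgSM",
    4: "GPG Agent", 5: "Pinentry", 6: "SCD", 7: "GPGME", 8: "Keybox",
    9: "KSBA", 10: "Dirmngr", 13: "Kleopatra", 15: "Assuan",
}

# Assumed subset of libgpg-error's err-codes.h.in (number -> message).
ERR_CODES = {
    0: "Success", 1: "General error", 9: "No public key",
    17: "No secret key", 79: "Invalid data",
}


def decode_gpg_error(value):
    """Split a gpg_error_t into (source_name, source, code_name, code)."""
    source = (value >> GPG_ERR_SOURCE_SHIFT) & GPG_ERR_SOURCE_MASK
    code = value & GPG_ERR_CODE_MASK
    return (ERR_SOURCES.get(source, f"unknown source {source}"), source,
            ERR_CODES.get(code, f"unknown code {code}"), code)


# Matches the field name and numeric value in lines such as
#   [8936]  error:   GpgME::Error(67108943 (Ungültige Daten))
ERROR_RE = re.compile(r"(\w+):\s+GpgME::Error\((\d+)")


def decode_debugview(text):
    """Return (field, value, source_name, code_name) per GpgME::Error found."""
    results = []
    for m in ERROR_RE.finditer(text):
        field, value = m.group(1), int(m.group(2))
        source_name, _, code_name, _ = decode_gpg_error(value)
        results.append((field, value, source_name, code_name))
    return results


# Excerpt of the debugview output from the bug report (German messages
# left as Kleopatra printed them; the decoder only uses the numbers).
DEBUGVIEW = """\
[8936] org.kde.pim.kleopatra: GpgME::DecryptionResult(
[8936]  error:                GpgME::Error(67108943 (Ungültige Daten))
[8936]  recipients:
[8936] GpgME::DecryptionResult::Recipient(
[8936]  keyID:              6F16E23204466286
[8936]  publicKeyAlgorithm: ECDH
[8936]  status:             GpgME::Error(117440529 (Kein geheimer Schlüssel)))
[8936] )
[8936] GpgME::VerificationResult(
[8936]  error:      GpgME::Error(67108943 (Ungültige Daten))
[8936] )
"""

if __name__ == "__main__":
    for field, value, source_name, code_name in decode_debugview(DEBUGVIEW):
        print(f"{field:>7}: {value} = {source_name} / {code_name}")
```

decode_gpg_error(67108943) yields source 4 (GPG Agent) and code 79 (Invalid data), so the "Invalid data" value was created with gpg-agent's error source rather than by gpg, GPGME or Kleopatra; the per-recipient status 117440529 is source 7 (GPGME) with code 17 (No secret key), i.e. GPGME's own bookkeeping for a recipient it could not decrypt for. The same split can be obtained with libgpg-error's command line tool, `gpg-error 67108943`, where it is installed.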

Event Timeline

timegrid created this object with edit policy "Contributor (Project)".

I can't reproduce. Please check whether this works if you use gpg directly; it's a bit unlikely that this is kleopatra-specific, since kleopatra doesn't really care whether the key is on a smartcard or not.

gpgsm log

That's just for S/MIME, not OpenPGP

You're right, it also errors on gpg directly:

C:\Users\g10\Desktop\tmp\scdecrypt>gpg --encrypt --sign --recipient sc --sign-with sc test.txt
C:\Users\g10\Desktop\tmp\scdecrypt>gpg --decrypt test.txt.gpg
gpg: encrypted with brainpoolP256r1 key, ID FA2BF0F52BE05D89, created 2025-07-01
      "sc"
gpg: public key decryption failed: Invalid data
gpg: decryption failed: Invalid data

version

C:\Users\g10\Desktop\tmp\scdecrypt>gpg --version
gpg (GnuPG) 2.5.8
libgcrypt 1.11.1
Copyright (C) 2025 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:\Users\g10\AppData\Roaming\gnupg
Supported algorithms:
Pubkey: RSA, Kyber, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

secret keys

[keyboxd]
---------
sec   rsa3072 2023-03-08 [SC]
      11A9C6D06717C4E284960BA906E28F5FB5297489
uid        [ full ] Edward Tester <Edward.Tester@demo.gnupg.com>
ssb   rsa3072 2023-03-08 [E]
      756613A147108F13282B8B7B037BFD4B2C571A9E

sec   ed25519 2023-05-09 [SC] [expired: 2023-05-10]
      1AF2E0899B2741E58487ACC132F17CC07C6B182F
uid        [ expired] Ali-abgelaufen

sec   rsa3072 2023-03-08 [SC] [expired: 2023-03-09]
      1B7724C95351B75394303415C2577F23F8E93418
uid        [ expired] Xena-expired

sec   ed25519 2023-03-08 [SC]
      5563BF178A9ADB8AF41F9DDA08F8682320DEDDB9
uid        [ full ] Conny-cv25519
ssb   cv25519 2023-03-08 [E]
      C5C08C2A043D628C5A30EC69EFB23BB2F1DA0599

sec   ed25519 2023-03-09 [SC] [revoked: 2023-03-13]
      5D73251BA326024602696FD87CA8B3C25843D5D3
      Reason for revocation: No reason specified
         Revocation comment: Testgrund
uid        [ revoked] Ron-revoked

sec   brainpoolP256r1 2025-06-28 [SC] [expires: 2028-06-28]
      64687A787374DE2BD77EF6BC82D01B98E9AEDE58
uid        [ultimate] soon expires
ssb   brainpoolP256r1 2025-06-28 [E] [expires: 2028-06-28]
      A8E14BF41EF3607A09BAB2AB11A5FE186C620257

sec   rsa3072 2023-03-08 [SC]
      98111E67AE06F2BEFD2BDE10C5D6C919005F36A4
uid        [ultimate] Ted Tester <Ted.Tester@demo.gnupg.com>
ssb   rsa3072 2023-03-08 [E]
      CC5274CB8072E9778DADD15BCD573B2B0736643A

sec   ed448 2025-06-28 [SC] [expires: 2028-06-28]
      A474EEE9493BCC406EC144176DE2F2D0081ECB984E14D1491FE0F99E0252604F
uid        [ultimate] v5 key
uid        [ full ] v5 uid
ssb   cv448 2025-06-28 [E] [expires: 2028-06-28]
      7964E5E34D6AD3F70A7CA006D9225EB8FECD3EF4F35538C701A8E2BE1600752B

sec   rsa2048 2023-03-08 [SC]
      A6F76A4C451F0319AEB3B2FEDD4A11F368DAF68F
uid        [ full ] Rita-RSA2048
ssb   rsa2048 2023-03-08 [E]
      BB5E9C0603A9D1743F4EA951BA9A98374E6575EF

sec   rsa4096 2023-07-24 [SC]
      B2247C8918F42958722AB17651F15155D5EB6F1E
uid        [ full ] Rena-RSA4096
ssb   rsa4096 2023-07-24 [E]
      13FE109D705B1BA07DD1B7589A04B8E7237CCB62

sec   dsa2048 2023-03-08 [SC]
      C00AE5DF1A9033B0BA112C32F6AA692505C0227E
uid        [ full ] Dan-DSA2048
ssb   elg2048 2023-03-08 [E]
      890D6B4C74AFD7AE54EE57ECAB8057F7EBCE6B9A

sec>  brainpoolP256r1 2025-07-01 [SC] [expires: 2028-07-01]
      CD6B0ACDAAC5EB090B99AE8C1BA7A5FD943C1129
      Card serial no. = 0005 00009D59
uid        [ultimate] sc
ssb>  brainpoolP256r1 2025-07-01 [A] [expires: 2028-07-01]
      AAE624062270EA70ABF7A0461DD570FC663FBF6A
      Card serial no. = 0005 00009D59
ssb>  brainpoolP256r1 2025-07-01 [E] [expires: 2028-07-01]
      E0DBE7209AE340947C7C00A6FA2BF0F52BE05D89
      Card serial no. = 0005 00009D59

sec   brainpoolP256r1 2025-06-30 [SC] [expires: 2028-06-30]
      E412A9C3F6CDE8D50BF7166CCC8086B9FEAE19D0
uid        [ultimate] ky768_bp256
ssb   ky768_bp256 2025-06-30 [E] [expires: 2028-06-30]
      48C0EEB570315B183D9D7E786E2970BE6C0C184073FFEA0E23CB58BD7AB7FB31

sec   brainpoolP384r1 2023-03-08 [SC]
      F8D51DE0EE16E9B57009B8DE458612006D8E6F0D
uid        [ full ] Berta Boss <Berta.Boss@demo.gnupg.com>
ssb   brainpoolP384r1 2023-03-08 [E]
      46ED5D7758C1BD71C27AF928FFA2FCCB2EC589F8

sec   ed25519 2023-03-08 [SC]
      FADC4675146CFAF3D86F137E1D3C5E6E3DB3C71D
uid        [ full ] Udo-UID
uid        [ultimate] Udo-Nutzerkennung
ssb   cv25519 2023-03-08 [E]
      1D14E3C986AF431ED3034C70E736A70AFD0F1520

TobiasFella renamed this task from "Kleopatra: Decryption with smartcard keys broken" to "Decryption with smartcard keys broken". Wed, Jul 2, 12:40 PM
TobiasFella removed a project: kleopatra.

Please always add -v to commands like "gpg --decrypt test.txt.gpg". To decide whether this is smartcard or gpg-agent related, I need to see a log file from gpg-agent and scdaemon. The latter is more important. I would suggest "debug ipc,app,cardio".
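One way to produce exactly the logs asked for above: set the debug classes and a log file in scdaemon.conf and gpg-agent.conf without disturbing the rest of those files, make the daemons pick the change up, and rerun the failing decrypt with -v. This script is an added example for this page, not a GnuPG tool and not something the reporter ran. It assumes the documented `debug` and `log-file` options, `gpgconf --list-dirs homedir` and `gpgconf --kill all` (both real gpgconf commands); the `ipc` class for gpg-agent, the log file names and the choice to kill rather than reload the daemons are decisions made here. `gpgconf --kill all` is harmless: gpg restarts the daemons on demand, as the -v output in this thread shows.

```python
import os
import shutil
import subprocess
import sys

# scdaemon classes are the ones suggested in the thread; the gpg-agent class
# is an assumption (ipc logs the Assuan traffic with gpg and with scdaemon).
# Log file names are choices made for this example.
WANTED = {
    "scdaemon.conf": {"debug": "ipc,app,cardio", "log-file": "scdaemon.log"},
    "gpg-agent.conf": {"debug": "ipc", "log-file": "gpg-agent.log"},
}


def set_options(conf_text, options):
    """Return conf_text with every option in `options` set exactly once.

    GnuPG config lines are "name value"; the first existing line for an
    option is rewritten in place, later duplicates are dropped, comments and
    unrelated options are kept, and missing options are appended.
    """
    out, seen = [], set()
    for line in conf_text.splitlines():
        stripped = line.strip()
        key = None
        if stripped and not stripped.startswith("#"):
            key = stripped.split(None, 1)[0]
        if key in options:
            if key not in seen:
                out.append(f"{key} {options[key]}")
                seen.add(key)
            continue  # duplicate line for an option we already emitted
        out.append(line)
    for key, value in options.items():
        if key not in seen:
            out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def enable_debug_logging(gnupghome, logdir):
    """Rewrite the daemon config files under gnupghome; return written paths."""
    written = []
    for name, opts in WANTED.items():
        path = os.path.join(gnupghome, name)
        old = ""
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                old = fh.read()
        opts = dict(opts, **{"log-file": os.path.join(logdir, opts["log-file"])})
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(set_options(old, opts))
        written.append(path)
    return written


def gnupg_home():
    """GNUPGHOME if set, else what gpgconf reports, else the Unix default."""
    if os.environ.get("GNUPGHOME"):
        return os.environ["GNUPGHOME"]
    if shutil.which("gpgconf"):
        out = subprocess.run(["gpgconf", "--list-dirs", "homedir"],
                             capture_output=True, text=True, check=True)
        return out.stdout.strip()
    return os.path.expanduser("~/.gnupg")


def restart_and_decrypt(gnupghome, ciphertext):
    """Kill the daemons so they re-read their config, then run gpg -v --decrypt.

    Returns (exit_code, stderr), or None when gpg/gpgconf are not installed.
    """
    if shutil.which("gpgconf") is None or shutil.which("gpg") is None:
        return None
    env = dict(os.environ, GNUPGHOME=gnupghome)
    subprocess.run(["gpgconf", "--kill", "all"], env=env, check=False)
    proc = subprocess.run(["gpg", "-v", "--decrypt", ciphertext], env=env,
                          capture_output=True, text=True, check=False)
    return proc.returncode, proc.stderr


if __name__ == "__main__":
    home = gnupg_home()
    target = sys.argv[1] if len(sys.argv) > 1 else "test.txt.gpg"
    for path in enable_debug_logging(home, home):
        print("updated", path)
    result = restart_and_decrypt(home, target)
    if result is None:
        print("gpg/gpgconf not found; config files written only")
    else:
        sys.stderr.write(result[1])
        print("gpg exit code:", result[0])
```

After the run, scdaemon.log and gpg-agent.log in the GnuPG home directory are the files to attach to the ticket; remove the `debug` and `log-file` lines again afterwards, since the cardio class logs every APDU exchanged with the card.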

commands with -v

C:\Users\g10\Desktop\tmp\scdecrypt>gpg -K CD6B0ACDAAC5EB090B99AE8C1BA7A5FD943C1129
sec>  brainpoolP256r1 2025-07-01 [SC] [expires: 2028-07-01]
      CD6B0ACDAAC5EB090B99AE8C1BA7A5FD943C1129
      Card serial no. = 0005 00009D59
uid        [ultimate] sc
ssb>  brainpoolP256r1 2025-07-01 [A] [expires: 2028-07-01]
      AAE624062270EA70ABF7A0461DD570FC663FBF6A
      Card serial no. = 0005 00009D59
ssb>  brainpoolP256r1 2025-07-01 [E] [expires: 2028-07-01]
      E0DBE7209AE340947C7C00A6FA2BF0F52BE05D89
      Card serial no. = 0005 00009D59

C:\Users\g10\Desktop\tmp\scdecrypt>gpg -v --encrypt --sign --recipient CD6B0ACDAAC5EB090B99AE8C1BA7A5FD943C1129 --sign-with CD6B0ACDAAC5EB090B99AE8C1BA7A5FD943C1129 test.txt
gpg: enabled compatibility flags:
gpg: using subkey FA2BF0F52BE05D89 instead of primary key 1BA7A5FD943C1129
gpg: using pgp trust model
gpg: This key belongs to us
gpg: writing to 'test.txt.gpg'
gpg: ECDH/AES256.OCB encrypted for: "FA2BF0F52BE05D89 sc"
gpg: pinentry launched (7444 qt 1.3.1 - - - - 0/0 -)
gpg: ECDSA/SHA256 signature from: "1BA7A5FD943C1129 sc"

C:\Users\g10\Desktop\tmp\scdecrypt>gpg -v --decrypt test.txt.gpg
gpg: enabled compatibility flags:
gpg: public key is FA2BF0F52BE05D89
gpg: no running keyboxd - starting 'C:\\Program Files\\Gpg4win\\..\\GnuPG\\bin\\keyboxd.exe'
gpg: waiting for the keyboxd to come up ... (8s)
gpg: connection to the keyboxd established
gpg: using subkey FA2BF0F52BE05D89 instead of primary key 1BA7A5FD943C1129
gpg: encrypted with brainpoolP256r1 key, ID FA2BF0F52BE05D89, created 2025-07-01
      "sc"
gpg: no running gpg-agent - starting 'C:\\Program Files\\Gpg4win\\..\\GnuPG\\bin\\gpg-agent.exe'
gpg: waiting for the agent to come up ... (8s)
gpg: connection to the agent established
gpg: pinentry launched (1264 qt 1.3.1 - - - - 0/0 -)
gpg: Note: signature key 32F17CC07C6B182F expired 2023-05-10 10:00:00
gpg: Note: signature key C2577F23F8E93418 expired 2023-03-09 11:00:00
gpg: public key decryption failed: Invalid data
gpg: decryption failed: Invalid data

scdaemon log (debug ipc,app,cardio)