Oct 29 2024
You should use gpg-agent's integrated ssh-agent. It is anyway much more convenient. I'll move this task to gnupg26, though.
Oct 4 2024
Porting to 2.2 was straightforward - we won't give it an extra QA run.
Sep 25 2024
Sep 3 2024
Jun 21 2024
May 31 2024
Thanks for your answer, @werner
Do not use the pcscd but the integrated CCID driver. This is actually the default form Unix. Or are you on Windows?
Hello all. I think I am affected by this problem (I get asked for the yubikey PIV pin every time I make a git commit).
Is there a known workaround?
May 1 2024
Seems it was a kernel / USB bug
Apr 22 2024
Please continue on T7041. This ticket is going to be closed (as the problem described was fixed already).
Apr 16 2024
Yes I have pcsc-shared in my scdaemon.conf.
I've just tried removing both pcsc-shared and disable-application piv and PIN caching worked as expected.
Are you using PC/SC shared mode? If so, it may be the case of T7041.
Apr 15 2024
I just wanted to report that I'm having this issue on Fedora 39, with GnuPG version 2.4.4.
I'm being asked for the PIN for every operation (Sign, Decrypt, Authenticate) I'm having this issue on 2 different laptops using YubiKey 5C NFC and YubiKey 5C Nano (Firmware version: 5.4.3).
I tried disabling PIV (disable-application piv) and then PIN caching started working again, so I just wanted to report this as it's marked as resolved.
Apr 9 2024
Mar 6 2024
See also rG40b85d8e8cecadf35e51e84b30de4fac820d714b for gnupg 2.4.
Jan 26 2024
We need to test the PIN, PUK and reset code stuff in 2.2
For the particular issue reopened for GnuPG 2.2.41 is fixed in GnuPG 2.2.42.
Please note that we can't fix the cause itself, the hardware problem.
Jan 12 2024
Jan 5 2024
Dec 27 2023
It would be good to apply this to 2.2, so adding "backport" tag.
Dec 22 2023
Thank you for the bug report. Although it's a corner case, it is a discrepancy in the implementation which results unrecoverable situation of the device.
Nov 28 2023
Nov 27 2023
Nov 7 2023
Applied a patch from 2.4/master to 2.2 for SEGV when card gives bogus data. rG600e69b46149: scd:openpgp: Fix a segv for cards supporting unknown curves.
Nov 6 2023
@desultory Thank you for your report.
Please open a new ticket for your problem. If you can, please show the result of https://dev.gnupg.org/T5963#157724
Nov 5 2023
This is still an issue for me:
Apr 21 2023
Mar 14 2023
Closing this one - see T6378
There is actually a regression wit Yubikeys. The fix for 2.2 is in T5100: rG08cc34911470 - for 2.4 I need to check
Mar 13 2023
I never made a threat model. But definitely *any* cracker, should be out of my system, either from governmental agencies or from a kiddo in Russia.
I know that I have someone that is remote accessing my machine, since I got some tells. And that this cracker have used my Emacs text editor.
Smartcard PINs are different from passphrase for on-disk keys. Once a PIN is entered the smartcard is unlocked as long as it is powered up. In theory we could power down and power up the card to lock it. The question here is what is your threat model? If you have malware on your system it could simply brick your token or, more common, peek at your PIN.
Mar 11 2023
Feb 26 2023
Feb 21 2023
The application probably doesn't support this curve, the changelog only mentions Curve25519 and NIST P-256. Also Kleopatra lists only these two curves when generating a key from the card. Upon further inspection, the 0xFA DO listing the supported algorithms only has RSA 2048, RSA 4096, nistp256, ed255519 and cv25519
This is a Nitrokey 3A with the firmware 1.2.2-alpha.20221130. I'll check with the vendor.
Sure that you specific card/implementation of Nitrokey supports this curve? The card application uses a vendor from the test card range - this it is likely that it is some Javacard implementaion or it is an old gnuk firmware on the nitrokey basic.
Changing the key attributes didn't help unfortunately:
There must be some regression in the code which changes the key attributes. Please try
"gpg --card-edit" admin, key-attr
and switch to nistp384.
I also tried to import the key with the gpg-card writekey command and I got the same error.
Same error message but probably a different cause, in this case the card was factory reset before importing.