Yubico Forum ...visit our web-store at 2017-03-19T06:44:16+01:00 https://forum.yubico.com/feed.php?f=5&t=2605 2017-03-19T06:43:43+01:00 2017-03-19T06:43:43+01:00 https://forum.yubico.com/viewtopic.php?t=2605&p=9480#p9480 <![CDATA[Re: Problems generating keys for YK-KSM]]>
Create ~/.gnupg/gpg-agent.conf and add this one line:

Code:
max-cache-ttl 0

Statistics: Posted by drcheese — Sun Mar 19, 2017 6:43 am

]]> 2017-03-19T06:16:33+01:00 2017-03-19T06:16:33+01:00 https://forum.yubico.com/viewtopic.php?t=2605&p=9479#p9479 <![CDATA[Re: Problems generating keys for YK-KSM]]>
Basically the gpg2 does not allow forcing entry of the passphrase all the time so you have to cache it somehow. I did this by creating a dummy file called test.txt and creating a signature for it via the command:

Code:
gpg --clearsign test.txt


That caused the passphrase prompt:

Code:
   lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
   x Please enter the passphrase to unlock the secret key for the OpenPGP  x
   x certificate:                                                          x
   x "YK-KSM Import Key"                                                   x
   x 2048-bit RSA key, ID XXXXXXXX,                                        x
   x created 2017-03-19.                                                   x
   x                                                                       x
   x                                                                       x
   x Passphrase __________________________________________________________ x
   x                                                                       x
   x          <OK>                                         <Cancel>        x
   mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj


However this did not fix the importer issue where it did not prompt for the passphrase a second time. Any help on this? I can't seem to get around this issue.

Statistics: Posted by drcheese — Sun Mar 19, 2017 6:16 am

]]> 2017-03-19T06:44:16+01:00 2017-03-19T06:03:59+01:00 https://forum.yubico.com/viewtopic.php?t=2605&p=9478#p9478 <![CDATA[[SOLVED] Problems generating keys for YK-KSM]]> https://developers.yubico.com/yubikey-ksm/Generate_KSM_Key.html

However gpg does not request my passphrase when I try to generate KSM keys via:

Code:
ykksm-gen-keys --urandom 1 5 | gpg -a --encrypt -r XXXXXXXX -s > keys.txt


The output ends as follows:

Code:
gpg: cancelled by user
gpg: no default secret key: Operation cancelled
gpg: [stdin]: sign+encrypt failed: Operation cancelled


I found a possible workaround by using the following:

Code:
gpg -r XXXXXXXX--output keys.txt.gpg --encrypt keys.txt


But then the importer gives me a similar error, expecting a passphrase to unlock the secret key and it never prompting for one:
Code:
[GNUPG:] ENC_TO XXXXXXXXXXXXXXXX 1 0
[GNUPG:] USERID_HINT XXXXXXXXXXXXXXXX YK-KSM Import Key
[GNUPG:] NEED_PASSPHRASE XXXXXXXXXXXXXXXX YYYYYYYYYYYYYYYYYYY 1 0
gpg: cancelled by user
[GNUPG:] MISSING_PASSPHRASE
gpg: encrypted with 2048-bit RSA key, ID ZZZZZZZZZ, created 2017-03-19
      "YK-KSM Import Key"
gpg: public key decryption failed: Operation cancelled
[GNUPG:] ERROR pkdecrypt_failed 99
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
gpg: decryption failed: No secret key
[GNUPG:] END_DECRYPTION
encrypted to: XXXXXXXXXXXXXXXX
signed by:
Input not signed? at /usr/bin/ykksm-import line 122.


I realize this may be a specific issue with gpg2 configuration in CentOS 7, but thought someone else may have run into this issue too. Any help is greatly appreciated.

Statistics: Posted by drcheese — Sun Mar 19, 2017 6:03 am

]]>