Yubico Forum
https://forum.yubico.com/

[SOLVED] Problems generating keys for YK-KSM
https://forum.yubico.com/viewtopic.php?f=5&t=2605

Author:  drcheese [ Sun Mar 19, 2017 6:03 am ]
Post subject:  [SOLVED] Problems generating keys for YK-KSM

So I have a gpg key generated per the tutorial here: https://developers.yubico.com/yubikey-ksm/Generate_KSM_Key.html

However gpg does not request my passphrase when I try to generate KSM keys via:

Code:
ykksm-gen-keys --urandom 1 5 | gpg -a --encrypt -r XXXXXXXX -s > keys.txt


The output ends as follows:

Code:
gpg: cancelled by user
gpg: no default secret key: Operation cancelled
gpg: [stdin]: sign+encrypt failed: Operation cancelled


I found a possible workaround by using the following:

Code:
gpg -r XXXXXXXX --output keys.txt.gpg --encrypt keys.txt


But then the importer gives me a similar error, expecting a passphrase to unlock the secret key and never prompting for one:

Code:
[GNUPG:] ENC_TO XXXXXXXXXXXXXXXX 1 0
[GNUPG:] USERID_HINT XXXXXXXXXXXXXXXX YK-KSM Import Key
[GNUPG:] NEED_PASSPHRASE XXXXXXXXXXXXXXXX YYYYYYYYYYYYYYYYYYY 1 0
gpg: cancelled by user
[GNUPG:] MISSING_PASSPHRASE
gpg: encrypted with 2048-bit RSA key, ID ZZZZZZZZZ, created 2017-03-19
      "YK-KSM Import Key"
gpg: public key decryption failed: Operation cancelled
[GNUPG:] ERROR pkdecrypt_failed 99
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
gpg: decryption failed: No secret key
[GNUPG:] END_DECRYPTION
encrypted to: XXXXXXXXXXXXXXXX
signed by:
Input not signed? at /usr/bin/ykksm-import line 122.


I realize this may be a specific issue with gpg2 configuration in CentOS 7, but thought someone else may have run into this issue too. Any help is greatly appreciated.
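The lines ykksm-import echoes come from gpg's `--status-fd` output, and the final "Input not signed?" is only the symptom. Below is an added diagnostic (an editor's example, not ykksm-import's own code) that classifies such output; FAILED_RUN is built from the status lines in the post above, the other two samples are constructed for an unsigned and a correctly signed file.

```python
# Added example, not part of ykksm-import. All three samples are constructed:
# FAILED_RUN follows the post's output, the other two are assumed runs.
FAILED_RUN = """\
[GNUPG:] ENC_TO XXXXXXXXXXXXXXXX 1 0
[GNUPG:] USERID_HINT XXXXXXXXXXXXXXXX YK-KSM Import Key
[GNUPG:] NEED_PASSPHRASE XXXXXXXXXXXXXXXX YYYYYYYYYYYYYYYYYYY 1 0
gpg: cancelled by user
[GNUPG:] MISSING_PASSPHRASE
[GNUPG:] ERROR pkdecrypt_failed 99
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""
UNSIGNED_RUN = """\
[GNUPG:] ENC_TO XXXXXXXXXXXXXXXX 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
"""
SIGNED_RUN = """\
[GNUPG:] ENC_TO XXXXXXXXXXXXXXXX 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODSIG XXXXXXXXXXXXXXXX YK-KSM Import Key
[GNUPG:] END_DECRYPTION
"""


def parse_status(output):
    """Map each [GNUPG:] keyword to the list of argument lists seen for it."""
    status = {}
    for line in output.splitlines():
        if line.startswith("[GNUPG:] "):
            keyword, *args = line[len("[GNUPG:] "):].split()
            status.setdefault(keyword, []).append(args)
    return status


def diagnose(output):
    """Explain why an import would end in 'Input not signed?' or report success."""
    status = parse_status(output)
    if "MISSING_PASSPHRASE" in status:
        return "no passphrase: pinentry did not prompt or was cancelled (check gpg-agent)"
    if "DECRYPTION_FAILED" in status:
        return "decryption failed: secret key not usable"
    if "GOODSIG" in status:
        return "ok: signed by " + status["GOODSIG"][0][0]
    if "DECRYPTION_OKAY" in status:
        return "decrypted but unsigned: encrypt with -s so the importer can verify"
    return "unrecognised gpg status output"
```

The first check fires on the post's output, which shows the real cause was the missing passphrase prompt, not a missing signature.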

Author:  drcheese [ Sun Mar 19, 2017 6:16 am ]
Post subject:  Re: Problems generating keys for YK-KSM

Okay, so that was quick. I have half of my solution.

Basically, gpg2 does not allow forcing entry of the passphrase all the time, so you have to cache it somehow. I did this by creating a dummy file called test.txt and creating a signature for it via the command:

Code:
gpg --clearsign test.txt


That caused the passphrase prompt:

Code:
   ┌───────────────────────────────────────────────────────────────────────┐
   │ Please enter the passphrase to unlock the secret key for the OpenPGP  │
   │ certificate:                                                          │
   │ "YK-KSM Import Key"                                                   │
   │ 2048-bit RSA key, ID XXXXXXXX,                                        │
   │ created 2017-03-19.                                                   │
   │                                                                       │
   │                                                                       │
   │ Passphrase __________________________________________________________ │
   │                                                                       │
   │          <OK>                                         <Cancel>        │
   └───────────────────────────────────────────────────────────────────────┘


However this did not fix the importer issue where it did not prompt for the passphrase a second time. Any help on this? I can't seem to get around this issue.

Author:  drcheese [ Sun Mar 19, 2017 6:43 am ]
Post subject:  Re: Problems generating keys for YK-KSM

Solved...

Create ~/.gnupg/gpg-agent.conf and add this one line:

Code:
max-cache-ttl 0
