Hi,
For some weeks now I have used my Yubikey Neo to sign my mails.
A gpg2.exe --card-status showed the following today:
Code:
Application ID ...: D2760001240102000006030165310000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 03016531
Name of cardholder: Hanno Wagner
Language prefs ...: de
Sex ..............: männlich
URL of public key : http://blog.rince.de/download/4cf2d85a.txt
Login data .......: rince
Signature PIN ....: zwingend
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 0 3 3
Signature counter : 42
Signature key ....: 069B C697 0BCB B079 D166 C0C4 3512 C2E2 3F4C 33A6
created ....: 2014-12-19 17:07:11
Encryption key....: FDB9 2670 3AF8 A7B8 3352 18EB 6033 BEFC 5A92 775A
created ....: 2014-12-19 17:07:40
Authentication key: F132 92A0 5884 5290 59CF 65F6 AEB2 C8E8 8651 4EAA
created ....: 2014-12-19 17:07:57
General key info..: pub 2048R/3F4C33A6 2014-12-19 Hanno 'Rince' Wagner <wagner@rince.de>
sec# 3744R/4CF2D85A erzeugt: 2014-12-19 verfällt: 2024-12-16
ssb> 2048R/3F4C33A6 erzeugt: 2014-12-19 verfällt: 2024-12-16
Kartennummer:0006 03016531
ssb> 2048R/5A92775A erzeugt: 2014-12-19 verfällt: 2024-12-16
Kartennummer:0006 03016531
ssb> 2048R/86514EAA erzeugt: 2014-12-19 verfällt: 2024-12-16
Kartennummer:0006 03016531
As you can see from the PIN retry counter, the normal PIN was at 0 - which means signing or decrypting wasn't possible anymore.
Luckily, I created the keys offline and used gpg2.exe keytocard to import the keys to the smartcard.
Since the PIN retry count was at 0, I read in the forum that the best way would be to reset the applet. So I checked the version - it is:
Code:
gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
D[0000] 01 00 08 90 00
Version 1.0.8.9, which seems to be the latest released version.
Now, after the reset, I just put some information on the card (name, language, sex), so --card-status shows the following:
Code:
gpg2.exe --card-status
Application ID ...: D2760001240102000006030165310000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 03016531
Name of cardholder: Hanno Wagner
Language prefs ...: de
Sex ..............: male
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
So, this looks like a new key. The retry counter is at 3 again and this seems to be legit.
When I did the reset, the keys were of course lost as well - which was accepted. I wanted to re-import the keys from my secring, which was stored somewhere else.
And since I had backups, I also had a version where the subkeys were still on the secring and not (yet) linked to the card.
I followed the howto on
http://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/ on how to create this kind of key. And it seemed to be fine:
Code:
gpg2.exe --list-secret-keys
--------------------
sec 3744R/4CF2D85A 2014-12-19 [expires: 2024-12-16]
uid Hanno 'Rince' Wagner <wagner@rince.de>
uid [jpeg image of size 5076]
uid Hanno 'Rince' Wagner (FITUG-Mailadresse) <wagner@fitug.de>
uid Hanno 'Rince' Wagner (CCCS-Mailadresse) <rince@cccs.de>
uid Hanno 'Rince' Wagner <rince@linux.de>
ssb 2048R/3F4C33A6 2014-12-19
ssb 2048R/5A92775A 2014-12-19
ssb 2048R/86514EAA 2014-12-19
So, the secret keys are there and not (yet) linked to the card.
But when I try to put these keys onto the card, gpg2 fails:
Code:
gpg2.exe --edit-key 0x4CF2D85A
gpg (GnuPG) 2.0.17; Copyright (C) 2011 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 3744R/4CF2D85A created: 2014-12-19 expires: 2024-12-16 usage: SC
trust: ultimate validity: ultimate
sub 2048R/3F4C33A6 created: 2014-12-19 expires: 2024-12-16 usage: S
sub 2048R/5A92775A created: 2014-12-19 expires: 2024-12-16 usage: E
sub 2048R/86514EAA created: 2014-12-19 expires: 2024-12-16 usage: A
[ultimate] (1). Hanno 'Rince' Wagner <wagner@rince.de>
[ultimate] (2) [jpeg image of size 5076]
[ultimate] (3) Hanno 'Rince' Wagner (FITUG-Mailadresse) <wagner@fitug.de>
[ultimate] (4) Hanno 'Rince' Wagner (CCCS-Mailadresse) <rince@cccs.de>
[ultimate] (5) Hanno 'Rince' Wagner <rince@linux.de>
gpg> toggle
sec 3744R/4CF2D85A created: 2014-12-19 expires: 2024-12-16
ssb 2048R/3F4C33A6 created: 2014-12-19 expires: never
ssb 2048R/5A92775A created: 2014-12-19 expires: never
ssb 2048R/86514EAA created: 2014-12-19 expires: never
(1) Hanno 'Rince' Wagner <wagner@rince.de>
(2) [jpeg image of size 5076]
(3) Hanno 'Rince' Wagner (FITUG-Mailadresse) <wagner@fitug.de>
(4) Hanno 'Rince' Wagner (CCCS-Mailadresse) <rince@cccs.de>
(5) Hanno 'Rince' Wagner <rince@linux.de>
gpg> key 1
sec 3744R/4CF2D85A created: 2014-12-19 expires: 2024-12-16
ssb* 2048R/3F4C33A6 created: 2014-12-19 expires: never
ssb 2048R/5A92775A created: 2014-12-19 expires: never
ssb 2048R/86514EAA created: 2014-12-19 expires: never
(1) Hanno 'Rince' Wagner <wagner@rince.de>
(2) [jpeg image of size 5076]
(3) Hanno 'Rince' Wagner (FITUG-Mailadresse) <wagner@fitug.de>
(4) Hanno 'Rince' Wagner (CCCS-Mailadresse) <rince@cccs.de>
(5) Hanno 'Rince' Wagner <rince@linux.de>
gpg> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
You need a passphrase to unlock the secret key for
user: "Hanno 'Rince' Wagner <wagner@rince.de>"
2048-bit RSA key, ID 3F4C33A6, created 2014-12-19
gpg: error writing key to card: Not supported
As you can see, suddenly this key is not supposed to go to that card. But why? This is the same key as there was before I had to reset the OpenPGP applet.
Unfortunately, I cannot see what _exactly_ the card doesn't accept.
Is there another way to put the secret key on the card so I can use it again for signing or decrypting files?
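As an added example (not part of the original post), a small Python helper that parses the `gpg2 --card-status` output quoted above into fields, flags the blocked user PIN and empty key slots that appear in this thread, and decodes the `gpg-connect-agent --hex` reply to the `00 f1 00 00` version query. The sample text is constructed from the output above; the order of the three retry counters (user PIN, reset code, admin PIN) follows the OpenPGP card specification.

```python
# Added example, not from the post: parse gpg2 --card-status output and flag a locked card.
# SAMPLE_STATUS is constructed from the card-status output quoted in the thread.
SAMPLE_STATUS = """\
Application ID ...: D2760001240102000006030165310000
Version ..........: 2.0
Serial number ....: 03016531
Signature PIN ....: forced
Max. PIN lengths .: 127 127 127
PIN retry counter : 0 3 3
Signature counter : 42
Signature key ....: 069B C697 0BCB B079 D166 C0C4 3512 C2E2 3F4C 33A6
Encryption key....: FDB9 2670 3AF8 A7B8 3352 18EB 6033 BEFC 5A92 775A
Authentication key: [none]
"""
PIN_NAMES = ("user PIN", "reset code", "admin PIN")   # order per OpenPGP card spec
KEY_SLOTS = ("Signature key", "Encryption key", "Authentication key")

def parse_card_status(text):
    """Map each 'label ....: value' line to {label: value}; lines without ':' are skipped."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            label, value = line.split(":", 1)   # split once so URLs keep their own colon
            fields[label.rstrip(" .")] = value.strip()
    return fields

def card_health(text):
    """Return retry counters, key slots (fingerprint or None) and a list of problems."""
    fields = parse_card_status(text)
    retries = dict(zip(PIN_NAMES, map(int, fields["PIN retry counter"].split())))
    slots = {s: None if fields.get(s, "[none]").startswith("[") else fields[s].replace(" ", "")
             for s in KEY_SLOTS}
    problems = []
    if retries["user PIN"] == 0:
        problems.append("user PIN blocked: no signing/decryption until unblocked with admin PIN or reset")
    if retries["admin PIN"] == 0:
        problems.append("admin PIN blocked: only a full applet reset recovers the card")
    problems += [f"{s} slot is empty" for s, fp in slots.items() if fp is None]
    return {"retries": retries, "slots": slots, "problems": problems}

def parse_apdu_reply(hexline):
    """Decode a 'D[0000] 01 00 08 90 00' line: the last two bytes are the ISO 7816
    status word (90 00 = success), the leading bytes are the applet version major.minor.patch."""
    data = bytes.fromhex(hexline.split("]", 1)[1].replace(" ", ""))
    body, sw = data[:-2], data[-2:]
    return {"version": ".".join(str(b) for b in body),
            "status_word": sw.hex().upper(), "ok": sw == b"\x90\x00"}
```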