Closed rejsmont closed 8 months ago
Bumping this issue as I'm running into it too. My setup is as follows:
System Information ( ► About this Mac then click System Report…) identifies the Ledger Nano S as follows:
I've installed the OpenPGP.XL application version 1.4.3 via Ledger Live version 2.19.0 (with Experimental features enabled) on a Ledger Nano S with firmware version 1.6.1.
The scdaemon is configured according to the documentation as follows:
% cat ~/.gnupg/scdaemon.conf
reader-port "Ledger Token [Nano S] (0001) 01 00"
allow-admin
enable-pinpad-varlen
log-file /tmp/scd.log
debug-level guru
debug-all
and it seems the Ledger Nano S is available as a CCID reader (command-line taken from scdaemon(1)):
% echo scd getinfo reader_list | gpg-connect-agent --decode | awk '/^D/ {print $2}'
2C97:0001:0001:0
I've also tried to use 2C97:0001:0001:0 as a reader-port in the scdaemon.conf, yet with the OpenPGP.XL application open on the Ledger Nano S, when running gpg --card-status or gpg --card-edit the scd.log shows the following error: 2021-02-04 08:31:50 scdaemon[62863] pcsc_connect failed: unknown reader (0x80100009)
% gpg --card-status
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device
% cat /tmp/scd.log
2021-02-04 08:31:50 scdaemon[62863] DBG: chan_7 <- GETINFO version
2021-02-04 08:31:50 scdaemon[62863] DBG: chan_7 -> D 2.2.26
2021-02-04 08:31:50 scdaemon[62863] DBG: chan_7 -> OK
2021-02-04 08:31:50 scdaemon[62863] DBG: chan_7 <- SERIALNO
2021-02-04 08:31:50 scdaemon[62863] DBG: apdu_open_reader: BAI=140901
2021-02-04 08:31:50 scdaemon[62863] DBG: apdu_open_reader: new device=140901
2021-02-04 08:31:50 scdaemon[62863] ccid open error: skip
2021-02-04 08:31:50 scdaemon[62863] DBG: enter: apdu_open_reader: portstr=Ledger Token [Nano S] (0001) 01 00
2021-02-04 08:31:50 scdaemon[62863] reader slot 0: not connected
2021-02-04 08:31:50 scdaemon[62863] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
2021-02-04 08:31:50 scdaemon[62863] DBG: enter: apdu_connect: slot=0
2021-02-04 08:31:50 scdaemon[62863] pcsc_connect failed: unknown reader (0x80100009)
2021-02-04 08:31:50 scdaemon[62863] reader slot 0: not connected
2021-02-04 08:31:50 scdaemon[62863] DBG: leave: apdu_connect => sw=0x1000c
2021-02-04 08:31:50 scdaemon[62863] DBG: enter: apdu_close_reader: slot=0
2021-02-04 08:31:50 scdaemon[62863] DBG: enter: apdu_disconnect: slot=0
2021-02-04 08:31:50 scdaemon[62863] DBG: leave: apdu_disconnect => sw=0x0
2021-02-04 08:31:50 scdaemon[62863] DBG: leave: apdu_close_reader => 0x0 (close_reader)
2021-02-04 08:31:50 scdaemon[62863] DBG: chan_7 -> ERR 100696144 Operation not supported by device <SCD>
2021-02-04 08:31:50 scdaemon[62863] DBG: chan_7 <- RESTART
2021-02-04 08:31:50 scdaemon[62863] DBG: chan_7 -> OK
Any help would be very much appreciated as this is a great and versatile app for the Ledger Nano!
Quick update: the Ledger Nano S is recognised correctly using OpenBSD 6.9. I do not seem to be able to verify the PIN, and hence change the PIN mode; trying to change the name results in Bad PIN when using the default PIN, yet this seems a different issue. I'll investigate more and file a new issue as needed.
By adding the lines below to ~/.gnupg/scdaemon.conf I was able to verify and change the PIN on OpenBSD:
allow-admin
enable-pinpad-varlen
I've enabled logging for macOS' smart-card subsystem
% sudo defaults write /Library/Preferences/com.apple.security.smartcard Logging -bool yes
% sudo log stream --debug --info --source --style syslog --predicate '((subsystem == "com.apple.CryptoTokenKit") || (process == "com.apple.ifdreader"))'
(see certgate)
and see the following messages when connecting the Ledger Nano S and opening the OpenPGP.XL app:
2021-02-09 20:16:35.771848+0100 localhost com.apple.ctkpcscd[92930]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] received new request 12 for peer REDACTED_PEER_1
2021-02-09 20:16:35.771957+0100 localhost com.apple.ctkpcscd[92930]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] answering operation 12, result 0
2021-02-09 20:16:35.772320+0100 localhost com.apple.ctkpcscd[92930]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] received new request 12 for peer REDACTED_PEER_1
2021-02-09 20:16:35.772496+0100 localhost com.apple.ctkpcscd[92930]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] answering operation 12, result 0
2021-02-09 20:16:35.981290+0100 localhost com.apple.ifdreader[222]: <com.apple.ifdreader> [com.apple.CryptoTokenKit:smartcard] deviceRemovalHandler invoked (entryId=REDACTED_ENTRY_ID_1)
2021-02-09 20:16:35.981532+0100 localhost com.apple.ifdreader[222]: <com.apple.ifdreader> [com.apple.CryptoTokenKit:smartcard] installed device removal notification
2021-02-09 20:16:35.981908+0100 localhost com.apple.ifdreader[222]: <com.apple.ifdreader> [com.apple.CryptoTokenKit:smartcard] new device arrival: 2c97:1011 14400000 (entryId=REDACTED_ENTRY_ID_1)
2021-02-09 20:16:35.982021+0100 localhost com.apple.ifdreader[222]: <com.apple.ifdreader> [com.apple.CryptoTokenKit:smartcard] unable to find bundle for device, aborting
2021-02-09 20:16:37.847766+0100 localhost com.apple.ctkpcscd[92930]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] received new request 12 for peer REDACTED_PEER_1
2021-02-09 20:16:37.847876+0100 localhost com.apple.ctkpcscd[92930]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] answering operation 12, result 0
2021-02-09 20:16:37.848170+0100 localhost com.apple.ctkpcscd[92930]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] received new request 12 for peer REDACTED_PEER_1
2021-02-09 20:16:37.848268+0100 localhost com.apple.ctkpcscd[92930]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] answering operation 12, result 0
2021-02-09 20:16:37.926937+0100 localhost com.apple.ifdreader[222]: <com.apple.ifdreader> [com.apple.CryptoTokenKit:smartcard] deviceRemovalHandler invoked (entryId=REDACTED_ENTRY_ID_2)
2021-02-09 20:16:37.927008+0100 localhost com.apple.ifdreader[222]: <com.apple.ifdreader> [com.apple.CryptoTokenKit:smartcard] installed device removal notification
2021-02-09 20:16:37.927563+0100 localhost com.apple.ifdreader[222]: <com.apple.ifdreader> [com.apple.CryptoTokenKit:smartcard] new device arrival: 2c97:0001 14400000 (entryId=REDACTED_ENTRY_ID_2)
2021-02-09 20:16:37.935487+0100 localhost com.apple.ifdbundle[7254]: <com.apple.ifdbundle> [com.apple.CryptoTokenKit:smartcard] bundle loaded: /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle
2021-02-09 20:16:37.939057+0100 localhost com.apple.ifdreader[222]: <com.apple.ifdreader> [com.apple.CryptoTokenKit:smartcard] found bundle for device, resolved entryId=REDACTED_ENTRY_ID_2 to deviceName='Ledger Nano S'
2021-02-09 20:16:37.940006+0100 localhost com.apple.ifdbundle[7254]: <com.apple.ifdbundle> [com.apple.CryptoTokenKit:smartcard] Ledger Nano S: allocate lun: 0
2021-02-09 20:16:37.940305+0100 localhost com.apple.ifdbundle[7254]: <com.apple.ifdbundle> [com.apple.CryptoTokenKit:smartcard] -> IFDHCreateChannelByName(00000000, 'Ledger Nano S')
2021-02-09 20:17:29.055325+0100 localhost scdaemon[94462]: (PCSC) <PCSC`SCardConnect.cold.7> [com.apple.CryptoTokenKit:pcscapi] -> SCardConnect()
2021-02-09 20:17:29.056679+0100 localhost com.apple.ctkpcscd[94463]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] received new request 3 for peer REDACTED_PEER_2
2021-02-09 20:17:29.056747+0100 localhost com.apple.ctkpcscd[94463]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] answering operation 3, result -2146435063
2021-02-09 20:17:29.056797+0100 localhost scdaemon[94462]: (PCSC) <PCSC`SCardConnect.cold.4> [com.apple.CryptoTokenKit:pcscapi] <- (80100009) SCardConnect()
2021-02-09 20:17:29.057362+0100 localhost com.apple.ctkpcscd[94463]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] terminating peer REDACTED_PEER_2 because of connection error
Probably you have not bought your Ledger Nano S in the official Apple store. Nah, just kidding. Kind of. I have seen some USB devices that work perfectly on most platforms, but work with a degraded performance or functionality with MacOS. Which is completely understandable with a closed-source OS supported only by hardware sales.
Does that "answering operation 3" result FFEF_FFF7 ring any bells for you, Cédric? @cslashm
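The two numbers in the logs quoted above are one PC/SC return code in two notations: scdaemon prints the unsigned LONG `0x80100009`, while ctkpcscd prints the same value as a signed 32-bit decimal, and `-2146435063 & 0xFFFFFFFF` is `0x80100009`, which pcsc-lite names SCARD_E_UNKNOWN_READER. The following is an added example, not code from this thread or from the OpenPGP.XL project: it pulls every failed PC/SC call out of scdaemon and CryptoTokenKit log lines, normalises the code and names it. The error table is the subset of pcsc-lite's return codes that appear in this thread plus a few neighbours, and the sample lines are quoted from the logs posted above.

```python
"""Triage PC/SC return codes from scdaemon and macOS CryptoTokenKit log lines.
Added example, not code from the thread or the OpenPGP.XL project."""
import re

# PC/SC return codes (subset) as defined in pcsc-lite's PCSC/pcsclite.h and WinSCard.
SCARD_ERRORS = {
    0x00000000: "SCARD_S_SUCCESS",
    0x80100009: "SCARD_E_UNKNOWN_READER",
    0x8010000C: "SCARD_E_NO_SMARTCARD",
    0x80100016: "SCARD_E_NOT_TRANSACTED",
    0x80100017: "SCARD_E_READER_UNAVAILABLE",
    0x8010001D: "SCARD_E_NO_SERVICE",
    0x8010002E: "SCARD_E_NO_READERS_AVAILABLE",
    0x80100069: "SCARD_W_REMOVED_CARD",
}


def to_unsigned32(value: int) -> int:
    """Fold a signed 32-bit LONG (ctkpcscd: 'result -2146435063') into the
    unsigned form scdaemon prints ('(0x80100009)')."""
    return value & 0xFFFFFFFF


def scard_name(code: int) -> str:
    code = to_unsigned32(code)
    return SCARD_ERRORS.get(code, "unknown PC/SC code 0x%08X" % code)


# scdaemon:           "pcsc_connect failed: unknown reader (0x80100009)"
SCD_RE = re.compile(r"(pcsc_\w+) failed: .*?\((0x[0-9A-Fa-f]{8})\)")
# macOS pcscapi log:  "<- (80100009) SCardConnect()"
CTK_API_RE = re.compile(r"<- \(([0-9A-Fa-f]{8})\) (SCard\w+)\(\)")
# ctkpcscd:           "answering operation 3, result -2146435063"
CTK_OP_RE = re.compile(r"answering operation (\d+), result (-?\d+)")


def triage(log_text: str):
    """Return [(call, unsigned_code, name)] for every failed PC/SC call in the log."""
    findings = []
    for line in log_text.splitlines():
        m = SCD_RE.search(line)
        if m:
            code = int(m.group(2), 16)
            findings.append((m.group(1), code, scard_name(code)))
            continue
        m = CTK_API_RE.search(line)
        if m:
            code = int(m.group(1), 16)
            findings.append((m.group(2), code, scard_name(code)))
            continue
        m = CTK_OP_RE.search(line)
        if m:
            code = to_unsigned32(int(m.group(2)))
            if code != 0:  # result 0 is SCARD_S_SUCCESS, nothing to report
                findings.append(("ctkpcscd operation " + m.group(1), code, scard_name(code)))
    return findings


# Lines quoted from the logs posted earlier in this thread.
SAMPLE_LOG = """\
2021-02-04 08:31:50 scdaemon[62863] pcsc_connect failed: unknown reader (0x80100009)
2021-02-09 20:16:37.847876+0100 localhost com.apple.ctkpcscd[92930]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] answering operation 12, result 0
2021-02-09 20:17:29.056747+0100 localhost com.apple.ctkpcscd[94463]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] answering operation 3, result -2146435063
2021-02-09 20:17:29.056797+0100 localhost scdaemon[94462]: (PCSC) <PCSC`SCardConnect.cold.4> [com.apple.CryptoTokenKit:pcscapi] <- (80100009) SCardConnect()
2021-10-26 17:27:40 scdaemon[41206] pcsc_control failed: not transacted (0x80100016)
"""

if __name__ == "__main__":
    for call, code, name in triage(SAMPLE_LOG):
        print(f"{call:<24} 0x{code:08X} {name}")
```

SCARD_E_UNKNOWN_READER from SCardConnect means the reader name scdaemon handed to PC/SC is not one the service knows, so the thing to compare is the `reader-port` value against what `echo scd getinfo reader_list | gpg-connect-agent --decode` returns on the same machine; further down in this thread the reader is detected on macOS under the plain name `Ledger Nano S` with no `reader-port` set at all. SCARD_E_NOT_TRANSACTED on `pcsc_control` is scdaemon's pinpad feature query (GET_FEATURE_REQUEST) failing, and in the Nano S log further down the connect succeeds right after it.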
Friendly nudge on this one @cslashm.
Hi all, MacOS and smartcards are a pain! It is often a question of the security of MacOS fire-walling the HW. Unfortunately I'm not a MacOS expert (I was born in an ordinary hospital, not in an Apple store :) ).
BTW, before playing with gnupg or any other high-level tool, the MacOS equivalents of lsusb and pcsc_scan must correctly report the presence of the reader (see below).
Note: All the code regarding the USB CCID handling is open source, either in the SDK or in the app.
NanoX sample:
$ lsusb -v
Bus 001 Device 076: ID 2c97:0004 Ledger Nano X
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x2c97
idProduct 0x0004
bcdDevice 2.01
iManufacturer 1 Ledger
iProduct 2 Nano X
iSerial 3 0001
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x0076
bNumInterfaces 2
bConfigurationValue 1
iConfiguration 2 Nano X
bmAttributes 0xc0
Self Powered
MaxPower 100mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 3 Human Interface Device
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 2 Nano X
HID Device Descriptor:
bLength 9
bDescriptorType 33
bcdHID 1.11
bCountryCode 0 Not supported
bNumDescriptors 1
bDescriptorType 34 Report
wDescriptorLength 34
Report Descriptors:
** UNAVAILABLE **
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 1
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 2
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 11 Chip/SmartCard
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 5 Nano X
ChipCard Interface Descriptor:
bLength 54
bDescriptorType 33
bcdCCID 1.10 (Warning: Only accurate for version 1.0)
nMaxSlotIndex 0
bVoltageSupport 3 5.0V 3.0V
dwProtocols 1 T=0
dwDefaultClock 3600
dwMaxiumumClock 3600
bNumClockSupported 0
dwDataRate 9677 bps
dwMaxDataRate 9677 bps
bNumDataRatesSupp. 0
dwMaxIFSD 0
dwSyncProtocols 00000000
dwMechanical 00000000
dwFeatures 000206BA
Auto configuration based on ATR
Auto voltage selection
Auto clock change
Auto baud rate change
Auto PPS made by CCID
NAD value other than 0x00 accepted
Auto IFSD exchange
Short APDU level exchange
dwMaxCCIDMsgLen 271
bClassGetResponse 00
bClassEnvelope 00
wlcdLayout none
bPINSupport 3 verification modification
bMaxCCIDBusySlots 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x03 EP 3 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
Device Status: 0x0003
Self Powered
Remote Wakeup Enabled
and
$ pcsc_scan
Using reader plug'n play mechanism
Scanning present readers...
0: Ledger Nano X [Nano X] (0001) 00 00
Wed Feb 24 12:52:23 2021
Reader 0: Ledger Nano X [Nano X] (0001) 00 00
Event number: 0
Card state: Card inserted,
ATR: 3B 00
ATR: 3B 00
+ TS = 3B --> Direct Convention
+ T0 = 00, Y(1): 0000, K: 0 (historical bytes)
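As an added example that is not part of this thread, the Ledger SDK or the OpenPGP.XL app, here is a parser for exactly the `lsusb -v` output quoted above: it finds the interface with bInterfaceClass 11 (Chip/SmartCard), decodes the CCID `dwFeatures` bitmask against the USB CCID class specification, and reports whether the reader offers T=0/T=1, short or extended APDUs and pinpad PIN verification/modification. The feature table is the subset of the specification's bits that matter for an OpenPGP card, and the embedded sample is an abridged copy of the Nano X descriptor posted above.

```python
"""Check an `lsusb -v` dump for a CCID (Chip/SmartCard) interface and decode what it offers.
Added example; not code from this thread, the Ledger SDK or the OpenPGP.XL app."""
import re

USB_CLASS_CCID = 11  # bInterfaceClass 0x0B, shown by lsusb as "Chip/SmartCard"

# dwFeatures bits, USB CCID class specification rev 1.1 section 5.1 (subset).
CCID_FEATURES = {
    0x00000002: "auto configuration based on ATR",
    0x00000004: "auto activation of ICC on insertion",
    0x00000008: "auto voltage selection",
    0x00000010: "auto clock change",
    0x00000020: "auto baud rate change",
    0x00000040: "auto parameter negotiation by CCID",
    0x00000080: "auto PPS by CCID",
    0x00000100: "clock stop mode",
    0x00000200: "NAD value other than 0x00 accepted",
    0x00000400: "auto IFSD exchange",
    0x00010000: "TPDU level exchange",
    0x00020000: "short APDU level exchange",
    0x00040000: "short and extended APDU level exchange",
}
CCID_FIELDS = ("dwProtocols", "dwFeatures", "dwMaxCCIDMsgLen", "bPINSupport")
HEX_FIELDS = {"dwFeatures"}  # lsusb prints dwFeatures in hex, the other CCID fields in decimal


def decode_features(dw_features: int):
    return [name for bit, name in sorted(CCID_FEATURES.items()) if dw_features & bit]


def parse_interfaces(lsusb_text: str):
    """Split an `lsusb -v` dump into per-interface dicts: number, class, CCID fields, endpoints."""
    interfaces, cur = [], None
    for raw in lsusb_text.splitlines():
        line = raw.strip()
        if line.startswith("Interface Descriptor:"):
            cur = {"number": None, "class": None, "ccid": {}, "endpoints": []}
            interfaces.append(cur)
            continue
        m = re.match(r"(\w+)\s+(0x)?([0-9A-Fa-f]+)", line) if cur is not None else None
        if not m:
            continue
        key, is_hex, val = m.group(1), m.group(2) is not None, m.group(3)
        if key == "bInterfaceNumber":
            cur["number"] = int(val)
        elif key == "bInterfaceClass":
            cur["class"] = int(val)
        elif key == "bEndpointAddress":
            cur["endpoints"].append(int(val, 16))
        elif key in CCID_FIELDS:
            cur["ccid"][key] = int(val, 16 if (is_hex or key in HEX_FIELDS) else 10)
    return interfaces


def ccid_report(lsusb_text: str):
    """Summarise the first CCID interface in the dump, or None if the device has none."""
    m = re.search(r"\bID ([0-9a-fA-F]{4}:[0-9a-fA-F]{4})\b", lsusb_text)
    usb_id = m.group(1).lower() if m else None
    for iface in parse_interfaces(lsusb_text):
        if iface["class"] != USB_CLASS_CCID:
            continue
        c = iface["ccid"]
        feats, proto, pin = c.get("dwFeatures", 0), c.get("dwProtocols", 0), c.get("bPINSupport", 0)
        return {
            "usb_id": usb_id,  # the vendor:product pair libccid's Info.plist has to list
            "interface_number": iface["number"],
            "features": decode_features(feats),
            "short_apdu": bool(feats & 0x00020000),
            "extended_apdu": bool(feats & 0x00040000),
            "t0": bool(proto & 1), "t1": bool(proto & 2),
            "pin_verify": bool(pin & 1), "pin_modify": bool(pin & 2),  # pinpad, cf. enable-pinpad-varlen
            "max_ccid_msg_len": c.get("dwMaxCCIDMsgLen"),
            "bulk_in": next((ep for ep in iface["endpoints"] if ep & 0x80), None),
            "bulk_out": next((ep for ep in iface["endpoints"] if not ep & 0x80), None),
        }
    return None


# Abridged copy of the Nano X `lsusb -v` output posted above in this thread.
LSUSB_NANO_X = """\
Bus 001 Device 076: ID 2c97:0004 Ledger Nano X
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         3 Human Interface Device
        bEndpointAddress     0x82  EP 2 IN
        bEndpointAddress     0x02  EP 2 OUT
    Interface Descriptor:
      bInterfaceNumber        2
      bInterfaceClass        11 Chip/SmartCard
      ChipCard Interface Descriptor:
        dwProtocols             1  T=0
        dwFeatures       000206BA
        dwMaxCCIDMsgLen       271
        bPINSupport             3  verification modification
        bEndpointAddress     0x83  EP 3 IN
        bEndpointAddress     0x03  EP 3 OUT
"""

if __name__ == "__main__":
    print(ccid_report(LSUSB_NANO_X))
```

Two things worth reading off the report: `dwMaxCCIDMsgLen 271` is the 10-byte CCID header plus a 261-byte short APDU, and the extended-APDU bit is not set, so anything larger than a short APDU (an RSA-2048 ciphertext, for instance) has to go through command chaining; `bPINSupport 3` is what makes scdaemon's `enable-pinpad-varlen` meaningful. The USB ID is reported because libccid only drives readers whose vendor:product pair is listed in its `Info.plist`, which is why the later remark in this thread about changed USB IDs matters.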
Thank you for your response, @cslashm. If one were to embark on the endeavour of looking into the USB CCID code—which is beyond my expertise currently—where would one start?
Running pcsctest on macOS with the Ledger Nano S attached and the OpenPGP.XL application open just hangs:
% pcsctest
MUSCLE PC/SC Lite Test Program
Testing SCardEstablishContext : Command successful.
Testing SCardGetStatusChange
Please insert a working reader :
Whereas the device is shown in Apple's equivalent of lsusb:
% system_profiler SPUSBDataType
Inspecting the IO registry the Nano S is listed on various planes/classes:
% ioreg -C IOUSBHostInterface
% ioreg -C AppleUSBInterface
% ioreg -c AppleUSBDevice
Is there anything that strikes you as odd or that would be a good starting point for further investigation?
Friendly ping on ☝️ for @cslashm :)
Same issue here, my YubiKey works fine on MacOs Catalina, but it can't recognize Ledger Nano X as a smart-card.
gpg --card-status
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device
Same issue here as well for both of my Ledger Nano X.
Hello, I updated my Nano S and Nano X to the latest firmware version 2.0.0. The GPG app stopped working on the Nano X, but on the Nano S it still works fine; here below are the logs of scdaemon.
Ledger Nano S GPG App 1.4.4
$ pcsctest
MUSCLE PC/SC Lite Test Program
Testing SCardEstablishContext : Command successful.
Testing SCardGetStatusChange
Please insert a working reader : Command successful.
Testing SCardListReaders : Command successful.
Reader 01: Ledger Nano S
Enter the reader number : 1
Waiting for card insertion
: Command successful.
Testing SCardConnect : Command successful.
Testing SCardStatus : Command successful.
Current Reader Name : Ledger Nano S
Current Reader State : 0x54
Current Reader Protocol : 0x0
Current Reader ATR Size : 2 (0x2)
Current Reader ATR Value : 3B 00
Testing SCardDisconnect : Command successful.
Testing SCardReleaseContext : Command successful.
Testing SCardEstablishContext : Command successful.
Testing SCardGetStatusChange
Please insert a working reader : Command successful.
Testing SCardListReaders : Command successful.
Reader 01: Ledger Nano S
Enter the reader number : ^C
Ledger Nano X GPG App 1.4.4
$ pcsctest
MUSCLE PC/SC Lite Test Program
Testing SCardEstablishContext : Command successful.
Testing SCardGetStatusChange
Please insert a working reader : Command successful.
Testing SCardListReaders : Command successful.
Reader 01: Ledger Nano X
Enter the reader number : 1
Waiting for card insertion
^C
Ledger Nano S GPG App 1.4.4
2021-10-26 17:27:40 scdaemon[41206] listening on socket '/Users/juan/.gnupg/S.scdaemon'
2021-10-26 17:27:40 scdaemon[41206] handler for fd -1 started
2021-10-26 17:27:40 scdaemon[41206] DBG: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
2021-10-26 17:27:40 scdaemon[41206] DBG: chan_7 <- GETINFO socket_name
2021-10-26 17:27:40 scdaemon[41206] DBG: chan_7 -> D /Users/juan/.gnupg/S.scdaemon
2021-10-26 17:27:40 scdaemon[41206] DBG: chan_7 -> OK
2021-10-26 17:27:40 scdaemon[41206] DBG: chan_7 <- OPTION event-signal=31
2021-10-26 17:27:40 scdaemon[41206] DBG: chan_7 -> OK
2021-10-26 17:27:40 scdaemon[41206] DBG: chan_7 <- GETINFO version
2021-10-26 17:27:40 scdaemon[41206] DBG: chan_7 -> D 2.2.27
2021-10-26 17:27:40 scdaemon[41206] DBG: chan_7 -> OK
2021-10-26 17:27:40 scdaemon[41206] DBG: chan_7 <- SERIALNO
2021-10-26 17:27:40 scdaemon[41206] DBG: enter: apdu_open_reader: portstr=(null)
2021-10-26 17:27:40 scdaemon[41206] detected reader 'Ledger Nano S'
2021-10-26 17:27:40 scdaemon[41206] detected reader ''
2021-10-26 17:27:40 scdaemon[41206] reader slot 0: not connected
2021-10-26 17:27:40 scdaemon[41206] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
2021-10-26 17:27:40 scdaemon[41206] DBG: enter: apdu_connect: slot=0
2021-10-26 17:27:40 scdaemon[41206] pcsc_control failed: not transacted (0x80100016)
2021-10-26 17:27:40 scdaemon[41206] pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65547
2021-10-26 17:27:40 scdaemon[41206] reader slot 0: active protocol: T0
2021-10-26 17:27:40 scdaemon[41206] slot 0: ATR=3B 00
2021-10-26 17:27:40 scdaemon[41206] DBG: pcsc_get_status_change: changed present excl
2021-10-26 17:27:40 scdaemon[41206] DBG: leave: apdu_connect => sw=0x0
2021-10-26 17:27:40 scdaemon[41206] DBG: send apdu: c=00 i=A4 p1=00 p2=0C lc=2 le=-1 em=0
2021-10-26 17:27:40 scdaemon[41206] DBG: PCSC_data: 00 A4 00 0C 02 3F 00
2021-10-26 17:27:40 scdaemon[41206] DBG: response: sw=9000 datalen=0
...
Ledger Nano X GPG App 1.4.4
2021-10-26 17:26:09 scdaemon[38976] listening on socket '/Users/juan/.gnupg/S.scdaemon'
2021-10-26 17:26:09 scdaemon[38976] handler for fd -1 started
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 <- GETINFO socket_name
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 -> D /Users/juan/.gnupg/S.scdaemon
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 -> OK
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 <- OPTION event-signal=31
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 -> OK
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 <- GETINFO version
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 -> D 2.2.27
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 -> OK
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 <- SERIALNO
2021-10-26 17:26:09 scdaemon[38976] DBG: enter: apdu_open_reader: portstr=(null)
2021-10-26 17:26:09 scdaemon[38976] detected reader 'Ledger Nano X'
2021-10-26 17:26:09 scdaemon[38976] detected reader ''
2021-10-26 17:26:09 scdaemon[38976] reader slot 0: not connected
2021-10-26 17:26:09 scdaemon[38976] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
2021-10-26 17:26:09 scdaemon[38976] DBG: enter: apdu_connect: slot=0
2021-10-26 17:26:09 scdaemon[38976] reader slot 0: not connected
2021-10-26 17:26:09 scdaemon[38976] DBG: leave: apdu_connect => sw=0x10008
2021-10-26 17:26:09 scdaemon[38976] DBG: enter: apdu_close_reader: slot=0
2021-10-26 17:26:09 scdaemon[38976] DBG: enter: apdu_disconnect: slot=0
2021-10-26 17:26:09 scdaemon[38976] DBG: leave: apdu_disconnect => sw=0x0
2021-10-26 17:26:09 scdaemon[38976] DBG: leave: apdu_close_reader => 0x0 (close_reader)
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 -> ERR 100696144 Operation not supported by device <SCD>
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 <- RESTART
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 -> OK
2021-10-26 17:26:51 scdaemon[38976] DBG: chan_7 <- killscd
2021-10-26 17:26:51 scdaemon[38976] DBG: chan_7 -> OK closing connection
This is my scdaemon.conf
$ cat scdaemon.conf
allow-admin
disable-ccid
log-file /Users/juan/tmp/scdeamon.log
debug-level guru
debug-all
I don't think the problem comes from Mac OS, because this morning it was working fine; it is just after the firmware upgrade that it stopped working.
Any ideas? CC @cslashm
my Nano X App 1.4.4 stopped working on Ubuntu 20.04 after firmware 2.0.2 upgrade
Quick update that the Ledger Nano S (Firmware Version 2.1.0) with openpgp-card-app(OpenPGP.XL 1.4.40) is now detected by GnuPG using macOS Monterey (12.2.1 21D62), GnuPG 2.3.4 (libgcrypt 1.9.4) and CCID 1.4.3. 🎉
@afh same here with Nano X. Are you able to encrypt/decrypt with your Nano S?
Thanks for asking @bereska and making sure I double check the functionality; I assumed "it just works"™ and it seems there are more obstacles to overcome.
TL;DR: Moving the encryption subkey to the card does not create a shadowed private key, i.e. key is on the card, but also still available on disk. Any help in keeping the key on the card, but "removing" it, that is making it a shadowed private key, is greatly appreciated!
:warning: NOTA BENE: I'm currently using a dedicated Ledger Nano S and the OpenPGP.XL application on it ONLY for testing purposes. In case you follow any of my steps or commands you are at risk of irreversibly losing your private key and access to any data that may have been encrypted with it!
Here is what I've done:
% mkdir -p -m 0700 ~/tmp/ledger-nano-s-gnupg; export GNUPGHOME=~/tmp/ledger-nano-s-gnupg
% gpgconf --kill all; gpgconf --launch gpg-agent
% PASS=$(pwgen -By 24 1)
% gpg --batch --passphrase $PASS --quick-gen-key "Ledger Nano_S (Test) <mail@example.net>" ed25519 cert 4w
% export KEYID=$(gpg --list-options show-only-fpr-mbox --list-secret-keys | awk '{print $1}')
% gpg --batch --pinentry-mode=loopback --passphrase $PASS --quick-add-key $KEYID cv25519 encrypt 4w
% gpg --list-secret-key | sed -e "s#$HOME#\$HOME#" -e "s#$KEYID#\$KEYID#"
$HOME/tmp/ledger-nano-s-gnupg/pubring.kbx
----------------------------------------------
sec ed25519 2022-02-18 [C] [expires: 2022-03-18]
$KEYID
uid [ultimate] Ledger Nano_S (Test) <mail@example.net>
ssb cv25519 2022-02-18 [E] [expires: 2022-03-18]
Store the subkey id and fingerprint and the public key id in environment variables for use in later commands below
% export SUBKEYID=$(gpg --list-keys --with-colons | awk -F: '/^sub/{print $5}')
% export SUBKEYFPR=$(gpg --list-keys --with-colons | awk -F: '/^sub/{getline; print $10}')
% export PUBKEYID=$(gpg --list-keys --with-colons | awk -F: '/^pub/{print $5}')
% print "key $SUBKEYID\nkeytocard\n2\nsave\n" | gpg --command-fd 0 --edit-key $KEYID
gpg (GnuPG) 2.3.4; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec  ed25519/14F496EF98C2F7B1
     created: 2022-02-18  expires: 2022-03-18  usage: C
     trust: ultimate      validity: ultimate
ssb  cv25519/D4CA58C1093A46BA
     created: 2022-02-18  expires: 2022-03-18  usage: E
[ultimate] (1). Ledger Nano_S (Test) <mail@example.net>

sec  ed25519/14F496EF98C2F7B1
     created: 2022-02-18  expires: 2022-03-18  usage: C
     trust: ultimate      validity: ultimate
ssb* cv25519/D4CA58C1093A46BA
     created: 2022-02-18  expires: 2022-03-18  usage: E
[ultimate] (1). Ledger Nano_S (Test) <mail@example.net>

Please select where to store the key:
   (2) Encryption key

sec  ed25519/14F496EF98C2F7B1
     created: 2022-02-18  expires: 2022-03-18  usage: C
     trust: ultimate      validity: ultimate
ssb* cv25519/D4CA58C1093A46BA
     created: 2022-02-18  expires: 2022-03-18  usage: E
[ultimate] (1). Ledger Nano_S (Test) <mail@example.net>
% gpg --card-status | sed -e "s#$KEYID#\$KEYID#g" -e "s#$PUBKEYID#\$PUBKEYID#g" -e "s#$SUBKEYID#\$SUBKEYID#g" -e 's#^\(Serial.*:\).*#\1 $SERIAL#' -e 's#^\(Encryption.*:\).*#\1 $SUBKEYFPR#'
Reader ...........: Ledger Nano S
Application ID ...: D2760001240103032C972D671E230000
Application type .: OpenPGP
Version ..........: 3.3
Manufacturer .....: unknown
Serial number ....: $SERIAL
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 cv25519 rsa2048
Max. PIN lengths .: 12 12 12
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: $SUBKEYFPR
created ....: 2022-02-18 09:43:15
Authentication key: [none]
General key info..: sub cv25519/$SUBKEYID 2022-02-18 Ledger Nano_S (Test) <mail@example.net>
sec ed25519/$PUBKEYID created: 2022-02-18 expires: 2022-03-18
ssb cv25519/$SUBKEYID created: 2022-02-18 expires: 2022-03-18
% gpg --list-secret-key | sed -e "s#$HOME#\$HOME#" -e "s#$KEYID#\$KEYID#"
$HOME/tmp/ledger-nano-s-gnupg/pubring.kbx
----------------------------------------------
sec ed25519 2022-02-18 [C] [expires: 2022-03-18]
$KEYID
uid [ultimate] Ledger Nano_S (Test) <mail@example.net>
ssb cv25519 2022-02-18 [E] [expires: 2022-03-18]
NOTA BENE: note how the subkey listing on the last line is missing the > after the ssb tag that would indicate that the key is stored on a smartcard. This does not seem right.
Surely encrypting and decrypting data works, but regardless of whether the Ledger Nano S is connected or not.
@cslashm any ideas of what might be going wrong and how to possibly fix this?
@afh I wish I could help but I am just not as knowledgeable as you are with GnuPG. But I hope you can help me with my problem. The card is detected and I can edit the card and the keys but I can't encrypt/decrypt:
MacBook-Air-DG-4007:~ bereska$ gpg --card-status
Reader ...........: Ledger Nano X
Application ID ...: D2760001240103032C97A0CC32160000
Application type .: OpenPGP
Version ..........: 3.3
Manufacturer .....: unknown
Serial number ....: A0CC3216
Name of cardholder: Dmitry Gudkov
Language prefs ...: [not set]
Salutation .......: Mr.
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 12 12 12
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: 1E86 6FB2 8C4D 9016 F779 4905 9498 E11F 82E6 5E2B
created ....: 2020-08-11 22:15:59
Encryption key....: 643B 4EAF 8ED7 9899 8593 DA73 4EA4 0FF7 1348 31D0
created ....: 2020-08-11 22:15:59
Authentication key: 0279 99A2 0605 DBFD AF15 5063 3D38 98D1 D1D2 0F38
created ....: 2020-08-11 22:15:59
General key info..: pub ed25519/9498E11F82E65E2B 2020-08-11 Dmitry Gudkov <admin@parustrans.ru>
sec# ed25519/9498E11F82E65E2B created: 2020-08-11 expires: never
ssb# ed25519/3D3898D1D1D20F38 created: 2020-08-11 expires: never
ssb# cv25519/4EA40FF7134831D0 created: 2020-08-11 expires: never
MacBook-Air-DG-4007:~ bereska$ gpg --list-secret-keys admin@parustrans
gpg: error reading key: No secret key
@bereska It seems that the secret keys on the smartcard are not in your GnuPG keyring.
The # after the key tags (sec, ssb) indicates that the keys are "offline", which means "that secret key or subkey is currently not usable" — gpg(1)
This can happen when the smartcard is used on a different computer or with a different user account that hasn't been set up with the secret keys from the smartcard.
In order to use keys on a smartcard on a different computer or with another user account, use the original computer or user account that was used to create the secret keys or move them to the smartcard.
From there run gpg --export-secret-subkeys --output exported-subkeys or, if you also need / want to include the primary key, use gpg --export-keys --output exported-keys, then on the computer or the user account where you also want to use the keys on the smart card do: gpg --import exported-subkeys or gpg --import exported-keys, then check if gpg -K lists the secret (sub)keys and you are able to decrypt your data. For good measure be sure to remove the exported keys (rm -f exported-subkeys exported-keys) when you're done.
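The listings in this thread show three states of a secret (sub)key: plain `ssb` with no marker, where the private key is still on disk (the keytocard outcome reported in the Nano S test above); `ssb#`, an offline stub with no card reference (the listing the reply above explains); and `ssb>` with a `card-no:`, a stub pointing at a card serial. The following is an added example, not code from this thread or from the OpenPGP.XL project, that makes those states machine-checkable from `gpg -K --with-colons` and `gpg --card-status --with-colons`. It assumes field 15 of a sec/ssb record carries the card's full application ID for card-backed keys and `#` for offline stubs, as GnuPG's DETAILS document describes, and that the card-status colon output has a `serial:` record; the sample listings are constructed from the key IDs and application IDs posted in this thread.

```python
"""Classify GnuPG secret (sub)keys as on-disk, card-backed or offline stubs.
Added example, not code from the thread or the OpenPGP.XL project. Reads the
--with-colons output of `gpg -K` and `gpg --card-status`."""


def card_no(aid_hex: str) -> str:
    """OpenPGP card application ID: RID(5) app(1) version(2) manufacturer(2) serial(4) RFU(2)
    bytes; gpg renders it as "card-no: <manufacturer> <serial>"."""
    aid = aid_hex.upper()
    return f"{aid[16:20]} {aid[20:28]}" if len(aid) == 32 else aid


def classify_secret_keys(secret_keys_colon: str):
    """Return [(tag, keyid, capabilities, state, token)] for each sec/ssb record.

    Field 15 (index 14) of a sec/ssb record is the token serial for a card-backed
    key, '#' for an offline stub, and empty when the private key material itself
    is in private-keys-v1.d (sec>/ssb>, sec#/ssb# and plain sec/ssb in `gpg -K`).
    """
    rows = []
    for line in secret_keys_colon.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb") or len(f) < 15:
            continue
        token = f[14]
        state = "offline" if token == "#" else "card" if token else "disk"
        rows.append((f[0], f[4], f[11], state, token))
    return rows


def card_serial(card_status_colon: str):
    """Application ID of the inserted card from `gpg --card-status --with-colons`, or None."""
    for line in card_status_colon.splitlines():
        f = line.split(":")
        if f[0] == "serial" and len(f) > 1 and f[1]:
            return f[1].upper()
    return None


def usable_for_decryption(secret_keys_colon: str, card_status_colon: str):
    """Return (ok, reason) for the encryption subkey against the currently inserted card."""
    present = card_serial(card_status_colon)
    for tag, keyid, caps, state, token in classify_secret_keys(secret_keys_colon):
        if tag != "ssb" or "e" not in caps.lower():
            continue
        if state == "disk":
            # The keytocard outcome reported above: works with or without the card.
            return True, f"{keyid}: private key on disk, card not required"
        if state == "offline":
            return False, f"{keyid}: '#' stub with no card serial; import the public key and run gpg --card-status with the card inserted"
        if present is None:
            return False, f"{keyid}: needs card {card_no(token)}, no card inserted"
        if present != token.upper():
            return False, f"{keyid}: needs card {card_no(token)}, inserted card is {card_no(present)}"
        return True, f"{keyid}: stub points at the inserted card {card_no(token)}"
    return False, "no encryption subkey in the secret keyring"


# Constructed sample listings, modelled on the key IDs and application IDs posted in this thread.
AID_NANO_X = "D2760001240103032C97A0CC32160000"
AID_NANO_S = "D2760001240103032C972D671E230000"
SECRET_KEYS_CARD = f"""\
sec:u:256:22:9498E11F82E65E2B:1597184159:::u:::cSC:::{AID_NANO_X}:::23::0:
fpr:::::::::1E866FB28C4D9016F77949059498E11F82E65E2B:
uid:u::::1597184159::0000000000000000000000000000000000000000::Dmitry Gudkov <admin@parustrans.ru>::::::::::0:
ssb:u:256:18:4EA40FF7134831D0:1597184159::::::e:::{AID_NANO_X}:::23:
fpr:::::::::643B4EAF8ED798998593DA734EA40FF7134831D0:
ssb:u:256:22:3D3898D1D1D20F38:1597184159::::::a:::{AID_NANO_X}:::23:
"""
SECRET_KEYS_OFFLINE = SECRET_KEYS_CARD.replace(AID_NANO_X, "#")  # what sec#/ssb# looks like
SECRET_KEYS_DISK = SECRET_KEYS_CARD.replace(AID_NANO_X, "")      # plain sec/ssb, key still on disk
CARD_STATUS_NANO_X = f"Reader:Ledger Nano X:\nserial:{AID_NANO_X}:\n"
CARD_STATUS_NANO_S = f"Reader:Ledger Nano S:\nserial:{AID_NANO_S}:\n"

if __name__ == "__main__":
    for label, keys, card in [("card present", SECRET_KEYS_CARD, CARD_STATUS_NANO_X),
                              ("wrong card", SECRET_KEYS_CARD, CARD_STATUS_NANO_S),
                              ("offline stub", SECRET_KEYS_OFFLINE, CARD_STATUS_NANO_X),
                              ("key on disk", SECRET_KEYS_DISK, "")]:
        print(label, usable_for_decryption(keys, card))
```

Against a real keyring, feed it `gpg -K --with-colons` and `gpg --card-status --with-colons` output; the "key on disk" branch returning True is the case to treat as a finding, since it means the card adds no protection for that subkey until the on-disk copy in private-keys-v1.d is replaced by a stub.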
@afh thank you very much. I tried to import exported-secret-keys but no dice. Strangely I noticed that decryption also fails on the original machine:
bereska@ubuntuVM:~$ gpg -esa -r admin@parustrans test_nanox
File 'test_nanox.asc' exists. Overwrite? (y/N) y
bereska@ubuntuVM:~$ gpg -d test_nanox.asc
gpg: encrypted with 256-bit ECDH key, ID 4EA40FF7134831D0, created 2020-08-11
"Dmitry Gudkov <admin@parustrans.ru>"
gpg: public key decryption failed: Card error
gpg: decryption failed: No secret key
bereska@ubuntuVM:~$ gpg --card-status
Reader ...........: Ledger Token [Nano X] (0001) 00 00
Application ID ...: D2760001240103032C97A0CC32160000
Application type .: OpenPGP
Version ..........: 3.3
Manufacturer .....: unknown
Serial number ....: A0CC3216
Name of cardholder: Dmitry Gudkov
Language prefs ...: [not set]
Salutation .......: Mr.
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 12 12 12
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: 1E86 6FB2 8C4D 9016 F779 4905 9498 E11F 82E6 5E2B
created ....: 2020-08-11 22:15:59
Encryption key....: 643B 4EAF 8ED7 9899 8593 DA73 4EA4 0FF7 1348 31D0
created ....: 2020-08-11 22:15:59
Authentication key: 0279 99A2 0605 DBFD AF15 5063 3D38 98D1 D1D2 0F38
created ....: 2020-08-11 22:15:59
General key info..: pub ed25519/9498E11F82E65E2B 2020-08-11 Dmitry Gudkov <admin@parustrans.ru>
sec> ed25519/9498E11F82E65E2B created: 2020-08-11 expires: never
card-no: 2C97 A0CC3216
ssb> ed25519/3D3898D1D1D20F38 created: 2020-08-11 expires: never
card-no: 2C97 A0CC3216
ssb> cv25519/4EA40FF7134831D0 created: 2020-08-11 expires: never
card-no: 2C97 A0CC3216
Following on this issue, I also wrote in here too: #71
I just updated the CCID driver to the latest version 1.5.0. Sadly the results are the same. I am pretty confident to say that the problem is no longer in the Ledger firmware or the OpenPGP.XL app but in the Python tool, whose last commit by the way is from 2 years ago (15 January 2020). Here below you will find the steps I took:
First I took my Ledger Nano S with firmware 1.6.1 and OpenPGP.XL app 1.4.3 and performed a backup of my keys:
$ python3 -m gpgcard.gpgcli --backup --pinpad --backup-keys --file gpg-key.pickle
GPG Ledger Admin Tool v0.1.
Copyright 2018 Cedric Mesnil <cslashm@gmail.com>, Ledger SAS
Connect to card pcsc:Ledger...OK
Verfify PINs...OK
Select slot 1...OK
Get card info...OK
Backup application...OK
Then I took my Ledger Nano X with firmware 2.0.2 and OpenPGP.XL app 1.4.4 and tried to restore the keys there:
$ python3 -m gpgcard.gpgcli --restore --pinpad --file gpg-key.pickle
GPG Ledger Admin Tool v0.1.
Copyright 2018 Cedric Mesnil <cslashm@gmail.com>, Ledger SAS
Connect to card pcsc:Ledger...OK
Verfify PINs...OK
Select slot 1...OK
Get card info...OK
Restore application...Error:
(b'0000ff88', '6f42')
I think there is not much to be done to make it work. Sadly I don't have any knowledge of GPG protocols to take this into my own hands, and also cslashm is not working with Ledger anymore, so I have no idea to whom we should address this issue.
PS: my keys are ed25519 cv25519 ed25519
FTR, I cannot connect to a Ledger Nano SP on Debian/Linux:
Bus 001 Device 036: ID 2c97:0005 Ledger Nano SP
idVendor 0x2c97 Ledger
iManufacturer 1 Ledger
Tried hard with pcscd and pcsc_scan but failed.
$ pcscd --version
pcsc-lite version 1.9.5.
Seems related to low-level CCID issues.
Hi,
The app has been refactored and updated to v2, still in the develop branch.
Please note also a change in the USB IDs (meaning the IDs used by CCID need to change).
Please check the App and the documentation.
No issue on my side to detect the ledger devices.
Hi,
I tried to set up my Ledger Nano S for GnuPG, but I cannot detect the Ledger as a smartcard reader on MacOS Catalina (10.15.7):
similarly:
Ledger seems to be already present in libccid bundle:
I have the OpenPGP.XL app installed on my Ledger (installed via Ledger Manager).
Any ideas?