LedgerHQ / app-openpgp

OpenPGP Card Application
Apache License 2.0

Problem restoring keys after firmware upgrade 2.0.0 Nano x #71

Closed bereska closed 7 months ago

bereska commented 2 years ago

Restoring keys to Nano X after firmware upgrades has always worked well, except for 2.0.0. This is on Ubuntu 20.4 on a VM on macOS. Please see the output below:

bereska@ubuntuVM:~/openpgp-card-app/pytools$ python3 -m gpgcard.gpgcli --pinpad --set-template ed255519:cv25519:ed255519 --set-fingerprints '1E866FB28C4D9016F77949059498E11F82E65E2B:643B4EAF8ED798998593DA734EA40FF7134831D0:027999A20605DBFDAF1550633D3898D1D1D20F38' --set-serial 'A0CC3216' --seed-key

GPG Ledger Admin Tool v0.1.
Copyright 2018 Cedric Mesnil cslashm@gmail.com, Ledger SAS

Connect to card pcsc:Ledger...No token OK
Verfify PINs...Error: 'GPGCard' object has no attribute 'exchange'

bereska@ubuntuVM:~/openpgp-card-app/pytools$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

juan-sebastian commented 2 years ago

I am having the same problem. I wrote up my experience in the following thread: https://github.com/LedgerHQ/openpgp-card-app/issues/59#issuecomment-952073079

I am always afraid to upgrade the firmware because every time I do, the GPG app stops working. The Ledger team needs to understand that many of us not only use Ledger for cryptos but also as an authentication device.

bereska commented 2 years ago

Yes, I read your thread #59, and I rely on my Nano X a lot. I have tried upgrading pyscard to the latest (wget https://sourceforge.net/projects/pyscard/files/pyscard/pyscard%202.0.2/pyscard-2.0.2.tar.gz), but no dice: my Nano X is just not detected on Ubuntu 20.04 anymore.

bereska commented 2 years ago

more debugging below with pcsc_scan but still no dice:

bereska@ubuntuVM:~/openpgp-card-app/pytools$ pcsc_scan
Using reader plug'n play mechanism
Scanning present readers...
Waiting for the first reader...found one
Scanning present readers...
0: Ledger Token [Nano X] (0001) 00 00

Thu Oct 28 18:08:57 2021
Reader 0: Ledger Token [Nano X] (0001) 00 00
Event number: 0
Card state: Card inserted,
ATR: 3B 00

ATR: 3B 00

bereska commented 2 years ago

I sort of got it working halfway with OpenPGP.XL 1.4.4 after 5-6 times plugging in/out and running restore. More debugging below, with ERROR again:

bereska@ubuntuVM:~/openpgp-card-app/pytools$ python3 -m gpgcard.gpgcli --pinpad --set-template ed255519:cv25519:ed255519 --set-fingerprints '1E866FB28C4D9016F77949059498E11F82E65E2B:643B4EAF8ED798998593DA734EA40FF7134831D0:027999A20605DBFDAF1550633D3898D1D1D20F38' --set-serial 'A0CC3216' --seed-key

GPG Ledger Admin Tool v0.1.
Copyright 2018 Cedric Mesnil cslashm@gmail.com, Ledger SAS

Connect to card pcsc:Ledger...OK
Verfify PINs...Error: (b'00000005', '6f42')

bereska commented 2 years ago

tried to restore the keys with a pickle file ... either way it crashes with the same ERROR below and the Nano X just hangs after "confirm pin" step:

bereska@ubuntuVM:~/openpgp-card-app/pytools$ python3 -m gpgcard.gpgcli --restore --pinpad --file gpg_backup.pickle

GPG Ledger Admin Tool v0.1.
Copyright 2018 Cedric Mesnil cslashm@gmail.com, Ledger SAS

Connect to card pcsc:Ledger...OK
Verfify PINs...Error: (b'00000005', '6f42')

snarkyerica commented 2 years ago

Exact same issue as everyone else here, even providing the default user and admin PINs in the command line. Additional APDU chatter provided, just dies regardless with that 0x6f42 status.

(.venv) [erica@franziska pytools]$ python3 -m gpgcard.gpgcli --apdu --restore --adm-pin 12345678 --user-pin 123456 --file ledger_openpgp_backup.pickle 

GPG Ledger Admin Tool v0.1.
Copyright 2018 Cedric Mesnil <cslashm@gmail.com>, Ledger SAS
Connect to card pcsc:Ledger...OK
Verfify PINs...send 0000 0020008206313233343536
recv 9000 
send 0000 00200083083132333435363738
recv 6f42 00000005
Error: 
  (b'00000005', '6f42')
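
The trace in the comment above, decoded (an added example, not part of the original comment or of the project's pytools): it identifies the two VERIFY commands, pairs each with its status word, and masks the PIN bytes, which `--apdu` prints in clear, so the trace can be shared safely. The line layout and the opaque `0000` field after `send` are assumptions taken from the quoted output; `6f42` is classified by ISO 7816-4 range only.

```python
import re

# Constructed sample: the send/recv lines from the trace quoted above.
TRACE = """\
Verfify PINs...send 0000 0020008206313233343536
recv 9000
send 0000 00200083083132333435363738
recv 6f42 00000005
"""

# VERIFY (INS 0x20) P2 values from the OpenPGP card specification.
PIN_REFS = {0x81: "PW1 (signing)", 0x82: "PW1 (user)", 0x83: "PW3 (admin)"}
# Assumption: "send <opaque field> <APDU hex>" and "recv <SW> <data hex>".
LINE = re.compile(r"(send|recv) ([0-9a-fA-F]{4}) ?([0-9a-fA-F]*)\s*$")


def describe_sw(sw):
    """Classify a status word by ISO 7816-4 range only."""
    if sw == 0x9000:
        return "success"
    return "no precise diagnosis (device-specific)" if sw >> 8 == 0x6F else "error"


def decode_trace(text):
    """Return (events, redacted_lines); PIN bytes are masked in the output."""
    events, out, pending = [], [], None
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            out.append(line)
            continue
        kind, field, payload = m.groups()
        if kind == "send":
            apdu = bytes.fromhex(payload) if len(payload) % 2 == 0 else b""
            if len(apdu) > 5 and apdu[1] == 0x20:  # VERIFY carrying a PIN
                pending = PIN_REFS.get(apdu[3], f"P2={apdu[3]:02x}")
                line = line[: m.start(3)] + payload[:10] + "**" * (len(apdu) - 5)
            else:
                pending = None
        elif pending is not None:  # response to the preceding VERIFY
            sw = int(field, 16)
            events.append((pending, sw, describe_sw(sw)))
            pending = None
        out.append(line)
    return events, out


if __name__ == "__main__":
    print(*decode_trace(TRACE), sep="\n")
```

On this trace the user PIN check returns 9000 and the admin PIN check (PW3) is the command that returns 6f42.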

snarkyerica commented 2 years ago

@cslashm just in case -- Nano X 2.0.0 firmware has left some of us with inaccessible keys, due to the firmware upgrade wiping the OpenPGP app, and this bug preventing restores.

juan-sebastian commented 2 years ago

Any news regarding this subject? Why does this happen in every update? Many of us use the Ledger as an authentication device. The GPG app should be treated as a first class app just like Bitcoin or Ethereum.

Actually, I am so used to this app not working in every update that I have a Ledger Nano S with the previous firmware as a backup for my keys.

bereska commented 2 years ago

@juan-sebastian @cslashm same here

bereska commented 2 years ago

@cslashm any chance to help resolve this?

Vepnar commented 2 years ago

@juan-sebastian I've been in touch with Ledger. They told me the issue lies in the firmware, and it will be solved in mid-January 2022.

juan-sebastian commented 2 years ago

Thanks for the feedback. Last time I had to do the same thing. As I said before, Ledger should treat this app as first class, like BTC and ETH.

bereska commented 2 years ago

OpenPGP with seed mode on Nano S/X is a unique value proposition. Please don't give up on this App

bereska commented 2 years ago

@cslashm I am happy to report that after latest 2.0.2 firmware update, it works like a charm:

bereska@ubuntuVM:~/openpgp-card-app/pytools$ python3 -m gpgcard.gpgcli --pinpad --set-template ed255519:cv25519:ed255519 --set-fingerprints '1E866FB28C4D9016F77949059498E11F82E65E2B:643B4EAF8ED798998593DA734EA40FF7134831D0:027999A20605DBFDAF1550633D3898D1D1D20F38' --set-serial 'A0CC3216' --seed-key

GPG Ledger Admin Tool v0.1.
Copyright 2018 Cedric Mesnil cslashm@gmail.com, Ledger SAS

Connect to card pcsc:Ledger...OK
Verfify PINs...OK
Select slot 1...OK
Get card info...OK
Set template...OK
Seed Key...OK
Set fingerprints...OK
Set serial...OK

juan-sebastian commented 2 years ago

Nice. Sadly, for me it still does not work. Below you will find the steps I took.

First I took my Ledger Nano S with firmware 1.6.1 and OpenPGP.XL app 1.4.3 and performed a backup of my keys:

$ python3 -m gpgcard.gpgcli --backup --pinpad --backup-keys --file gpg-key.pickle

GPG Ledger Admin Tool v0.1.
Copyright 2018 Cedric Mesnil <cslashm@gmail.com>, Ledger SAS

Connect to card pcsc:Ledger...OK
Verfify PINs...OK
Select slot 1...OK
Get card info...OK
Backup application...OK

Then I took my Ledger Nano X with firmware 2.0.2 and OpenPGP.XL app 1.4.4 and tried to restore the keys there:

$ python3 -m gpgcard.gpgcli --restore --pinpad --file gpg-key.pickle

GPG Ledger Admin Tool v0.1.
Copyright 2018 Cedric Mesnil <cslashm@gmail.com>, Ledger SAS

Connect to card pcsc:Ledger...OK
Verfify PINs...OK
Select slot 1...OK
Get card info...OK
Restore application...Error:
  (b'0000ff88', '6f42')

I got the error above. When I do a gpg --card-status, the keys are there, but when I try to use them I get the following error:

$ gl
sign_and_send_pubkey: signing failed: agent refused operation
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

It seems that the keys are corrupted on the device.

Any ideas why this is happening, @cslashm?

PS: my keys are ed25519 cv25519 ed25519

bereska commented 2 years ago

@juan-sebastian try to restore with your full one line. It worked for me:

bereska@ubuntuVM:~/openpgp-card-app/pytools$ python3 -m gpgcard.gpgcli --pinpad --set-template ed255519:cv25519:ed255519 --set-fingerprints '1E866FB28C4D9016F77949059498E11F82E65E2B:643B4EAF8ED798998593DA734EA40FF7134831D0:027999A20605DBFDAF1550633D3898D1D1D20F38' --set-serial 'A0CC3216' --seed-key

GPG Ledger Admin Tool v0.1.
Copyright 2018 Cedric Mesnil cslashm@gmail.com, Ledger SAS

Connect to card pcsc:Ledger...OK
Verfify PINs...OK
Select slot 1...OK
Get card info...OK
Set template...OK
Seed Key...OK
Set fingerprints...OK
Set serial...OK

juan-sebastian commented 2 years ago

@bereska Thanks for the advice but my keys are not seeded, they are randomly generated. So I don't think this approach will work for me.

snarkyerica commented 2 years ago

Still not working with update 2.0.2 -- seeded keys appear to work, randomly generated keys do not. The restore process seems to get further, but still fails, with APDU response 6f42 0000ff88.

cslashm commented 2 years ago

@bereska I'm not working at Ledger anymore ( :-/ :-( ) and I no longer have access to the dedicated tools to deep dive into the OS and understand what happened to the 2.x firmware series (which is managed by a new team). I'm sorry. Please contact Ledger support directly.

bereska commented 2 years ago

@cslashm merci, it explains everything, thank you for the great idea of the seed mode and the great work done with OpenPGP!

juan-sebastian commented 2 years ago

@cslashm thanks for the feedback. And the great work!!

juan-sebastian commented 2 years ago

I contacted Ledger support about this issue. It would be great if others could do the same. That way we show them that this app is used by a lot of people.

jukefr commented 2 years ago

I am facing the same issue trying to restore a key generated in seed mode from a Nano S to a Nano X.

The process of backup and restore worked fine on Nano S 2.1.0 and the smartcard works fine.

On the Nano X 2.0.2, however, I get:

Restore application...Error:
  (b'0000ff88', '6f42')

And the keys do appear to be "restored" on it, but pcsc_scan detects the card state as Card inserted, Exclusive Mode, and they do not work.

cedelavergne-ledger commented 7 months ago

Hi, The App has been refactored and the backup/restore mechanism reviewed. Also, now, Seed mode is activated by default. The new app version is v2.1, still in develop branch.