Nitrokey / opcard-rs

OpenPGP card implementation

Gnupg keeps querying card, even if key in question is unrelated to key on card #196

Open intr-cx opened 8 months ago

intr-cx commented 8 months ago

Been noticing for a while now that Gnupg keeps querying my smart card when I try to decrypt anything at all, even with keys that are not stored on the card. This is not a huge problem, but it gets quite annoying when working with large batches of encrypted files (emails or password files for example), because it takes about a second per decryption operation and it causes unnecessary strain on the device.

This does not occur with the Nitrokey Pro 2. It'll query it once, and then leave it alone.

I've tried running scdaemon with verbose logging and found this:

scdaemon[12887] DBG: chan_7 -> S SERIALNO <redacted>
scdaemon[12887] DBG: chan_7 -> OK
scdaemon[12887] DBG: chan_7 <- SERIALNO
scdaemon[12887] sending signal 12 to client 12885
scdaemon[12887] DBG: chan_7 -> S SERIALNO <redacted>
scdaemon[12887] DBG: chan_7 -> OK
scdaemon[12887] DBG: chan_7 <- KEYINFO --list=encr
scdaemon[12887] reading public key failed: Missing item in object
scdaemon[12887] DBG: chan_7 -> S KEYINFO <redacted> T <redacted> OPENPGP.2 e
scdaemon[12887] DBG: chan_7 -> OK
scdaemon[12887] DBG: chan_7 <- RESTART
scdaemon[12887] DBG: chan_7 -> OK

sosthene-nitrokey commented 8 months ago

Thank you for the report!

Do your NK3 and the Pro 2 have keys stored on them?

From my testing, gpg polls the device if there is no key in it, but if there is a key in it, it does not poll.

intr-cx commented 8 months ago

sosthene-nitrokey wrote:

> Thank you for the report!
>
> Do your NK3 and the Pro 2 have keys stored on them?

Yes, both Nitrokeys have gpg keys on them.

> From my testing, gpg polls the device if there is no key in it, but if there is a key in it, it does not poll.

When using the Pro 2, and decrypting something that was encrypted with a key not stored on the Pro 2, it will query it the first time, but no longer after that.

If there's more info I can share, feel free to ask.

intr-cx commented 8 months ago

So, I'm an idiot. The reason it's doing this is because the key on the NK3 was set as the default signing key...

Sorry for wasting your time.

intr-cx commented 7 months ago

The issue resurfaced; it seems the default signing key setting had no effect.

Using pcscd, the Nitrokey gets queried (and blinks) for any decryption operation, even with keys that are not on the Nitrokey. The issue is that it slows down all PGP decryption operations whenever the Nitrokey is plugged in.