Yubico / ykneo-openpgp

OpenPGP applet for the YubiKey NEO
https://developers.yubico.com/ykneo-openpgp/
GNU General Public License v2.0

Unable to import authentication keys #32

Closed naftulikay closed 9 years ago

naftulikay commented 9 years ago

I have generated a master key RSA 4096 with only signing support.

I've generated 3 subkeys, one for encryption, one for signatures, one for authentication. All are RSA 2048.

I go into gpg2 --card-edit $MASTER_KEY_ID and then select each key in turn to put it on the YubiKey. The encryption and signature keys go just fine. The authentication key always fails with the following error:

gpg: error writing key to card: Card error

I cannot work around this problem. Since the other keys write just fine, this indicates a firmware bug in the card.

I'm mainly following this tutorial to create an offline master key with subkeys existing on a YubiKey NEO.

I have tried resetting the card in order to clear out its memory, following Yubico's tutorial here, which worked to clear out the memory, but I still cannot import the key to the card.

I have lost a lot of time creating my PGP infrastructure only to have this fail at this point. Please advise if a workaround exists for this bug.

GPG Version: 1.4.18
GPG2 Version: 2.0.26
scdaemon Version: 2.0.26
gpg-agent Version: 2.0.26
pcscd Version: 1.8.13
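The report above describes moving subkeys to the card one slot at a time with gpg2 --card-edit. Before running keytocard, a practitioner can cross-check each subkey against what the card says its slots hold. The helper below is an added example, not part of this issue or of the ykneo-openpgp project: it parses the machine-readable output of gpg2 --list-keys --with-colons (the sub records, whose 12th field carries the s/e/a capability letters) and of gpg2 --card-status --with-colons (the keyattr records, assumed here to be slot:algo:bits), maps each subkey to the card slot its capability selects (1 = signature, 2 = encryption, 3 = authentication) and flags any subkey whose algorithm or size differs from the slot's attributes. The sample listings are constructed for illustration and are not captured from a real card; a mismatch found this way is one thing to rule out, not a claim about the cause of the failure in this thread.

```python
"""Cross-check OpenPGP subkeys against the card's per-slot key attributes.

Usage against a real setup (example, not run here):
    gpg2 --list-keys --with-colons $MASTER_KEY_ID > keys.txt
    gpg2 --card-status --with-colons > card.txt
then feed the two files' contents to check_fit(parse_subkeys(...), parse_card_slots(...)).
"""

# OpenPGP public-key algorithm ids (RFC 4880): 1 = RSA, 17 = DSA, 18 = ECDH, 19 = ECDSA.
ALGO_NAMES = {1: "rsa", 17: "dsa", 18: "ecdh", 19: "ecdsa"}

# Capability letter -> OpenPGP card slot index (sig, enc, auth).
SLOT_FOR_CAPABILITY = {"s": 1, "e": 2, "a": 3}

# Constructed sample: one RSA 4096 master key and three subkeys, the third
# deliberately RSA 4096 so it does not match a 2048-bit slot.
SAMPLE_KEY_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1420070400::::::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1420070400::ABCD::Example User <user@example.invalid>::::::::::0:
sub:u:2048:1:1111111111111111:1420070400::::::e::::::23:
sub:u:2048:1:2222222222222222:1420070400::::::s::::::23:
sub:u:4096:1:3333333333333333:1420070400::::::a::::::23:
"""

# Constructed sample card status; keyattr layout assumed as slot:algo:bits.
SAMPLE_CARD_STATUS = """\
version:0200:
vendor:0006:Yubico:
serial:00000001:
keyattr:1:1:2048:
keyattr:2:1:2048:
keyattr:3:1:2048:
"""


def parse_subkeys(listing):
    """Return [(keyid, algo_id, bits, capability_letters)] for each 'sub' record."""
    subkeys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "sub":
            continue
        bits = int(fields[2])          # field 3: key length
        algo = int(fields[3])          # field 4: public-key algorithm id
        keyid = fields[4]              # field 5: key id
        caps = fields[11].lower()      # field 12: capability letters
        subkeys.append((keyid, algo, bits, caps))
    return subkeys


def parse_card_slots(status):
    """Return {slot_index: (algo_id, bits)} from 'keyattr' records."""
    slots = {}
    for line in status.splitlines():
        fields = line.split(":")
        if fields[0] != "keyattr":
            continue
        slots[int(fields[1])] = (int(fields[2]), int(fields[3]))
    return slots


def describe(algo, bits):
    return "%s%d" % (ALGO_NAMES.get(algo, "algo%d" % algo), bits)


def check_fit(subkeys, slots):
    """Return [(keyid, slot_or_None, fits, reason)] for each subkey."""
    results = []
    for keyid, algo, bits, caps in subkeys:
        slot_caps = [c for c in caps if c in SLOT_FOR_CAPABILITY]
        if len(slot_caps) != 1:
            results.append((keyid, None, False,
                            "needs exactly one of s/e/a to pick a slot, has %r" % caps))
            continue
        slot = SLOT_FOR_CAPABILITY[slot_caps[0]]
        if slot not in slots:
            results.append((keyid, slot, False, "card reports no attributes for slot %d" % slot))
            continue
        slot_algo, slot_bits = slots[slot]
        if (algo, bits) != (slot_algo, slot_bits):
            reason = "subkey is %s but slot %d is %s" % (
                describe(algo, bits), slot, describe(slot_algo, slot_bits))
            results.append((keyid, slot, False, reason))
        else:
            results.append((keyid, slot, True, "ok"))
    return results


if __name__ == "__main__":
    report = check_fit(parse_subkeys(SAMPLE_KEY_LISTING), parse_card_slots(SAMPLE_CARD_STATUS))
    for keyid, slot, fits, reason in report:
        print("%s -> slot %s: %s (%s)" % (keyid, slot, "fits" if fits else "MISMATCH", reason))
```

Run as a script it prints one line per subkey; on the constructed sample the authentication subkey is reported as a mismatch because it is RSA 4096 while slot 3 reports RSA 2048. A subkey that maps to a slot and matches it can still fail for other reasons, so a clean report narrows the search rather than ending it.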

naftulikay commented 9 years ago

Seeing as the author of this tutorial had success importing the authentication keys, it seems that there's a bug on a YubiKey which has previously had a key occupy the authentication key slot. This YubiKey previously had keys installed in all three key slots, which I deleted using the reset tutorial.

naftulikay commented 9 years ago

I just tested this again with a fresh YubiKey which never had any keys installed on it. I was able to provision all 3 keys onto the YubiKey NEO without any problems. It appears that the bug only happens in slot 3 (the authentication slot) and only happens when this slot was occupied at one point in time in the past.

This is definitely a bug. I'll dig through the source to see if I can find it.

naftulikay commented 9 years ago

Sorry for the ruckus; for some reason, the nature of one specific subkey prevented it from being copied to the card. I deleted that subkey and everything is now working again with a new subkey.

packwidth commented 9 years ago

For the record, this has happened to me as well. In my case, it was the signing key slot. Nothing I did would let me write the key to the card. I revoked the subkey, generated another, and I was able to write it just fine.

I'll try to see what was special about the key that wouldn't work.

naftulikay commented 9 years ago

Yeah. This whole setup is so ridiculously hard to debug. I'll have a weird thing happen where no matter what I do, I can't get any card operations to work. Restart pcscd, restart gpg-agent, restart scdaemon, use gpg2, everything fails.

As awesome as PGP hardware smart cards are when they're working, they are frighteningly maddening when they don't. As an aside, it'd be really nice for Yubico to publish a blog post covering PGP setup on modern Linux distros (think Ubuntu 14.04 and above, also a tutorial for a recent stable Fedora would be nice).

Having to remember all the steps required proves to be quite a nightmare and things never just work as planned. Disable all the GNOME authenticator processes, make sure that all the packages are installed, make sure that all the services are running and can talk to each other, make sure that your user has write access to the CCID USB device, etc.

norbusan commented 8 years ago

Same here, still problematic with recent gpg. Also for me it worked on initial import, but after a reset the key did not accept my encryption key. Real bummer.

What did you guys do?