Yubico / ykneo-openpgp

OpenPGP applet for the YubiKey NEO
https://developers.yubico.com/ykneo-openpgp/
GNU General Public License v2.0

Still failures when moving keys to card #39

Closed norbusan closed 8 years ago

norbusan commented 8 years ago

This is more or less a fork of the issue #32

I still have the same problems: gpg 2.1.11, yubikey applet returns

gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
D[0000]  01 00 10 90 00                                     .....           
OK

Moving a signing and authentication key worked, but encryption key always gives:

gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection? 2
gpg: KEYTOCARD failed: Card error

The original issue is closed, but I don't think this is actually a closed issue.

I have gone through the reset procedure described in https://developers.yubico.com/ykneo-openpgp/ResetApplet.html and still the problem persists.

Any suggestions?

klali commented 8 years ago

The fix for this (probably this) is 65c6875348c406bece7c2c5a56e7f20db0ee27c9 which went into 1.0.11, it looks like you've got 1.0.10.
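Added example, not part of the original thread or the project's code: a shell check that decodes the version reply shown in the first comment and compares it with 1.0.11, the release named above as carrying the fix. The function names `applet_version`, `version_lt` and `check_applet` are hypothetical, and reading each version byte by its hex digits (0x10 as 10) is an assumption that matches how the thread reads `01 00 10` as 1.0.10.

```shell
#!/bin/sh
FIXED_VERSION="1.0.11"   # release that carries the fix, per the thread

# Print "X.Y.Z" from `gpg-connect-agent --hex` output read on stdin.
# Exit 1: no data line, 2: status word is not 90 00, 3: unexpected layout.
# Assumption: each version byte is read by its hex digits (0x10 means 10).
applet_version() {
    awk '
        /^D\[/ {
            for (i = 2; i <= NF; i++) {      # hex columns; stop at the ASCII dump
                if ($i !~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) break
                b[++n] = $i
            }
            found = 1; exit
        }
        END {
            if (!found || n < 2) exit 1
            if (toupper(b[n-1] b[n]) != "9000") exit 2
            if (n != 5) exit 3
            for (i = 1; i <= 3; i++) if (b[i] !~ /^[0-9][0-9]$/) exit 3
            printf "%d.%d.%d\n", b[1], b[2], b[3]
        }'
}

# version_lt A B: succeed if dotted version A is older than B.
version_lt() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2            # six numeric fields: a1 a2 a3 b1 b2 b3
    IFS=$old_ifs
    [ "$1" -ne "$4" ] && { [ "$1" -lt "$4" ]; return; }
    [ "$2" -ne "$5" ] && { [ "$2" -lt "$5" ]; return; }
    [ "$3" -lt "$6" ]
}

# Return 0 if the applet has the fix, 1 if it is older, 2 if unreadable.
check_applet() {
    ver=$(applet_version) || { echo "could not read applet version" >&2; return 2; }
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "applet $ver: older than $FIXED_VERSION, encryption-key import may fail"
        return 1
    fi
    echo "applet $ver: includes the fix"
}

# Reply quoted in the issue, embedded here so the example runs offline.
SAMPLE='D[0000]  01 00 10 90 00                                     .....
OK'
printf '%s\n' "$SAMPLE" | check_applet || true
```

Against a connected device, pipe the output of `gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye` into `check_applet` instead of the embedded sample.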

norbusan commented 8 years ago

Thanks for the answer. Yes, from the first output my guess is that I am running 1.0.10.

Is there a way to update the applet to 1.0.11?

klali commented 8 years ago

Unfortunately not anymore, the Neo is shipped with locked down keys.

A workaround for this issue is to generate a new key and hope that the factors fill out (or actually write a small script that can import a key and knows how to pad it like the earlier version of the applet would require).

norbusan commented 8 years ago

Ok, thanks, I will try that. That also means that the explanations here: https://developers.yubico.com/ykneo-openpgp/InstallCAPFile.html do not actually work, right?

Thanks again for your advice!

klali commented 8 years ago

Yes, the relevant quote there is "You need to have a NEO with default card manager keys, or know the card manager keys." which maybe should be clearer.

norbusan commented 8 years ago

Ahhh, I thought that is the admin pin ... well, good to know.

Maybe initiate that this is written a bit clearer, including remarks to which devices this procedure can be applied.

Thanks a lot. I guess we can close this issue.

jonathancross commented 8 years ago

@klali Am I reading this correctly that a modern YubiKey NEO cannot use the instructions here: https://developers.yubico.com/ykneo-openpgp/InstallCAPFile.html

If so, that page really needs to be updated. Thanks.