alonbl / gnupg-pkcs11-scd

PKCS#11 GnuPG SCD
http://gnupg-pkcs11.sourceforge.net/

Utimaco problem: Bad session key #34

Closed psztoch closed 2 years ago

psztoch commented 2 years ago

cat /etc/gnupg-pkcs11-scd.conf

verbose
providers utimaco
provider-utimaco-library /usr/local/lib64/libcs_pkcs11_R2.so
provider-utimaco-private-mask 0
openpgp-sign 8E3F2428B781C1D84862D0543545DA1AC411AA54
gpg --card-status
gpg: WARNING: server 'scdaemon' is older than us (0.9.3_master < 2.2.27)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: OpenPGP card not available: Bad session key

There is journal log: journal-card-status.log

File /.gnupg/private-keys-v1.d/8E3F2428B781C1D84862D0543545DA1AC411AA54.key has been created with Key: (shadowed-private-key (rsa (n....

gpg -K --with-colons

sec:u:4096:1:5B1B91B3668C9F09:1542237988:2172957988::u:::scSC:::+:::23::0:
fpr:::::::::68A1CCA9D09289608707E02A5B1B91B3668C9F09:
grp:::::::::C8C1D1BFA04FF264B6FCDE344A9101B6C9A0A4F3:
uid:u::::1542237988::3BE7367BA66F95CA0FC8EF6E58C70BA927289453::EtherMotic Repository <admin@ethermatic.com>::::::::::0:
ssb:u:4096:1:F248520952DB247B:1620598921:1872886921:::::s:::D2760001240111503131E848EB1B1111:::23:
fpr:::::::::FC5013CAA0A3B871F3F708E8F248520952DB247B:
grp:::::::::8E3F2428B781C1D84862D0543545DA1AC411AA54:

gpg -K

/root/.gnupg/pubring.kbx
------------------------
sec   rsa4096 2018-11-14 [SC] [expires: 2038-11-09]
      68A1CCA9D09289608707E02A5B1B91B3668C9F09
uid           [ultimate] EtherMatic Repository <admin@ethermatic.com>
ssb>  rsa4096 2021-05-09 [S] [expires: 2029-05-07]
alonbl commented 2 years ago

Why do you add the following parameters?

provider-utimaco-private-mask 0
openpgp-sign 8E3F2428B781C1D84862D0543545DA1AC411AA54
psztoch commented 2 years ago

provider-utimaco-private-mask 0: Isn't zero the default value?! Nevertheless, I commented it out.

openpgp-sign 8E3F2428B781C1D84862D0543545DA1AC411AA54: I thought I should add this. Without it, card-status works without problem, but then "card-edit / admin / generate" generates an error.

gpg --card-status
gpg: WARNING: server 'scdaemon' is older than us (0.9.3_master < 2.2.27)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
Reader ...........: [none]
Application ID ...: D2760001240111503131E848EB1B1111
Application type .: OpenPGP
Version ..........: 11.50
Manufacturer .....: ?
Serial number ....: E848EB1B
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa48 rsa48 rsa48
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
gpg --card-edit
(...)
gpg/card> admin
Admin commands are allowed

gpg/card> generate
(...)
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: key generation failed: Bad session key
Key generation failed: Bad session key

gpg/card>

My subkey is detected properly with ">":

gpg -K --with-subkey-fingerprint --with-keygrip
/root/.gnupg/pubring.kbx
------------------------
sec#  rsa4096 2018-11-14 [SC] [expires: 2038-11-09]
      68A1CCA9D09289608707E02A5B1B91B3668C9F09
      Keygrip = C8C1D1BFA04FF264B6FCDE344A9101B6C9A0A4F3
uid           [ultimate] EtherMatic Repository <admin@ethermatic.com>
ssb>  rsa4096 2021-05-09 [S] [expires: 2029-05-07]
      FC5013CAA0A3B871F3F708E8F248520952DB247B
      Card serial no. = 3131 E848EB1B
      Keygrip = 8E3F2428B781C1D84862D0543545DA1AC411AA54
psztoch commented 2 years ago

I have a problem with the PIN. If I configure my Utimaco PKCS #11 library and put the PIN into their config file /etc/cs_pkcs11_R2.cfg, then all works fine! And openpgp-sign should not be set. :-)

After changing the PKCS#11 configuration, just remember to kill the gpg agent. Without it, everything works on the old configuration and you can lose heart. ;-)

alonbl commented 2 years ago

Logs

psztoch commented 2 years ago

Is it possible to use gpg-preset-passphrase --preset -P PIN KEY_GRIP for PIN to PKCS#11 slot? I want to use gpg --sign for batch signing (APT repository), and pinentry is not solution for me.

alonbl commented 2 years ago

Refer to [1] as an example.

[1] https://github.com/alonbl/gnupg-pkcs11-scd/blob/master/misc/pinentry-file

alonbl commented 2 years ago

Hi, can you please check the https://github.com/alonbl/pkcs11-helper/tree/always-auth with the https://github.com/alonbl/gnupg-pkcs11-scd/tree/pincache branch? It should solve the yubikey issue. Thanks, @alonbl

alonbl commented 2 years ago

Should work with gnupg-pkcs11-scd-0.9.3