alonbl / gnupg-pkcs11-scd

PKCS#11 GnuPG SCD
http://gnupg-pkcs11.sourceforge.net/

Can this interface support Yubikey 5? #57

Closed pemensik closed 1 year ago

pemensik commented 1 year ago

Hello.

I use a Yubikey on Gitlab and for OTP. I wanted to also use it to carry my private GPG key, but I am constantly failing. I am trying on Fedora 36. I would like to have the pkcs11 interface accessible, so exclusive use of the key is not an option for me.

I tried to configure this plugin, but the reported values look bad. Especially the Key attributes have weird values.

$ LC_ALL=C.UTF-8 gpg --card-status
gpg: WARNING: server 'scdaemon' is older than us (0.10.0 < 2.3.7)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
Reader ...........: [none]
Application ID ...: D2760001240111503131EF19C56F1111
Application type .: OpenPGP
Version ..........: 11.50
Manufacturer .....: ?
Serial number ....: EF19C56F
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa48 rsa48 rsa48
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

But with the original scdaemon it reports better values.

$ LC_ALL=C.UTF-8 gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240100000006106447820000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 10644782
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Package version: gnupg-pkcs11-scd-0.10.0-1.fc36.x86_64

$ cat gpg-agent.conf
# redirect to pkcs11
scdaemon-program /usr/bin/gnupg-pkcs11-scd
pinentry-program /usr/bin/pinentry-gnome3

# increase verbosity
verbose
verbose
verbose

$ grep -v '^\s*#' gnupg-pkcs11-scd.conf 

providers yk

provider-opensc-library /usr/lib64/pkcs11/opensc-pkcs11.so
provider-yk-library /usr/lib64/libykcs11.so.2

Is there something to be tuned? It does not seem to allow working gpg --edit-card operations.

But journalctl --user -xeu gpg-agent seems to report useful values.


gnupg-pkcs11-scd[633033]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gpg-agent[632989]: first connection to daemon /usr/libexec/scdaemon established
gpg-agent[633033]: gnupg-pkcs11-scd[633033.10749760]: processing connection
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 <- GETINFO socket_name
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> D /tmp/gnupg-pkcs11-scd.SZyHdX/agent.S
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> OK
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 <- OPTION event-signal=12
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> OK
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 <- GETINFO version
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> D 0.10.0
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> OK
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 <- SERIALNO
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> S SERIALNO D2760001240111503131EF19C56F1111 0
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> OK
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 <- LEARN --force
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> S SERIALNO D2760001240111503131EF19C56F1111
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> S APPTYPE PKCS11
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> S KEY-FRIEDNLY 6E74D2394243D7806B6F803191574143F1B1F84B /CN=Yubico PIV Attestation on YubiKey PIV #10644782
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> S CERTINFO 101 pkcs11:model=YubiKey%20YK5;token=YubiKey%20PIV%20%2310644782;manufacturer=Yubico%20%28www.yubico.com%29;serial=10644782;id=%19
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> S KEYPAIRINFO 6E74D2394243D7806B6F803191574143F1B1F84B pkcs11:model=YubiKey%20YK5;token=YubiKey%20PIV%20%2310644782;manufacturer=Yubico%20%28www.yubico.>
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> OK
gpg-agent[632989]: card has S/N: D2760001240111503131EF19C56F1111
gpg-agent[632989]:           id: pkcs11:model=YubiKey%20YK5;token=YubiKey%20PIV%20%2310644782;manufacturer=Yubico%20%28www.yubico.com%29;serial=10644782;id=%19    (type=101)
gpg-agent[632989]:           id: pkcs11:model=YubiKey%20YK5;token=YubiKey%20PIV%20%2310644782;manufacturer=Yubico%20%28www.yubico.com%29;serial=10644782;id=%19    (grip=6E74D2394243D7806B6F803191574143F1B1F8>
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 <- GETATTR KEY-ATTR
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> S KEY-ATTR 1 1 1 2048 0
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> S KEY-ATTR 2 1 1 2048 0
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> S KEY-ATTR 3 1 1 2048 0
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> OK
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 <- RESTART
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> OK

Is there anything I am doing wrong? Should it work this way?

alonbl commented 1 year ago

If scdaemon works with the card why do you need to use pkcs#11?

Did you follow the instructions written at man page?

pemensik commented 1 year ago

Because scdaemon works for about 2 seconds, then it fails saying something about an exclusivity failure and requires a restart of gpg-agent again.

Which instructions exactly? I found many scattered pieces, but no direct recipe to generate a new key on the card and then be able to use it. It is not clear what should work and what never would. Some instruction is lacking on where to look for potential problems if something does not work.

Should gpg --edit-card, admin, generate work with this configuration? How do I push a new key to a card, which should work this way?

alonbl commented 1 year ago

Please read the manual, especially the gnupg integration section, and follow the sequence for your version of gnupg.

pemensik commented 1 year ago

Which manual would that be? I found the card manual, but it seems obsolete and not updated for many years. Can you point me to something relevant and up-to-date? I have issues finding documentation for this use case which would at least look correct. You may not have trouble finding it, but my googling did not bring up a decent howto.

alonbl commented 1 year ago

man gnupg-pkcs11-scd?

pemensik commented 1 year ago

Oh, there are a few examples. However, they fail for me without the expected results.

My gnupg versions: gnupg2-2.3.7-3.fc36.x86_64 gnupg-pkcs11-scd-0.10.0-1.fc36.x86_64

$ gpg --card-status 
gpg: WARNING: server 'scdaemon' is older than us (0.10.0 < 2.3.7)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
Reader ...........: [none]
Application ID ...: D2760001240111503131658709FE1111
Application type .: OpenPGP
Version ..........: 11.50
Manufacturer .....: ?
Serial number ....: 658709FE
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa48 rsa48 rsa48
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
$ gpg --card-edit

gpg: WARNING: server 'scdaemon' is older than us (0.10.0 < 2.3.7)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
Reader ...........: [none]
Application ID ...: D2760001240111503131658709FE1111
Application type .: OpenPGP
Version ..........: 11.50
Manufacturer .....: ?
Serial number ....: 658709FE
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa48 rsa48 rsa48
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> generate
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 3y
Key expires at Sat Jan 10 20:57:29 2026 CET
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: P M
Email address: pemensik@fedoraproject.org
Comment: Yubi5
You selected this USER-ID:
    "P M (Yubi5) <pemensik@fedoraproject.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: key generation failed: Bad session key
Key generation failed: Bad session key

gpg/card> 

Where journalctl contains:

...
gpg-agent[642159]: handler 0x7f29839a8640 for fd 4 terminated
gpg-agent[642159]: handler 0x7f29839a8640 for fd 4 started
gpg-agent[642159]: new connection to /usr/libexec/scdaemon daemon established (reusing)
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 <- GETINFO version
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> D 0.10.0
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> OK
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 <- SERIALNO
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> S SERIALNO D2760001240111503131658709FE1111 0
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> OK
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 <- LEARN --force
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> S SERIALNO D2760001240111503131658709FE1111
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> S APPTYPE PKCS11
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> OK
gpg-agent[642159]: card has S/N: D2760001240111503131658709FE1111
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 <- GETATTR KEY-ATTR
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> S KEY-ATTR 1 1 1 2048 0
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> S KEY-ATTR 2 1 1 2048 0
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> S KEY-ATTR 3 1 1 2048 0
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> OK
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 <- GETATTR SERIALNO
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> S SERIALNO D2760001240111503131658709FE1111
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> OK
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 <- GETATTR KEY-FPR
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> OK
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 <- GETATTR CHV-STATUS
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> S CHV-STATUS 1 1 1 1 1 1 1
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> OK
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 <- GETATTR DISP-NAME
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> S DISP-NAME PKCS#11
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> OK
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 <- GETATTR EXTCAP
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> S EXTCAP gc=0 ki=0 fc=0 pd=0 mcl3=2048 aac=0 sm=0
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> S EXTCAP gc=0 ki=0 fc=0 pd=0 mcl3=2048 aac=0 sm=0
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> S EXTCAP gc=0 ki=0 fc=0 pd=0 mcl3=2048 aac=0 sm=0
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> OK
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 <- GETATTR KEY-ATTR
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> S KEY-ATTR 1 1 1 2048 0
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> S KEY-ATTR 2 1 1 2048 0
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> S KEY-ATTR 3 1 1 2048 0
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> OK
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 <- CHECKPIN D2760001240111503131658709FE1111
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> OK
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 <- GETATTR KEY-ATTR
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> S KEY-ATTR 1 1 1 2048 0
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> S KEY-ATTR 2 1 1 2048 0
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> S KEY-ATTR 3 1 1 2048 0
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> OK
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 <- GENKEY --timestamp=20230111T195750 --force 1
gpg-agent[642181]: gnupg-pkcs11-scd[642181]: chan_0 -> ERR 19 Bad session key <Unspecified source>
gpg-agent[642159]: handler 0x7f29821a5640 for fd 7 started
gpg-agent[642159]: socket is still served by this server
gpg-agent[642159]: handler 0x7f29821a5640 for fd 7 terminated

pemensik commented 1 year ago

Oh, there are 4 very different recipes, and only the last one is for my version of gpg.

The suggestion expects that there is already a key.

  (14) Existing key from card
Your selection? 14
Serial number of the card: D2760001240111503131658709FE1111
error reading the card: No data
$ gpg --edit-key A49E4430600513537D9D4B8D02AEEEFEC64C8EA9

gpg> keytocard
Really move the primary key? (y/N) y
gpg: WARNING: server 'scdaemon' is older than us (0.10.0 < 2.3.7)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
The card does not support the import of keys

Now, should I use some pkcs11 tool to generate an RSA pair on the token, and only then can I import it into gpg? Isn't it possible to directly generate a new key pair on the token? Can it require some authentication?

alonbl commented 1 year ago

> Now, should I use some pkcs11 tool to generate an RSA pair on the token, and only then can I import it into gpg? Isn't it possible to directly generate a new key pair on the token? Can it require some authentication?

gnupg-pkcs11-scd works only with already personalized cards, and supports
     (for the time being) only RSA key pairs.  The following constraints must
     be satisfied:

     1.   For each private key object, a certificate object must exist on the
          card.  The existence of the corresponding public key object is not
          important (since the certificate includes public key).
     2.   The certificate and the corresponding private key must have identical
          CKA_ID attribute.
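As an added example (not code from the issue or from the gnupg-pkcs11-scd project), the script below applies the two constraints quoted above to a `pkcs11-tool --list-objects` listing: it parses OpenSC's text output, flags private keys that are not RSA or that lack a certificate object with the identical CKA_ID, and lists the keys gnupg-pkcs11-scd could use. The listing is constructed sample data; the PIV-style labels and the IDs are made up, not read from any real token.

```python
import re

# Constructed sample of OpenSC `pkcs11-tool --login --list-objects` output.
# Labels and IDs are made up; nothing was captured from the issue's token.
SAMPLE_LISTING = """\
Private Key Object; RSA
  label:      Private key for Digital Signature
  ID:         02
Certificate Object; type = X.509 cert
  label:      X.509 Certificate for Digital Signature
  ID:         02
Private Key Object; EC
  label:      Private key for Key Management
  ID:         03
Certificate Object; type = X.509 cert
  label:      X.509 Certificate for Key Management
  ID:         03
Private Key Object; RSA
  label:      Private key for PIV Authentication
  ID:         01
Public Key Object; RSA 2048 bits
  label:      Public key for PIV Authentication
  ID:         01
"""

# Object header ("Private Key Object; RSA") and indented attribute ("  ID: 02") lines.
OBJECT_RE = re.compile(r"^(Private Key|Public Key|Certificate) Object;\s*(.*)$")
ATTR_RE = re.compile(r"^\s+(\w+):\s*(.*)$")

def parse_objects(listing):
    """Parse the listing into dicts with class, info and lower-cased attributes."""
    objects, current = [], None
    for line in listing.splitlines():
        m = OBJECT_RE.match(line)
        if m:  # a new object starts; following attribute lines belong to it
            current = {"class": m.group(1), "info": m.group(2).strip()}
            objects.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).strip()
    return objects

def check_scd_constraints(objects):
    """Return (key_id, label, reason) for each private key gnupg-pkcs11-scd rejects."""
    cert_ids = {o.get("id") for o in objects if o["class"] == "Certificate"}
    problems = []
    for o in objects:
        if o["class"] != "Private Key":
            continue
        key_id, label = o.get("id"), o.get("label", "<no label>")
        if not o["info"].startswith("RSA"):  # only RSA key pairs are supported
            problems.append((key_id, label, "not-rsa"))
        if key_id is None:  # a key without CKA_ID can never be paired
            problems.append((key_id, label, "no-cka-id"))
        elif key_id not in cert_ids:  # a public key object does not count, only a certificate
            problems.append((key_id, label, "no-certificate"))
    return problems

def usable_key_ids(objects):
    """CKA_IDs of private keys that pass both checks."""
    bad = {p[0] for p in check_scd_constraints(objects)}
    return [o["id"] for o in objects if o["class"] == "Private Key" and o.get("id") not in bad]
```

To run it against a real token, replace SAMPLE_LISTING with the output of `pkcs11-tool --module /usr/lib64/libykcs11.so.2 --login --list-objects` (the library path from the configuration in this issue); private key objects are private and only appear after login.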

pemensik commented 1 year ago

Does that mean importing keys as described on https://developers.yubico.com/PGP/Importing_keys.html has to be done by the classic gpg driver scdaemon, and only when the key is imported into the token? What exactly does a personalized token mean? I think ykpersonalize does a very different thing and does not allow generating or importing keys, it seems to me. Perhaps I do not understand the terminology used.

pemensik commented 1 year ago

Managed to initialize a key on the card just the normal gpg way. I just stopped pcscd.{service,socket} for a while, then restarted it.

Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240100000006155074100000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 15507410
Name of cardholder: Petr Mensik
Language prefs ...: [není nastaveno]
Salutation .......: 
URL of public key : [není nastaveno]
Login data .......: pemensik@fedoraproject.org
Signature PIN ....: není vyžadováno
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: A49E 4430 6005 1353 7D9D  4B8D 02AE EEFE C64C 8EA9
      created ....: 2023-01-11 18:59:07
Encryption key....: D4AA 2ECA F1DE D2CE E847  DEB9 94CE 5B3B 4D7F C69E
      created ....: 2023-01-11 18:59:07
Authentication key: [none]
General key info..: 
pub  rsa2048/02AEEEFEC64C8EA9 2023-01-11 Petr Mensik (Yk) <pemensik@fedoraproject.org>
sec>  rsa2048/02AEEEFEC64C8EA9  vytvořen: 2023-01-11  platnost skončí: 2026-01-10
                                číslo karty: 0006 15507410
ssb>  rsa2048/94CE5B3B4D7FC69E  vytvořen: 2023-01-11  platnost skončí: 2026-01-10
                                číslo karty: 0006 15507410
ssb   rsa2048/B57540B7352D79CE  vytvořen: 2023-01-11  platnost skončí: nikdy 

But it seems the information received after switching to this plugin is entirely unrelated. Keys are gone. Customization data are gone, serial is different. No keys are found to be added.

$ echo 'SCD LEARN' | gpg-agent --server gpg-connect-agent 
OK Pleased to meet you
gpg-agent[660983]: no running /usr/libexec/scdaemon daemon - starting it
gnupg-pkcs11-scd[660984.436909888]: Listening to socket '/tmp/gnupg-pkcs11-scd.kgvGrm/agent.S'
gnupg-pkcs11-scd[660984.436909888]: accepting connection
gnupg-pkcs11-scd[660984]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[660984.436909888]: processing connection
gpg-agent[660983]: first connection to daemon /usr/libexec/scdaemon established
gnupg-pkcs11-scd[660984]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[660984]: chan_0 -> D /tmp/gnupg-pkcs11-scd.kgvGrm/agent.S
gnupg-pkcs11-scd[660984]: chan_0 -> OK
gnupg-pkcs11-scd[660984]: chan_0 <- LEARN
gnupg-pkcs11-scd[660984]: chan_0 -> S SERIALNO D2760001240111503131658709FE1111
gnupg-pkcs11-scd[660984]: chan_0 -> S APPTYPE PKCS11
S SERIALNO D2760001240111503131658709FE1111
S APPTYPE PKCS11
gnupg-pkcs11-scd[660984]: chan_0 -> OK
OK
gnupg-pkcs11-scd[660984]: chan_0 <- RESTART
gnupg-pkcs11-scd[660984]: chan_0 -> OK
gnupg-pkcs11-scd[660984]: chan_0 <- [eof]
gnupg-pkcs11-scd[660984.436909888]: post-processing connection
gnupg-pkcs11-scd[660984.436909888]: accepting connection
gnupg-pkcs11-scd[660984.436909888]: cleanup connection
gnupg-pkcs11-scd[660984.436909888]: Terminating
gnupg-pkcs11-scd[660984.427816512]: Thread command terminate
gnupg-pkcs11-scd[660984.427816512]: Cleaning up threads

$ LC_ALL=C.UTF-8 gpg --card-status
gpg: WARNING: server 'scdaemon' is older than us (0.10.0 < 2.3.7)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
Reader ...........: [none]
Application ID ...: D2760001240111503131658709FE1111
Application type .: OpenPGP
Version ..........: 11.50
Manufacturer .....: ?
Serial number ....: 658709FE
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa48 rsa48 rsa48
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Is such a difference expected? Perhaps I am missing some important difference. openpgp-tool from the opensc suite can still read those data. Is my card initialization still incomplete?

$ openpgp-tool -KUC
Using reader with a card: Yubico YubiKey OTP+FIDO+CCID 00 00
AID:             d2:76:00:01:24:01:03:04:00:06:15:50:74:10:00:00
Version:         3.4
Manufacturer:    Yubico
Serial number:   15507410
Account:         pemensik@fedoraproject.org
Name:            Mensik Petr
Gender:          not announced
Aut Algorithm:   RSA2048
Aut Create Date: 1970-01-01 00:00:00
Aut Fingerprint: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
Dec Algorithm:   RSA2048
Dec Create Date: 2023-01-11 18:59:07
Dec Fingerprint: d4:aa:2e:ca:f1:de:d2:ce:e8:47:de:b9:94:ce:5b:3b:4d:7f:c6:9e
Sig Algorithm:   RSA2048
Sig Create Date: 2023-01-11 18:59:07
Sig Fingerprint: a4:9e:44:30:60:05:13:53:7d:9d:4b:8d:02:ae:ee:fe:c6:4c:8e:a9

alonbl commented 1 year ago

I am truly sorry, this is not a support forum... I have little resources to help.

  1. You are mixing technologies, using gpg, opensc and ykpkcs11 - this is very bad practice. You should use ykpkcs11 only if you want something to work; reformat the key and start over without jumping between technologies.
  2. You do not read the document, and when you read it you do not follow the instructions.

I am closing this as there is no issue I am aware of using yubikey.