drduh / YubiKey-Guide

Guide to using YubiKey for GnuPG and SSH
http://drduh.github.io/YubiKey-Guide/
MIT License
11.14k stars 1.19k forks

Problems transferring subkeys if you don't set attributes #461

Open xfors opened 1 week ago

xfors commented 1 week ago

In the guide there is a step to Set attributes before transferring subkeys.

It is not mentioned why one would want to do this, but I have discovered that if you don't do it, the first transfer of a subkey will fail with Bad PIN.

The output from gpg looks like:

[GNUPG:] KEY_CONSIDERED 1E3B99CEDC2F927B19BA9742933A8A2EA0C63373 0 
Secret key is available.                                           

sec  rsa4096/0x933A8A2EA0C63373                                    
     created: 2024-10-07  expires: never       usage: C            
     trust: ultimate      validity: ultimate                       
ssb  ed25519/0x66C92C3A3DAB0DE9                                    
     created: 2024-10-07  expires: 2026-10-07  usage: S            
ssb  cv25519/0x184881132871E1A4                                    
     created: 2024-10-07  expires: 2026-10-07  usage: E            
ssb  ed25519/0x4164F614690501D0                                    
     created: 2024-10-07  expires: 2026-10-07  usage: A            
[ultimate] (1). John Doe <jd@example.com>   

[GNUPG:] GET_LINE keyedit.prompt                                   
[GNUPG:] GOT_IT                                                    

sec  rsa4096/0x933A8A2EA0C63373                                    
     created: 2024-10-07  expires: never       usage: C            
     trust: ultimate      validity: ultimate                       
ssb* ed25519/0x66C92C3A3DAB0DE9                                    
     created: 2024-10-07  expires: 2026-10-07  usage: S            
ssb  cv25519/0x184881132871E1A4                                    
     created: 2024-10-07  expires: 2026-10-07  usage: E            
ssb  ed25519/0x4164F614690501D0                                    
     created: 2024-10-07  expires: 2026-10-07  usage: A            
[ultimate] (1). John Doe <jd@example.com>  

[GNUPG:] GET_LINE keyedit.prompt                                   
[GNUPG:] GOT_IT                                                    
[GNUPG:] CARDCTRL 3 D2760001240103040006120603330000               
Please select where to store the key:                              
   (1) Signature key                                               
   (3) Authentication key                                          
[GNUPG:] GET_LINE cardedit.genkeys.storekeytype                    
[GNUPG:] GOT_IT                                                    
[GNUPG:] INQUIRE_MAXLEN 100                                        
[GNUPG:] GET_HIDDEN passphrase.enter                               
[GNUPG:] GOT_IT                                                    
[GNUPG:] INQUIRE_MAXLEN 100                                        
[GNUPG:] GET_HIDDEN passphrase.enter                               
[GNUPG:] GOT_IT                                                    
[GNUPG:] INQUIRE_MAXLEN 100                                        
[GNUPG:] GET_HIDDEN passphrase.enter                               
[GNUPG:] GOT_IT                                                    
[GNUPG:] SC_OP_FAILURE 2                                           
gpg: KEYTOCARD failed: Bad PIN                                     

[GNUPG:] GET_LINE keyedit.prompt                                   
[GNUPG:] GOT_IT                                                    

If I use the instructions for setting the values for login, then this doesn't happen. Even stranger is the fact that if I try to set the attribute for name instead, then that command fails with Bad PIN.

Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240103040006120603330000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 12345678
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: ed25519 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 9 9 9
Signature counter : 0
KDF setting ......: on
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Admin commands are allowed

gpg: error setting Name: Bad PIN

I'm using:

gpg (GnuPG) 2.2.40
YubiKey Manager (ykman) version: 4.0.9

Device type: YubiKey 5 NFC
Firmware version: 5.2.4

xfors commented 1 week ago

To clarify: running the gpg --edit-card command to set the login attribute before running --edit-key and keytocard makes everything work. Without setting the login attribute it will fail with Bad PIN, and trying to set the name attribute instead of the login attribute will not work, since that also gives Bad PIN.

I can also get transferring the subkey to work without first setting the login attribute, if I accept that the first try will fail and just re-run the command once again.

I understand that this is magic that you are not responsible for, but thought it would be nice to mention.
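A pre-flight check for the workflow discussed in both comments above, written as an added example that is not part of this issue or of the YubiKey-Guide. It parses the human-readable `gpg --card-status` output and the `--status-fd` session quoted in the first comment, flags the case where Login data is `[not set]` (the condition under which the reporter saw the first `keytocard` fail), and recognises the `SC_OP_FAILURE` / `KEYTOCARD failed: Bad PIN` lines so a script can tell that failure apart from other errors. The two sample inputs are copied from the issue's own output; the function names, the `live_card_status` helper (which shells out to `gpg --card-status` and needs a real card) and the wording of the findings are mine, and the advice text refers to the `admin` and `login` commands of `gpg --card-edit`, which are GnuPG's own card-edit commands, not something this issue shows.

```python
"""Pre-flight helpers for moving GnuPG subkeys to a YubiKey (added example).

Two small parsers: one for the human-readable `gpg --card-status` output,
one for the `--status-fd` stream emitted by `gpg --edit-key ... keytocard`.
Together they let a script confirm the login attribute is set before a
transfer and recognise the "Bad PIN" failure reported in this issue.
"""
import re
import subprocess

UNSET = {"", "[not set]", "[none]"}

# Constructed sample: the card status quoted in the issue (login data not set).
SAMPLE_CARD_STATUS = """\
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240103040006120603330000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 12345678
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: ed25519 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 9 9 9
Signature counter : 0
KDF setting ......: on
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Admin commands are allowed
"""

# Constructed sample: the tail of the issue's keytocard session (status-fd lines).
SAMPLE_KEYTOCARD_LOG = """\
ssb* ed25519/0x66C92C3A3DAB0DE9
     created: 2024-10-07  expires: 2026-10-07  usage: S
ssb  cv25519/0x184881132871E1A4
     created: 2024-10-07  expires: 2026-10-07  usage: E
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
[GNUPG:] CARDCTRL 3 D2760001240103040006120603330000
[GNUPG:] GET_LINE cardedit.genkeys.storekeytype
[GNUPG:] GOT_IT
[GNUPG:] INQUIRE_MAXLEN 100
[GNUPG:] GET_HIDDEN passphrase.enter
[GNUPG:] GOT_IT
[GNUPG:] INQUIRE_MAXLEN 100
[GNUPG:] GET_HIDDEN passphrase.enter
[GNUPG:] GOT_IT
[GNUPG:] INQUIRE_MAXLEN 100
[GNUPG:] GET_HIDDEN passphrase.enter
[GNUPG:] GOT_IT
[GNUPG:] SC_OP_FAILURE 2
gpg: KEYTOCARD failed: Bad PIN
"""

# "Label ....: value" lines; the dot padding between label and colon is dropped.
FIELD_RE = re.compile(r"^(?P<label>[A-Za-z][^:]*?)\s*\.*\s*:\s*(?P<value>.*)$")


def parse_card_status(text):
    """Map each card-status line to {label: value}; unset fields become None."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(("gpg:", "[GNUPG:]")):
            continue  # diagnostics, not card fields
        m = FIELD_RE.match(line)
        if m:
            value = m.group("value").strip()
            fields[m.group("label")] = None if value in UNSET else value
    return fields


def key_attributes(fields):
    """Split 'Key attributes' into the card's three slots: sig, enc, auth."""
    attrs = (fields.get("Key attributes") or "").split()
    return dict(zip(("sig", "enc", "auth"), attrs)) if len(attrs) == 3 else {}


def login_attribute_set(fields):
    return fields.get("Login data") is not None


def analyse_keytocard_log(text):
    """Summarise a keytocard session: selected subkey, PIN prompts, card result."""
    summary = {"selected_subkey": None, "pin_prompts": 0,
               "sc_op_failure": None, "failure": None}
    for line in text.splitlines():
        m = re.match(r"^ssb\*\s+\S+/(0x[0-9A-F]+)", line)  # '*' marks selection
        if m:
            summary["selected_subkey"] = m.group(1)
        elif line.startswith("[GNUPG:] GET_HIDDEN passphrase.enter"):
            summary["pin_prompts"] += 1
        elif line.startswith("[GNUPG:] SC_OP_FAILURE"):
            summary["sc_op_failure"] = int(line.split()[2])
        elif line.startswith("gpg: KEYTOCARD failed:"):
            summary["failure"] = line.split(":", 2)[2].strip()
    return summary


def preflight(card_status_text, keytocard_log=None):
    """Return human-readable findings; an empty list means nothing to flag."""
    fields = parse_card_status(card_status_text)
    findings = []
    if not login_attribute_set(fields):
        findings.append("Login data is [not set]: set it with the 'admin' and 'login' "
                        "commands of 'gpg --card-edit' before keytocard (this issue "
                        "reports the first transfer failing with Bad PIN otherwise).")
    if keytocard_log:
        s = analyse_keytocard_log(keytocard_log)
        if s["failure"]:
            findings.append(f"keytocard of {s['selected_subkey']} failed: {s['failure']} "
                            f"(SC_OP_FAILURE {s['sc_op_failure']} after "
                            f"{s['pin_prompts']} PIN prompts)")
    return findings


def live_card_status():
    """Read the inserted card; requires gpg and a reader (hypothetical helper)."""
    return subprocess.run(["gpg", "--card-status"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for finding in preflight(SAMPLE_CARD_STATUS, SAMPLE_KEYTOCARD_LOG):
        print("-", finding)
```

Run it as-is to see both findings against the issue's own output; replace `SAMPLE_CARD_STATUS` with `live_card_status()` to check a real card before running `keytocard`.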