YubiKey NEO: "NFC Tag has wrong signing id"

[jas4711]

I get this error whenever I try to use my YubiKey NEO to sign/decrypt anything. I imported my private key using "gpg -a --output gpg-secret-key.asc --export-secret-keys", and had to update it from a keyserver because it had expired (not sure why this happend, probably unrelated). I suspect the reason is that I have an offline master key, so my YubiKey NEO only has subkeys on it. OpenPGP keychain won't find 54265e8c on my YubiKey NEO, only the three subkeys.

Here is some GnuPG output that may shred some light on the issue. Notice how my NEO only has the three subkeys on it. Does OpenPGP keychain support selecting the proper subkey to use?

Thanks, /Simon

jas@latte:~$ gpg --list-secret-keys
/home/jas/.gnupg/secring.gpg
----------------------------
sec#  3744R/54265E8C 2014-06-22 [expires: 2014-09-30]
uid                  Simon Josefsson <simon@josefsson.org>
uid                  Simon Josefsson <simon@yubico.com>
ssb>  2048R/32F8119D 2014-06-22
ssb>  2048R/78ECD86B 2014-06-22
ssb>  2048R/36BA8F9B 2014-06-22

jas@latte:~$ gpg --card-status
Application ID ...: D2760001240102000060000000420000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 00000042
Name of cardholder: Simon Josefsson
Language prefs ...: sv
Sex ..............: male
URL of public key : https://josefsson.org/54265e8c.txt
Login data .......: jas
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 2283
Signature key ....: 9941 5CE1 905D 0E55 A9F8  8026 860B 7FBB 32F8 119D
      created ....: 2014-06-22 19:19:04
Encryption key....: DC9F 9B7D 8831 692A A852  D95B 9535 162A 78EC D86B
      created ....: 2014-06-22 19:19:20
Authentication key: 2E08 856F 4B22 2148 A40A  3E45 AF66 08D7 36BA 8F9B
      created ....: 2014-06-22 19:19:41
General key info..: pub  2048R/32F8119D 2014-06-22 Simon Josefsson <simon@josefsson.org>
sec#  3744R/54265E8C  created: 2014-06-22  expires: 2015-01-23
ssb>  2048R/32F8119D  created: 2014-06-22  expires: 2015-01-23
                      card-no: 0060 00000042
ssb>  2048R/78ECD86B  created: 2014-06-22  expires: 2015-01-23
                      card-no: 0060 00000042
ssb>  2048R/36BA8F9B  created: 2014-06-22  expires: 2015-01-23
                      card-no: 0060 00000042
jas@latte:~$ 

[Valodim]

OpenKeychain uses the first available (non-expired, non-revoked, non-stripped, suitably flagged) subkey for signing. Your master key has sign and certification capabilities, so it will be chosen unless it is marked as stripped. Can you provide a gpg --list-packets of your secret keyring to verify this?

[jas4711]

Thanks -- this means it should work, I guess. Here is --list-packets on the file I put on my phone before importing it into OpenPGP Keychain. The master is a "gnu-dummy" key, indicating it is a stub, as far as I understand.

:secret key packet:
    version 4, algo 1, created 1403464321, expires 0
    skey[0]: [3744 bits]
    skey[1]: [17 bits]
    gnu-dummy S2K, algo: 3, SHA1 protection, hash: 2
    protect IV: 
    keyid: 0664A76954265E8C
:user ID packet: "Simon Josefsson <simon@josefsson.org>"
:signature packet: algo 1, keyid 0664A76954265E8C
    version 4, created 1421182694, md5len 0, sigclass 0x13
    digest algo 10, begin of digest c8 b0
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 11 len 7 (pref-sym-algos: 9 8 7 13 12 11 10)
    hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
    hashed subpkt 30 len 1 (features: 01)
    hashed subpkt 23 len 1 (key server preferences: 80)
    hashed subpkt 25 len 1 (primary user ID)
    hashed subpkt 2 len 4 (sig created 2015-01-13)
    hashed subpkt 9 len 4 (key expires after 1y82d1h45m)
    subpkt 16 len 8 (issuer key ID 0664A76954265E8C)
    data: [3741 bits]
:user ID packet: "Simon Josefsson <simon@yubico.com>"
:signature packet: algo 1, keyid 0664A76954265E8C
    version 4, created 1421182696, md5len 0, sigclass 0x13
    digest algo 10, begin of digest 9c 6c
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 11 len 7 (pref-sym-algos: 9 8 7 13 12 11 10)
    hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
    hashed subpkt 30 len 1 (features: 01)
    hashed subpkt 23 len 1 (key server preferences: 80)
    hashed subpkt 2 len 4 (sig created 2015-01-13)
    hashed subpkt 9 len 4 (key expires after 1y82d1h45m)
    subpkt 16 len 8 (issuer key ID 0664A76954265E8C)
    data: [3741 bits]
:secret sub key packet:
    version 4, algo 1, created 1403464744, expires 0
    skey[0]: [2048 bits]
    skey[1]: [17 bits]
    gnu-divert-to-card S2K, algo: 3, SHA1 protection, hash: 2
    serial-number:  d2 76 00 01 24 01 02 00 00 60 00 00 00 42 00 00
    keyid: 860B7FBB32F8119D
:signature packet: algo 1, keyid 0664A76954265E8C
    version 4, created 1421182717, md5len 0, sigclass 0x18
    digest algo 10, begin of digest 3d 0e
    hashed subpkt 27 len 1 (key flags: 20)
    hashed subpkt 2 len 4 (sig created 2015-01-13)
    hashed subpkt 9 len 4 (key expires after 1y82d1h38m)
    subpkt 16 len 8 (issuer key ID 0664A76954265E8C)
    data: [3738 bits]
:secret sub key packet:
    version 4, algo 1, created 1403464760, expires 0
    skey[0]: [2048 bits]
    skey[1]: [17 bits]
    gnu-divert-to-card S2K, algo: 3, SHA1 protection, hash: 2
    serial-number:  d2 76 00 01 24 01 02 00 00 60 00 00 00 42 00 00
    keyid: 9535162A78ECD86B
:signature packet: algo 1, keyid 0664A76954265E8C
    version 4, created 1403464760, md5len 0, sigclass 0x18
    digest algo 10, begin of digest 1e c9
    hashed subpkt 2 len 4 (sig created 2014-06-22)
    hashed subpkt 27 len 1 (key flags: 0C)
    hashed subpkt 9 len 4 (key expires after 100d0h0m)
    subpkt 16 len 8 (issuer key ID 0664A76954265E8C)
    data: [3740 bits]
:secret sub key packet:
    version 4, algo 1, created 1403464781, expires 0
    skey[0]: [2048 bits]
    skey[1]: [17 bits]
    gnu-divert-to-card S2K, algo: 3, SHA1 protection, hash: 2
    serial-number:  d2 76 00 01 24 01 02 00 00 60 00 00 00 42 00 00
    keyid: AF6608D736BA8F9B
:signature packet: algo 1, keyid 0664A76954265E8C
    version 4, created 1403464781, md5len 0, sigclass 0x18
    digest algo 10, begin of digest fd 36
    hashed subpkt 2 len 4 (sig created 2014-06-22)
    hashed subpkt 27 len 1 (key flags: 20)
    hashed subpkt 9 len 4 (key expires after 100d0h0m)
    subpkt 16 len 8 (issuer key ID 0664A76954265E8C)
    data: [3739 bits]

[Valodim]

if I'm not mistaken here, the subkey with id 0x32F8119D, which is in the 'sign' slot of your yubikey, has usage flag 0x20, which is authentication. that value seems wrong, and is actually different from the flags in your public key, where it is a correct 0x2 for signing.

even if that flag was right, the signature would be rejected because subkeys with signing capability need to have a primary key binding sub-signature on them, so this is more of a correctly issued authentication-only subkey binding signature than a bit-flipped signing-only subkey binding signature. something has gone very wrong there at some point.

did you create and export this key with gpg? if so, what versions? also, did you perhaps change expiration in a seperate operation before export? we had a similar issue before (#996) where gpg would buck up the key flags while changing expiry, which was fixed in gpg 2.1.0.

[jas4711]

Gpg --card-edit indicates this:

pub  3744R/54265E8C  created: 2014-06-22  expires: 2015-09-12  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/32F8119D  created: 2014-06-22  expires: 2015-09-12  usage: S   
sub  2048R/78ECD86B  created: 2014-06-22  expires: 2015-09-12  usage: E   
sub  2048R/36BA8F9B  created: 2014-06-22  expires: 2015-09-12  usage: A   

The key flags for 78ECD86B is 0C according to --list-packets which means encrypted comms+storage, which seems fine. The key flags for 36BA8F9B is also 20, but that seems correct since it is authentication.

I created the key using GnuPG using 1.4.12 as per my writeup below, using the 'subkeys.txt' file generated at the end to import into my laptop's GnuPG and then export it to send to you.

http://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/

I will try to export the secret key again and look more carefully at the flags.

I'm not sure how to correct the issue you discuss in the second paragraph -- thoughts?

I have changed expiration date after exporting the key, yes.

[jas4711]

I believe I resolved my GnuPG key by doing:

gpg --delete-secret-keys 54265e8c
gpg --delete-keys 54265e8c
gpg --recv-keys 54265e8c
gpg --card-status

However I still get the error from OpenPGP keychain when I try to sign something. Here is my --list-packets output for the key I import into OpenPGP Keychain:

:secret key packet:
    version 4, algo 1, created 1403464321, expires 0
    skey[0]: [3744 bits]
    skey[1]: [17 bits]
    gnu-dummy S2K, algo: 0, simple checksum, hash: 0
    protect IV: 
    keyid: 0664A76954265E8C
:user ID packet: "Simon Josefsson <simon@yubico.com>"
:signature packet: algo 17, keyid 78302C4B8DBFEC2F
    version 4, created 1408019953, md5len 0, sigclass 0x10
    digest algo 8, begin of digest dc fb
    hashed subpkt 2 len 4 (sig created 2014-08-14)
    subpkt 16 len 8 (issuer key ID 78302C4B8DBFEC2F)
    data: [160 bits]
    data: [160 bits]
:signature packet: algo 17, keyid 72043670BDE5F1EE
    version 4, created 1406678382, md5len 0, sigclass 0x10
    digest algo 10, begin of digest 65 d8
    hashed subpkt 2 len 4 (sig created 2014-07-29)
    subpkt 16 len 8 (issuer key ID 72043670BDE5F1EE)
    data: [158 bits]
    data: [157 bits]
:signature packet: algo 1, keyid EDA21E94B565716F
    version 4, created 1403466403, md5len 0, sigclass 0x10
    digest algo 2, begin of digest 96 7c
    hashed subpkt 2 len 4 (sig created 2014-06-22)
    subpkt 16 len 8 (issuer key ID EDA21E94B565716F)
    data: [1280 bits]
:signature packet: algo 1, keyid BCA00FD4B2168C0A
    version 4, created 1403530441, md5len 0, sigclass 0x10
    digest algo 8, begin of digest f9 f2
    hashed subpkt 2 len 4 (sig created 2014-06-23)
    subpkt 16 len 8 (issuer key ID BCA00FD4B2168C0A)
    data: [2040 bits]
:signature packet: algo 1, keyid F04367096FBA95E8
    version 4, created 1420716336, md5len 0, sigclass 0x10
    digest algo 8, begin of digest 88 6b
    hashed subpkt 2 len 4 (sig created 2015-01-08)
    subpkt 16 len 8 (issuer key ID F04367096FBA95E8)
    data: [2045 bits]
:signature packet: algo 1, keyid 0664A76954265E8C
    version 4, created 1409064480, md5len 0, sigclass 0x13
    digest algo 10, begin of digest 34 66
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 11 len 7 (pref-sym-algos: 9 8 7 13 12 11 10)
    hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
    hashed subpkt 30 len 1 (features: 01)
    hashed subpkt 23 len 1 (key server preferences: 80)
    hashed subpkt 2 len 4 (sig created 2014-08-26)
    hashed subpkt 9 len 4 (key expires after 214d19h35m)
    subpkt 16 len 8 (issuer key ID 0664A76954265E8C)
    data: [3742 bits]
:signature packet: algo 1, keyid 0664A76954265E8C
    version 4, created 1403464481, md5len 0, sigclass 0x13
    digest algo 10, begin of digest c6 1f
    hashed subpkt 2 len 4 (sig created 2014-06-22)
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 9 len 4 (key expires after 100d0h0m)
    hashed subpkt 11 len 7 (pref-sym-algos: 9 8 7 13 12 11 10)
    hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
    hashed subpkt 30 len 1 (features: 01)
    hashed subpkt 23 len 1 (key server preferences: 80)
    subpkt 16 len 8 (issuer key ID 0664A76954265E8C)
    data: [3737 bits]
:signature packet: algo 1, keyid C43570F80CC295E6
    version 4, created 1408020087, md5len 0, sigclass 0x10
    digest algo 8, begin of digest 6e fa
    hashed subpkt 2 len 4 (sig created 2014-08-14)
    subpkt 16 len 8 (issuer key ID C43570F80CC295E6)
    data: [4091 bits]
:signature packet: algo 1, keyid 7FD9FCCB000BEEEE
    version 4, created 1403811322, md5len 0, sigclass 0x10
    digest algo 10, begin of digest f3 5d
    hashed subpkt 2 len 4 (sig created 2014-06-26)
    subpkt 16 len 8 (issuer key ID 7FD9FCCB000BEEEE)
    data: [4096 bits]
:signature packet: algo 1, keyid 0BC47DC64D135306
    version 4, created 1406678564, md5len 0, sigclass 0x10
    digest algo 10, begin of digest 79 b6
    hashed subpkt 2 len 4 (sig created 2014-07-30)
    subpkt 16 len 8 (issuer key ID 0BC47DC64D135306)
    data: [4095 bits]
:user ID packet: "Simon Josefsson <simon@josefsson.org>"
:signature packet: algo 17, keyid 78302C4B8DBFEC2F
    version 4, created 1408019953, md5len 0, sigclass 0x10
    digest algo 8, begin of digest 4d 26
    hashed subpkt 2 len 4 (sig created 2014-08-14)
    subpkt 16 len 8 (issuer key ID 78302C4B8DBFEC2F)
    data: [160 bits]
    data: [160 bits]
:signature packet: algo 17, keyid 72043670BDE5F1EE
    version 4, created 1406678382, md5len 0, sigclass 0x10
    digest algo 10, begin of digest c6 82
    hashed subpkt 2 len 4 (sig created 2014-07-29)
    subpkt 16 len 8 (issuer key ID 72043670BDE5F1EE)
    data: [158 bits]
    data: [160 bits]
:signature packet: algo 1, keyid EDA21E94B565716F
    version 4, created 1403466403, md5len 0, sigclass 0x10
    digest algo 2, begin of digest 28 b4
    hashed subpkt 2 len 4 (sig created 2014-06-22)
    subpkt 16 len 8 (issuer key ID EDA21E94B565716F)
    data: [1278 bits]
:signature packet: algo 1, keyid BCA00FD4B2168C0A
    version 4, created 1403530438, md5len 0, sigclass 0x10
    digest algo 8, begin of digest 82 4a
    hashed subpkt 2 len 4 (sig created 2014-06-23)
    subpkt 16 len 8 (issuer key ID BCA00FD4B2168C0A)
    data: [2048 bits]
:signature packet: algo 1, keyid F04367096FBA95E8
    version 4, created 1420716336, md5len 0, sigclass 0x10
    digest algo 8, begin of digest d8 68
    hashed subpkt 2 len 4 (sig created 2015-01-08)
    subpkt 16 len 8 (issuer key ID F04367096FBA95E8)
    data: [2045 bits]
:signature packet: algo 1, keyid 0664A76954265E8C
    version 4, created 1403464490, md5len 0, sigclass 0x13
    digest algo 10, begin of digest be 8e
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 9 len 4 (key expires after 100d0h0m)
    hashed subpkt 11 len 7 (pref-sym-algos: 9 8 7 13 12 11 10)
    hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
    hashed subpkt 30 len 1 (features: 01)
    hashed subpkt 23 len 1 (key server preferences: 80)
    hashed subpkt 2 len 4 (sig created 2014-06-22)
    hashed subpkt 25 len 1 (primary user ID)
    subpkt 16 len 8 (issuer key ID 0664A76954265E8C)
    data: [3743 bits]
:signature packet: algo 1, keyid 0664A76954265E8C
    version 4, created 1409064478, md5len 0, sigclass 0x13
    digest algo 10, begin of digest 5c b2
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 11 len 7 (pref-sym-algos: 9 8 7 13 12 11 10)
    hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
    hashed subpkt 30 len 1 (features: 01)
    hashed subpkt 23 len 1 (key server preferences: 80)
    hashed subpkt 25 len 1 (primary user ID)
    hashed subpkt 2 len 4 (sig created 2014-08-26)
    hashed subpkt 9 len 4 (key expires after 214d19h35m)
    subpkt 16 len 8 (issuer key ID 0664A76954265E8C)
    data: [3744 bits]
:signature packet: algo 1, keyid C43570F80CC295E6
    version 4, created 1408020087, md5len 0, sigclass 0x10
    digest algo 8, begin of digest cd 1c
    hashed subpkt 2 len 4 (sig created 2014-08-14)
    subpkt 16 len 8 (issuer key ID C43570F80CC295E6)
    data: [4095 bits]
:signature packet: algo 1, keyid 7FD9FCCB000BEEEE
    version 4, created 1403811315, md5len 0, sigclass 0x10
    digest algo 10, begin of digest e7 e3
    hashed subpkt 2 len 4 (sig created 2014-06-26)
    subpkt 16 len 8 (issuer key ID 7FD9FCCB000BEEEE)
    data: [4096 bits]
:signature packet: algo 1, keyid 0BC47DC64D135306
    version 4, created 1406678564, md5len 0, sigclass 0x10
    digest algo 10, begin of digest 1a f0
    hashed subpkt 2 len 4 (sig created 2014-07-30)
    subpkt 16 len 8 (issuer key ID 0BC47DC64D135306)
    data: [4093 bits]
:secret sub key packet:
    version 4, algo 1, created 1403464744, expires 0
    skey[0]: [2048 bits]
    skey[1]: [17 bits]
    gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
    serial-number:  d2 76 00 01 24 01 02 00 00 60 00 00 00 42 00 00
    keyid: 860B7FBB32F8119D
:signature packet: algo 1, keyid 0664A76954265E8C
    version 4, created 1409064489, md5len 0, sigclass 0x18
    digest algo 10, begin of digest 1d 3e
    hashed subpkt 27 len 1 (key flags: 02)
    hashed subpkt 2 len 4 (sig created 2014-08-26)
    hashed subpkt 9 len 4 (key expires after 214d19h29m)
    subpkt 32 len 284 (signature: v4, class 0x19, algo 1, digest algo 10)
    subpkt 16 len 8 (issuer key ID 0664A76954265E8C)
    data: [3741 bits]
:secret sub key packet:
    version 4, algo 1, created 1403464760, expires 0
    skey[0]: [2048 bits]
    skey[1]: [17 bits]
    gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
    serial-number:  d2 76 00 01 24 01 02 00 00 60 00 00 00 42 00 00
    keyid: 9535162A78ECD86B
:signature packet: algo 1, keyid 0664A76954265E8C
    version 4, created 1409064497, md5len 0, sigclass 0x18
    digest algo 10, begin of digest 49 b2
    hashed subpkt 27 len 1 (key flags: 0C)
    hashed subpkt 2 len 4 (sig created 2014-08-26)
    hashed subpkt 9 len 4 (key expires after 214d19h28m)
    subpkt 16 len 8 (issuer key ID 0664A76954265E8C)
    data: [3743 bits]
:secret sub key packet:
    version 4, algo 1, created 1403464781, expires 0
    skey[0]: [2048 bits]
    skey[1]: [17 bits]
    gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
    serial-number:  d2 76 00 01 24 01 02 00 00 60 00 00 00 42 00 00
    keyid: AF6608D736BA8F9B
:signature packet: algo 1, keyid 0664A76954265E8C
    version 4, created 1409064505, md5len 0, sigclass 0x18
    digest algo 10, begin of digest 06 09
    hashed subpkt 27 len 1 (key flags: 20)
    hashed subpkt 2 len 4 (sig created 2014-08-26)
    hashed subpkt 9 len 4 (key expires after 214d19h28m)
    subpkt 16 len 8 (issuer key ID 0664A76954265E8C)
    data: [3744 bits]

Thanks, Simon

[Valodim]

Did you delete the key from OpenKeychain before importing? Also, in the import log, there should be notices that keys are flagged as stripped and divert-to-card, and their flags.

[jas4711]

How do I view the import log? Will alas not have time to test more today -- will resume later.

[Valodim]

After import, there is a popup message at the top, with a "View Log" button on the right. Thanks for taking the time so far to debug this :+1:

[jas4711]

I retried this now -- and everything worked. Thanks a bunch for debugging help!

Minor: I don't see a "View Log" button after key import, though, maybe that's a newer feature? I'm using version 3.1.2.

Alas, both GnuPG 1.4.12 and GnuPG 2.0.26 from current Debian Jessie still has change-expire-on-a-sub-key-messes-up-keyflags bug. I'm really happy I keep backups of my master PGP key. I filed https://bugs.g10code.com/gnupg/issue1817 to keep track of fixing that in GnuPG 1.4+2.0.

[Valodim]

Are you sure there is no button? Do you get a green message "Successfully imported key" after import? That one should have the button

[jas4711]

After import I directly get to the list of keys. Will try more tomorrow, can shoot a video of it to illustrate.

[Valodim]

this is how it should look

[jas4711]

I found out why it didn't worked for me: I cleaned the applications data (using settings->apps->openpgpkeychain->clean data) to make sure I didn't have any local state. If I remove my private key, select import, I get that green button. If I do a fresh install, and import the key via the wizard, the green button doesn't show up.

[Valodim]

Only now noticed the bug report you filed with gpg. Thanks, I think this is a really important fix that should be backported asap.

[jonathancross]

Note: the bug filed by @jas4711 is now at this url: https://dev.gnupg.org/T1817