Hello all,

after using GnuPG since 2014 I have now purchased a Nitrokey USB smartcard. I set it up mainly* following the steps at https://wiki.fsfe.org/TechDocs/CardHowtos/CardWithSubkeysUsingBackups with GnuPG 2 and tried to configure GnuPG 1.4 to work likewise (on Linux Mint, it is installed as well). I'm now running into a strange problem which is a bit like https://lists.gnupg.org/pipermail/gnupg-users/2015-September/054345.html , but the other way around.

With GnuPG 2, signing, encrypting and decrypting a file works without any problems. With 1.4, I can encrypt and sign a file, but I can't decrypt it. It fails with the message:

gpg: public key decryption failed: general error
gpg: decryption failed: secret key not available

The commands gpg --card-status and gpg2 --card-status seem to display mostly the same things; the only strange line is "Key attributes" in the GnuPG 1.4 output:

$ gpg --card-status
Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: XXXXXXXX
Name of cardholder: Christoph Pxxx
Language prefs ...: de
Sex ..............: male
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 0R 0R 0R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 10
Signature key ....: D2F4 E619 8D05 9E98 AD58  7E6E 9965 610B 43F2 7C98
      created ....: 2017-01-24 17:52:18
Encryption key....: 4AD3 7EE7 6418 CABE 4026  923E D82A 7A84 3A07 266F
      created ....: 2014-04-12 10:52:41
Authentication key: [none]
General key info..: pub  4096R/43F27C98 2017-01-24 Christoph Pxxx <xxxx...@xxxxx.de>
sec#  4096R/E728903D  created: 2014-04-12  expires: never
ssb>  4096R/3A07266F  created: 2014-04-12  expires: never
                      card-no: 0005 00005031
ssb>  4096R/43F27C98  created: 2017-01-24  expires: never
                      card-no: 0005 00005031

$ gpg2 --card-status
Reader ...........: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: XXXXXXXX
Name of cardholder: Christoph Pxxx
Language prefs ...: de
Sex ..............: male
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa2048
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 10
Signature key ....: D2F4 E619 8D05 9E98 AD58  7E6E 9965 610B 43F2 7C98
      created ....: 2017-01-24 17:52:18
Encryption key....: 4AD3 7EE7 6418 CABE 4026  923E D82A 7A84 3A07 266F
      created ....: 2014-04-12 10:52:41
Authentication key: [none]
General key info..: sub  rsa4096/43F27C98 2017-01-24 Christoph Pxxx <xxxx...@xxxxx.de>
sec#  rsa4096/E728903D  created: 2014-04-12  expires: never
ssb>  rsa4096/3A07266F  created: 2014-04-12  expires: never
                        card-no: 0005 00005031
ssb>  rsa4096/43F27C98  created: 2017-01-24  expires: never
                        card-no: 0005 00005031

I also set up a logfile for scdaemon as in the mentioned thread ("verbose" and "debug ipc,cardio" in ~/.gnupg/scdaemon.conf). At encryption, there doesn't seem to be much difference. At decryption, however, the only new lines in the scdaemon log when using GnuPG 1.4 are

2017-01-25 19:54:15 scdaemon[8806] DBG: chan_5 <- SERIALNO openpgp
2017-01-25 19:54:15 scdaemon[8806] DBG: chan_5 -> S SERIALNO XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 0
2017-01-25 19:54:15 scdaemon[8806] DBG: chan_5 -> OK
2017-01-25 19:54:15 scdaemon[8806] DBG: chan_5 <- RESTART
2017-01-25 19:54:15 scdaemon[8806] DBG: chan_5 -> OK

while using GnuPG 2.1 leads to 26 lines consisting of the decryption information. Instead of "SERIALNO openpgp" it's just "SERIALNO" there.

The output of 'gpg-connect-agent "KEYINFO --list" /bye' is

S KEYINFO 4C4D4CBB69450D70DAECB0929B4E57E00D96A270 T XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX OPENPGP.2 - - - - -
S KEYINFO 259BD34A8AFCFDE34C08C637086496C890AF3640 D - - - P - - -
S KEYINFO 6BB6690E54C14D959135BBFEA6665F2E8A04231C T XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX OPENPGP.1 - - - - -
OK

I don't have an authentication subkey.

I know this is a lot of information, but as all of this was asked for in the thread mentioned above, I thought it would be better to provide you with all of these outputs now than to send them one at a time later. I hope you have an idea why this strange problem occurs.

Regards,
Chris P.

P.S.: I'm sure you've noticed that, but anyway: every "XXXX" sequence is not taken from the original output, but changed for anonymity reasons.

*: I used my existing RSA keypair, generated a signing subkey and put this subkey and the already existing encryption subkey on the card. So, no DSA & Elgamal. I also didn't follow the steps after "Ready to go" as I don't have more than one encryption subkey.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
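The KEYINFO listing quoted in the message above is the quickest way to see which secret keys gpg-agent believes live on the card (type T, with the card serial and the OPENPGP.n slot) and which are ordinary on-disk keys (type D). The following helper is an added example, not code from the poster or from GnuPG; it parses those status lines into a readable report. It assumes the GnuPG 2.1 field layout `S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>` and uses the poster's anonymized output as its sample input.

```shell
#!/bin/sh
# Added example (not part of the original post): summarise the status
# lines printed by   gpg-connect-agent "KEYINFO --list" /bye
#
# Assumed GnuPG 2.1 field layout of one status line:
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>
# <type> is T for a key on a token/smartcard, D for a key on disk, - if unknown.
# <idstr> for OpenPGP cards names the slot: OPENPGP.1 = signature,
# OPENPGP.2 = encryption, OPENPGP.3 = authentication.

# Sample input copied from the output quoted in the thread. The serial
# number was anonymized by the poster and is kept as-is here.
SAMPLE_KEYINFO='S KEYINFO 4C4D4CBB69450D70DAECB0929B4E57E00D96A270 T XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX OPENPGP.2 - - - - -
S KEYINFO 259BD34A8AFCFDE34C08C637086496C890AF3640 D - - - P - - -
S KEYINFO 6BB6690E54C14D959135BBFEA6665F2E8A04231C T XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX OPENPGP.1 - - - - -
OK'

# card_keys KEYINFO_TEXT
# One "<slot> <serialno> <keygrip>" line per key held on a card, sorted by slot.
card_keys() {
    printf '%s\n' "$1" \
      | awk '$1 == "S" && $2 == "KEYINFO" && $4 == "T" { print $6, $5, $3 }' \
      | sort
}

# disk_keys KEYINFO_TEXT
# One "<keygrip> <protection>" line per key whose secret part is on disk
# (protection P = passphrase protected, C = clear, - = unknown).
disk_keys() {
    printf '%s\n' "$1" \
      | awk '$1 == "S" && $2 == "KEYINFO" && $4 == "D" { print $3, $8 }'
}

# count_keys KEYINFO_TEXT TYPE
# Number of KEYINFO lines whose <type> field equals TYPE (T, D or -).
count_keys() {
    printf '%s\n' "$1" \
      | awk -v t="$2" '$1 == "S" && $2 == "KEYINFO" && $4 == t { n++ } END { print n + 0 }'
}

# report KEYINFO_TEXT
# Human-readable summary of card-backed versus on-disk secret keys.
report() {
    echo "keys on card ($(count_keys "$1" T)):"
    card_keys "$1" | sed 's/^/  /'
    echo "keys on disk ($(count_keys "$1" D)):"
    disk_keys "$1" | sed 's/^/  /'
}

# With a running gpg-agent, feed it live output instead of the sample:
#   report "$(gpg-connect-agent 'KEYINFO --list' /bye)"
report "$SAMPLE_KEYINFO"
```

To relate the keygrips back to the fingerprints shown by --card-status, list the secret keys with `gpg2 --with-keygrip --list-secret-keys`; a keygrip that appears there but is missing from the KEYINFO output, or appears with the wrong type, is the first thing to check when one GnuPG version can use a card key and another cannot.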