In this case the OpenPGP Card Firmware needs to be extended. Is there a dedicated BugTracker for OpenPGP Card?

--
Secured with Tuta Mail: https://tuta.com/free-email

Nov 24, 2025, 15:50 by [email protected]:

> On Sun, 23 Nov 2025 01:46, Rodolfo Silva said:
>
>> gpg-connect-agent --hex "scd apdu 00 DA 00 C4 07 00404040100303" /bye
>>
>
> Let's see using a Gnuk token:
>
>   $ gpg-connect-agent
>   > /hex
>   > scd apdu 00ca00c400factory r
>   D[0000] 01 7F 7F 7F 03 03 03 90 00
>
> This returns:
>   01 = PW1 valid for several commands
>   7F = UTF PW1 with a max length of 127
>   7F = Reset Code with a max length of 127
>   7F = UTF PW3 with a max length of 127
>   03 - Current error counter for PW1
>   03 - Current error counter for the Reset Code
>   03 - Current error counter for PW3
>   90 00 - Success
>
> You sent:
>   00 = PW1 valid for one command
>   40 = UTF PW1 with a max length of 64
>   40 = Reset Code with a max length of 64
>   40 = UTF PW3 with a max length of 64
>   10 = Not specified in 3.4.1 (4.4.2 DOs for PUT DATA)
>   03 = Not specified in 3.4.1
>   03 = Not specified in 3.4.1
>
> Thus there is no way in the OpenPGP specs to change the max. retry. For
> Yubikeys you may use a proprietary APDU, though. Simon already
> mentioned this. Let's do this using the gpg-card command:
>
>   $ gpg-card
>   Reader ...........: 1050:0407:X:0
>   Card type ........: yubikey
>   Card firmware ....: 5.4.3
>   Serial number ....: D2760001240100000006154932830000
>   Application type .: OpenPGP
>   Version ..........: 3.4
>   # [...]
>   Max. PIN lengths .: 127 127 127
>   PIN retry counter : 3 0 3
>   Signature counter : 0
>   Capabilities .....: key-import algo-change button priv-data
>   # [...]
>
>   gpg/card> verify D2760001240100000006154932830000[CHV3]
>   # shows listing again
>
>   gpg/card> apdu 00 f2 00 00 03 05 00 07
>   Statusword: 0x9000 (success)
>
>   gpg/card> l
>   # shows listing again
>
>   gpg/card> reset
>   gpg/card> l
>   # [...]
>   Max. PIN lengths .: 127 127 127
>   PIN retry counter : 5 0 7
>   Signature counter : 0
>
> Et voila, PIN retry counter set to 5 and Admin retry counter set to 7.
> The important thing here is that you use the s/n with "[CHV3]" appended
> as argument to the verify command. This will only work if the retry
> counter is above 2.
>
>
> Salam-Shalom,
>
>    Werner
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein
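
As an added illustration (not part of either message, and not GnuPG code), the byte-by-byte reading of the PW Status Bytes in the quoted reply can be reproduced with a short Python decoder. The function names are made up for this example, the bit-8 format flag on the length bytes follows the PW Status Bytes layout of the OpenPGP card specification, and the sample strings are the ones quoted in the thread.

```python
# Added example: decode the OpenPGP card "PW Status Bytes" (DO C4) from this thread.
SW_OK = bytes.fromhex("9000")
FIELDS = ("PW1", "Reset Code", "PW3")

def parse_short_apdu(hex_str):
    """Split a short command APDU into header and data, checking Lc.
    Assumes no trailing Le byte when a data field is present."""
    raw = bytes.fromhex(hex_str.replace(" ", ""))
    if len(raw) < 4:
        raise ValueError("APDU shorter than its 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    data = b""
    if len(raw) > 5:                      # 5 bytes = header plus Le only
        lc, data = raw[4], raw[5:]
        if lc != len(data):
            raise ValueError(f"Lc={lc} but {len(data)} data bytes follow")
    return {"cla": cla, "ins": ins, "tag": (p1 << 8) | p2, "data": data}

def decode_pw_status(data):
    """Decode the 7 PW Status Bytes: validity flag, 3 length bytes, 3 counters."""
    if len(data) != 7:
        raise ValueError(f"expected 7 PW status bytes, got {len(data)}")
    out = {"pw1_valid_for_several_commands": data[0] == 0x01}
    for name, length_byte, counter in zip(FIELDS, data[1:4], data[4:7]):
        out[name] = {
            "max_len": length_byte & 0x7F,   # bits 1-7: maximum length
            "format": "PIN block 2" if length_byte & 0x80 else "UTF-8",
            "error_counter": counter,
        }
    return out

def decode_get_data_response(hex_str):
    """Decode a GET DATA C4 response: 7 status bytes followed by SW1 SW2."""
    raw = bytes.fromhex(hex_str.replace(" ", ""))
    body, sw = raw[:-2], raw[-2:]
    if sw != SW_OK:
        raise ValueError(f"card returned status word {sw.hex()}")
    return decode_pw_status(body)

if __name__ == "__main__":
    # Strings below are the ones quoted in the thread.
    print(decode_get_data_response("01 7F 7F 7F 03 03 03 90 00"))
    sent = parse_short_apdu("00 DA 00 C4 07 00404040100303")
    assert (sent["ins"], sent["tag"]) == (0xDA, 0x00C4)   # PUT DATA, DO C4
    print(decode_pw_status(sent["data"]))
```

Run on the PUT DATA payload from the first message, the decoder shows `10` landing in the PW1 error-counter position, which is one of the bytes the reply marks as not specified for PUT DATA.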
