Re: :-(( Re: smart card no longer works

2016-09-20 Thread Philip Jackson
On 19/09/16 13:02, Stephan Beck wrote:
>> then run tests. Can now sign and encrypt emails, sign and encrypt and
>> decrypt files although verify on its own causes me a problem but I
>> shouldn't think that is connected with the smartcard.
> Another wild guess: maybe it's because the ownertrust values of your own
> public key have not been imported together with the key. You have to
> reassign trust.
> Try
> gpg2 --edit-key [yourkeyID]
> gpg> trust
> 5
> 
> Another way (I forgot to mention this in my previous mail)
> is to import your key with
> gpg2 --import-keep-ownertrust [yourkeyID]
> 
> Then the ownertrust value is being imported as well.


Yes, Stephan, that seems to have solved the issues I had with
verification. The command you suggested does not work as you wrote it -
I got words to the effect that the command was not recognised.

After consulting man gpg2, I tried the following and this worked.

gpg2 --import --import-options keep-ownertrust ~/path-to-my-key/mykey.sec.asc

Thanks,
Philip

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
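
Added example (not part of the original thread and not GnuPG project code): a check for the two things the fix above depended on, card stubs for the subkeys and ultimate ownertrust on the primary key. It assumes the GnuPG 2.1+ colon listing format described in GnuPG's doc/DETAILS; the function names, key IDs and card serial are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the GnuPG 2.1+ colon format
# (doc/DETAILS): field 5 = key ID, field 9 = ownertrust, field 12 = usage,
# field 15 = card serial, "+" (secret key on disk), "#" (stub) or empty.
# Real input: gpg2 --list-keys --with-secret --with-colons

# Constructed listing: public key imported, no stubs yet, ownertrust unset.
sample_before() {
cat <<'EOF'
pub:-:2048:1:AAAAAAAAAAAAAAAA:1357000000:::-:::scESC:::
sub:-:2048:1:BBBBBBBBBBBBBBBB:1414000000::::::e:::
sub:-:2048:1:CCCCCCCCCCCCCCCC:1414000000::::::s:::
EOF
}

# Constructed listing: after "gpg2 --card-status" and setting trust to 5.
# The card serial is a made-up value.
sample_after() {
cat <<'EOF'
pub:u:2048:1:AAAAAAAAAAAAAAAA:1357000000:::u:::scESC:::+:
sub:u:2048:1:BBBBBBBBBBBBBBBB:1414000000::::::e:::D2760001240102000005000000010000:
sub:u:2048:1:CCCCCCCCCCCCCCCC:1414000000::::::s:::D2760001240102000005000000010000:
EOF
}

# classify_keys (hypothetical helper): one line per key or subkey,
# "<keyid> <usage> <where>", where is missing, disk, stub or card:<serial>.
classify_keys() {
  awk -F: '
    $1 == "pub" || $1 == "sub" || $1 == "sec" || $1 == "ssb" {
      if ($15 == "")       where = "missing"
      else if ($15 == "+") where = "disk"
      else if ($15 == "#") where = "stub"
      else                 where = "card:" $15
      print $5, $12, where
    }'
}

# migration_problems (hypothetical helper): prints nothing when every subkey
# has secret material or a card stub and the primary has ultimate ownertrust.
migration_problems() {
  awk -F: '
    ($1 == "pub" || $1 == "sec") && $9 != "u" {
      printf "%s: ownertrust is %s, expected u\n", $5, ($9 == "" ? "unset" : $9)
    }
    ($1 == "sub" || $1 == "ssb") && $15 == "" {
      printf "%s: no secret key or stub; insert card, run gpg2 --card-status\n", $5
    }'
}

echo "before:"; sample_before | migration_problems
echo "after:";  sample_after  | classify_keys
```

On a real system, pipe the gpg2 listing into migration_problems in place of the sample functions; empty output means both conditions hold.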


Re: :-(( Re: smart card no longer works

2016-09-19 Thread Stephan Beck


Philip Jackson:
> On 16/09/16 22:09, Stephan Beck wrote:
>> Sorry for the delayed response.
>> It's not enough to simply copy and paste all the files into the new
>> ~/.gnupg directory, as you write you did in your previous mail. You have
>> to run gpg2 with the --import option to import your public key and then
>> (having your smartcard inserted and doing a gpg2 --card-status) generate
>> key stubs for the secret subkeys on the new system. From what you say, it
>> seems that you haven't done this. It's my wild guess that things may
>> have gone wrong there.
> 
> Thank you Stephan - got it working.  For the record, I did not undo
> anything that I had previously done. Just left the installation as it
> was then did :
> 
> gpg2 --import /path-to-my-key/mykey.asc
> inserted smartcard
> gpg2 --card-status
> 
> then run tests. Can now sign and encrypt emails, sign and encrypt and
> decrypt files although verify on its own causes me a problem but I
> shouldn't think that is connected with the smartcard.

Another wild guess: maybe it's because the ownertrust values of your own
public key have not been imported together with the key. You have to
reassign trust.
Try
gpg2 --edit-key [yourkeyID]
gpg> trust
5

Another way (I forgot to mention this in my previous mail)
is to import your key with
gpg2 --import-keep-ownertrust [yourkeyID]

Then the ownertrust value is being imported as well.

Does it change anything with respect to your verification problems?

HTH

Stephan



Re: :-(( Re: smart card no longer works

2016-09-17 Thread Philip Jackson
On 16/09/16 22:09, Stephan Beck wrote:
> Sorry for the delayed response.
> It's not enough to simply copy and paste all the files into the new
> ~/.gnupg directory, as you write you did in your previous mail. You have
> to run gpg2 with the --import option to import your public key and then
> (having your smartcard inserted and doing a gpg2 --card-status) generate
> key stubs for the secret subkeys on the new system. From what you say, it
> seems that you haven't done this. It's my wild guess that things may
> have gone wrong there.

Thank you Stephan - got it working.  For the record, I did not undo
anything that I had previously done. Just left the installation as it
was then did :

gpg2 --import /path-to-my-key/mykey.asc
inserted smartcard
gpg2 --card-status

then run tests. Can now sign and encrypt emails, sign and encrypt and
decrypt files although verify on its own causes me a problem but I
shouldn't think that is connected with the smartcard.

Thanks.
Philip






Re: :-(( Re: smart card no longer works

2016-09-16 Thread Stephan Beck
Hi,

Philip Jackson:
> On 11/09/16 19:49, Stephan Beck wrote:
>> Which type of smartcard do you have? Which gnupg versions were installed
>> on the old system and with which of it did you generate keys?
> 
> 
> The smartcard is a version2.0 made by ZeitControl and bought from
> Kernel-concepts and used with a SCT3512 usb holder from SCM.
> 
> I bought it in or around August / September 2014 and installed it using
> UbuntuStudio1404 LTS with gnupg 2.0.22.  The keys were generated in 2013
> using the gnupg2 stuff in Windows 7 except for a couple of the sub keys
> which were made on the card in October 2014.
> 
> I guess I'll have to dig in the archives and see if I can find records
> of how I got it working back in 2014.
> 
Sorry for the delayed response.
It's not enough to simply copy and paste all the files into the new
~/.gnupg directory, as you write you did in your previous mail. You have
to run gpg2 with the --import option to import your public key and then
(having your smartcard inserted and doing a gpg2 --card-status) generate
key stubs for the secret subkeys on the new system. From what you say, it
seems that you haven't done this. It's my wild guess that things may
have gone wrong there.

But as I don't know the detailed steps you took including those with
gpg4win on Windows7, I simply refer you to two docs (1,2) I found useful.

(1) https://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups
(2)
https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard

They may talk about other smartcards (I do not promote any!) than you
have and/or not match exactly your use case, but are quite detailed and
may be useful for detecting whether there is a particular step you might
have missed.

Stebe



Re: :-(( Re: smart card no longer works

2016-09-11 Thread Philip Jackson
On 11/09/16 19:49, Stephan Beck wrote:
> Which type of smartcard do you have? Which gnupg versions were installed
> on the old system and with which of it did you generate keys?


The smartcard is a version2.0 made by ZeitControl and bought from
Kernel-concepts and used with a SCT3512 usb holder from SCM.

I bought it in or around August / September 2014 and installed it using
UbuntuStudio1404 LTS with gnupg 2.0.22.  The keys were generated in 2013
using the gnupg2 stuff in Windows 7 except for a couple of the sub keys
which were made on the card in October 2014.

I guess I'll have to dig in the archives and see if I can find records
of how I got it working back in 2014.

Philip



Re: :-(( smart card no longer works

2016-09-11 Thread Stephan Beck


Peter Lebbing:
> On 10/09/16 20:56, Stephan Beck wrote:
> [...]
> It looks fine to me, I think you're getting confused by it referring to
> the key in several ways. Here's part of the output for "gpg2 -v -d" for me:
> 
>> gpg: public key is 73A33BEE
>> gpg: using subkey 73A33BEE instead of primary key DE500B3E
>> gpg: using subkey 73A33BEE instead of primary key DE500B3E
>> gpg: encrypted with 2048-bit RSA key, ID 73A33BEE, created 2009-11-12
>>   "Peter Lebbing "
> 
> It first notices the key it is encrypted to is 73A33BEE, which is a
> subkey. Then it really wants me to know that it is using this subkey of
> the primary DE500B3E :-). Finally it shows the actual subkey it was
> encrypted to along with the primary User ID of the key as a whole.

Thanks, Peter. Yes, this referring to the key in several ways led to my
confusion (and I didn't even try to reproduce the situation). But you
put your light and confusion is gone :-)

Cheers,

Stebe



Re: :-(( Re: smart card no longer works

2016-09-11 Thread Stephan Beck

Philip Jackson:
> On 10/09/16 20:56, Stephan Beck wrote:


> It looks like I got the process of moving to a new installation wrong.
> So I am in need of a precise process description to start again and do
> it correctly.


Which type of smartcard do you have? Which gnupg versions were installed
on the old system and with which of it did you generate keys?

It might be possible, though, that the error is somewhere else, so you
may gather more information first using gpg with the --debug-level
expert option, and checking the BTS (and the smartcard's support site)
to rule out other causes.

Cheers,

Stebe



Re: :-(( smart card no longer works

2016-09-11 Thread Peter Lebbing
On 10/09/16 20:56, Stephan Beck wrote:
> And, by the way, does the screen output in your previous mail really
> show that a subkey with the same ID as the pubkey (so, a duplicate of
> the pubkey) is being used for decrypting a file encrypted to your
> pubkey? I mean, that wouldn't make sense in terms of public key
> cryptography and is duly canceled by gpg.
> Am I missing something?

It looks fine to me, I think you're getting confused by it referring to
the key in several ways. Here's part of the output for "gpg2 -v -d" for me:

> gpg: public key is 73A33BEE
> gpg: using subkey 73A33BEE instead of primary key DE500B3E
> gpg: using subkey 73A33BEE instead of primary key DE500B3E
> gpg: encrypted with 2048-bit RSA key, ID 73A33BEE, created 2009-11-12
>   "Peter Lebbing "

It first notices the key it is encrypted to is 73A33BEE, which is a
subkey. Then it really wants me to know that it is using this subkey of
the primary DE500B3E :-). Finally it shows the actual subkey it was
encrypted to along with the primary User ID of the key as a whole.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: :-(( Re: smart card no longer works

2016-09-11 Thread Philip Jackson
On 10/09/16 20:56, Stephan Beck wrote:
> Have you recreated the key stubs on the new system after having imported
> your public key first?
> 
No - how do you do that ?  I am just a user nunky-dunk.

> And before, still on 14.04, did you use the --export-secret-keys command?

Not specifically before doing the clean install of 1604. I didn't know I
had to. I backed up all my home directory and saved a few other things
that occurred to me but nothing specifically for gnupg (except the old
.gnupg in the home directory).
> 
> Which were the steps you have taken for "migrating" keys to the new
> installation?

I copied into the .gnupg directory of the new installation the files
that I have copied over onto other machines in the past : pubring,
secring, trustdb, and conf files.

> And, by the way, does the screen output in your previous mail really
> show that a subkey with the same ID as the pubkey (so, a duplicate of
> the pubkey) is being used for decrypting a file encrypted to your
> pubkey? I mean, that wouldn't make sense in terms of public key
> cryptography and is duly canceled by gpg.
> Am I missing something?

The screen output was just what gpg (1.4.20) displayed. After I solved
the missing scdaemon issue, gpg2 (2.1.11) produces the same output.

There doesn't appear to be anything wrong with the encrypted file
because it decrypts fine (as I noted) using my pre-smartcard secring.

It looks like I got the process of moving to a new installation wrong.
So I am in need of a precise process description to start again and do
it correctly.
Philip




Re: :-(( Re: smart card no longer works

2016-09-10 Thread Stephan Beck
Hi Philip,

Philip Jackson:
> On 10/09/16 06:27, NIIBE Yutaka wrote:
> 
>> I don't have any experience with this error behavior.  Please describe
>> the situation and the interaction; Did you input passphrase and push
>> [OK] button, and then gpg failed?
>>
>> Please try again with pinentry-curses and/or pinentry-tty.  Does it work?
>>
> I don't think the pinentry is the problem. I have tried several versions
> and no matter if I enter the pin via dialogue box or on the command
> line, the result is the same.
> 
> I verified the pin using gpg --card-edit & it is ok.
> 
> I think the problem must be more connected with how I introduced my
> secring and pubring to the new distro installation when I installed
> ubuntu 16.04

Have you recreated the key stubs on the new system after having imported
your public key first?

And before, still on 14.04, did you use the --export-secret-keys command?

Which were the steps you have taken for "migrating" keys to the new
installation?

And, by the way, does the screen output in your previous mail really
show that a subkey with the same ID as the pubkey (so, a duplicate of
the pubkey) is being used for decrypting a file encrypted to your
pubkey? I mean, that wouldn't make sense in terms of public key
cryptography and is duly canceled by gpg.
Am I missing something?

Cheers,

Stebe




Re: :-(( Re: smart card no longer works

2016-09-10 Thread Tristan Santore

On 10/09/16 14:27, Philip Jackson wrote:
> On 10/09/16 06:27, NIIBE Yutaka wrote:
>
>> I don't have any experience with this error behavior.  Please describe
>> the situation and the interaction; Did you input passphrase and push
>> [OK] button, and then gpg failed?
>>
>> Please try again with pinentry-curses and/or pinentry-tty.  Does it work?
>
> I don't think the pinentry is the problem. I have tried several versions
> and no matter if I enter the pin via dialogue box or on the command
> line, the result is the same.
>
> I verified the pin using gpg --card-edit & it is ok.
>
> I think the problem must be more connected with how I introduced my
> secring and pubring to the new distro installation when I installed
> ubuntu 16.04
>
> I have tried reverting to my old secring.gpg file from before starting
> with the smartcard (back in 2014), the one with the full key and not the
> 'stubs'.  This enables me to run the file decrypt command but of course
> I have to enter the old full passphrase rather than the six digit pin of
> the smartcard.
>
> Philip

This sounds like a bit of an issue I had with my Omnikey 38xx. I had a 
similar issue, where it always claimed the pin was wrong. I installed 
the omnikey drivers and then restarted PCSD. But I was using the 
pinpad on the device itself. Maybe your issue is different, depending on 
your hardware.



Regards,
Tristan

--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
tristan.sant...@internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
tsant...@fedoraproject.org



Re: :-(( Re: smart card no longer works

2016-09-10 Thread Philip Jackson
On 10/09/16 06:27, NIIBE Yutaka wrote:

> I don't have any experience with this error behavior.  Please describe
> the situation and the interaction; Did you input passphrase and push
> [OK] button, and then gpg failed?
> 
> Please try again with pinentry-curses and/or pinentry-tty.  Does it work?
> 
I don't think the pinentry is the problem. I have tried several versions
and no matter if I enter the pin via dialogue box or on the command
line, the result is the same.

I verified the pin using gpg --card-edit & it is ok.

I think the problem must be more connected with how I introduced my
secring and pubring to the new distro installation when I installed
ubuntu 16.04

I have tried reverting to my old secring.gpg file from before starting
with the smartcard (back in 2014), the one with the full key and not the
'stubs'.  This enables me to run the file decrypt command but of course
I have to enter the old full passphrase rather than the six digit pin of
the smartcard.

Philip



Re: :-(( Re: smart card no longer works

2016-09-09 Thread NIIBE Yutaka
On 09/09/2016 11:52 PM, Philip Jackson wrote:
>> Packaging in Debian had been changed.  Now scdaemon is in a package of
>> "scdaemon" (used to be in "gnupg2" package).
>>
> 
> I have now installed the missing scdaemon deb package and that makes a
> big improvement as far as gpg2 is concerned.
> 
> Both gpg and gpg2 --card-status return essentially the same data which
> looks good.

Good.

> gpg: public key decryption failed: Operation cancelled
> gpg: decryption failed: No secret key
> 
> Since in my first attempts, the pinentry window which came up was
> anonymous, I supposed there might be a problem with the choice of
> pinentry.  So I put "pinentry-program /usr/bin/pinentry-gtk-2" into the
> gpg-agent.conf file.
> 
> The pinentry dialogue is no longer anonymous, it does say
> pinentry-gtk-2, but the result is the same, no decrypt.

I don't have any experience with this error behavior.  Please describe
the situation and the interaction; Did you input passphrase and push
[OK] button, and then gpg failed?

Please try again with pinentry-curses and/or pinentry-tty.  Does it work?
-- 



Re: :-(( Re: smart card no longer works

2016-09-09 Thread Philip Jackson
On 09/09/16 06:16, NIIBE Yutaka wrote:
> On 09/09/2016 05:21 AM, Robert J. Hansen wrote:
>>> The last I checked, Ubuntu's stock install did not include smartcard drivers.

> 
> Please use the standard scdaemon from GnuPG.

> PC/SC service is optional.  In-stock CCID driver of GnuPG just works
> well in most cases.  Only when it doesn't work, please try
> to install pcscd and libpcsclite1.

As I recall, in Ubuntu 14.04 I just used the in-stock driver in gnupg.

> Packaging in Debian had been changed.  Now scdaemon is in a package of
> "scdaemon" (used to be in "gnupg2" package).
> 

I have now installed the missing scdaemon deb package and that makes a
big improvement as far as gpg2 is concerned.

Both gpg and gpg2 --card-status return essentially the same data which
looks good.

For decrypting a file, both gpg and "gpg2 -o output_file -d
input_file.gpg" fail with the same message :


gpg: public key is 0x79D467BFF5DF6C91
gpg: using subkey 0x79D467BFF5DF6C91 instead of primary key 0x26BD500A23543A63
gpg: using subkey 0x79D467BFF5DF6C91 instead of primary key 0x26BD500A23543A63
gpg: encrypted with 2048-bit RSA key, ID 0x79D467BFF5DF6C91, created 2014-10-28
  "Philip Jackson (Jan 2013 +) "
gpg: public key decryption failed: Operation cancelled
gpg: decryption failed: No secret key

Since in my first attempts, the pinentry window which came up was
anonymous, I supposed there might be a problem with the choice of
pinentry.  So I put "pinentry-program /usr/bin/pinentry-gtk-2" into the
gpg-agent.conf file.

The pinentry dialogue is no longer anonymous, it does say
pinentry-gtk-2, but the result is the same, no decrypt.

Philip




Re: smart card no longer works

2016-09-08 Thread NIIBE Yutaka
On 09/09/2016 05:21 AM, Robert J. Hansen wrote:
>> The last I checked, Ubuntu's stock install did not include smartcard drivers.
>> The good news is these can be easily installed via apt-get.  The bad news is I
>> don't remember what the package name is.  :(
> 
> A little searching suggests that "sudo apt-get install gnupg-pkcs11-scd" is
> the magic you need.  Hope this helps!

Please use the standard scdaemon from GnuPG.

apt-get install scdaemon

PC/SC service is optional.  In-stock CCID driver of GnuPG just works
well in most cases.  Only when it doesn't work, please try
to install pcscd and libpcsclite1.

For PKCS#11 things, we (GnuPG team) do totally in different way by
Scute, when people want to use the PKCS#11 API.  I don't think
gnupg-pkcs11-scd works, these days.

Packaging in Debian had been changed.  Now scdaemon is in a package of
"scdaemon" (used to be in "gnupg2" package).
-- 



RE: smart card no longer works

2016-09-08 Thread Robert J. Hansen
> The last I checked, Ubuntu's stock install did not include smartcard drivers.
> The good news is these can be easily installed via apt-get.  The bad news is I
> don't remember what the package name is.  :(

A little searching suggests that "sudo apt-get install gnupg-pkcs11-scd" is
the magic you need.  Hope this helps!





RE: smart card no longer works

2016-09-08 Thread Robert J. Hansen
> 1. with gpg2 :gpg2 --card-status
> gpg: error getting version from 'scdaemon': No SmartCard daemon
> gpg: OpenPGP card not available: No SmartCard daemon

The last I checked, Ubuntu's stock install did not include smartcard
drivers.  The good news is these can be easily installed via apt-get.  The
bad news is I don't remember what the package name is.  :(

> It's a real PITA that a simple clean installation of an OS won't give a working
> smartcard operation. It looks like the whole smartcard thing is a little lacking
> in robustness.

Although I understand your frustration, it would be best to aim that
frustration at Ubuntu -- they're the ones who elected to not make smartcard
drivers part of the base OS image.


