Smartcard working completely with GPG2 and incompletely with GPG1.4

chris.p.16 at gmx.de chris.p.16 at gmx.de
Wed Jan 25 20:14:56 CET 2017


Hello all,

after using GnuPG since 2014 I now purchased a Nitrokey USB smartcard. I set it up mainly* following the steps at https://wiki.fsfe.org/TechDocs/CardHowtos/CardWithSubkeysUsingBackups with GnuPG 2 and tried to configure GnuPG 1.4 to work likewise (on Linux Mint, it's installed as well). I'm now running into a strange problem which is a bit like https://lists.gnupg.org/pipermail/gnupg-users/2015-September/054345.html , but the other way around.

With GnuPG 2, signing, encrypting and decrypting a file works without any problems. With 1.4, I can encrypt and sign a file, but I can't decrypt it. It's failing with the message:

gpg: public key decryption failed: general error
gpg: decryption failed: secret key not available

The commands gpg --card-status and gpg2 --card-status seem to display mostly the same things; the only strange line is "Key attributes" in GPG 1.4:

$ gpg --card-status
Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: XXXXXXXX
Name of cardholder: Christoph Pxxx
Language prefs ...: de
Sex ..............: male
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 0R 0R 0R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 10
Signature key ....: D2F4 E619 8D05 9E98 AD58  7E6E 9965 610B 43F2 7C98
      created ....: 2017-01-24 17:52:18
Encryption key....: 4AD3 7EE7 6418 CABE 4026  923E D82A 7A84 3A07 266F
      created ....: 2014-04-12 10:52:41
Authentication key: [none]
General key info..: pub  4096R/43F27C98 2017-01-24 Christoph Pxxx <xxxxxxx at xxxxx.de>
sec#  4096R/E728903D  created: 2014-04-12  expires: never     
ssb>  4096R/3A07266F  created: 2014-04-12  expires: never     
                      card-no: 0005 00005031
ssb>  4096R/43F27C98  created: 2017-01-24  expires: never     
                      card-no: 0005 00005031


$ gpg2 --card-status
Reader ...........: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: XXXXXXXX
Name of cardholder: Christoph Pxxx
Language prefs ...: de
Sex ..............: male
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa2048
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 10
Signature key ....: D2F4 E619 8D05 9E98 AD58  7E6E 9965 610B 43F2 7C98
      created ....: 2017-01-24 17:52:18
Encryption key....: 4AD3 7EE7 6418 CABE 4026  923E D82A 7A84 3A07 266F
      created ....: 2014-04-12 10:52:41
Authentication key: [none]
General key info..: sub  rsa4096/43F27C98 2017-01-24 Christoph Pxxx <xxxxxxx at xxxxx.de>
sec#  rsa4096/E728903D  created: 2014-04-12  expires: never     
ssb>  rsa4096/3A07266F  created: 2014-04-12  expires: never     
                        card-no: 0005 00005031
ssb>  rsa4096/43F27C98  created: 2017-01-24  expires: never     
                        card-no: 0005 00005031

I also set up a logfile for scdaemon as in the mentioned thread ("verbose", "debug ipc, cardio" in ~/.gnupg/scdaemon.conf). At encryption, there doesn't seem to be much difference. At decryption, however, when using GnuPG 1.4 the new lines in the scdaemon log are

2017-01-25 19:54:15 scdaemon[8806] DBG: chan_5 <- SERIALNO openpgp
2017-01-25 19:54:15 scdaemon[8806] DBG: chan_5 -> S SERIALNO XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 0
2017-01-25 19:54:15 scdaemon[8806] DBG: chan_5 -> OK
2017-01-25 19:54:15 scdaemon[8806] DBG: chan_5 <- RESTART
2017-01-25 19:54:15 scdaemon[8806] DBG: chan_5 -> OK

while using GnuPG 2.1 leads to 26 lines consisting of the decryption information. Instead of "SERIALNO openpgp" it's just "SERIALNO" there.

The output of 'gpg-connect-agent "KEYINFO --list" /bye' is

S KEYINFO 4C4D4CBB69450D70DAECB0929B4E57E00D96A270 T XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX OPENPGP.2 - - - - -
S KEYINFO 259BD34A8AFCFDE34C08C637086496C890AF3640 D - - - P - - -
S KEYINFO 6BB6690E54C14D959135BBFEA6665F2E8A04231C T XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX OPENPGP.1 - - - - -
OK

– I don't have an authentication subkey.

I know this is much information, but as all of this was asked for in the thread mentioned above, I thought it'd be better to provide you with all of these outputs now than to send them one at a time later. I hope you have an idea why this strange problem occurs.

Regards,

Chris

P. S.: I'm sure you've noticed that, but anyway: Every "XXXX" sequence is not taken from the original output, but changed for anonymity reasons.

*: I used my existing RSA keypair, generated a signing subkey and put this subkey and the already existing encryption subkey on the card. So, no DSA & Elgamal. I also didn't follow the steps after "Ready to go" as I don't have more than one encryption subkey.
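The post compares two `--card-status` listings by eye and then reads the agent's KEYINFO lines. The script below is an added example, not code from the post or from GnuPG: it parses constructed card-status samples modelled on the listings above (card and reader identifiers replaced by placeholders), reports every field that differs between the two binaries, flags a "Key attributes" line that reports a zero-bit algorithm such as "0R", and maps the card-backed keygrips from KEYINFO output to their OPENPGP slots. The KEYINFO field positions (keygrip, type, serial number, slot id) are assumed from the lines quoted in the post.

```python
import re

# Constructed samples modelled on the post's output; the reader, application
# ID and serial number are placeholders, the fingerprints are the ones quoted.
CARD_STATUS_GPG14 = """\
Application ID ...: PLACEHOLDER_APPLICATION_ID
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: PLACEHOLDER_SERIAL
Key attributes ...: 0R 0R 0R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature key ....: D2F4 E619 8D05 9E98 AD58  7E6E 9965 610B 43F2 7C98
      created ....: 2017-01-24 17:52:18
Encryption key....: 4AD3 7EE7 6418 CABE 4026  923E D82A 7A84 3A07 266F
      created ....: 2014-04-12 10:52:41
Authentication key: [none]
"""

CARD_STATUS_GPG2 = """\
Reader ...........: PLACEHOLDER_READER
Application ID ...: PLACEHOLDER_APPLICATION_ID
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: PLACEHOLDER_SERIAL
Key attributes ...: rsa4096 rsa4096 rsa2048
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature key ....: D2F4 E619 8D05 9E98 AD58  7E6E 9965 610B 43F2 7C98
      created ....: 2017-01-24 17:52:18
Encryption key....: 4AD3 7EE7 6418 CABE 4026  923E D82A 7A84 3A07 266F
      created ....: 2014-04-12 10:52:41
Authentication key: [none]
"""

# Constructed KEYINFO output with the keygrips quoted in the post.
KEYINFO_OUTPUT = """\
S KEYINFO 4C4D4CBB69450D70DAECB0929B4E57E00D96A270 T PLACEHOLDER_SERIAL OPENPGP.2 - - - - -
S KEYINFO 259BD34A8AFCFDE34C08C637086496C890AF3640 D - - - P - - -
S KEYINFO 6BB6690E54C14D959135BBFEA6665F2E8A04231C T PLACEHOLDER_SERIAL OPENPGP.1 - - - - -
OK
"""


def parse_card_status(text):
    """Turn top-level 'label ...: value' lines into a dict.
    Indented continuation lines such as 'created ....:' are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        label, sep, value = line.partition(":")
        if sep:
            fields[label.rstrip(" .")] = value.strip()
    return fields


def diff_card_status(a, b):
    """Fields whose values differ, or that exist on only one side (None)."""
    return {label: (a.get(label), b.get(label))
            for label in sorted(set(a) | set(b))
            if a.get(label) != b.get(label)}


def has_unparsed_key_attributes(fields):
    """True when 'Key attributes' carries a zero-bit entry like '0R', i.e.
    this gpg binary did not understand the algorithm attributes on the card."""
    tokens = fields.get("Key attributes", "").split()
    return any(re.fullmatch(r"0[A-Za-z]*", t) is not None for t in tokens)


def parse_keyinfo(text):
    """Parse 'S KEYINFO <keygrip> <type> <serialno> <idstr> ...' lines.
    Assumed layout from the post: type 'T' is a key on a token (card),
    type 'D' is a key file on disk."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[:2] == ["S", "KEYINFO"]:
            entries.append({"keygrip": parts[2], "type": parts[3],
                            "serialno": parts[4], "idstr": parts[5]})
    return entries


def card_backed_keys(entries):
    """Map each OPENPGP slot to the keygrip the agent keeps on the card."""
    return {e["idstr"]: e["keygrip"] for e in entries if e["type"] == "T"}


if __name__ == "__main__":
    old, new = parse_card_status(CARD_STATUS_GPG14), parse_card_status(CARD_STATUS_GPG2)
    for label, (v1, v2) in diff_card_status(old, new).items():
        print(f"{label}: gpg1.4={v1!r}  gpg2={v2!r}")
    print("gpg 1.4 failed to parse key attributes:", has_unparsed_key_attributes(old))
    print("card-backed keys:", card_backed_keys(parse_keyinfo(KEYINFO_OUTPUT)))
```

Run against real output by piping `gpg --card-status`, `gpg2 --card-status` and `gpg-connect-agent "KEYINFO --list" /bye` into the three parsers; a "Key attributes" line that fails the zero-bit check is the quickest indicator that a given gpg binary is not reading the card's algorithm attributes, which is exactly the asymmetry the post describes.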
