Can’t set new PIN using Reset Code

Kirill Elagin kirelagin at gmail.com
Fri Apr 23 21:58:37 CEST 2021


Hello,

Today gnupg suddenly refused to accept the PIN code of my YubiKey and
it got blocked. I am not exactly sure what happened, but it does not
matter now anyway.

I am trying to unblock the PIN using a Reset Code.

```
$ gpg --edit-card

Reader ...........: Yubico YubiKey FIDO CCID 00 00
Application ID ...: D2760001240103040006117659560000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 11765956
Name of cardholder: Kirill Elagin
Language prefs ...: en
Salutation .......:
URL of public key : https://bruna.kir.elagin.me/kirelagin.asc
Login data .......: kirelagin
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 0 3 0
Signature counter : 3
KDF setting ......: on
Signature key ....: CC5E B1EF E671 C418 33CC  318B FA66 ABF3 CFA3 569C
      created ....: 2021-01-27 16:37:47
      keygrip ....: AD296DDA5EB86005A83ABCCC57046D9E64007C10
Encryption key....: 047A 7B2F B0E9 6F07 F9C2  16DC B3D9 F87D 907D C8B1
      created ....: 2021-01-27 16:38:41
      keygrip ....: B0960250674C237FF7D7979C8871684392B84F9C
Authentication key: 8039 572F A015 0862 CB26  7A65 6D74 9968 B8E9 D1FE
      created ....: 2021-01-27 16:39:33
      keygrip ....: C9CAE2108556320815105E1D528B62D081965835
General key info..:
sub  rsa2048/FA66ABF3CFA3569C 2021-01-27 Kirill Elagin <kirelagin at gmail.com>
sec>  rsa4096/90D516249B728BE6  created: 2017-11-30  expires: never
                                card-no: 0006 05764872
ssb>  rsa2048/FA66ABF3CFA3569C  created: 2021-01-27  expires: 2022-01-01
                                card-no: 0006 11765956
ssb>  rsa2048/B3D9F87D907DC8B1  created: 2021-01-27  expires: 2022-01-01
                                card-no: 0006 11765956
ssb>  rsa2048/6D749968B8E9D1FE  created: 2021-01-27  expires: 2022-01-01
                                card-no: 0006 11765956
ssb>  rsa4096/85D128E1B30E1931  created: 2017-11-30  expires: never
                                card-no: 0006 05764872
ssb>  rsa4096/435BC889600C52F1  created: 2017-11-30  expires: never
                                card-no: 0006 05764872

gpg/card> unblock
gpg: OpenPGP card no. D2760001240103040006117659560000 detected
PIN changed.

gpg/card>
```

It says that the PIN was changed, however when I try to use the card
with the new PIN, it keeps saying that it’s wrong.

Note that the admin PIN is blocked (which, ugh, is a different story –
I got it blocked months ago during the initial setup and I was so
tired of that process that I decided not to start over). Also note
that the first and the second retry counters are different (I have no
idea why; I always assumed that gnupg was supposed to keep them in
sync). And also note that KDF is enabled (which, I think, might be
contributing to the issue – all my problems with e.g. the admin PIN
getting blocked started after I enabled KDF).

I’m pretty sure that at this point the easiest option is just to wipe
the card and start over, but, I thought, I would still give it a try,
so I’m looking for tips on how to debug this issue. And has anyone
seen anything like that before?

This all started with gnupg 2.2.23, I have now upgraded to 2.2.27 and
it’s still the same.

Cheers,
Kirill
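
As an added example (not part of the original post and not GnuPG code): the three numbers on the `PIN retry counter` line are the remaining tries for the user PIN, the Reset Code and the Admin PIN, in that order. The Python script below reads that line and the KDF setting from card status text like the output in the post and lists which ways of setting a new user PIN are still open; the function and constant names are made up for this illustration.

```python
import re

# Order of the three "PIN retry counter" values, following the OpenPGP card
# PW status bytes: user PIN (PW1), Reset Code, Admin PIN (PW3).
COUNTER_NAMES = ("user_pin", "reset_code", "admin_pin")

# Lines copied from the card status shown in the post above.
SAMPLE_STATUS = """\
Max. PIN lengths .: 127 127 127
PIN retry counter : 0 3 0
Signature counter : 3
KDF setting ......: on
"""


def parse_card_status(text):
    """Return (retry counters by name, KDF enabled?) from card status text."""
    retry = re.search(
        r"^PIN retry counter[ .]*:\s*(\d+)\s+(\d+)\s+(\d+)\s*$", text, re.M)
    if retry is None:
        raise ValueError("no 'PIN retry counter' line found")
    kdf = re.search(r"^KDF setting[ .]*:\s*(\w+)", text, re.M)
    counters = dict(zip(COUNTER_NAMES, map(int, retry.groups())))
    return counters, (kdf is not None and kdf.group(1) == "on")


def recovery_options(counters):
    """List the gpg --edit-card paths left for setting a new user PIN."""
    options = []
    if counters["user_pin"] > 0:
        options.append("passwd: change the PIN with the current user PIN")
    if counters["reset_code"] > 0:
        options.append("unblock: set a new user PIN with the Reset Code")
    if counters["admin_pin"] > 0:
        options.append("admin, passwd: unblock the user PIN with the Admin PIN")
    if not options:
        # Every counter is exhausted: only wiping the card remains.
        options.append("factory-reset: wipe the card and start over")
    return options


if __name__ == "__main__":
    counters, kdf_on = parse_card_status(SAMPLE_STATUS)
    print("counters:", counters, "| KDF enabled:", kdf_on)
    for option in recovery_options(counters):
        print(" -", option)
```

A Reset Code counter of 0 is also what a card reports when no Reset Code has ever been set, so a zero there does not by itself mean the code was entered wrongly.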


