In the guide there is a step to Set attributes before transferring subkeys.
It is not mentioned why one would want to do this, but I have discovered that if you don't do it the first transfer of a subkey will fail with Bad PIN.
The output from gpg looks like:

```
[GNUPG:] KEY_CONSIDERED 1E3B99CEDC2F927B19BA9742933A8A2EA0C63373 0
Secret key is available.
sec rsa4096/0x933A8A2EA0C63373
created: 2024-10-07 expires: never usage: C
trust: ultimate validity: ultimate
ssb ed25519/0x66C92C3A3DAB0DE9
created: 2024-10-07 expires: 2026-10-07 usage: S
ssb cv25519/0x184881132871E1A4
created: 2024-10-07 expires: 2026-10-07 usage: E
ssb ed25519/0x4164F614690501D0
created: 2024-10-07 expires: 2026-10-07 usage: A
[ultimate] (1). John Doe <[email protected]>
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
sec rsa4096/0x933A8A2EA0C63373
created: 2024-10-07 expires: never usage: C
trust: ultimate validity: ultimate
ssb* ed25519/0x66C92C3A3DAB0DE9
created: 2024-10-07 expires: 2026-10-07 usage: S
ssb cv25519/0x184881132871E1A4
created: 2024-10-07 expires: 2026-10-07 usage: E
ssb ed25519/0x4164F614690501D0
created: 2024-10-07 expires: 2026-10-07 usage: A
[ultimate] (1). John Doe <[email protected]>
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
[GNUPG:] CARDCTRL 3 D2760001240103040006120603330000
Please select where to store the key:
(1) Signature key
(3) Authentication key
[GNUPG:] GET_LINE cardedit.genkeys.storekeytype
[GNUPG:] GOT_IT
[GNUPG:] INQUIRE_MAXLEN 100
[GNUPG:] GET_HIDDEN passphrase.enter
[GNUPG:] GOT_IT
[GNUPG:] INQUIRE_MAXLEN 100
[GNUPG:] GET_HIDDEN passphrase.enter
[GNUPG:] GOT_IT
[GNUPG:] INQUIRE_MAXLEN 100
[GNUPG:] GET_HIDDEN passphrase.enter
[GNUPG:] GOT_IT
[GNUPG:] SC_OP_FAILURE 2
gpg: KEYTOCARD failed: Bad PIN
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
```
If I use the instructions for setting the values for login then this doesn't happen. Even stranger is the fact that if I try to set the attribute for name instead, then that command fails with Bad PIN:

```
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240103040006120603330000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 12345678
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: ed25519 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 9 9 9
Signature counter : 0
KDF setting ......: on
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
Admin commands are allowed
gpg: error setting Name: Bad PIN
```
To clarify.
Running the gpg --edit-card command to set the login attribute before running --edit-key and keytocard makes everything work. Without setting the login attribute it will fail with Bad PIN, and trying to set the name attribute instead of the login attribute will not work since that also gives Bad PIN.
I can also get transferring the subkey to work without first setting the login attribute, if I accept that the first try will fail and just re-run the command once again.
I understand that this is magic that you are not responsible for, but thought it would be nice to mention.
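The report above says the first keytocard fails with Bad PIN and that simply re-running it succeeds. Before blindly re-running, a practitioner would want to confirm from the status output that this is the reported KEYTOCARD failure and, from `gpg --card-status`, that the PIN retry counters still have headroom. The following is an added example of that check, not code from the guide or from gpg; the sample lines are constructed from the output quoted in the issue, and the `min_retries` threshold is an arbitrary assumption.

```python
import re

# Constructed sample of the --status-fd lines quoted in the issue (trimmed).
STATUS_SAMPLE = """[GNUPG:] CARDCTRL 3 D2760001240103040006120603330000
[GNUPG:] GET_HIDDEN passphrase.enter
[GNUPG:] GOT_IT
[GNUPG:] SC_OP_FAILURE 2
gpg: KEYTOCARD failed: Bad PIN
[GNUPG:] GET_LINE keyedit.prompt
"""

# Constructed sample of the relevant gpg --card-status lines.
CARD_STATUS_SAMPLE = """Login data .......: [not set]
PIN retry counter : 9 9 9
Signature key ....: [none]
"""

def keytocard_failed(status_output: str) -> bool:
    """True when an SC_OP_FAILURE status line is followed by a KEYTOCARD error."""
    saw_failure = False
    for line in status_output.splitlines():
        if line.startswith("[GNUPG:] SC_OP_FAILURE"):
            saw_failure = True
        elif saw_failure and "KEYTOCARD failed" in line:
            return True
    return False

def retry_counters(card_status: str) -> tuple:
    """Parse 'PIN retry counter : a b c' (user PIN, reset code, admin PIN)."""
    m = re.search(r"^PIN retry counter\s*:\s*(\d+)\s+(\d+)\s+(\d+)", card_status, re.M)
    if not m:
        raise ValueError("no PIN retry counter line found")
    return tuple(int(x) for x in m.groups())

def login_data_set(card_status: str) -> bool:
    """True when the 'Login data' attribute the issue recommends setting is present."""
    m = re.search(r"^Login data\s*\.*:\s*(.*)$", card_status, re.M)
    return bool(m) and m.group(1).strip() != "[not set]"

def safe_to_retry(status_output: str, card_status: str, min_retries: int = 2) -> bool:
    """Retry only for the reported KEYTOCARD failure and only while every counter has headroom.
    min_retries is an assumed threshold, not a gpg or YubiKey value."""
    if not keytocard_failed(status_output):
        return False
    return all(c >= min_retries for c in retry_counters(card_status))
```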
I'm using