Bad pin in gpg not in Nitrokey app after changing pin

Greetings.
I just received a new Nitrokey Storage 2 and started to change PINs, import keys and personalize (name, URL) when I found out that after inputting the right PIN in gpg it didn't recognize it and wrote "Bad PIN…". Both the admin and the normal one. But right after first changing them it worked as intended for a while and recognized them. Only after ejecting the key and putting it back it didn't recognize it. When I had only one try left on the admin PIN I thought I would try the Nitrokey App. Went to change the admin PIN, wrote the same PIN as in gpg and changed it to the same PIN. It said OK and reset the PIN counter. The same with the normal PIN. So the Nitrokey App didn't have any problem.
So the problem is maybe in gpg?

Firmware: 0.54
App ver: 1.4.0
Using Linux OS (Manjaro).
gpg 2.2.18

Thanks for help.

PS: also tried using the tty pinentry. The same result.
PS2: also did 2 factory resets through gpg --card-edit and the problem remained.

Hi!

My guess is that GnuPG might use a different encoding for your PINs than Nitrokey App (UTF-8). Could you try with ASCII-only characters?

That was my guess too. But I always used only ASCII characters.
But maybe I found the problem. I didn't set up KDF this time and it's working. I read somewhere that KDF is hashing the PINs, so maybe gpg can't recognize it?

I am not sure; perhaps indeed this is something with GnuPG. Could you provide the exact steps for a local reproduction?
Nitrokey App is sending the PIN as-is to the smart card, without any mangling except providing it in UTF-8.

If you are interested in further debugging, I plan to set up a debug log for scdaemon, the GnuPG bridge to the smart card, and we should catch the problem there.

Yeah. It's KDF. As soon as I ran kdf-setup (gpg --card-edit > admin > kdf-setup) it stopped recognizing both PINs. Till then it worked fine. And the Nitrokey App still works fine as before (changing PINs, unlocking storage).
Some info about the gpg I have:
gpg-agent (GnuPG) 2.2.18
libgcrypt 1.8.5

So for reproduction I guess it's only the kdf-setup option that breaks it. But what I did was: first personalized (name, URL, lang), then I changed both PINs inside gpg with passwd. Later I put the S, E, A keys on the card with keytocard in gpg --edit-key mykey and still it worked fine. I could change things with the admin PIN and also used the command verify in gpg --card-edit, and it recognized my PIN perfectly. And after I did the kdf-setup the verify command didn't recognize the PIN; also the admin PIN was not recognized when I tried changing PINs in passwd again. But the Nitrokey App still worked.

Note: when I first connected the Nitrokey, KDF was already on.

Ok, thank you. Will try to reproduce this then on Monday.

cc @nitroalex

I can confirm here. I observed the same with my Nitrokey Pro 2. The command "kdf-setup" seems to break that. Changing the PIN via GPG fails, but works with Nitrokey App.

@szszszsz any news?

Adding one more report to the pile here. With a fresh Nitrokey, neither the default password nor the password I set with the app work for moving my PGP keys onto the device.

EDIT: my problem was a broken pinentry

Hi!

I am really sorry for the delay. Indeed, setting up KDF seems to break further authorization with GnuPG. The problem is that GnuPG is not changing the raw PINs to the new values according to the KDF.
The ticket is already registered: GnuPG#T3891. Once it does so properly, however, the Nitrokey App authorization will stop working, as it does not support KDF-based authorization at the moment.

Once the KDF is enabled, it seems that it is not possible to disable it in any other way than through a factory reset (gpg2 --card-edit -> admin -> factory-reset).
I am waiting for my account's approval there, then I will ask about the current state of this usage, and whether it is in the plans to fix it.

As a workaround for KDF usage, perhaps the following script could be extended to set the new values for the PINs. What it seems to do is set the KDF exactly as GnuPG is doing right now (this was a proof-of-concept implementation). Adding a PIN change would complete it.
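As an added illustration of the mismatch described in the two posts above (this is not code from the thread, from Nitrokey App or from GnuPG): the iterated+salted S2K that OpenPGP card 3.x applies to PINs once a KDF-DO is stored, and the layout of that KDF-DO. The salts, the iteration count and the use of the card's default PINs for the initial-hash fields are assumptions; the point is that the raw UTF-8 PIN the App sends and the 32-byte digest a KDF-enabled card expects are different byte strings.

```python
"""OpenPGP card KDF (iterated+salted S2K, RFC 4880 3.7.1.3) applied to a PIN.

Constructed example. With no KDF-DO the card receives the PIN bytes as typed;
with a KDF-DO it receives the SHA-256 S2K digest instead.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

KDF_ITERSALTED_S2K = 0x03   # KDF-DO tag 0x81: algorithm id
HASH_SHA256 = 0x08          # KDF-DO tag 0x82: OpenPGP hash id for SHA-256


def s2k_iterated_salted(pin: str, salt: bytes, count: int) -> bytes:
    """Hash `count` bytes of repeated salt||pin, but never less than one copy."""
    data = salt + pin.encode("utf-8")
    total = max(count, len(data))
    full, rem = divmod(total, len(data))
    h = hashlib.sha256()
    for _ in range(full):
        h.update(data)
    h.update(data[:rem])
    return h.digest()


@dataclass(frozen=True)
class KdfParams:
    count: int          # iteration count, tag 0x83 (constructed value below)
    salt_pw1: bytes     # user PIN salt, tag 0x84
    salt_rc: bytes      # reset code salt, tag 0x85
    salt_pw3: bytes     # admin PIN salt, tag 0x86


def presented_pin(pin: str, kdf: Optional[KdfParams], admin: bool = False) -> bytes:
    """Bytes carried by VERIFY/CHANGE REFERENCE DATA: raw UTF-8 or S2K digest."""
    if kdf is None:
        return pin.encode("utf-8")          # what Nitrokey App sends today
    salt = kdf.salt_pw3 if admin else kdf.salt_pw1
    return s2k_iterated_salted(pin, salt, kdf.count)


def _tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128, "short-form length only"
    return bytes([tag, len(value)]) + value


def build_kdf_do(kdf: KdfParams, user_pin: str = "123456", admin_pin: str = "12345678") -> bytes:
    """KDF-DO body (tag 0xF9); 0x87/0x88 hold the S2K of the *current* PINs."""
    return (_tlv(0x81, bytes([KDF_ITERSALTED_S2K])) + _tlv(0x82, bytes([HASH_SHA256]))
            + _tlv(0x83, kdf.count.to_bytes(4, "big"))
            + _tlv(0x84, kdf.salt_pw1) + _tlv(0x85, kdf.salt_rc) + _tlv(0x86, kdf.salt_pw3)
            + _tlv(0x87, presented_pin(user_pin, kdf))
            + _tlv(0x88, presented_pin(admin_pin, kdf, admin=True)))
```

After kdf-setup the card compares against the 0x87/0x88 digests, so a client that keeps sending `presented_pin(pin, None)` (6 raw bytes for "123456") cannot match the 32-byte value the card now expects.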

Please open a new thread for your question as it does not seem to be related.