Can't update /boot/ checksums nitrokey pro + diy nitropad

I’ve been using a Nitrokey Pro with the Heads version from the Nitrokey repos (v1.3.1) on an x230 for a while now.
The Nitrokey still confirms the integrity of the TPM and I can access the GPG card in the recovery shell.
However, when I try to update the boot partition checksums and confirm the presence of the Nitrokey,
I get the following error message:

61998411: 00ebaddecaf000005ac
gpg: no default secret key: No secret key
gpg: signing failed: No secret key
gpg: no default secret key: No secret key
gpg: signing failed: No secret key
gpg: no default secret key: No secret key
gpg: signing failed: No secret key
/boot: Unable to sign kexec hashes
Failed to sign default config; press Enter to continue.

Does anyone know what the problem could be?

Hi @Discordia !
It looks to me like the stub for the private key got removed. Can you run gpg --card-status and describe or take a photo of the output?

Honestly not sure what you can do with it, so I just removed the stuff that was described as some kind of key.

Reader …: 20A0:4108:00000000000xxxxxx:0
Application ID …: D2760001240xxxxxx
Application type .: OpenPGP
Version …: 3.3
Manufacturer …: ZeitControl
Serial number …: xxxxxx
Name of cardholder: [not set]
Language prefs …: de
Salutation …:
URL of public key : [not set]
Login data …: [not set]
Signature PIN …: not forced
Key attributes …: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 3
Signature counter : 15
KDF setting …: off
Signature key …: [redacted]
created …: 2020-11-12 16:18:24
Encryption key…: [redacted]
created …: 2020-11-12 16:18:24
Authentication key: [redacted]
created …: 2020-11-12 16:18:24
General key info…: pub rsa2048/A7FCE51B5D5A3A76 2020-11-12 Discordia (alias: xxxxxx)
sec> rsa2048/A7FCE51B5D5A3A76 created: 2020-11-12 expires: 2021-05-11
card-no: 0005 0000xxxxxx
ssb> rsa2048/54B0A5A55F908A3B created: 2020-11-12 expires: 2021-05-11
card-no: 0005 0000xxxxxx
ssb> rsa2048/33925FBBBD090F18 created: 2020-11-12 expires: 2021-05-11
card-no: 0005 0000xxxxxx

Thank you. It looks like I have found the cause:

expires: 2021-05-11

GPG claims it cannot find any usable key. The key on the Nitrokey expired almost a month ago, so most probably it is not taken into account.

You need to:

Scenario A

  1. Extend your key for a further period using GnuPG on any available moderately safe setup (ideally in the recovery console of the Nitropad)
  2. Export the public key with updated metadata to a USB drive
  3. Import the public key into Heads on the Nitropad

Scenario B

(only in case you do not care about the PGP key stored on the Nitrokey and its other content)

  1. Run a Factory Reset in Heads

Let me ask my colleague for elaboration.
@simon: Can you provide the exact guide?
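
A check for the condition diagnosed above, as an added example that is not part of the original posts or of Heads: it reads `gpg --list-keys --with-colons` output and lists the primary keys and subkeys that are expired. The function names and the sample listing are constructed for illustration; the key IDs are the ones shown in the thread, and the timestamps are derived from the thread's dates assuming UTC.

```shell
#!/bin/sh
# Added example: find keys GnuPG will not sign with because they are expired.
# Input is `gpg --list-keys --with-colons` output (see GnuPG doc/DETAILS):
#   field 1 = record type (pub/sub), field 2 = validity ("e" = expired),
#   field 5 = key ID, field 7 = expiry in epoch seconds (empty = no expiry).

# expired_keys NOW_EPOCH
# Reads a colon listing on stdin, prints "TYPE KEYID EXPIRY" per expired key.
# The timestamp is compared against NOW_EPOCH as well as the validity flag,
# so a wrong system clock (which decides the "e" flag) does not hide expiry.
expired_keys() {
    awk -F: -v now="$1" '
        ($1 == "pub" || $1 == "sub") {
            expiry = $7
            if ($2 == "e" || (expiry != "" && expiry + 0 <= now + 0))
                print $1, $5, expiry
        }'
}

# Constructed sample listing (not captured output). Created 2020-11-12
# 16:18:24 = 1605197904, expiry 180 days later = 1620749904 (2021-05-11).
# The uid record is simplified; it only shows that non-key records are skipped.
sample_listing() {
    cat <<'EOF'
pub:e:2048:1:A7FCE51B5D5A3A76:1605197904:1620749904::u:::scESC:
uid:e::::1605197904::::Discordia:
sub:e:2048:1:54B0A5A55F908A3B:1605197904:1620749904:::::e:
sub:e:2048:1:33925FBBBD090F18:1605197904:1620749904:::::a:
EOF
}

# Demo on the sample, evaluated at 1623000000 (early June 2021).
sample_listing | expired_keys 1623000000

# Against a real keyring (run where gpg and the public key are available):
#   gpg --list-keys --with-colons | expired_keys "$(date +%s)"
```

Any line printed means the key's expiry has to be extended and the updated public key re-imported before signing can succeed.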


Thank you,
it works now.
I thought I had already extended the expiration date, but apparently I have not.