HSM Key with GnuPG V 2.2 working?

On your website you are announcing under HSM->Applications->General that the HSM Key is supported since Version Gnu 2.1.

I have my doubts after spending my Sunday to get it up and running :frowning: - now saying that it could be that I make something wrong. While the card works very well under OpenSC with sm-hsm-tool, pkcs15-tool and pkcs11-tool , it doesn’t work with the openpgp-tool from OpenSC nor does it work with gpgv1/2. I always receive the answer the card doesn’t support OpenPGP.

Here is a log of the scdaemon:

2018-10-29 12:51:56 scdaemon[40080] DBG: chan_7 <- GETINFO version

2018-10-29 12:51:56 scdaemon[40080] DBG: chan_7 -> D 2.2.10

2018-10-29 12:51:56 scdaemon[40080] DBG: chan_7 -> OK

2018-10-29 12:51:56 scdaemon[40080] DBG: chan_7 <- SERIALNO openpgp

2018-10-29 12:51:56 scdaemon[40080] detected reader ‘Nitrokey Nitrokey HSM (010000000000000000000000) 00 00’

2018-10-29 12:51:56 scdaemon[40080] detected reader ‘’

2018-10-29 12:51:56 scdaemon[40080] reader slot 0: not connected

2018-10-29 12:51:57 scdaemon[40080] DBG: feature: code=12, len=4, v=42330012

2018-10-29 12:51:57 scdaemon[40080] DBG: TLV properties: tag=01, len=2, v=00000000

2018-10-29 12:51:57 scdaemon[40080] DBG: TLV properties: tag=03, len=1, v=00000000

2018-10-29 12:51:57 scdaemon[40080] DBG: TLV properties: tag=09, len=1, v=00000000

2018-10-29 12:51:57 scdaemon[40080] DBG: TLV properties: tag=0B, len=2, v=000020A0

2018-10-29 12:51:57 scdaemon[40080] DBG: TLV properties: tag=0C, len=2, v=00004230

2018-10-29 12:51:57 scdaemon[40080] DBG: TLV properties: tag=0A, len=4, v=00010000

2018-10-29 12:51:57 scdaemon[40080] reader slot 0: active protocol: T1

2018-10-29 12:51:57 scdaemon[40080] slot 0: ATR=3B FE 18 00 00 81 31 FE 45 80 31 81 54 48 53 4D 31 73 80 21 40 81 07 FA

2018-10-29 12:51:57 scdaemon[40080] DBG: pcsc_get_status_change: changed present inuse

2018-10-29 12:51:57 scdaemon[40080] DBG: send apdu: c=00 i=A4 p1=00 p2=0C lc=2 le=-1 em=0

2018-10-29 12:51:57 scdaemon[40080] DBG: PCSC_data: 00 A4 00 0C 02 3F 00

2018-10-29 12:51:57 scdaemon[40080] DBG: response: sw=6A86 datalen=0

2018-10-29 12:51:57 scdaemon[40080] can’t select application ‘openpgp’: Nicht unterstützt

2018-10-29 12:51:57 scdaemon[40080] DBG: chan_7 -> ERR 100696144 Operation not supported by device <SCD>

2018-10-29 12:51:57 scdaemon[40080] DBG: chan_7 <- RESTART

2018-10-29 12:51:57 scdaemon[40080] DBG: chan_7 -> OK

2018-10-29 12:51:57 gpg-agent[39839] Handhabungsroutine 0x801c17e00 für den fd 8 beendet

I was able to tell scdaemon not to use the internal ccid driver and also denied using the openpgp applications with the pcsc-driver ( as the driver should use sc-hsm-driver - which would be possible ) . Now it looks like pgp --card-status always wants the openpgp application and doesn’t leave the selection of the driver to scdaemon ?

Or I am lost in the wrong way inside the maze ?

PS: is it possible to simple change the card inside the HSM to a newer card ?
PS2: The above scenario works well with NK ProV1 - so I assume it is not my driver setup

Nitrokey HSM works with gpgsm from the GnuPG suite. Our documentation was misleading and I just fixed it. It doesn’t work with gpg directly neither with openpgp-tool.

Technically you could replace the smart card but we don’t support this and you would loose any warranty.

Hmm, I have my doubts that even
is working with that card: gpgsm --learn-card also fails ( is also using the gpg-agent and scdeamon and will only return something if scdaemon could use the internal ccid driver) either with a card is removed or with a continued reading of the card until you stop pcscd. I think the GnuGP usage with my current HSM is not possible and it is better to stay completely on the OpenSC side/sw.

Has the new HSM still the same old card ?

Hey,

I never found the time to test it myself, but a user wrote as a mail once and told us, that it is possible to use the HSM with this additional software and GnuPG. At least existing keys ought to be usable.

Kind regards

Thanks - I might try this. Problem with patching is, that it might be a “never-ending-story” during OS/Ports/Pkg upgrades ( You always have to remember that and do some extra work ). So a support out-of-the-box would of course be better. But if I don’t get my use-casess covered with OpenSC, I will give it a try. So thanks again for the information.

Is one requirement for the upcoming HSM v2 that it will be fully supported by GnuPG ?

No. The reason is that GnuPG project only wants to support the OpenPGP Card and no other smart card.

Oh, ok - thanks for the update ! As it works well with NK Pro, I don’t see this as an issue long-term. Looks also that OpenSC does support what I need with pkcs#11.