New Nitrokey Pro: Bad PIN

Hello,

I’ve recently bought a Nitrokey Pro stick and generated a new keypair:

  • Primary key [certify only]
  • Sub key [encrypt only]
  • Sub key [sign only]
  • Sub key [auth only]

I wanted to keep the primary key completely offline, so I only transferred the three subkeys to the Nitrokey.

I have some weird issues that I can’t figure out by myself:

  • If I try to encrypt a file with gpg -r my-mail@domain.tld -e test.txt, this works but it doesn’t prompt me for a password… I already restarted pc/gpg-agent so it shouldn’t be in the cache?

  • If I try to encrypt+sign a file with gpg -r my-mail@domain.tld -se test.txt I get this message:

gpg: 0xXXXXXXXXXXXXXXXX: Es gibt keine Garantie, daß dieser Schlüssel wirklich dem angegebenen Besitzer gehört.

Haupt-Fingerabdruck  = XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX
Unter-Fingerabdruck  = XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX

Es ist NICHT sicher, daß der Schlüssel zu dem in der User-ID
Genannten gehört. Wenn Sie *wirklich* wissen, was Sie tun,
können Sie die nächste Frage mit ja beantworten

Diesen Schlüssel trotzdem benutzen? (j/N) j

and then it fails with gpg: test.txt: sign+encrypt failed: No pinentry. (I have pinentry installed and set in gpg-agent.conf - see my config files below)

  • If I try to ssh I’ll get sign_and_send_pubkey: signing failed: agent refused operation.

Here are my config files:

# ~/.bashrc

# GnuPG directory
[ ! -d ~/.config/gnupg ] && mkdir -p ~/.config/gnupg && chmod 700 ~/.config/gnupg
export GNUPGHOME="$HOME/.config/gnupg"

# GnuPG SSH Auth
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
   export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi

# ~/.config/gnupg/gpg.conf
use-agent

# ~/.config/gnupg/gpg-agent.conf
enable-ssh-support

I already tried to add pinentry-program /usr/bin/pinentry-qt or .../pinentry-curses to my gpg-agent.conf but this doesn’t work either.

I used a Nitrokey Storage before. There I also had the primary key (certify+sign) on the card. Everything worked fine with this key… but now it is also not working anymore.

Before I had pinentry-qt and pinentry-curses installed. Now I’ve installed pinentry-gtk2 too and it does prompt for a password. Or, better said, it asks for the PIN of the smartcard.

I’ve entered the PIN and get: gpg: test.txt: sign+encrypt failed: Bad PIN

I tried several times and also reset the user PIN twice with the Nitrokey-App. I definitely entered the correct PIN…

Hm… actually this was the issue:

Did a factory reset and now it is working…
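As an added example, not part of the original post and not code from Nitrokey or GnuPG: a small offline check of a gpg-agent.conf for the two settings the setup above depends on. gpg reports "No pinentry" when gpg-agent cannot start the pinentry it was configured with, so the check verifies that a configured pinentry-program path is an executable file; it also verifies that enable-ssh-support is present, which the SSH_AUTH_SOCK redirection in ~/.bashrc relies on. The config files and the fake-pinentry stand-in are constructed samples written to a scratch directory, not the poster's real files.

```shell
#!/bin/sh
# Added example (not from the original post): offline sanity check of a
# gpg-agent.conf for enable-ssh-support and a usable pinentry-program.

# Print the pinentry-program value from config file $1 (nothing if unset).
pinentry_program() {
    sed -n 's/^[[:space:]]*pinentry-program[[:space:]][[:space:]]*//p' "$1" | head -n 1
}

# Succeed if enable-ssh-support is set in config file $1.
ssh_support_enabled() {
    grep -q '^[[:space:]]*enable-ssh-support[[:space:]]*$' "$1"
}

# Check config file $1; print findings and return the number of problems.
check_agent_conf() {
    conf=$1
    problems=0
    if ssh_support_enabled "$conf"; then
        echo "ok: enable-ssh-support is set"
    else
        echo "problem: enable-ssh-support missing, gpg-agent will not answer ssh"
        problems=$((problems + 1))
    fi
    pe=$(pinentry_program "$conf")
    if [ -z "$pe" ]; then
        echo "note: no pinentry-program set, gpg-agent uses its compiled-in default"
    elif [ -x "$pe" ] && [ ! -d "$pe" ]; then
        echo "ok: pinentry-program $pe is executable"
    else
        echo "problem: pinentry-program $pe is not an executable file (expect 'No pinentry')"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample configs in a scratch directory (not real files of the poster).
scratch=$(mktemp -d)
printf '#!/bin/sh\nexit 0\n' > "$scratch/fake-pinentry"   # stand-in for a real pinentry binary
chmod 755 "$scratch/fake-pinentry"
printf 'enable-ssh-support\npinentry-program %s\n' "$scratch/fake-pinentry" > "$scratch/agent-good.conf"
printf 'enable-ssh-support\npinentry-program /usr/bin/pinentry-does-not-exist\n' > "$scratch/agent-bad-pinentry.conf"
printf 'pinentry-program %s\n' "$scratch/fake-pinentry" > "$scratch/agent-no-ssh.conf"

for f in agent-good.conf agent-bad-pinentry.conf agent-no-ssh.conf; do
    echo "== $f"
    check_agent_conf "$scratch/$f" || echo "   $? problem(s) found"
done
```

To run it against a real setup, call check_agent_conf on "$(gpgconf --list-dirs homedir)/gpg-agent.conf" instead of the samples; gpg-agent only rereads the file after `gpgconf --kill gpg-agent` or `gpgconf --reload gpg-agent`, so a config fix alone does not change the running agent.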