Hello,
I’ve recently bought a Nitrokey Pro stick and generated a new keypair:
- Primary key [certify only]
- Sub key [encrypt only]
- Sub key [sign only]
- Sub key [auth only]
I wanted to keep the primary key completely offline, so I only transferred the three subkeys to the Nitrokey.
I have some weird issues that I can’t figure out by myself:
- If I try to encrypt a file with
  gpg -r my-mail@domain.tld -e test.txt
  this works but it doesn’t prompt me for a password… I already restarted pc/gpg-agent so it shouldn’t be in the cache?
- If I try to encrypt+sign a file with
  gpg -r my-mail@domain.tld -se test.txt
  I get this message:
  gpg: 0xXXXXXXXXXXXXXXXX: Es gibt keine Garantie, daß dieser Schlüssel wirklich dem angegebenen Besitzer gehört.
  Haupt-Fingerabdruck = XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
  Unter-Fingerabdruck = XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
  Es ist NICHT sicher, daß der Schlüssel zu dem in der User-ID
  Genannten gehört. Wenn Sie *wirklich* wissen, was Sie tun,
  können Sie die nächste Frage mit ja beantworten
  Diesen Schlüssel trotzdem benutzen? (j/N) j
  and then it fails with
  gpg: test.txt: sign+encrypt failed: No pinentry
  (I have pinentry installed and set in gpg-agent.conf - see my config files below.)
- If I try to ssh I’ll get
  sign_and_send_pubkey: signing failed: agent refused operation
Here are my config files:

# ~/.bashrc
# GnuPG directory
[ ! -d ~/.config/gnupg ] && mkdir -p ~/.config/gnupg && chmod 700 ~/.config/gnupg
export GNUPGHOME="$HOME/.config/gnupg"
# GnuPG SSH Auth
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi

# ~/.config/gnupg/gpg.conf
use-agent

# ~/.config/gnupg/gpg-agent.conf
enable-ssh-support
I already tried to add pinentry-program /usr/bin/pinentry-qt or .../pinentry-curses to my gpg-agent.conf, but this doesn’t work either.
I used a Nitrokey Storage before. There I also had the primary key (certify+sign) on the card. Everything worked fine with this key… but now it is also not working anymore.
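A small diagnostic script, added here as an example and not part of the post above, that checks the parts of this setup the "No pinentry" and "agent refused operation" errors tend to point at: the pinentry-program line in gpg-agent.conf, the mode of the GNUPGHOME directory, and whether SSH_AUTH_SOCK matches gpgconf's agent-ssh-socket. The function names and the --run flag are my own; gpgconf and gpg are only called if present.

```shell
#!/bin/sh
# Diagnostic helpers for a gpg-agent + smartcard (Nitrokey) setup.
# Example code, not from the forum post; function names are made up here.

# Print the pinentry-program configured in a gpg-agent.conf (last one wins),
# or nothing if the option is absent or the file is unreadable.
configured_pinentry() {
  conf="$1"
  [ -r "$conf" ] || return 0
  awk '$1 == "pinentry-program" { print $2 }' "$conf" | tail -n 1
}

# "ok" if the configured pinentry exists and is executable, "missing" if
# nothing is configured (gpg-agent then relies on its build-time default),
# "not-executable" if the path is set but unusable.
check_pinentry() {
  prog="$(configured_pinentry "$1")"
  if [ -z "$prog" ]; then echo missing
  elif [ -x "$prog" ]; then echo ok
  else echo not-executable
  fi
}

# GnuPG warns about and may refuse an unsafe home directory: expect mode 700.
check_home_mode() {
  mode="$(stat -c %a "$1" 2>/dev/null || echo unknown)"
  [ "$mode" = "700" ] && echo ok || echo "mode-$mode"
}

# ssh only talks to gpg-agent if SSH_AUTH_SOCK is the agent's ssh socket.
check_ssh_socket() {
  expected="$1"; actual="$2"
  [ -n "$actual" ] && [ "$actual" = "$expected" ] && echo ok || echo mismatch
}

run_all() {
  home="${GNUPGHOME:-$HOME/.gnupg}"
  echo "GNUPGHOME:  $home ($(check_home_mode "$home"))"
  echo "pinentry:   $(check_pinentry "$home/gpg-agent.conf")"
  if command -v gpgconf >/dev/null 2>&1; then
    sock="$(gpgconf --list-dirs agent-ssh-socket)"
    echo "ssh socket: $(check_ssh_socket "$sock" "${SSH_AUTH_SOCK:-}")"
    gpgconf --check-programs 2>/dev/null | grep -i pinentry || true
  fi
  # --card-status shows whether the agent sees the reader and the subkeys.
  command -v gpg >/dev/null 2>&1 && gpg --card-status 2>&1 | head -n 12 || true
}

case "${1:-}" in --run) run_all ;; esac
```

Run it as `sh diag.sh --run` from the same shell in which ssh fails, so it sees the same GNUPGHOME and SSH_AUTH_SOCK.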