Is there any update on PIV support for Nitrokey 3?
It seems to be available only in the test versions of the firmware which Nitrokey recommends not using in production.
I’m at the point where I need to use PKCS #11 for OpenSSH since there are issues with gpg-agent support for ssh. I know FIDO is an alternative but I prefer not to use this.
I’m not sure what the full PIV status is specifically, but I’ve successfully used pkcs15-init to both generate and load private keys and pkcs11-util to sign and verify messages on a Nitro 3A.
Interesting, what issues with gpg-agent are you having?
I’m also not too happy about the gpg-agent support, as it usually works fine after plugging the Nitrokey in, but some time later (maybe an hour or so?) it will stop working. Using PKCS11 instead might be a workaround, but I would also like to see the gpg-agent problem fixed.
In contrast, my older Nitrokey Pro 2 has no trouble with gpg-agent and works fine no matter how long it is in use.
This is a known issue [1] that I’ve reported to Nitrokey [2]. The main issue seems to be that the ssh protocol defines a data size that is too large to be signed with a smartcard.
gpg and gpg-agent have been reliable for many years. It’s only with the introduction of new features by openssh that this issue has come up. I would much prefer to stick with OpenPGP.