Nitrokey Pro 2 is not compatible with GPG4Win on Windows 10

Hello,

I just purchased two Nitrokey Pro 2 devices for signing and encrypting with the Kleopatra tool on Windows 10 Enterprise. I have one physical PC (Windows version 1903) and one virtual PC (Windows version 1909).
I installed GPG4Win from https://www.gpg4win.org (I am a new user in this forum, cannot add links, sorry), version 3.1.11.
I started with changing PINs according to https://www.nitrokey.com/documentation/installation#p:nitrokey-pro&os:windows
I succeeded on the physical PC, but on the virtual PC the Nitrokey App did not recognize the USB device.

The next step was generating the keys. I chose the simplest option with GPA:
https://www.nitrokey.com/documentation/openpgp-create-simple
On the physical PC, GPA never found the smart card device; it just showed: “Checking the card…” and “Error accessing the card.”
On the virtual PC I sometimes got the smart card visible in GPA. It seemed that the trick was to execute from “cmd.exe”: “certutil -scinfo”. At first, “certutil” shows “SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED”, but the second time of running the same command it shows “SCARD_STATE_PRESENT”. It seems that it enters sleep mode very easily. However, if the state is “SCARD_STATE_PRESENT”, then GPA is able to show the device, but only on the virtual PC.
GPA shows the following info about the device:

Serial number 00007E19
Card version: 3.3 (RSA-68222423)
Manufacturer: ZeitControl

I followed the instructions for generating new keys. It asked for the admin PIN several times and the user PIN once and then showed an error message “The GPGME library returned an unexpected error at gpagenkeycardop.c:218. The error was: Card error” and in the details it states: “[GPA 0.10.0, GPGME 1.14.0-beta36, GnuPG 2.2.19] gpg: AllowSetForegroundWindow(13976) failed: Access is denied.”.
Now “certutil -scinfo” prints “SCARD_STATE_PRESENT | SCARD_STATE_EXCLUSIVE | SCARD_STATE_INUSE”. If GPA has initiated this status, then I am also able to see the smart card in the Kleopatra tool. Otherwise, it did not recognize the smart card. In the Kleopatra tool I was able to change the PINs and the “CardHolder” field, but “Generate new Keys” still failed, with the message: “general error”. By the way, it shows a different serial number in Kleopatra: “000500007E19”.

Now, having failed with everything above, I took another instruction from the Nitrokey help:
https://www.nitrokey.com/documentation/openpgp-create-on-device
The instruction assumes that “gpg2.exe” is part of GPG4Win, but it is NOT! I installed Cygwin to get the latest package.

$ gpg2 --version
gpg (GnuPG) 2.2.21-unknown
libgcrypt 1.8.2

Ran the command according to the instruction:

$ gpg2 --card-edit
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
gpg/card>

Since I had Git Bash installed, I also tried MinGW version of “gpg” - that returned exactly the same, both on physical and virtual PC.

From this point, all the options to generate keys were tried out and all of them failed.

The marketing paper states that it works with Windows, but at the same time it does not specify any particular version:
https://www.nitrokey.com/files/doc/Nitrokey_Pro_factsheet.pdf
Is my current conclusion true that it does not work on Windows 10 and it is not supposed to be working on the latest Windows operating system?
Is there any chance that the support for Windows 10 and the latest GPG4Win will be added soon?
Or am I just missing something simple that makes it all work?

Not all virtualization software handles this well. Some pass only the HID interface, while others CCID. Just checked on Linux/KVM and it works.

Could you check on Windows 10 2004? Just confirmed it is working there. It was working on previous versions too. Perhaps virtualization software has made a mess in your configuration somehow (e.g. got the device’s interfaces locked)?

Indeed, it looks like the gpg2.exe binary is not available with Kleopatra.

This might have been the result of another application's running service, e.g. Kleopatra's. The way this was designed is that only one tool can have access at once, thus blocking others from connecting. Therefore, in case any others were run before, one has to make sure these were closed properly along with their services (e.g. scdaemon.exe is not running anywhere).
Another option here is that the scdaemon package has to be downloaded separately at times, as it is not always (originally not) distributed with GnuPG.

For what it's worth, it works on my installation.

Let’s focus on making it work through GPA. Could you remove all other software installed extra, switch off VM and try again?

My physical PC has a built-in smart card reader. I disabled the corresponding driver in the Device Manager. Now Kleopatra sees the Nitrokey.
I found “gpg.exe” in “C:\Users\[username]\AppData\Local\GnuPG\bin”, possibly came with GPG4Win (not sure where that came from). Now that one also shows the Nitrokey. But “gpg2.exe” in Cygwin does not. “gpg.exe” in Cygwin works, “gpg.exe” in MinGW does not work.
Is there a principal difference between “gpg.exe” and “gpg2.exe”? Could I just use “gpg.exe” in the GnuPG folder that seems to work now?

>gpg --version
gpg (GnuPG) 2.2.19
libgcrypt 1.8.5

$ gpg2 --version
gpg (GnuPG) 2.2.21-unknown
libgcrypt 1.8.2

Good idea with disabling the integrated smart card reader. Is it not possible to select it in the GUI though?

In the past, gpg was the old-version binary left for compatibility reasons, and gpg2 was for the modern release, but recently this decision was reverted, and gpg is the only valid name. As long as the version is over 2.2.15 it should be good.
About why one is working and the other not, this might be either due to a missing scdaemon or the smart card access being locked by another process.

Now I was able to generate 4096-bit keys with Kleopatra. The first time it failed in a similar manner: asked for the Admin PIN 3 times and then the User PIN once and then finished with “general error”. The second time it asked for the Admin PIN once and then started to run. Even though I marked “no backup”, it still exported some key. In the first minute of key generation, a Windows message about the Nitrokey device being disconnected appeared repeatedly; it looked like there was an error in the electronics, but probably not, because the key generation actually succeeded. I had the Nitrokey App open at the time of key generation; it showed a couple of fatal errors and then disappeared.

Could you try with Nitrokey App closed?

Now I got everything to work for my specific application. I was able to generate keys initiated from the physical PC and use the Nitrokey Pro on my virtual machine with Kleopatra for signing, signature checking, encrypting, and decrypting.

Main points that I learned:

  1. Check if you have other smart cards in your system. Remove all of them, either physically or by disabling the corresponding drivers (from the Device Manager) for the time you use the Nitrokey Pro. You can see the list of smart cards connected to your system by executing “certutil -scinfo”.
  2. Try to keep the Nitrokey App closed whenever using Kleopatra, GPA and “gpg.exe”.
  3. When connecting to a virtual machine, VMware offers two devices to connect: “Clay Logic Nitrokey Pro” and “Shared Nitrokey Nitrokey Pro 0”. Always connect to “Clay Logic Nitrokey Pro”! Otherwise, some functions do not work properly. Before connecting to a virtual machine, physically remove the device from the USB port and attach it again (to reset the device status properly).
  4. Use “gpg.exe” from the GPG4Win package. Depending on how you installed GPG4Win (for one or all users), it might be located either in “C:\Users\[username]\AppData\Local\GnuPG\bin” or in “C:\Program Files (x86)\GnuPG\bin”. The PATH is already set by the installer; “gpg.exe” is usable from “cmd.exe” directly. The latest “gpg.exe” is as good as “gpg2.exe”: you can use the same commands with “gpg.exe” as shown in the documentation for “gpg2.exe”.
  5. In Kleopatra you can choose the key length, in GPA you cannot (fixed to 2048 bits). Therefore, Kleopatra is the better application for initiating key generation on the Nitrokey device.

The topic can be closed. Conclusion: Nitrokey Pro 2 is compatible with GPG4Win and Windows 10. You just have to know the special tricks in order to not get overloaded with various error messages. The only thing that I think requires a fix right away, is the documentation. But there are also many SW improvements that could be done for increasing the stability.

Thank you, @szszszsz, for the super-quick response!

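The pre-flight checks from points 1, 2 and 4 of the post above, plus szszszsz's remark about only one tool holding the card at a time, collected into one script. This is an added example and not code from the thread or from Nitrokey; it assumes (not stated in the thread) that the Nitrokey App's process is named "nitrokey-app", that the Windows PnP device class for readers is "SmartCardReader", and that Gpg4win is installed per-machine under "C:\Program Files (x86)\GnuPG\bin" (the per-user path from point 4 is tried as a fallback). Run it from an elevated PowerShell prompt with the Nitrokey plugged in.

```powershell
# Added example (not from the original thread): pre-flight checks before using a
# Nitrokey Pro 2 with Gpg4win on Windows 10. Assumptions are marked below.

# Point 4: locate gpg.exe from the Gpg4win package (there is no gpg2.exe in it).
$candidates = @(
    'C:\Program Files (x86)\GnuPG\bin\gpg.exe',             # per-machine install
    (Join-Path $env:LOCALAPPDATA 'GnuPG\bin\gpg.exe')         # per-user install
)
$gpg = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $gpg) { throw 'gpg.exe from Gpg4win not found; check the install location.' }
$gpgconf = Join-Path (Split-Path $gpg) 'gpgconf.exe'
& $gpg --version | Select-Object -First 1      # expect a 2.2.x line, e.g. "gpg (GnuPG) 2.2.19"

# Point 1: enumerate smart-card readers. Anything besides the Nitrokey (such as a
# built-in reader) should be disabled while the Nitrokey is in use.
# Assumption: the PnP device class for readers is "SmartCardReader".
Write-Host "`n== Smart-card readers (PnP) =="
$readers = Get-PnpDevice -Class SmartCardReader -ErrorAction SilentlyContinue
$readers | Format-Table FriendlyName, Status, InstanceId -AutoSize
$others = $readers | Where-Object { $_.FriendlyName -notmatch 'Nitrokey' -and $_.Status -eq 'OK' }
foreach ($r in $others) {
    Write-Warning "Extra reader enabled: $($r.FriendlyName). Disable it for the session with:"
    Write-Warning "  Disable-PnpDevice -InstanceId '$($r.InstanceId)' -Confirm:`$false"
}

# Point 1 (continued): what the Smart Card Resource Manager reports. The thread saw
# SCARD_STATE_UNPOWERED on the first run and SCARD_STATE_PRESENT on the second, so
# the query is made twice. EXCLUSIVE | INUSE means some process (GPA, Kleopatra,
# scdaemon) currently holds the card.
Write-Host "`n== certutil -scinfo =="
1..2 | ForEach-Object {
    $state = & certutil.exe -scinfo 2>&1 | Select-String 'SCARD_STATE' |
             ForEach-Object { $_.Line.Trim() }
    Write-Host "run ${_}: $($state -join '; ')"
}

# Point 2: the Nitrokey App must be closed, otherwise it competes for the card.
# Assumption: the process is named "nitrokey-app".
$app = Get-Process -Name 'nitrokey-app' -ErrorAction SilentlyContinue
if ($app) {
    Write-Warning 'Nitrokey App is running; closing it.'
    $app | Stop-Process -Force
}

# Only one tool may talk to the card at a time, so restart the GnuPG daemons in
# case a stale scdaemon still holds the card from an earlier GPA/Kleopatra run.
& $gpgconf --kill scdaemon
& $gpgconf --kill gpg-agent

# Finally ask GnuPG itself whether it sees the OpenPGP card.
Write-Host "`n== gpg --card-status =="
& $gpg --card-status
if ($LASTEXITCODE -ne 0) {
    throw 'GnuPG cannot see the card. Re-plug the Nitrokey (point 3) and run this script again.'
}
```

If the final `gpg --card-status` succeeds, key generation can proceed in Kleopatra (point 5) or with `gpg --card-edit` as in the Nitrokey on-device documentation; the script deliberately only warns about extra readers rather than disabling them, since disabling a PnP device is a change you want to make consciously and revert afterwards.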