Nitrokey Pro won't work unless running card-status/card-edit on macOS

Greetings!

I have been successfully using my Nitrokey Pro on Ubuntu for about a year, mostly for SSH and signing commits. I recently migrated to macOS, and I cannot use my Nitrokey unless I run one of gpg --card-status or gpg --card-edit beforehand.

Here is an example of what I must do to decrypt a file:

$ gpg -d ~/encryptedFile.txt
gpg: encrypted with 3072-bit RSA key, ID XXXXXXXXXXXXXXXX, created 2020-02-02
      "John Doe <john.doe@example.org>"
gpg: public key decryption failed: Invalid ID
gpg: decryption failed: No secret key

$ gpg --card-status # --card-edit will also work
Reader ...........: Nitrokey Nitrokey Pro
Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Application type .: OpenPGP
Version ..........: 3.3
Manufacturer .....: ZeitControl
Serial number ....: XXXXXXXX
Name of cardholder: John Doe
Language prefs ...: en
Salutation .......: Mr.
URL of public key : https://example.org/johndoe/pgp_keys.asc
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa3072 rsa3072 rsa3072
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 3 3
Signature counter : 617
KDF setting ......: off
Signature key ....: AAAA AAAA AAAA AAAA AAAA  AAAA AAAA AAAA AAAA AAAA
      created ....: 2020-20-20 02:02:02
Encryption key....: BBBB BBBB BBBB BBBB BBBB  BBBB BBBB BBBB BBBB BBBB
      created ....: 2020-20-20 02:02:02
Authentication key: CCCC CCCC CCCC CCCC CCCC  CCCC CCCC CCCC CCCC CCCC
      created ....: 2020-20-20 02:02:02
General key info..: pub  rsa3072/AAAAAAAAAAAAAAAA 2020-20-20 John Doe <john.doe@example.org>
sec>  rsa3072/AAAAAAAAAAAAAAAA  created: 2020-20-20  expires: never
                                card-no: XXXX XXXXXXXX
ssb>  rsa3072/BBBBBBBBBBBBBBBB  created: 2020-20-20  expires: never
                                card-no: XXXX XXXXXXXX
ssb>  rsa3072/CCCCCCCCCCCCCCCC  created: 2020-20-20  expires: never
                                card-no: XXXX XXXXXXXX

$ gpg -d ~/encryptedFile.txt
gpg: encrypted with 3072-bit RSA key, ID XXXXXXXXXXXXXXXX, created 2020-02-02
      "John Doe <john.doe@example.org>"
[Successfully decrypting the file]

I tried to read the logs from scdaemon, but it’s rather cryptic to me. Here are relevant logs for when the first `gpg -d` fails:

DBG: chan_7 <- SERIALNO --demand=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ccid open error: skip
detected reader 'Nitrokey Nitrokey Pro'
reader slot 0: not connected
pcsc_control failed: not transacted (0x80100016)
pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65547
reader slot 0: active protocol: T1
[...]
Version-2+ .....: yes
Extcap-v3 ......: yes
Button .........: no
SM-Support .....: no
Get-Challenge ..: yes (2048 bytes max)
Key-Import .....: yes
Change-Force-PW1: yes
Private-DOs ....: yes
Algo-Attr-Change: yes
Symmetric Crypto: yes
KDF-Support ....: yes
Max-Cert3-Len ..: 2048
PIN-Block-2 ....: no
MSE-Support ....: yes
Max-Special-DOs : 2048
Cmd-Chaining ...: no
Ext-Lc-Le ......: yes
Status-Indicator: 05
GnuPG-No-Sync ..: no
GnuPG-Def-PW2 ..: no
[...]
DBG: chan_7 -> S SERIALNO XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
DBG: chan_7 -> OK
DBG: chan_7 <- SETDATA YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
DBG: chan_7 -> OK
sending signal 31 to client 1588
DBG: chan_7 <- PKDECRYPT ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
operation decipher result: Invalid ID
app_decipher failed: Invalid ID
DBG: chan_7 -> ERR 100663414 Invalid ID <SCD>
DBG: chan_7 <- RESTART
DBG: chan_7 -> OK

I am unsure of what those card commands do, but I must issue one of them every time I plug the key. I did not have to do that on Ubuntu. I simply added my public key to my local keyring on macOS.

My version of GPG is gpg (GnuPG/MacGPG2) 2.2.24. I have no specific configuration file for GPG except use-agent in gpg.conf. I installed GPG via brew install gpg-suite.

Thank you for any sort of help you’ll be able to provide me with. I’ll be glad to provide more logs/info if needed. Cheers!

Hi @Evyk !

Please update to GnuPG 2.2.25. This is the exact problem fixed in this release as far as I remember.


I am truly amazed. Thank you for your help!

For reference, the changelog states:

Noteworthy changes in version 2.2.25
====================================

  * scd: Fix regression in 2.2.24 requiring gpg --card-status before
    signing or decrypting.  [#5065]
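The workaround the original post arrives at by hand (issue `gpg --card-status` once, then decrypt) can be scripted so it is only applied on the affected release. The script below is an added example for this thread, not code from the poster, Nitrokey or the GnuPG project. It assumes, as the quoted changelog states, that the regression exists in 2.2.24 and is fixed from 2.2.25 on; it parses the version out of the first line of `gpg --version` (the poster's banner reads `gpg (GnuPG/MacGPG2) 2.2.24`). The function names `gpg_version_from_banner`, `version_lt`, `needs_card_status_workaround` and `gpg_decrypt` are this example's own.

```shell
#!/bin/sh
# Added example, not from the forum thread: apply the "card-status before
# decrypt" workaround only when the running GnuPG is the affected release.
# Assumption (from the changelog quoted above): the regression is present in
# 2.2.24 and fixed in 2.2.25, so only 2.2.24 needs the extra step.

# Extract "X.Y.Z" from the first line of `gpg --version` output, e.g.
# "gpg (GnuPG/MacGPG2) 2.2.24" -> "2.2.24". Prints nothing if no version found.
gpg_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# True (exit 0) when dotted version $1 is older than $2. Fields are compared
# numerically so that 2.2.9 < 2.2.24; a missing field counts as 0.
version_lt() {
    IFS=. read -r a1 a2 a3 <<EOF
$1
EOF
    IFS=. read -r b1 b2 b3 <<EOF
$2
EOF
    for pair in "${a1:-0}:${b1:-0}" "${a2:-0}:${b2:-0}" "${a3:-0}:${b3:-0}"; do
        x=${pair%%:*}
        y=${pair#*:}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# True when the banner belongs to GnuPG 2.2.24, the single release the
# changelog names as affected. Older and newer versions get no workaround;
# an unparseable banner is treated as "not affected" rather than guessed at.
needs_card_status_workaround() {
    v=$(gpg_version_from_banner "$1")
    [ -n "$v" ] || return 1
    if version_lt "$v" 2.2.24; then return 1; fi
    if version_lt "$v" 2.2.25; then return 0; fi
    return 1
}

# Decrypt the given file(s). On 2.2.24 this first runs `gpg --card-status`,
# which is exactly the manual step the post above shows makes the following
# `gpg -d` succeed; on any other version it calls gpg -d directly.
gpg_decrypt() {
    if needs_card_status_workaround "$(gpg --version 2>/dev/null)"; then
        gpg --card-status >/dev/null 2>&1 || return 1
    fi
    gpg -d "$@"
}

# Usage when run directly:  ./gpg-wrap.sh ~/encryptedFile.txt
if [ "$#" -gt 0 ]; then
    gpg_decrypt "$@"
fi
```

Updating to 2.2.25 remains the real fix; the point of gating on the exact version is that the wrapper stops issuing the extra card command on its own once the upgrade happens, instead of silently papering over the bug forever.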