When I try to import the pre-existing GPG keys to the card, this happens:
$ gpg --edit-key --expert tcanabrava@kde.org
gpg (GnuPG) 2.2.41; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa4096/B10D17C4DDFC6DDE
created: 2023-07-17 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/DA22FFE1B0A5BA0E
created: 2023-07-17 expires: never usage: E
ssb rsa3072/0496D634F124F14A
created: 2023-10-19 expires: never usage: A
[ultimate] (1). Tomaz Canabrava <tcanabrava@archlinux.org>
[ultimate] (2) Tomaz Canabrava <tcanabrava@kde.org>
gpg> keytocard
Really move the primary key? (y/N) y
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
gpg: KEYTOCARD failed: Card error
My status is ok, and nitrokey mk3 test is also ok.
$ gpg --card-status
Reader ...........: 20A0:42B2:X:0
Application ID ...: D276000124010304000FC2E6E7A50000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: unknown
Serial number ....: C2E6E7A5
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
The RSA of my key and of nitrokey are both set to 4096
The test status:
$ nitropy nk3 test
Command line tool to interact with Nitrokey devices 0.4.39
Found 1 Nitrokey 3 device(s):
- Nitrokey 3 at /dev/hidraw0
Running tests for Nitrokey 3 at /dev/hidraw0
[1/4] uuid UUID query SUCCESS C2E6E7A51562BF54B2485CBC8D8E4496
[2/4] version Firmware version query SUCCESS v1.5.0
[3/4] status Device status SUCCESS Status(init_status=<InitStatus: 0>, ifs_blocks=60, efs_blocks=478, variant=<Variant.LPC55: 1>)
Please press the touch button on the device ...
Please press the touch button on the device ...
[4/4] fido2 FIDO2 SUCCESS
4 tests, 4 successful, 0 skipped, 0 failed
Summary: 1 device(s) tested, 1 successful, 0 failed
So I'm a bit puzzled how to continue. I have seen here that for some people who had this problem it was because the key had a different size, but I'm out of ideas.
Since we're on the same distro (gpg version, udev rules via package and all) and I happen to have a not yet deployed nk3 on the same fw 1.5.0, I just did a test of a keytocard and it worked first try. To ensure my gpg config is vanilla I used a new user. I know this is of limited help. One point I note is your second ssb is on 3072 where I chose 4096 for all (not that it should matter, of course).
If I have an idea, I post again.
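A pre-flight check for the key-size question raised in the two posts above, added here as an example rather than code from the thread: it parses the `Key attributes` line of `gpg --card-status` and the `--with-colons` listing of the local secret keys (both embedded as constructed samples modelled on the figures in the thread) and reports, per card slot, whether the card is configured for the size of the key about to be moved there.

```shell
#!/bin/sh
# Added example, not from the thread: compare the card's key-attribute slots
# (from `gpg --card-status`) with the local key sizes (from
# `gpg --list-secret-keys --with-colons`) before running keytocard.
# Both inputs are constructed samples modelled on the figures in the thread.

CARD_STATUS='Key attributes ...: rsa4096 rsa2048 rsa2048'
# --with-colons records: field 1 = type (sec/ssb), 3 = key length,
# 4 = algorithm (1 = RSA), 12 = capabilities (lowercase s/e/a for this key).
SECRET_KEYS='sec:u:4096:1:B10D17C4DDFC6DDE:1689552000:::u:::scESC::::::23::0:
ssb:u:4096:1:DA22FFE1B0A5BA0E:1689552000::::::e::::::23:
ssb:u:3072:1:0496D634F124F14A:1697673600::::::a::::::23:'

# slot_attr N -> algorithm/size configured for card slot N (1 sig, 2 enc, 3 auth)
slot_attr() {
  printf '%s\n' "$CARD_STATUS" | awk -v n="$1" -F': ' '{ split($2, a, " "); print a[n] }'
}

# local_attr CAP -> "rsaNNNN" of the first local RSA key carrying capability CAP
local_attr() {
  printf '%s\n' "$SECRET_KEYS" | awk -v cap="$1" -F: '
    ($1 == "sec" || $1 == "ssb") && $4 == 1 && index($12, cap) { print "rsa" $3; exit }'
}

# check_slot N CAP -> prints a verdict line; returns 0 on match, 1 on mismatch
check_slot() {
  card_val=$(slot_attr "$1"); key_val=$(local_attr "$2")
  if [ "$card_val" = "$key_val" ]; then
    echo "slot $1 ($2): card $card_val matches key $key_val"
  else
    echo "slot $1 ($2): card $card_val but key is $key_val -> mismatch"
    return 1
  fi
}

# report -> checks all three slots; returns 1 if any slot mismatches
report() {
  rc=0
  check_slot 1 s || rc=1
  check_slot 2 e || rc=1
  check_slot 3 a || rc=1
  return $rc
}

if report; then
  echo "all slots match the local keys"
else
  echo "adjust the card key attributes or pick matching keys before keytocard"
fi
```

On the thread's figures it flags the encryption and authentication slots (card rsa2048 against key rsa4096 and rsa3072) while the signature slot matches, so a size mismatch alone does not explain the failed primary-key move; for a real check, replace the two embedded samples with the live output of the two commands.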
Hi @ion, it seems to work for you. In order to compare possible variations of the configuration, can you please post the output of the following commands?
gpgconf --show-configs
gpgconf --list-components
gpgconf --check-config
and FWIW this is the card-status since after my test yesterday:
$ gpg --card-status
Reader ...........: 20A0:42B2:X:0
Application ID ...: D27....
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: unknown
Serial number ....: 12345678
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: 436B 9BF3 B171 63A6 6BDA DD3E 3971 7E5D 3D58 368B
created ....: 2023-10-21 16:39:45
Encryption key....: [none]
Authentication key: [none]
General key info..: pub rsa4096/39717E5D3D58368B 2023-10-21 ion test (test) <iontest@dev.null>
sec> rsa4096/39717E5D3D58368B created: 2023-10-21 expires: never
card-no: 000F 555555
ssb rsa4096/FFA10C0BCD5F829E created: 2023-10-21 expires: never
ssb rsa4096/192094F5C21D4C5C created: 2023-10-21 expires: never
edit: the rest of output for completeness:
$ gpgconf --list-components
gpg:OpenPGP:/usr/bin/gpg
gpgsm:S/MIME:/usr/bin/gpgsm
gpg-agent:Private Keys:/usr/bin/gpg-agent
scdaemon:Smartcards:/usr/lib/gnupg/scdaemon
dirmngr:Network:/usr/bin/dirmngr
pinentry:Passphrase Entry:/usr/bin/pinentry
$ gpgconf --check-config
gpgconf: can not open global config file '/etc/gnupg/gpgconf.conf': No such file or directory
Could you try creating RSA2048 keys using gpg on the local machine and performing a keytocard with these keys? (I have already tried this with success, yet still need to test RSA4096.)