NK Start: Bad signature using ed25519 keys?

Hello,

I am observing the following strange behavior: signatures from the NK Start made with ed25519 keys cannot be verified.

✔ ~
joh@yksi ⌚ 21:43:40 <0> % ggpg --keyid-format long --list-secret-keys
/home/joh/.gnupg/pubring.kbx
----------------------------
sec#  ed25519/BCAD9887108EFDF4 2019-12-29 [C] [expires: 2024-12-27]
      7F1A07C05AF1A79F11C2CC24BCAD9887108EFDF4
uid                 [ultimate] Johannes Mueller <joh@johannes-mueller.org>
uid                 [ultimate] Johannes Mueller <github@johannes-mueller.org>
uid                 [ultimate] Johannes Mueller <johmue@keybase.io>
uid                 [ultimate] Johannes Mueller <joh@punkto.info>
ssb>  ed25519/E1E57DA4DDCD1ED6 2019-12-29 [SA] [expires: 2020-06-26]
ssb>  cv25519/A4B4D7A80E9D5C86 2019-12-29 [E] [expires: 2020-06-26]


✔ ~
joh@yksi ⌚ 21:44:29 <0> % gpg --card-status
Reader ...........: 20A0:4211:FSIJ-1.2.10-43245419:0
Application ID ...: D276000124010200FFFE432454190000
Application type .: OpenPGP
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 43245419
Name of cardholder: Johannes Mueller
Language prefs ...: [not set]
Salutation .......: 
URL of public key : https://johannes-mueller.org/public_key-2020.asc
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: off
Signature key ....: A45C 4537 C822 DF43 CBDF  B67E E1E5 7DA4 DDCD 1ED6
      created ....: 2019-12-29 01:42:12
Encryption key....: 6F34 244F 3B48 AB6D 9F10  480D A4B4 D7A8 0E9D 5C86
      created ....: 2019-12-29 01:53:20
Authentication key: A45C 4537 C822 DF43 CBDF  B67E E1E5 7DA4 DDCD 1ED6
      created ....: 2019-12-29 01:42:12
General key info..: sub  ed25519/E1E57DA4DDCD1ED6 2019-12-29 Johannes Mueller <joh@johannes-mueller.org>
sec#  ed25519/BCAD9887108EFDF4  created: 2019-12-29  expires: 2024-12-27
ssb>  ed25519/E1E57DA4DDCD1ED6  created: 2019-12-29  expires: 2020-06-26
                                card-no: FFFE 43245419
ssb>  cv25519/A4B4D7A80E9D5C86  created: 2019-12-29  expires: 2020-06-26
                                card-no: FFFE 43245419

✔ ~
joh@yksi ⌚ 21:44:32 <0> % echo sign this | gpg --sign -u 7F1A07C05AF1A79F11C2CC24BCAD9887108EFDF4 | gpg --verify
gpg: Signature made Fri Feb  7 21:44:33 2020 CET
gpg:                using EDDSA key A45C4537C822DF43CBDFB67EE1E57DA4DDCD1ED6
gpg: BAD signature from "Johannes Mueller <joh@johannes-mueller.org>" [ultimate]

✘ [1] ~
joh@yksi ⌚ 21:44:33 <0> % 

Any idea what’s going on?

The signed message that cannot be verified:

joh@yksi ⌚ 21:44:33 <0> % echo sign this | gpg --sign -a -u 7F1A07C05AF1A79F11C2CC24BCAD9887108EFDF4               

✔ ~
joh@yksi ⌚ 21:46:04 <0> % 

Hello,

Sorry for the delay. Will see how it behaves on my hardware. I assume you have imported the key to the device, is that right?

Yes, the key is imported to the device. It’s the signing subkey 0xE1E57DA4DDCD1ED6 from

✔ ~
joh@yksi ⌚ 21:01:49 <0> % gpg --list-secret-keys 7F1A07C05AF1A79F11C2CC24BCAD9887108EFDF4
sec#  ed25519/BCAD9887108EFDF4 2019-12-29 [C] [verfällt: 2024-12-27]
      7F1A07C05AF1A79F11C2CC24BCAD9887108EFDF4
uid              [ ultimativ ] Johannes Mueller <joh@johannes-mueller.org>
uid              [ ultimativ ] Johannes Mueller <github@johannes-mueller.org>
uid              [ ultimativ ] Johannes Mueller <johmue@keybase.io>
uid              [ ultimativ ] Johannes Mueller <joh@punkto.info>

here:

ssb>  ed25519/E1E57DA4DDCD1ED6 2019-12-29 [SA] [verfällt: 2020-06-26]
ssb>  cv25519/A4B4D7A80E9D5C86 2019-12-29 [E] [verfällt: 2020-06-26]

It shows up on the device:

✔ ~
joh@yksi ⌚ 21:01:58 <0> % gpg --card-status                                              
Reader ...........: 20A0:4211:FSIJ-1.2.10-43245419:0
Application ID ...: D276000124010200FFFE432454190000
Application type .: OpenPGP
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 43245419
Name of cardholder: Johannes Mueller
Language prefs ...: [nicht gesetzt]
Salutation .......: 
URL of public key : https://johannes-mueller.org/public_key-2020.asc
Login data .......: [nicht gesetzt]
Signature PIN ....: zwingend
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: off

here

Signature key ....: A45C 4537 C822 DF43 CBDF  B67E E1E5 7DA4 DDCD 1ED6
      created ....: 2019-12-29 01:42:12
Encryption key....: 6F34 244F 3B48 AB6D 9F10  480D A4B4 D7A8 0E9D 5C86
      created ....: 2019-12-29 01:53:20
Authentication key: A45C 4537 C822 DF43 CBDF  B67E E1E5 7DA4 DDCD 1ED6
      created ....: 2019-12-29 01:42:12
General key info..: sub  ed25519/E1E57DA4DDCD1ED6 2019-12-29 Johannes Mueller <joh@johannes-mueller.org>
sec#  ed25519/BCAD9887108EFDF4  erzeugt: 2019-12-29  verfällt: 2024-12-27

and here

ssb>  ed25519/E1E57DA4DDCD1ED6  erzeugt: 2019-12-29  verfällt: 2020-06-26
                                Kartennummer:FFFE 43245419
ssb>  cv25519/A4B4D7A80E9D5C86  erzeugt: 2019-12-29  verfällt: 2020-06-26
                                Kartennummer:FFFE 43245419

✔ ~
joh@yksi ⌚ 21:02:13 <0> % 

The problem occurs on both of my two NK Starts with this key. The key is also properly cross-certified. I have a backup of it on a persistent Tails volume. Signatures I create with that one are verified without problems on the same system which fails to verify the signature of the NK.
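
An added example, not part of the original posts: a small Python check that cross-references the `gpg --card-status` and `gpg --verify` output quoted above, to tell apart "a different key signed" from "the key the card advertises produced a bad signature". The function names and result labels are hypothetical, and the parsing assumes the English-locale messages shown in the first post.

```python
import re

# Excerpts copied from the terminal output quoted in this thread (English locale).
CARD_STATUS = """\
Signature key ....: A45C 4537 C822 DF43 CBDF  B67E E1E5 7DA4 DDCD 1ED6
Encryption key....: 6F34 244F 3B48 AB6D 9F10  480D A4B4 D7A8 0E9D 5C86
Authentication key: A45C 4537 C822 DF43 CBDF  B67E E1E5 7DA4 DDCD 1ED6
"""
VERIFY_OUTPUT = """\
gpg: Signature made Fri Feb  7 21:44:33 2020 CET
gpg:                using EDDSA key A45C4537C822DF43CBDFB67EE1E57DA4DDCD1ED6
gpg: BAD signature from "Johannes Mueller <joh@johannes-mueller.org>" [ultimate]
"""

SLOT_RE = re.compile(r"^(Signature|Encryption|Authentication) key\s*\.*:\s*([0-9A-F ]+)$")

def card_fingerprints(card_status):
    """Map each card key slot to its stored fingerprint, spaces removed."""
    slots = {}
    for line in card_status.splitlines():
        m = SLOT_RE.match(line.strip())
        if m:
            slots[m.group(1)] = m.group(2).replace(" ", "")
    return slots

def signer_and_verdict(verify_output):
    """Return (fingerprint of the key gpg says made the signature, verdict)."""
    m = re.search(r"using \w+ key ([0-9A-F]{40})", verify_output)
    if "BAD signature" in verify_output:
        verdict = "bad"
    elif "Good signature" in verify_output:
        verdict = "good"
    else:
        verdict = "unknown"
    return (m.group(1) if m else None), verdict

def diagnose(card_status, verify_output):
    sig_slot = card_fingerprints(card_status).get("Signature")
    signer, verdict = signer_and_verdict(verify_output)
    if sig_slot is None or signer is None or verdict == "unknown":
        return "inconclusive"
    if signer != sig_slot:
        # A different key signed: look at key selection (-u, default-key).
        return "signed-by-other-key"
    # The signature names the key the card advertises, so key selection is
    # fine; a BAD result then points at the card's key material or signing.
    return "card-key-bad-signature" if verdict == "bad" else "card-key-ok"

if __name__ == "__main__":
    print(diagnose(CARD_STATUS, VERIFY_OUTPUT))
```

The fingerprint in the card's signature slot is stored metadata, so a match only rules out key selection as the cause; it does not prove the private key on the device corresponds to the public subkey.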