NK3 GPG not working

After updating to firmware v1.4.0 I am not able to use pgp keytocard to move a key created outside to the smartcard.

I am not even prompted for the pin anymore. Maybe I entered it wrong multiple times because I confused the gpg pin (which was probably still the default) and the fido2 pin.

gpg2 --edit-key --expert ...
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Geheimer Schlüssel ist vorhanden.

sec  ed25519/...
     erzeugt: 2023-05-11  verfällt: 2026-05-10  Nutzung: SC  
     Vertrauen: ultimativ     Gültigkeit: ultimativ
ssb  cv25519/...
     erzeugt: 2023-05-11  verfällt: 2026-05-10  Nutzung: E   
ssb  ed25519/...
     erzeugt: 2023-05-11  verfällt: 2026-05-10  Nutzung: A   
[uneingeschränkt] (1). ...

gpg> keytocard
Den Hauptschlüssel wirklich verschieben? (j/N) j
Wählen Sie den Speicherort für den Schlüssel:
   (1) Signatur-Schlüssel
   (3) Authentisierungs-Schlüssel
Ihre Auswahl? 1
gpg: Das KEYTOCARD Kommando schlug fehl: Falsche PIN


Now it seems I am not even able to do a factory-reset (gpg2 --card-edit > admin > factory reset).

gpg2 --card-edit

Reader ...........: 
Application ID ...: 
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: unknown
Serial number ....: 
Name of cardholder: [nicht gesetzt]
Language prefs ...: [nicht gesetzt]
Salutation .......: 
URL of public key : [nicht gesetzt]
Login data .......: [nicht gesetzt]
Signature PIN ....: zwingend
Key attributes ...: ed25519 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 0 0 0
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> admin
Admin-Befehle sind erlaubt

gpg/card> factory-reset 
gpg: OpenPGP Karte Nr. ... erkannt

gpg: Hinweis: Dieses Kommando zerstört alle auf der Karte gespeicherten Schlüssel!

Fortsetzen? (j/N) j
Möchten Sie die Karte wirklich komplett löschen? ("yes" eingeben) yes
sending card command SELECT AID failed: Fehlerhafter geheimer Schlüssel


I am really getting annoyed and losing my trust in Nitrokey and the team. The software-development process seems to be not under control. This is extremely critical in such a security-relevant area.

Unfortunately, there is a bug in GnuPG older than 2.2.35 that affects the factory reset, see:

You can fix the problem by updating GnuPG or by using a different application to execute the factory reset, e.g. openpgp-tool --erase (from OpenSC) or opgpcard factory-reset (from openpgp-card-tools). We are also working on adding a command to pynitrokey to execute the factory reset to work around this issue, see: Allow resetting opcard-rs · Issue #362 · Nitrokey/pynitrokey · GitHub

Thank you for the solution! With openpgp-tool I was able to do a factory-reset. After that, the import of the keys generated outside the Nitrokey was successful, and now, finally, after years, the gpg encryption with Nitrokey 3 works as expected.
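
The check described in the reply above, as an added example that is not part of the thread and not Nitrokey's code: it reads the GnuPG banner and the "PIN retry counter" line of the card status and reports whether the PINs are blocked and whether the installed GnuPG falls under the "older than 2.2.35" condition. Function names and verdict strings are hypothetical, the sample input is constructed from the output quoted in the first post, and the version comparison is purely numeric because the reply gives only that one threshold.

```shell
#!/bin/sh
FIXED_IN="2.2.35"   # threshold stated in the reply; other release series are not covered there

# Extract the version number from a banner line such as "gpg (GnuPG) 2.2.27".
gpg_version() {
    printf '%s\n' "$1" | sed -n 's/^gpg (GnuPG) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 is strictly older than $2 (field-by-field numeric compare).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a="" || a=${a#*.}
        [ "$b" = "$y" ] && b="" || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# Print the three retry counters (user PIN, reset code, admin PIN) from card status text.
pin_counters() {
    printf '%s\n' "$1" |
        sed -n 's/^PIN retry counter *: *\([0-9]*\) \([0-9]*\) \([0-9]*\).*/\1 \2 \3/p'
}

# Print one verdict per line for a gpg banner ($1) and card status text ($2).
advise() {
    ver=$(gpg_version "$1")
    [ -n "$ver" ] || { echo "unknown-gpg-version"; return 2; }
    set -- $(pin_counters "$2")
    [ "${1:-1}" -eq 0 ] && echo "user-pin-blocked"
    [ "${3:-1}" -eq 0 ] && echo "admin-pin-blocked"
    if version_lt "$ver" "$FIXED_IN"; then
        # Per the reply: update GnuPG, or reset with openpgp-tool --erase / opgpcard factory-reset.
        echo "reset-with-other-tool-or-update-gnupg"
    else
        echo "gpg-version-not-affected"
    fi
}

# Constructed sample input, modelled on the output quoted in the first post.
SAMPLE_BANNER='gpg (GnuPG) 2.2.27'
SAMPLE_STATUS='Version ..........: 3.4
PIN retry counter : 0 0 0
Signature counter : 0'
advise "$SAMPLE_BANNER" "$SAMPLE_STATUS"
```

On a real system the two arguments would come from `gpg2 --version` and `gpg2 --card-status`, run with an English locale so the field label matches.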