[NK3 mini] gpg: selecting card failed: No such device // GPG card setup

gpg doesn't see my Nitrokey:

gpg -vvv --card-status
gpg: using character set 'utf-8'
gpg: enabled compatibility flags:
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

while pcsc_scan detects it:

pcsc_scan
PC/SC device scanner
V 1.6.2 (c) 2001-2022, Ludovic Rousseau <ludovic.rousseau@free.fr>
Using reader plug'n play mechanism
Scanning present readers...
0: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
 
Wed May 10 09:03:29 2023
 Reader 0: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
  Event number: 0
  Card state: Card inserted, 

Am I missing some setup element?

I am already using nitrokey FIDO2 in my browsers and pam with no issues, so device setup should be ok.

gpg --version
gpg (GnuPG) 2.2.41
libgcrypt 1.10.2-unknown

After reading release notes I have discovered that GPG is only supported in 1.4 firmware. After upgrade it’s now recognized!

I continued to set it up following this guide
https://docs.nitrokey.com/storage/windows/ecc.html?highlight=gpg
however it doesn't work:

gpg-connect-agent "SCD SETATTR KEY-ATTR --force 1 19 brainpoolP256r1" /bye
ERR 100663383 Bad PIN <SCD>

I was trying my usual PIN, which works for the test command.

I can read in one of the screen copies:

Please note that the factory settings of the PINs are
PIN = '123456' Admin PIN = '12345678'

Are these different from the FIDO2 PIN? How do I change them? The screenprint proposes something like

You should change them using the command --change-pin

gpg/card> admin
Admin commands are allowed

gpg/card> command --change-pin

Invalid command  (try "help")

After some research I've found the change-pin command.

gpg --change-pin

I've changed both the normal and the Admin PIN. Still I am getting an error about an invalid PIN:

gpg-connect-agent "SCD SETATTR KEY-ATTR --force 1 19 brainpoolP256r1" /bye
ERR 100663383 Bad PIN <SCD>

Now I guessed that the new Admin PIN must be at least 8 digits. It was not mentioned in any guide/doc.
The SETATTR commands now pass, but with no effect:

Key attributes ...: rsa2048 rsa2048 rsa2048

I definitely don't want rsa2048 keys...

I have the same problem, but with firmware 1.4.
pcsc_scan detects it, but gpg does not.
pcsc_scan:

PC/SC device scanner
V 1.6.2 (c) 2001-2022, Ludovic Rousseau <ludovic.rousseau@free.fr>
Using reader plug'n play mechanism
Scanning present readers...
0: REINER SCT cyberJack RFID komfort (5033634424) 00 00
1: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00

Wed May 10 06:49:33 2023
Reader 0: REINER SCT cyberJack RFID komfort (5033634424) 00 00
Event number: 0
Card state: Card removed,
Reader 1: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Event number: 0
Card state: Card inserted, Shared Mode,
ATR: 3B 8F 01 80 5D 4E 69 74 72 6F 6B 65 79 00 00 00 00 00 6A

gpg -vvv --card-status:

LANG=C gpg -vvv --card-status
gpg: using character set 'utf-8'
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

GPG:

LANG=C gpg --version
gpg (GnuPG) 2.3.8
libgcrypt 1.10.1-unknown
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later https://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/XXXXX/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
AEAD: EAX, OCB
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

I think I have found all the answers to my questions. The remaining part about key management is here

Hope it will all go to a Nitrokey 3 guide on the main documentation site :wink:

By default, gnupg uses its own CCID driver, not pcscd. If the card is detected by pcscd, gnupg can no longer access it. There are two solutions:

  1. Instruct GnuPG to use pcscd by adding disable-ccid to ~/.gnupg/scdaemon.conf and restart scdaemon with gpg-connect-agent 'SCD KILLSCD' /bye
  2. Stop pcscd and re-connect the device (make sure that pcscd is not activated again by a socket or similar)

See this guide for more information: Ludovic Rousseau's blog: GnuPG and PC/SC conflicts

Hm, this will not really fix it, because now gpg takes an exclusive lock on the NK3.
So only gpg can use it and no other applications. :frowning:
pcsc_scan:

Reader 1: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
  Event number: 0
  Card state: Card inserted, Exclusive Mode, 
  ATR: 3B 8F 01 80 5D 4E 69 74 72 6F 6B 65 79 00 00 00 00 00 6A

pkcs11-tool --list-slots:

Available slots:
Slot 0 (0x0): REINER SCT cyberJack RFID komfort (5033634424) 00 00
  (empty)
Slot 1 (0x4): (GetSlotInfo failed, CKR_DEVICE_ERROR)

Unfortunately, this is a limitation of GnuPG/scdaemon. With more recent releases, you can try to use the --pcsc-shared option for scdaemon so that it no longer requires an exclusive lock. But it still caches some card state, so using it with other applications may cause problems.

An alternative approach could be to use Sequoia PGP and their openpgp-card tools instead, which do not require exclusive access to the card.

Maybe this is not the same subject, but on Archlinux today I was no longer able to use my Nitrokey 3c NFC (20a0:42b2).
In contrast, my Nitrokey Pro (20a0:4108) was working fine.

By opening the udev rules, I see that the Nitrokey 3 does not set:

ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"

So I added this to the rules for my Nitrokey and it's working again.

Why are the rules different from a Nitrokey Pro 2, for example? I only use gnupg with the Nitrokey smartcard.

Hi,

What is the gpg config you are using? You can find it at ~/.gnupg/gpg-agent.conf, ~/.gnupg/scdaemon.conf

Best,
Sosthène

Hello,

~/.gnupg/gpg-agent.conf:

# pinentry conf
default-cache-ttl 300
max-cache-ttl 7200
enable-ssh-support
allow-emacs-pinentry

And ~/.gnupg/scdaemon.conf:

pcsc-driver /usr/lib/libpcsclite.so

Please note that without the udev rules hack, I get the following log when trying to use my key with gpg (gpg --card-status):

gpg-agent[6207]: scdaemon[6207]: ccid open error: skip
gpg-agent[6207]: scdaemon[6207]: check permission of USB device at Bus 003 Device 034

Thanks for your help,

There is another way to get this to work, by using pcscd.

Replace pcsc-driver /usr/lib/libpcsclite.so with disable-ccid and use the pcscd service: systemctl enable pcscd.

1 Like
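The fix described in the two answers above (add disable-ccid to scdaemon.conf, drop the explicit pcsc-driver line, restart scdaemon, run pcscd) as an added example script; it is not from the thread, from Nitrokey or from GnuPG. It assumes the config lives at $GNUPGHOME/scdaemon.conf (default ~/.gnupg), that the restart is done with the gpg-connect-agent call quoted in the answer, and that pcscd is managed by systemd. The rewrite is idempotent, so re-running it does not duplicate the option.

```shell
#!/bin/sh
# Added example (not the thread's or Nitrokey's code): make scdaemon go through pcscd
# instead of its built-in CCID driver, so pcsc_scan and gpg stop fighting over the NK3.

# Rewrite one scdaemon.conf in place: remove any "pcsc-driver ..." line (not needed once
# scdaemon talks to pcscd) and make sure exactly one "disable-ccid" line is present.
ensure_pcscd_config() {
    conf="$1"
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    # Keep every other line; grep -v exits 1 when nothing is left, so tolerate that.
    { grep -v '^[[:space:]]*pcsc-driver' "$conf" || :; } > "$conf.tmp"
    if ! grep -q '^[[:space:]]*disable-ccid[[:space:]]*$' "$conf.tmp"; then
        printf '%s\n' 'disable-ccid' >> "$conf.tmp"
    fi
    mv "$conf.tmp" "$conf"
    chmod 600 "$conf"   # GnuPG complains about group/world-readable config files
}

# Restart scdaemon so it re-reads the config (command taken from the answer above).
# A no-op on machines without gpg-connect-agent, so the script still runs for testing.
restart_scdaemon() {
    if command -v gpg-connect-agent >/dev/null 2>&1; then
        gpg-connect-agent 'SCD KILLSCD' /bye
    fi
}

# Report whether pcscd is running; with disable-ccid set, gpg needs it (assumes systemd).
pcscd_status() {
    if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet pcscd; then
        echo "pcscd is active"
    else
        echo "pcscd is not active; start it with: systemctl enable --now pcscd"
    fi
}

# Usage: sh nk3-pcscd.sh --apply   (nothing is changed unless --apply is given)
if [ "${1:-}" = "--apply" ]; then
    ensure_pcscd_config "${GNUPGHOME:-$HOME/.gnupg}/scdaemon.conf"
    restart_scdaemon
    pcscd_status
fi
```

After applying, re-run gpg --card-status with pcsc_scan still running; the card should now be reported. Note the caveat from the thread: scdaemon still holds the card exclusively by default, so other applications lose access while gpg uses it; newer GnuPG releases offer pcsc-shared to relax that, at the cost of cached card state.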