No such device after gpg2 factory reset

I have a new Nitrokey 3 - I may have entered the admin password wrong too many times.

In gpg2 --card-edit I ran factory-reset - and since then I’m getting this:

❯ gpg2 --card-edit --expert

gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device


I’ve followed the instructions here: Troubleshooting - Nitrokey Documentation

I tried with just pcscd and just scdaemon and rebooted Linux many times.

nitrokeypy works with it ok. I’ve re-installed the 1.5.0 hardware, but gpg still doesn’t see it.

Any help or guidance appreciated.

Can you try OpenSC and see what openpgp-tool -K says?

Further troubleshooting steps:

Configure the following $HOME/scdaemon.conf:

log-file /tmp/scd.log
debug 0xffff
disable-ccid

Before posting data from such log, be careful, it may contain secret data!

❯ sudo openpgp-tool -K -vv
No smart card readers found.
P:524087; T:0x139775920576512 19:00:49.087 [openpgp-tool] ctx.c:931:sc_release_context: called
error: failed to connect to card: No readers found
Aborting.

❯ cat scdaemon.conf
log-file /tmp/scd.log
debug 0xffff
disable-ccid

❯ cat /tmp/scd.log
cat: /tmp/scd.log: No such file or directory

❯ lsusb | rg -i nitro
Bus 001 Device 023: ID 20a0:42b2 Clay Logic Nitrokey 3

❯ ps aux | rg 'scdaemon|pcsd'
matiu     524000  0.0  0.0  94376  3072 ?        SLl  19:00   0:00 scdaemon --multi-server

I just did another update to v1.6.0 but still no luck:

❯ nitropy nk3 update
Command line tool to interact with Nitrokey devices 0.4.43
Do you want to download the firmware version v1.6.0? [Y/n]: y
Download v1.6.0: 100%|███████████████████████████████████████████████████████████████████████████████████| 909k/909k [00:00<00:00, 6.86MB/s]
Current firmware version:  v1.5.0
Updated firmware version:  v1.6.0

Please do not remove the Nitrokey 3 or insert any other Nitrokey 3 devices during the update. Doing so may damage the Nitrokey 3.
Do you want to perform the firmware update now? [y/N]: y

Please press the touch button to reboot the device into bootloader mode ...

Perform firmware update: 100%|███████████████████████████████████████████████████████████████████████████| 461k/461k [00:05<00:00, 87.5kB/s]
Finalize upgrade: 100%|████████████████████████████████████████████████████████████████████████████████████| 100/100 [00:01<00:00, 59.13%/s]

Ok, we are almost there. For openpgp-tool test, you cannot run scdaemon. Make sure gpg-agent and scdaemon are not running at the time you are testing with openpgp-tool.

For example, start your system clean, make sure pcscd is running or gets started and without touching GPG try openpgp-tool.

After this, you can try gpg --edit-card and then /tmp/scd.log should get created.
pcscd should be running at the time you access the smartcard, so you will probably have gpg-agent, scdaemon and pcscd running.

I like running pcscd -adf in the foreground to see live commands sent to the smartcard when troubleshooting. This log will contain your PINs and other possibly secret things, so be careful when sharing. But I don’t know the details of your system - you might need to disable system-level pcscd to do something like this.

Thanks @saper

I started with a clean boot. I checked that gpg-agent and scdaemon hadn’t started. I killed and restarted pcscd a few times. I dumped the log with sudo pcscd -adf 2>&1 | tee pcscd.log

Once pcscd was running I ran gpg --edit-card and got the same issues.

In ~/.gnupg/scdaemon.conf I have disable-ccid from some forum post.

I’ve pasted the log here - I couldn’t see any sensitive info in it.

I tried to figure it out myself but it’s way beyond me. Thanks again for guiding me in the right direction.

I have redone your steps on my Nitrokey 3 with 1.5.0 firmware and the key difference is this:

I get

APDU: 00 A4 04 00 06 D2 76 00 01 24 01
SW: 90 00

where you are getting

APDU: 00 A4 04 00 06 D2 76 00 01 24 01
SW: 62 85

which means the OpenPGP applet D27600012401 cannot be selected - the OpenPGP part seems to be “dead”.

I think running factory-reset from gpg2 was a mistake. Which gpg were you using? There is a bug report, “Factory Reset fails on old gpg (2.2.21) · Issue #144 · Nitrokey/opcard-rs · GitHub”, about broken factory-reset with GnuPG 2.2 - but there is nothing that would make the OpenPGP applet disappear if I read the report correctly.

@sosthene-nitrokey is there any way to bring the applet back? (even upgrade to 1.6.0 didn’t seem to help)

Thanks again for the great support.

I’m not sure what version of gpg. I’m on PopOs, based off of Ubuntu 22.04. I may have upgraded since breaking things.

Current version:

❯ gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4
...

I’ll continue to try random things and let you know if I get anywhere. I’ll also keep an eye out on here for updates.

Hi,

You could try using the latest experimental v1.6.0-test.20231218 release, which has support for OpenPGP factory reset through nitropy: nitropy nk3 factory-reset-app opcard --experimental, and also a full-device factory reset: nitropy nk3 factory-reset --experimental.

How could this have happened? Is it normal for the applet to “disappear”?

Not sure this will help, you need to get OpenPGP function back on the token.

This should not happen. The OpenPGP standard mechanism for factory-reset is performed in 2 steps. GnuPG however does not seem to properly handle the case where only one step has been performed.

APDU: 00 A4 04 00 06 D2 76 00 01 24 01
SW: 62 85

Confirm that this is the error. The experimental nitropy factory-reset functionality does not go through the standard mechanism for factory-reset, and should not be affected by this issue.
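
Added example, not part of any post in this thread: a small Python parser that finds SELECT commands for the OpenPGP AID in APDU/SW lines like those quoted above and names the status word. The function names, the sample log and its numeric prefixes are assumptions; 62 85 is the ISO/IEC 7816-4 warning "selected file in termination state", which is what a card reports when the two-step reset described above stopped after its first step.

```python
import re

# OpenPGP application AID prefix, as quoted in the thread's SELECT APDU.
OPENPGP_AID = bytes.fromhex("D27600012401")
SW_MEANING = {  # ISO/IEC 7816-4 status words relevant to SELECT
    0x9000: "success",
    0x6285: "selected file in termination state",
    0x6A82: "file or application not found",
}
HEX_LINE = re.compile(r"\b(APDU|SW):\s*((?:[0-9A-Fa-f]{2}\s*)+)$")

def parse_exchanges(log_text):
    """Pair each APDU line with the SW line after it (SW = last two bytes)."""
    exchanges, pending = [], None
    for line in log_text.splitlines():
        m = HEX_LINE.search(line.strip())
        if not m:
            continue
        data = bytes.fromhex(m.group(2))
        if m.group(1) == "APDU":
            pending = data
        elif pending is not None and len(data) >= 2:
            exchanges.append((pending, int.from_bytes(data[-2:], "big")))
            pending = None
    return exchanges

def select_target(apdu):
    """Return the AID when apdu is SELECT by name (INS A4, P1 04), else None."""
    if len(apdu) < 5 or apdu[1] != 0xA4 or apdu[2] != 0x04:
        return None
    aid = apdu[5:5 + apdu[4]]
    return aid if len(aid) == apdu[4] else None

def diagnose(log_text):
    """List (status word, meaning) for each SELECT of the OpenPGP applet."""
    selects = [(select_target(a), sw) for a, sw in parse_exchanges(log_text)]
    return [(sw, SW_MEANING.get(sw, "unrecognised status word"))
            for aid, sw in selects if aid and aid.startswith(OPENPGP_AID)]

# Constructed sample: prefixes and the first AID (A0 00 00 00 01) are made up.
SAMPLE_LOG = """\
00000101 APDU: 00 A4 04 00 05 A0 00 00 00 01
00000230 SW: 6A 82
00000110 APDU: 00 A4 04 00 06 D2 76 00 01 24 01
00000412 SW: 62 85
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```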