Unreliable GPG card of Nitrokey 3 Mini

Hi,

After replacing my NK3 mini (after Nitrokey 3 Mini no longer reacts on touch - #4 by geoW), I’m now struggling with the gpg card feature of the new device. I can sign or decrypt basically only once after plugging or rebooting the key. If I retry the same operation, I’m getting errors like:

gpg: public key decryption failed: Not supported
gpg: decryption failed: Not supported

This did not happen with my old NK3 mini and still does not - just retested as only the touch is broken. That one was on firmware 1.7, the new is on 1.8.3. Another difference was opcard.use_se050_backend=false with the old one, but meanwhile I switched the new to this mode as well, without any change. Also factory-reset didn’t help.

This is a highly annoying regression. I can mitigate it by issuing “nitropy nk3 reboot” prior to any gpg operation, but that is not really a solution.

FWIW, tests are passing, ssh key storage or FIDO2 features work as before.

And in some cases I get this after plugging the key:

gpg: public key decryption failed: Missing item in object
gpg: decryption failed: Missing item in object

Retry then gives:

gpg: public key decryption failed: Card error
gpg: decryption failed: Card error

Also suspend/resume of the machine with the key plugged requires a reboot of it in order to get the card working, once.

Looks like there is a bad interaction going on between scdaemon and other users of the card (browser and email client) which - for whatever reason - didn’t affect the old key. If I close those other users, the gpg works as expected, also with the new NK3 mini. Most likely a local configuration issue.

Hello,

Your issue looks like the one explained in the last bullet point here:

I already had pcsc-shared set.

What I did now is to disable PIV (wasn’t available with firmware 1.7), and that seems to help.