after updating to GPGtools 2017.1 Yubikey no longer functions properly (both in Mail & gpg2 --card-edit)

gpg_dude

25 Sep, 2017 05:54 PM

Which of our tools is giving you problems?

gpg2

Attach a screenshot of the version info for all installed components (how to: https://gpgtools.tenderapp.com/kb/faq/where-can-i-find-version-info...):

Attached

Describe your problem. Add as much detail as possible.

After installing GPGTools 2017.1 I am no longer able to access my private key using my Yubikey 4 Nano. I am not prompted for my PIN to unlock the Yubikey and Mail displays a message saying "Secret key to decrypt the message is missing"

Attempts to use gpg2 on the command line to edit/inspect the Yubikey also failed:
gpg2 --card-edit

gpg: selecting openpgp failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device

What did you expect instead

I expect to be prompted for my PIN to unlock the Yubikey.

I also expect to be able to issue gpg2 --card-edit to inspect/edit the GPG key on my Yubikey.

Describe steps leading to the problem.

Described above

Are you using any other Mail.app plugins?

No

EDIT: I also tried following the steps listed @ https://gpgtools.tenderapp.com/discussions/problems/58454-after-upd...

but when I got to the end and tried to run the final command it failed with:
gpg --card-status
gpg: selecting openpgp failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device

EDIT2: might be related to https://gpgtools.tenderapp.com/discussions/problems/50900-unable-to...

  1. 31 Posted by gpg_dude on 03 Oct, 2017 03:04 PM

    So on my issue a reboot did not appear to fix the strange behavior where after a period of time Mail hangs when trying to decrypt a message and "ssh-add -l" hangs when issued as well. I have to remove and reinsert the card to get things back on track. If there is other data I can collect to help troubleshoot what is happening here let me know. Otherwise, I am contemplating downgrading back to 2016.10_v2 to get back to smoother operation.

    Teoclaid: as for your issue, downgrading to a previous version of GPGTools just requires you to run the previous installer. I've also made backups of my ~/.gnupg directory prior to each upgrade and have been restoring that as part of the downgrade process too, though I'm not sure that's strictly necessary. I've been doing so because I recall reading somewhere the GPG upgrade modifies the keys somehow.

  2. 32 Posted by teoclaid on 03 Oct, 2017 03:21 PM

    I'm back up and running! I think what I thought was a backup of my full keys must just have been a stub(?). I realised I had a copy of my GPG keys on my iPhone so imported that copy to my GPG Keychain.

    After that I followed the instructions in https://developers.yubico.com/PGP/Importing_keys.html (having first reset the applet), and now my Yubikey is happy with decrypting in mail and anywhere else. phew!

  3. 33 Posted by MartinBa on 03 Oct, 2017 03:41 PM

    @teoclaid: congratulations - it's always good to have a second (offline) place to have the secret key available. Maybe your backup of the secret key was made/overwritten after you moved the secret keys to the yubikey - therefore only the stubs were in it. Please check the file date of the "backup" and try to remember when you originally put your secret keys on the yubikey with keytocard :-)

    I've also learned that my original setup before updating (osx 10.10.5 yosemite) under gpgtools 2016.2 (GnuPG/MacGPG2 Version 2.0.30) accessed the yubikey with the (gnupg-builtin) ccid driver and the new gpgtools 2017.1 is using the pc/sc interface driver (which was the source of my problem as it doesn't work correctly until I installed the yubikey neo manager application). I am not sure if ccid (fallback) works correctly with 2017.1

  4. 34 Posted by gpg_dude on 09 Oct, 2017 05:01 PM

    @Luke - after a week of banging my head against the wall and constantly removing and reinserting my yubikey multiple times per hour (along with killing gpg-agent which I already did with previous releases) I've had to downgrade back to 2016_10.v2. Let me know if I should start a new thread about the usability issues since technically the problem(s) that spawned this thread were resolved.

  5. 35 Posted by teoclaid on 10 Oct, 2017 02:08 PM

    @gpg_dude - did you try resetting the applet and reinstalling your keys onto the Yubikey? That completely solved the problem for me...

  6. 36 Posted by jbr on 06 Dec, 2017 11:57 AM

    So I was also getting "bad pin" when using my Yubikey (2017.1 on High Sierra). It turns out that the "problem", was that I was using one passphrase for the regular pin and a different passphrase for admin, reset and unblock. Apparently the regular pin is not used for signing mails and such anymore, but the admin pin is. So I've solved my problem by just having the same passphrase for all the pins on my Yubikey. It would however be nice if anyone knows how to use the regular pin and not the admin pin for signing.

  7. 37 Posted by gpg_dude on 06 Dec, 2017 05:35 PM

    @jbr I'm not on High Sierra, but that doesn't sound right. Are you sure you didn't get the admin & regular PINs transposed?

  8. 38 Posted by jbr on 07 Dec, 2017 08:24 AM

    @gpg_dude, yes I initialised the key multiple times, with different pin combinations to track the problem down. I just inserted an older Yubikey, which was initialised with gpg 2.0 and not 2.2, and there the pins are functioning correctly.
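
Added example, not part of any post in this thread: a check for the stub-only backup situation described in posts 32 and 33. It reads `gpg --list-secret-keys --with-colons` output and reports, per key, whether secret material is present or only a stub remains, relying on field 15 of `sec`/`ssb` records as documented in GnuPG's doc/DETAILS. The function names and the sample listings (key IDs, card serial) are constructed for illustration.

```shell
#!/bin/sh
# Field 15 of sec/ssb records in --with-colons output (GnuPG doc/DETAILS):
#   "+"        secret key material is available on disk
#   "#"        simple stub, no secret material
#   otherwise  serial number of the card that holds the key (stub)
classify_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            if ($15 == "+")      state = "secret-material-present"
            else if ($15 == "#") state = "stub-no-secret"
            else if ($15 != "")  state = "stub-on-card:" $15
            else                 state = "unknown"
            print $1, $5, state
        }'
}

# Succeeds only if at least one key is listed and every sec/ssb record
# carries real secret material, i.e. the backup can restore a lost card.
backup_is_complete() {
    classify_secret_keys | awk '
        { n++ }
        $3 != "secret-material-present" { bad = 1 }
        END { exit (n == 0 || bad) }'
}

# Constructed sample: primary key is a bare stub, subkey lives on a card.
SAMPLE_STUBS='sec:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC:::#:::23::0:
uid:u::::1500000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::e:::D2760001240102010006000000010000:::23:'

# Constructed sample: both keys have their secret material on disk.
SAMPLE_FULL='sec:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC:::+:::23::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::e:::+:::23:'

printf '%s\n' "$SAMPLE_STUBS" | classify_secret_keys

# To inspect a real backup file without touching the main keyring
# (backup.asc is a placeholder file name):
#   tmp=$(mktemp -d) && chmod 700 "$tmp"
#   gpg --homedir "$tmp" --import backup.asc
#   gpg --homedir "$tmp" --list-secret-keys --with-colons | classify_secret_keys
```

Any result other than `secret-material-present` means the file cannot be used to reload that key onto a reset card.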
