setting GnuPG card to 'not forces' does not let sign


setting GnuPG card to 'not forces' does not let sign

Matthias Apitz

Hello,

I was tired of always having to enter the PIN when signing mails
and switched the card to 'not forced':

Signature PIN ....: not forced

After this (without withdrawing the card, i.e. the PIN was already
entered around 10 times and the card unlocked), the signing says:

$ echo bla > test.doc
$ LANG=C
$ gpg2 --armor --output test.doc.signed --sign test.doc
gpg: signing failed: Bad PIN
gpg: signing failed: Bad PIN

The bad PIN counter in the card is not decremented. Switching the card
back to 'forced' makes signing with PIN working again.

What am I doing wrong?

        matthias


--
Matthias Apitz, ✉ [hidden email], ⌂ http://www.unixarea.de/  ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May 8, 1945: Who does not celebrate lost the War.

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: setting GnuPG card to 'not forces' does not let sign

Werner Koch

> The bad PIN counter in the card is not decremented. Switching the card
> back to 'forced' makes signing with PIN working again.

Interesting.  Did you also try to reset the card (i.e. re-insert) with
non-forced set?


Salam-Shalom,

   Werner

--
Thoughts are free.  Exceptions are regulated by a federal law.


Re: setting GnuPG card to 'not forces' does not let sign

Matthias Apitz
On Friday, June 09, 2017 at 08:09:12 a.m. +0200, Werner Koch wrote:

>
> > The bad PIN counter in the card is not decremented. Switching the card
> > back to 'forced' makes signing with PIN working again.
>
> Interesting.  Did you also try to reset the card (i.e. re-insert) with
> non-forced set?

As I wrote in the last mail, it works now like it should, and for signing
as well as for SSH I only have to enter the PIN once.

I have one last remaining issue with this GnuPG card and/or my USB
device HID Global OMNIKEY 6121 Smart Card Reader and/or FreeBSD, i.e.
it's totally unclear at the moment what is causing it:

Sometimes (let's say in 50% of the cases) the USB device is not seen by
the FreeBSD kernel on power-on boot, even if the OMNIKEY is already inserted before
power-on. When it is not seen on boot, it is not seen on withdraw and
re-insert. When it is seen, it is always seen, i.e. one can re-insert as
often as you want, it always works. Sometimes not even a re-boot helps; it
takes 2-3 re-boots to get the OMNIKEY seen.

I know, this is not a GnuPG issue, but I wanted to mention it here to
ask if others have similar experiences, even on Linux or other OS, or if
it is worth getting a new OMNIKEY device or even another device.

Comments?

Thanks

        matthias

Re: setting GnuPG card to 'not forces' does not let sign

Werner Koch
On Fri,  9 Jun 2017 08:39, [hidden email] said:

> I know, this is not a GnuPG issue, but I wanted to mention it here to
> ask if others have similar experiences, even on Linux or other OS, or if
> it is worth getting a new OMNIKEY device or even another device.

You'd better avoid everything with an Omnikey chip in it.  I had only
trouble with it and they never responded to questions.  Well, it works
on Windows because they fix their hardware with their Windows driver.


Shalom-Salam,

   Werner


p.s.
If someone from Omnikey reads this and likes to help getting Omnikey
devices working with current keys sizes under free software OSes, feel
free to contact me off-list.  I won't sign any NDAs, though.


Re: setting GnuPG card to 'not forces' does not let sign

Matthias Apitz
On Sunday, June 11, 2017 at 08:59:37 p.m. +0200, Werner Koch wrote:

> On Fri,  9 Jun 2017 08:39, [hidden email] said:
>
> > I know, this is not a GnuPG issue, but I wanted to mention it here to
> > ask if others have similar experiences, even on Linux or other OS, or if
> > it is worth getting a new OMNIKEY device or even another device.
>
> You'd better avoid everything with an Omnikey chip in it.  I had only
> trouble with it and they never responded to questions.  Well, it works
> on Windows because they fix their hardware with their Windows driver.

Do you know of any other CCID reader for ID-000 size cards?

        matthias


Re: setting GnuPG card to 'not forces' does not let sign

Werner Koch
On Mon, 12 Jun 2017 12:38, [hidden email] said:

> Do you know of any other CCID reader for ID-000 size cards?

I have a sample of the Gemalto Shell Token here.  It has been around for
quite some time and the kernelconcept folks say that it works nicely.  See

  https://www.floss-shop.de/en/security-privacy/

On that page you also find the somewhat more expensive uTrust token which
would be my preferred choice. I used it for many years until it broke due
to my fault.  In fact I recycled the case for my gnuk token.


Shalom-Salam,

   Werner


Re: setting GnuPG card to 'not forces' does not let sign

Matthias Apitz
On Monday, June 12, 2017 at 12:58:23 p.m. +0200, Werner Koch wrote:

> On Mon, 12 Jun 2017 12:38, [hidden email] said:
>
> > Do you know of any other CCID reader for ID-000 size cards?
>
> I have a sample of the Gemalto Shell Token here.  It has been around for
> quite some time and the kernelconcept folks say that it works nicely.  See
>
>   https://www.floss-shop.de/en/security-privacy/
>
> On that page you also find the somewhat more expensive uTrust token which
> would be my preferred choice. I used it for many years until it broke due
> to my fault.  In fact I recycled the case for my gnuk token.

I bought the uTrust token in the above-mentioned FLOSS shop and it arrived today.
It shows on my netbook the same problem as the other one from Omnikey:
it is not always detected at power-on boot.

In the boot at 14:17:02 it is seen, while later it takes three boots to be
seen by the kernel:

Jun 16 14:17:02 c720-r314251 syslogd: kernel boot file is /boot/kernel/kernel
Jun 16 14:17:02 c720-r314251 kernel: ugen0.2: <Identiv uTrust 3512 SAM slot Token> at usbus0

Jun 16 20:20:48 c720-r314251 syslogd: kernel boot file is /boot/kernel/kernel

Jun 16 20:23:28 c720-r314251 syslogd: kernel boot file is /boot/kernel/kernel

Jun 16 20:25:49 c720-r314251 syslogd: kernel boot file is /boot/kernel/kernel
Jun 16 20:25:49 c720-r314251 kernel: ugen0.4: <Identiv uTrust 3512 SAM slot Token> at usbus0

Perhaps, it is more a netbook's (Acer C720) or FreeBSD issue.

        matthias

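As an added example (not part of the thread), a small Python script that groups the syslog lines quoted above by their "kernel boot file" marker and reports, per boot, whether the token was enumerated, which gives the detection rate the poster estimated by hand. The log lines are the ones from the post; the function names are my own.

```python
import re

# Sample input: the four boots from the post above, copied verbatim.
SAMPLE_LOG = """\
Jun 16 14:17:02 c720-r314251 syslogd: kernel boot file is /boot/kernel/kernel
Jun 16 14:17:02 c720-r314251 kernel: ugen0.2: <Identiv uTrust 3512 SAM slot Token> at usbus0
Jun 16 20:20:48 c720-r314251 syslogd: kernel boot file is /boot/kernel/kernel
Jun 16 20:23:28 c720-r314251 syslogd: kernel boot file is /boot/kernel/kernel
Jun 16 20:25:49 c720-r314251 syslogd: kernel boot file is /boot/kernel/kernel
Jun 16 20:25:49 c720-r314251 kernel: ugen0.4: <Identiv uTrust 3512 SAM slot Token> at usbus0
"""

# A new boot starts where syslogd announces the kernel boot file.
BOOT_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ syslogd: kernel boot file is ")
# USB device enumeration line as printed by the FreeBSD kernel.
UGEN_RE = re.compile(r"kernel: (?P<dev>ugen\d+\.\d+): <(?P<name>[^>]*)> at (?P<bus>usbus\d+)")


def boots_with_reader(log_text, reader_substring):
    """Return one (boot_timestamp, ugen_device_or_None) tuple per boot.

    A boot gets the ugen device name if a matching enumeration line
    appears before the next boot marker, otherwise None."""
    boots = []
    for line in log_text.splitlines():
        m = BOOT_RE.match(line)
        if m:
            boots.append([m.group("ts"), None])
            continue
        m = UGEN_RE.search(line)
        if m and reader_substring in m.group("name") and boots:
            boots[-1][1] = m.group("dev")
    return [tuple(b) for b in boots]


def detection_rate(boots):
    """Fraction of boots in which the reader was enumerated (0.0 if no boots)."""
    if not boots:
        return 0.0
    return sum(1 for _, dev in boots if dev) / len(boots)


if __name__ == "__main__":
    result = boots_with_reader(SAMPLE_LOG, "uTrust")
    for ts, dev in result:
        print(f"{ts}: {'seen as ' + dev if dev else 'NOT seen'}")
    print(f"detection rate: {detection_rate(result):.0%}")
```

Feed it the real /var/log/messages and a substring of the reader's USB product name to get the same per-boot table for a longer period.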

about CCID USB readers (Re: setting GnuPG card to 'not forces' does not let sign)

Matthias Apitz
On Monday, June 12, 2017 at 12:58:23 p.m. +0200, Werner Koch wrote:

> On Mon, 12 Jun 2017 12:38, [hidden email] said:
>
> > Do you know of any other CCID reader for ID-000 size cards?
>
> I have a sample of the Gemalto Shell Token here.  It has been around for
> quite some time and the kernelconcept folks say that it works nicely.  See
>
>   https://www.floss-shop.de/en/security-privacy/
>
> On that page you also find the somewhat more expensive uTrust token which
> would be my preferred choice. I used it for many years until it broke due
> to my fault.  In fact I recycled the case for my gnuk token.

Some days ago I acquired this uTrust token. And surprise, surprise, it
showed the same symptoms as the other one, the HID Global OMNIKEY 6121
Smart Card Reader: my operating system does not always recognise the
USB device, not even when plugged in before power-on. This smells
somehow like a hardware issue in the Acer C720 or in the kernel of
FreeBSD (and I do run CURRENT on it, i.e. compiled directly from SVN).
Here is the bug issue I filed against our beloved FreeBSD:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220127
Just in case someone has similar experiences.

I tested a lot with this issue and now have a trick which seems to
make it at least fail less often: I insert the uTrust token before
power-on, start the laptop but hold the boot at the moment when you can
modify certain boot options, i.e. the device is powered on but awaiting
keyboard input to continue loading the kernel. Only a few seconds.
Then the booting kernel sees the device as:

ugen0.2: <Identiv uTrust 3512 SAM slot Token> at usbus0

Is there something in the card's firmware which needs some time to come
up?

        matthias



Re: about CCID USB readers (Re: setting GnuPG card to 'not forces' does not let sign)

Matthias Apitz
On Thursday, June 22, 2017 at 08:28:57 a.m. +0200, Matthias Apitz wrote:

> Some days ago I acquired this uTrust token. And surprise, surprise, it
> showed the same symptoms as the other one, the HID Global OMNIKEY 6121
> Smart Card Reader: my operating system does not always recognise the
> USB device, not even when plugged in before power-on. This smells
> somehow like a hardware issue in the Acer C720 or in the kernel of
> FreeBSD (and I do run CURRENT on it, i.e. compiled directly from SVN).
> Here is the bug issue I filed against our beloved FreeBSD:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220127
> Just in case someone has similar experiences.
>
> ...

At the end of the day it turned out that this was an issue in the
FreeBSD drivers and/or some race conditions or an electrical problem. I
removed some of the drivers which were searching the USB bus for devices
and now have only the XHCI driver in the kernel (disabled UHCI, OHCI and EHCI),
and with this the detection of both cards (uTrust and Omnikey) is fine.

        matthias