GnuPG dropped support of smart card version 1.0?
Werner Koch
wk at gnupg.org
Tue Mar 25 10:22:46 CET 2025
Hi!
I found a 1.0 card and I also had a copy of the old test key: the card
is displayed fine using gpg-card:
Reader ...........: 04E6:E003:51271922204260:0
Serial number ....: D27600012401010000010000000C0000
Application type .: OpenPGP
Version ..........: 1.0
Displayed s/n ....: 0001 0000000C
Manufacturer .....: PPC Card Systems (1)
Name of cardholder: [not set]
Language prefs ...: de
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 2 3
I used an SPR332 reader and that card is actually one of the very first
cards ever produced. No problem here using GnuPG 2.5.5 - well except
that I forgot the decryption PIN and better don't do any more tests.
Running on Linux using the internal driver. But that should not
matter.
The log showed:
scdaemon[24460]: Version-2+ .....: no
scdaemon[24460]: Version-3+ .....: no
scdaemon[24460]: Button .........: no
scdaemon[24460]: SM-Support .....: no
scdaemon[24460]: Get-Challenge ..: yes (0 bytes max)
scdaemon[24460]: Key-Import .....: yes
scdaemon[24460]: Change-Force-PW1: yes
scdaemon[24460]: Private-DOs ....: no
scdaemon[24460]: Algo-Attr-Change: no
scdaemon[24460]: Symmetric Crypto: no
scdaemon[24460]: KDF-Support ....: no
scdaemon[24460]: Max-Cert-Len ...: 0
scdaemon[24460]: Cmd-Chaining ...: no
scdaemon[24460]: Ext-Lc-Le ......: no
scdaemon[24460]: Status-Indicator: 00
scdaemon[24460]: GnuPG-No-Sync ..: no
scdaemon[24460]: GnuPG-Def-PW2 ..: no
scdaemon[24460]: Key-Attr-sign ..: RSA, n=1024, e=32, fmt=std
scdaemon[24460]: Key-Algo-sign ..: rsa1024
scdaemon[24460]: Key-Attr-encr ..: RSA, n=1024, e=32, fmt=std
scdaemon[24460]: Key-Algo-encr ..: rsa1024
scdaemon[24460]: Key-Attr-auth ..: RSA, n=1024, e=32, fmt=std
scdaemon[24460]: Key-Algo-auth ..: rsa1024
> One difference is that GnuPG 1.x uses:
> APDU: 00 CA 00 6E 00
Will also be read by current gnupg but I did not look closer at the
APDUs.
> While GnuPG 2.x uses:
> APDU: 00 CA 7F 74 00
That is the feature flag for the confirmation button.
> Maybe the easiest thing to do is to document that cards version 1.0
> are no more supported and report an understandable error message from
> GnuPG 2.x.
There might have been a regression. I remember
https://dev.gnupg.org/T7058 with fixes released in July with 2.5.0 and
in October with 2.4.6.
Thus my conclusion is that 1.0 cards still work.
Shalom-Salam,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
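
Added example, not part of the message above and not GnuPG code: a small Python decoder for the card serial number (the 16-byte OpenPGP AID) and the two GET DATA APDUs quoted in the thread. The function names are hypothetical; the AID layout and the name of data object 006E follow the OpenPGP card specification, and the inputs are the values shown in the message.

```python
OPENPGP_RID = bytes.fromhex("D276000124")  # registered ID of the OpenPGP application

# Data object names: 006E per the OpenPGP card specification; 7F74 is the
# feature flag for the confirmation button, as stated in the message.
DATA_OBJECTS = {
    0x006E: "Application Related Data",
    0x7F74: "General feature management (confirmation button)",
}

def parse_aid(hex_aid):
    """Split the 16-byte AID that gpg-card prints as 'Serial number'."""
    aid = bytes.fromhex(hex_aid)
    if len(aid) != 16:
        raise ValueError("OpenPGP AID must be 16 bytes")
    if aid[:5] != OPENPGP_RID or aid[5] != 0x01:
        raise ValueError("not an OpenPGP card application")
    manufacturer, serial = aid[8:10], aid[10:14]
    return {
        "version": f"{aid[6]:x}.{aid[7]:x}",  # BCD major.minor
        "manufacturer": int.from_bytes(manufacturer, "big"),
        "serial": serial.hex().upper(),
        "displayed_sn": f"{manufacturer.hex().upper()} {serial.hex().upper()}",
    }

def parse_get_data(apdu_text):
    """Decode a short case-2 GET DATA command: CLA INS P1 P2 Le."""
    apdu = bytes.fromhex(apdu_text)  # fromhex ignores the spaces
    if len(apdu) != 5:
        raise ValueError("expected exactly 5 bytes: CLA INS P1 P2 Le")
    cla, ins, p1, p2, le = apdu
    if (cla, ins) != (0x00, 0xCA):
        raise ValueError("not a GET DATA command")
    tag = (p1 << 8) | p2  # P1/P2 carry the data object tag
    return {
        "tag": tag,
        "name": DATA_OBJECTS.get(tag, "unknown"),
        "max_response": 256 if le == 0 else le,  # Le=00 means up to 256 bytes
    }

if __name__ == "__main__":
    print(parse_aid("D27600012401010000010000000C0000"))
    for apdu in ("00 CA 00 6E 00", "00 CA 7F 74 00"):
        print(apdu, "->", parse_get_data(apdu))
```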