One Key, multiple Smartcards not working anymore
Josef Schneider
josef at netpage.dk
Mon Jul 27 21:09:19 CEST 2015
Hello,
I have a problem with my Key. I have a 4096bit RSA key since 2012 and it
is stored on an OpenPGP smartcard.
Recently I added three new 2048bit subkeys, because I bought a Yubikey
NEO device and want to use PGP on my phone/tablet with Android and NFC.
This worked as expected. I created the new subkeys on my PC, saved a
backup and then moved them to the card.
PGP showed me correctly that the first three keys are on card 1 and the
second three are on card 2. If the wrong card was inserted, it asked me
to insert the correct one.
I then wanted to create one key backup with all six private keys to
print using PaperBack and store in a safe place. I was able to merge all
the private keys with gpgsplit and moving/renaming files and created
that backup.
After that, I deleted the whole key, got my public key from the
keyservers and tried to use it with the card (after gpg2 --card-status).
Here is now my problem:
GPG adds the key stub for the smartcard keys only for the first card! If
I delete the key, import, use card-status, then I can use the three
keys from that smartcard. If I insert the second smartcard and do a
card-status, nothing changes!
If I import the full key with all private keys, I can then replace the
keys on the card and move all keys to smartcards. Then I get a key
working with both smartcards again. But of course I don't want to touch
the key backup. It's printed on paper and stored in a safe location for
a reason.
Am I doing something wrong, or is that a bug?
Here are some gpg outputs:
At the moment, I have it here on my notebook working with the 4096bit keys:
sec> 4096R/9BE45ED0 2012-12-10 [verfällt: 2017-04-13]
Kartenseriennr. = 0005 XXXXXXXX
uid Josef Schneider <josef at netpage.dk>
uid Josef Schneider <josef at schneider.wf>
ssb> 4096R/B641DD11 2012-12-10
ssb> 4096R/CA02F8EA 2012-12-10
ssb# 2048R/988E7DDD 2015-07-07
ssb# 2048R/03E021FE 2015-07-07
ssb# 2048R/8B406748 2015-07-07
I insert the other card and do a card-status:
C:\Users\Josef Schneider>gpg --card-status
Application ID ...: DXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: XXXXXXXX
Name of cardholder: Josef Schneider
Language prefs ...: de
Sex ..............: männlich
URL of public key : https://j0s.at/gpg.asc
Login data .......: [nicht gesetzt]
Signature PIN ....: zwingend
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 39
Signature key ....: 50FD 3663 AB67 A8FD 64BD C208 1272 58BE 988E 7DDD
created ....: 2015-07-07 11:34:08
Encryption key....: 88FA 7314 795F 5F19 F258 3B70 E18B C1D9 03E0 21FE
created ....: 2015-07-07 11:38:08
Authentication key: E0E5 13F9 AA97 8C8E 1BF5 27FB B6BF D0F7 8B40 6748
created ....: 2015-07-07 20:15:08
General key info..: pub 2048R/988E7DDD 2015-07-07 Josef Schneider
<josef at schneider.wf>
sec> 4096R/9BE45ED0 erzeugt: 2012-12-10 verfällt: 2017-04-13
Kartennummer:0005 XXXXXXXX
ssb> 4096R/B641DD11 erzeugt: 2012-12-10 verfällt: niemals
Kartennummer:0005 XXXXXXXX
ssb> 4096R/CA02F8EA erzeugt: 2012-12-10 verfällt: niemals
Kartennummer:0005 XXXXXXXX
ssb# 2048R/988E7DDD erzeugt: 2015-07-07 verfällt: 2017-07-06
ssb# 2048R/03E021FE erzeugt: 2015-07-07 verfällt: 2017-07-06
ssb# 2048R/8B406748 erzeugt: 2015-07-07 verfällt: 2017-10-24
I can't use this key.
After deleting it and importing https://j0s.at/gpg.asc:
C:\Users\Josef Schneider>gpg --card-status
Application ID ...: DXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: XXXXXXXX
Name of cardholder: Josef Schneider
Language prefs ...: de
Sex ..............: männlich
URL of public key : https://j0s.at/gpg.asc
Login data .......: [nicht gesetzt]
Signature PIN ....: zwingend
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 40
Signature key ....: 50FD 3663 AB67 A8FD 64BD C208 1272 58BE 988E 7DDD
created ....: 2015-07-07 11:34:08
Encryption key....: 88FA 7314 795F 5F19 F258 3B70 E18B C1D9 03E0 21FE
created ....: 2015-07-07 11:38:08
Authentication key: E0E5 13F9 AA97 8C8E 1BF5 27FB B6BF D0F7 8B40 6748
created ....: 2015-07-07 20:15:08
General key info..: pub 2048R/988E7DDD 2015-07-07 Josef Schneider
<josef at schneider.wf>
sec# 4096R/9BE45ED0 erzeugt: 2012-12-10 verfällt: 2017-04-13
ssb# 4096R/B641DD11 erzeugt: 2012-12-10 verfällt: niemals
ssb# 4096R/CA02F8EA erzeugt: 2012-12-10 verfällt: niemals
ssb> 2048R/988E7DDD erzeugt: 2015-07-07 verfällt: 2017-07-06
Kartennummer:0006 XXXXXXXX
ssb> 2048R/03E021FE erzeugt: 2015-07-07 verfällt: 2017-07-06
Kartennummer:0006 XXXXXXXX
ssb> 2048R/8B406748 erzeugt: 2015-07-07 verfällt: 2017-10-24
Kartennummer:0006 XXXXXXXX
I can use the 2048bit keys, but not the 4096
After inserting the first card again:
C:\Users\Josef Schneider>gpg --card-status
Application ID ...: DXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: XXXXXXXX
Name of cardholder: Schneider Josef
Language prefs ...: de
Sex ..............: männlich
URL of public key : https://netpage.dk/gpg.asc
Login data .......: -
Signature PIN ....: zwingend
Key attributes ...: 4096R 4096R 4096R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 250
Signature key ....: CA77 342B 856C 9D5B B0B6 C23C 3140 E873 9BE4 5ED0
created ....: 2012-12-10 00:01:57
Encryption key....: DE61 0EF1 5124 2A64 400B 9968 4CBB 978B B641 DD11
created ....: 2012-12-10 00:01:57
Authentication key: 3E9E 5480 F676 B9D6 6632 49A2 E1D8 2ECC CA02 F8EA
created ....: 2012-12-10 00:03:06
General key info..: pub 4096R/9BE45ED0 2012-12-10 Josef Schneider
<josef at schneider.wf>
sec# 4096R/9BE45ED0 erzeugt: 2012-12-10 verfällt: 2017-04-13
ssb# 4096R/B641DD11 erzeugt: 2012-12-10 verfällt: niemals
ssb# 4096R/CA02F8EA erzeugt: 2012-12-10 verfällt: niemals
ssb> 2048R/988E7DDD erzeugt: 2015-07-07 verfällt: 2017-07-06
Kartennummer:0006 XXXXXXXX
ssb> 2048R/03E021FE erzeugt: 2015-07-07 verfällt: 2017-07-06
Kartennummer:0006 XXXXXXXX
ssb> 2048R/8B406748 erzeugt: 2015-07-07 verfällt: 2017-10-24
Kartennummer:0006 XXXXXXXX
Still can't use the 4096bit keys. If I want to use the 2048bit keys, GPG
asks me correctly to insert the other card and then it works.
All with gpg (GnuPG) 2.0.28 (Gpg4win 2.2.5)
I hope someone can help me figure that out.
Best regards,
Josef
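
Added example (not part of the original message): a Python check that compares the key fingerprints `gpg --card-status` reports for the inserted card with the markers in the key listing printed below them (`>` = stub pointing at a card, `#` = secret part not available) and returns the card keys for which the keyring holds no stub. It assumes the GnuPG 2.0 text layout shown in the message; the sample input is constructed from the third output above, and the function name is hypothetical.

```python
import re

# Constructed sample: the third --card-status output from the message
# (ZeitControl card inserted), trimmed to the lines the check needs.
SAMPLE = """\
Signature key ....: CA77 342B 856C 9D5B B0B6 C23C 3140 E873 9BE4 5ED0
Encryption key....: DE61 0EF1 5124 2A64 400B 9968 4CBB 978B B641 DD11
Authentication key: 3E9E 5480 F676 B9D6 6632 49A2 E1D8 2ECC CA02 F8EA
sec# 4096R/9BE45ED0 erzeugt: 2012-12-10 verfällt: 2017-04-13
ssb# 4096R/B641DD11 erzeugt: 2012-12-10 verfällt: niemals
ssb# 4096R/CA02F8EA erzeugt: 2012-12-10 verfällt: niemals
ssb> 2048R/988E7DDD erzeugt: 2015-07-07 verfällt: 2017-07-06
Kartennummer:0006 XXXXXXXX
ssb> 2048R/03E021FE erzeugt: 2015-07-07 verfällt: 2017-07-06
Kartennummer:0006 XXXXXXXX
ssb> 2048R/8B406748 erzeugt: 2015-07-07 verfällt: 2017-10-24
Kartennummer:0006 XXXXXXXX
"""

# "Signature key ....: <40 hex digits in groups of four>"
CARD_KEY = re.compile(
    r"^(Signature|Encryption|Authentication) key\s*\.*:\s*((?:[0-9A-F]{4}\s*){10})$")
# "ssb> 2048R/988E7DDD ..." -> record type, marker ('>', '#' or none), short key ID
LISTING = re.compile(r"^(sec|ssb)([>#]?)\s+\d+[A-Za-z]/([0-9A-F]{8})\b")


def missing_stubs(text):
    """Short key IDs present on the inserted card but not marked '>' in the listing."""
    on_card, marker = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = CARD_KEY.match(line)
        if m:
            # The short key ID is the last 8 hex digits of a v4 fingerprint.
            on_card["".join(m.group(2).split())[-8:]] = m.group(1)
            continue
        m = LISTING.match(line)
        if m:
            marker[m.group(3)] = m.group(2)
    # A card key that is '#', unmarked, or absent from the listing has no stub.
    return sorted(k for k in on_card if marker.get(k) != ">")


if __name__ == "__main__":
    print("card keys without a stub:", missing_stubs(SAMPLE))
```

For the sample, all three 4096-bit keys on the inserted card are reported, which is the state the message describes after the second `--card-status`.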