-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Factory Reset fails on old gpg (2.2.21) #144
Comments
This does reproduce the issue on my end, however it does not crash the device, I don't need to power cycle it to get it to work again. However it indeed does not appear to be actually resetting the device. Newer version of gpg don't have this issue. Looking at the logs coming from a dev device do not give any insight as to what could be the issue, and I don't seem to find references to such an error message elsewhere. |
FYI: you can check GnuPG logs with this config: https://github.com/Nitrokey/gnupg-docker/blob/test-suite/scdaemon.conf |
From the point of view of the key it looks like it reads the keys, some more data and then stops, despite no error being returned.
The logs from scdaemon and gpg-agent are not really helpful:
It works correctly on a yubikey. |
GnuPG should show raw APDU sent - check log level. |
You're right I was missing the first line. |
The only suspicious thing I see is the |
I’ve been digging through the GnuPG sources trying to interpret this error: This line originates from As we don’t see a log entry from Comparing this with the current master, one obvious difference is that From the logs, it is clear that this really occurs inside a So the next question is why this happens with the Nitrokey 3 and not the Yubikey. Can you share a log from the Yubikey test case so that we can try to identify the differences? |
Successful log with a yubikey: |
Ah, I think I was misled by the commit comment. The problematic call is not triggered by
To me this looks like a timing issue. The |
Doesn't look like it helps. I tried gpg --card-status;\
sleep 3
echo -e 'admin\\nfactory-reset\\ny\\nyes' | gpg --command-fd=0 --card-edit and echo -e 'list\\nadmin\\nfactory-reset\\ny\\nyes' | gpg --command-fd=0 --card-edit without success |
Maybe making the request just fast enough could work? I think a lot of optimization could be done, though it's probably a bit complex. I tried with a firmware compiled with |
I’ve submitted a bug report for the misleading log message: https://dev.gnupg.org/T6476 |
To sum up our recent discussion on this topic:
|
This particular one-line patch fixes the issue: https://dev.gnupg.org/rG3c3765405de02b9a57fdc9a3cf901f6e3aca8586 |
No such device after gpg2 factory reset thread on the forum suggests one user managed to kill their OpenPGP applet completely. Could this be related? |
So far I understand "kill" means here that the two step procedure failed to be executed by gpg - this might be related, @sosthene-nitrokey any ideas? |
I responded on the forum post with information on how to fix the case where the reset procedure failed after the |
Yes, saw this - but do you think this is a distinct issue we see there or is this related to gpg's 2.2 weird factory reset behavior ? |
Regarding whether this is what caused the bug, I don't think it is. From my memory this bug made the factory reset fail before doing the |
reproducer:
error:
gpg 2.2.21 is used in debian 10 and for HEADS, so even if this is an old (outdated) version we should take a look...
The text was updated successfully, but these errors were encountered: