"gpg: KEYTOCARD failed: General error" with ed25519 key type on branch eddsa #26

Closed
13pgeiser opened this issue Jan 4, 2025 · 2 comments


@13pgeiser

Hello Pol,

First of all, thank you for sharing this work.

I'm trying to send ed25519 keys to use my tiny2530 board as a smartcard with gnupg. I've tried many different combinations (of VIDPID and boards: pico, tiny2530) without success. Even though it looks similar to #20, it seems it's not the same problem.

Here is the script I use to rebuild the firmware and test it.

WARNING: the script deletes the "~/.gnupg" folder.

#!/bin/bash
set -ex
# Using debian 12
cat /etc/os-release
sudo apt install -y cmake gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib opensc gnupg
# Clone both pico-sdk & pico-openpgp
git clone https://github.com/raspberrypi/pico-sdk.git --branch 2.0.0 --recurse-submodules
git clone https://github.com/polhenarejos/pico-openpgp.git --branch eddsa --recurse-submodules
# Build
mkdir -p pico-build
cd pico-build
cmake -DPICO_BOARD=pimoroni_tiny2350 -DVIDPID=Gnuk -DPICO_SDK_PATH="../pico-sdk/" ../pico-openpgp
make -j"$(nproc)"
# Copy to board and wait a bit.
cp pico_openpgp.uf2 "/media/$USER/RP2350/"
sleep 30
# WARNING deletes actual gnupg installation.
rm -rf ~/.gnupg
gpg --card-status
# Create new keys
export IDENTITY="pico openpgp<pico@openpgp.me>"
export CERTIFY_PASS="test"
# --passphrase-fd is only honoured by GnuPG 2.1+ together with --pinentry-mode=loopback
echo "$CERTIFY_PASS" | gpg --batch --pinentry-mode=loopback --passphrase-fd 0 --quick-generate-key "$IDENTITY" ed25519 cert never
export KEYFP=$(gpg -k --with-colons "$IDENTITY" | awk -F: '/^fpr:/ { print $10; exit }')
echo "$CERTIFY_PASS" | gpg --batch --pinentry-mode=loopback --passphrase-fd 0 --quick-add-key "$KEYFP" ed25519 sign 1y
gpg -K
# Put key on card
export KEYID=$(gpg -k --with-colons "$IDENTITY" | awk -F: '/^pub:/ { print $5; exit }')
gpg --command-fd=0 --pinentry-mode=loopback --edit-key $KEYID <<EOF
key 1
keytocard
1
$CERTIFY_PASS
EOF

Attached, the full log: pico-log.txt

If I try to send an RSA key with this firmware, I get the same failure.

If I try to send RSA keys with the main branches, it seems to work.

If I send an ed25519 key with the main branches, I get "gpg: KEYTOCARD failed: Not supported".

@polhenarejos
Owner

I think there's a problem with your code. You are missing the Admin PIN after the passphrase:

gpg --command-fd=0 --pinentry-mode=loopback --edit-key $KEYID <<EOF
key 1
keytocard
1
$CERTIFY_PASS
$ADMIN_PASS
$ADMIN_PASS
EOF

By default admin pass is `12345678`.
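The following script is an added example, not code from this issue or from the pico-openpgp project. It packages the fix above (supplying the key passphrase, then the Admin PIN, on --command-fd) into a function, adds the `save` step that makes gpg write the on-disk stub, and then checks from `gpg --card-status --with-colons` that the subkey fingerprint really landed in the chosen slot. It assumes GnuPG 2.x colon-separated output formats and the firmware's default Admin PIN of 12345678 quoted above; the two sample listings inside it are constructed by hand so the parsing runs offline without a card.

```shell
#!/bin/sh
# Added example (not from the issue or pico-openpgp): non-interactive keytocard
# plus a check that the card now holds the subkey. Assumptions: GnuPG 2.x
# --with-colons formats; Admin PIN is the firmware default 12345678 unless
# changed; SAMPLE_LISTING and SAMPLE_CARD below are constructed test data.

# Answers fed to `gpg --edit-key` over --command-fd, in the order gpg asks:
# select subkey, keytocard, slot (1 sign, 2 encrypt, 3 auth), key passphrase,
# Admin PIN twice (as in the owner's fix), then `save` to write the stub.
keytocard_answers() {   # $1 subkey index, $2 slot, $3 passphrase, $4 admin PIN
  printf '%s\n' "key $1" keytocard "$2" "$3" "$4" "$4" save
}

# Fingerprint of the n-th subkey in `gpg -K --with-colons` output: field 10 of
# the fpr: record that follows the n-th ssb:/sub: record (the first fpr: record
# belongs to the primary key and is skipped).
subkey_fpr() {          # $1 listing text, $2 subkey index (1-based)
  printf '%s\n' "$1" | awk -F: -v want="$2" '
    /^(sub|ssb):/ { n++; grab = (n == want) }
    /^fpr:/ && grab { print $10; exit }'
}

# Fingerprint held in a card slot per `gpg --card-status --with-colons`: the
# fpr: record carries the sign, encrypt and auth fingerprints in fields 2-4;
# an empty field means the slot is unpopulated.
card_fpr() {            # $1 card-status text, $2 slot (1 sign, 2 enc, 3 auth)
  printf '%s\n' "$1" | awk -F: -v slot="$2" '/^fpr:/ { print $(slot + 1); exit }'
}

# Succeeds only when the subkey fingerprint equals what the card reports.
on_card() {             # $1 listing, $2 subkey index, $3 card-status, $4 slot
  oc_want=$(subkey_fpr "$1" "$2")
  oc_have=$(card_fpr "$3" "$4")
  [ -n "$oc_want" ] && [ "$oc_want" = "$oc_have" ]
}

# Live run against a real card (not exercised by the offline sample data).
# Afterwards change the default Admin PIN: gpg --card-edit, admin, passwd.
move_and_verify() {     # $1 key id, $2 subkey index, $3 slot, $4 passphrase, $5 admin PIN
  keytocard_answers "$2" "$3" "$4" "$5" |
    gpg --batch --command-fd 0 --pinentry-mode loopback --edit-key "$1" >/dev/null
  on_card "$(gpg -K --with-colons "$1")" "$2" "$(gpg --card-status --with-colons)" "$3"
}

# Constructed samples: ed25519 certify key AAAA..., signing subkey BBBB...
# that is already in the card's signature slot, nothing in the other slots.
SUBKEY_FPR=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
SAMPLE_LISTING="sec:u:256:22:0123456789ABCDEF:1735948800:::u:::cSC:::+:::ed25519:::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1735948800::0000000000000000000000000000000000000000::pico openpgp <pico@openpgp.me>::::::::::0:
ssb:u:256:22:FEDCBA9876543210:1735948800:1767484800:::::s:::+:::ed25519::
fpr:::::::::$SUBKEY_FPR:"
SAMPLE_CARD="Application ID:D2760001240103040000000000000000:
Application type:OpenPGP:
Key attributes:22:22:22:
fpr:$SUBKEY_FPR:::
fprtime:1735948800:0:0:"
```

Usage: `move_and_verify "$KEYID" 1 1 "$CERTIFY_PASS" 12345678` moves subkey 1 into the signature slot and returns non-zero if `--card-status` does not show its fingerprint there. Remember that keytocard leaves only a stub on disk, so back up the secret key first, and change the default Admin PIN once the card is provisioned.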

@13pgeiser
Author

In fact, the problem was happening before it asked for the Admin PIN, but you're right, these two were missing!

I don't know precisely what I did to put the board in this state but downloading flash_nuke.uf2 to fully erase the flash solved the issue.

Sorry for the noise and many thanks for sharing this code!

BR,

Pascal.
