Page MenuHome GnuPG

Smartcard card-edit generate fails when off-card backup of encryption key is selected
Closed, ResolvedPublic

Description

I've marked this as a bug because the option is offered and It's a regression
from 2.0.x / 1.x

From g10/keygen.c line 4588 (gen_card_key_with_backup):

#if ENABLE_CARD_SUPPORT && 0

/* FIXME: Move this to gpg-agent.  */

Details

Version
2.1

Event Timeline

gniibe added a subscriber: gniibe.

I'm considering fixing this.

I've tested to generate an rsa2048 key with backup on a v2.0 card and it works
now. I have not tested restoring from backup etc. But as this report was about
the failed generation, this issue is resolved imo.

Thanks!

aheinecke removed a project: Restricted Project.

There is a regression due to the regression fix in rGb30c15bf7c5336c4abb1f9dcd974cd77ba6c61a7 (from Dec 24 2015) or some related commits:

Now that the key is first created in RAM, then secondly stored on the the card, and thirdly stored as a backup we may run in a timeout of the Pinentry for the backup key passphrase. The result is that we have a working key on the card but no backup.

Shall we handle this with additional retry prompts, w/o a timeout? I think this makes sense because creating keys with a backup file and a passphrase is a manual task anyway.

Shall we handle this with additional retry prompts, w/o a timeout? I think this makes sense because creating keys with a backup file and a passphrase is a manual task anyway.

from a UI perspective, it's not obvious that the password prompt (or pinentry in general) does have a timeout and if so how long it will wait. if pinentry was able to show a countdown of some kind, at least you wouldn't be surprised when the dialog is disappearing. i would suggest a behaviour similar to grub, which stops counting down its configured timeout as soon as you enter anything. this, combined with a warning that the key will be written without a backup if you don't react at all for a while, wouldn't really solve the issue itself, but make things much more predictable (seeing there is a timeout, which stops when you start entering a passphrase).

Got a simple fix for this which does two things:

  1. Correctly act upon an error from the backup file writing
  2. Print a warning note.
gpg: key 24CB456488071880AD5BA98AE3A434D57CA8C17C: error receiving key from agent: Timeout - skipped
gpg: error getting secret key from agent: Timeout
Warning: Although the key has been written to the card, a backup file was
         not properly written to the disk.  You may want to repeat the
         entire operation or just create a new encryption key on the card.
Key generation failed: Timeout
werner moved this task from Backlog to Done on the gnupg26 board.
werner moved this task from Backlog to done on the gnupg24 board.