GPG missing keys expected to be on the OpenPGP card (YubiKey 5)

Hoping that the answer https://unix.stackexchange.com/a/613772/320598 would help, I found that it did not (after asking this question I found a very similar question, https://stackoverflow.com/q/67001320/6607497). I basically have the same problem, which that answer should solve, but it does not:

I created the GPG keys locally, transferred them to the card, then deleted the local keys from the keyring and re-imported the public key (from an export made earlier). I thought everything was fine (following "OpenPGP keys on YubiKey", I think), until I tried to sign a key:

gpg: signing failed: No secret key

So before that I tried --card-status:

Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240103040006234727620000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 234XXXXX
Name of cardholder: UXXXXX WXXXX
Language prefs ...: de
Salutation .......: Mr.
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 4
KDF setting ......: off
Signature key ....: AC...
      created ....: 2023-01-26 21:05:14
Encryption key....: 6E...
      created ....: 2023-01-26 21:07:30
Authentication key: 61...
      created ....: 2023-01-26 21:11:18
General key info..: sub  rsa4096/B5XXXXXXXXXXXXXX 2023-01-26 UXXXXX WXXXX (XXX)
sec#  rsa4096/A5XXXXXXXXXXXXXX  created: 2023-01-26  expires: 2025-01-25
ssb>  rsa4096/B5XXXXXXXXXXXXXX  created: 2023-01-26  expires: 2025-01-25
                                card-no: 0006 234XXXXX
ssb>  rsa4096/A1XXXXXXXXXXXXXX  created: 2023-01-26  expires: 2025-01-25
                                card-no: 0006 234XXXXX
ssb>  rsa4096/11XXXXXXXXXXXXXX  created: 2023-01-26  expires: 2025-01-25
                                card-no: 0006 234XXXXX

When I use --edit-key to check my key, I get (some details redacted with X):

gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret subkeys are available.

pub  rsa4096/A5XXXXXXXXXXXXXX
     created: 2023-01-26  expires: 2025-01-25  usage: C   
     trust: ultimate      validity: ultimate
ssb  rsa4096/B5XXXXXXXXXXXXXX
     created: 2023-01-26  expires: 2025-01-25  usage: S   
     card-no: 0006 234XXXXX
ssb  rsa4096/A1XXXXXXXXXXXXXX
     created: 2023-01-26  expires: 2025-01-25  usage: E   
     card-no: 0006 234XXXXX
ssb  rsa4096/11XXXXXXXXXXXXXX
     created: 2023-01-26  expires: 2025-01-25  usage: A   
     card-no: 0006 234XXXXX
[ultimate] (1). UXXXXX WXXXX (XXX)

So I think this looks fine.

But when trying to sign a key, I get the following:

sec  rsa3072/1CXXXXXXXXXXXXXX
     created: 2023-01-28  expires: 2025-01-27  usage: C   
     trust: ultimate      validity: ultimate
ssb  rsa3072/C1XXXXXXXXXXXXXX
     created: 2023-01-28  expires: 2025-01-27  usage: S   
ssb  rsa3072/99XXXXXXXXXXXXXX
     created: 2023-01-28  expires: 2025-01-27  usage: E   
ssb  rsa3072/DEXXXXXXXXXXXXXX
     created: 2023-01-28  expires: 2025-01-27  usage: A   
[ultimate] (1). UXXXXX WXXXX <XXX>
[ultimate] (2)  UXXXXX WXXXX (Work)

Really sign all user IDs? (y/N) y

sec  rsa3072/1CXXXXXXXXXXXXXX
     created: 2023-01-28  expires: 2025-01-27  usage: C   
     trust: ultimate      validity: ultimate
 Primary key fingerprint: E1...

     UXXXXX WXXXX <XXX>
     UXXXXX WXXXX (Work)

This key is due to expire on 2025-01-27.
Are you sure that you want to sign this key with your
key "UXXXXX WXXXX (XXX)" (A5XXXXXXXXXXXXXX)

Really sign? (y/N) y
gpg: signing failed: No secret key
gpg: signing failed: No secret key

Key not changed so no update needed.

How can I recover from this, and what is the most likely mistake I made when setting up the keys on the card?

It seems https://unix.stackexchange.com/a/393166/320598 gives the reason why it does not work, but what caused this situation?

Answer 1

I think the problem is caused by incorrect or ambiguous instructions found in step 6 of the referenced document:

Unplug the YubiKey, delete the card-migrated keys, and re-import your backed up private keys.

gpg --delete-secret-and-public-key XXXXXXXXXXXXXXXX
gpg --import XXXXXXXXXXXXXXXX_secret.asc

At this point you should shutdown, offline, and safely store your offline keys.
Go to your regular online computer and import the public key and subkeys. Then plug in the YubiKey and check the YubiKey’s card status to connect that YubiKey to the matching public key and subkeys.

gpg --import XXXXXXXXXXXXXXXX_public.asc
gpg --card-status

Shouldn't "safely store your offline keys" come before gpg --delete-secret-and-public-key XXXXXXXXXXXXXXXX?

Solution (well, almost)

So I imported my key backup using gpg --import A5XXXXXXXXXXXXXX_sec.asc, and now the output is:

gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/A5XXXXXXXXXXXXXX
     created: 2023-01-26  expires: 2025-01-25  usage: C   
     trust: ultimate      validity: ultimate
ssb  rsa4096/B5XXXXXXXXXXXXXX
     created: 2023-01-26  expires: 2025-01-25  usage: S   
     card-no: 0006 234XXXXX
ssb  rsa4096/A1XXXXXXXXXXXXXX
     created: 2023-01-26  expires: 2025-01-25  usage: E   
     card-no: 0006 234XXXXX
ssb  rsa4096/11XXXXXXXXXXXXXX
     created: 2023-01-26  expires: 2025-01-25  usage: A   
     card-no: 0006 234XXXXX
[ultimate] (1). UXXXXX WXXXX (XXX)

But I am not sure whether the keys were copied to the local keyring (in addition to being stored on the YubiKey). Actually yes: I can sign keys without having to confirm the YubiKey PIN and without touching it.
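An added check, not part of the question or answer above, for telling whether a secret key actually lives in the local keyring or only as a stub pointing at the card. It parses the machine-readable listing from `gpg --with-colons --list-secret-keys`, where field 15 of each sec/ssb record holds the token serial number ('#' for a bare stub, '+' for secret material present locally, as documented in GnuPG's doc/DETAILS); the sample records, key ids and card serial below are constructed placeholders.

```shell
#!/bin/sh
# Classify secret keys from `gpg --with-colons --list-secret-keys` output.
# Field 15 of a sec/ssb record: '+' = private key material is in the local
# keyring, '#' = stub without any backing key, anything else = the serial
# number of the smart card that holds the key.
classify_secret_keys() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        where = "UNKNOWN"
        if ($15 == "+")       where = "LOCAL"       # secret key on disk
        else if ($15 == "#")  where = "STUB"        # no secret key anywhere
        else if ($15 != "")   where = "CARD:" $15   # stub pointing at a card
        printf "%s %s %s %s\n", $1, $5, $12, where  # type, keyid, caps, where
    }'
}

# Constructed sample (placeholder ids): the state the answer ends in, i.e. the
# certifying primary key is back on disk while the subkeys point at the card,
# plus one subkey that is a bare stub.
SAMPLE='sec:u:4096:1:A5EXAMPLE00000001:1674767114:1737762000::u:::cSC:::+:::23::0:
ssb:u:4096:1:B5EXAMPLE00000002:1674767114:1737762000:::::s:::D2760001240103040006EXAMPLE0000:::23:
ssb:u:4096:1:A1EXAMPLE00000003:1674767250:1737762000:::::e:::D2760001240103040006EXAMPLE0000:::23:
ssb:u:4096:1:11EXAMPLE00000004:1674767478:1737762000:::::a:::#:::23:'

# Run the classifier over the constructed sample. For a real keyring use:
#   gpg --with-colons --list-secret-keys | classify_secret_keys
report() { printf '%s\n' "$SAMPLE" | classify_secret_keys; }

# Succeeds (exit 0) when a certifying primary key is LOCAL, which is exactly
# the condition that lets gpg sign without the card's PIN or touch.
local_primary_present() {
    report | awk '$1 == "sec" && $4 == "LOCAL" { found = 1 }
                  END { exit found ? 0 : 1 }'
}

report
if local_primary_present; then
    echo "WARNING: primary secret key is on disk, not only on the card"
fi
```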
