我创建了一组经典的身份验证、签名和加密子密钥gpg
,然后将它们移动到智能卡 [ledger nano S] 中,这似乎工作正常,因为我可以看到三个子密钥:
$ gpg --card-status
Serial number ....: 00000000
Signature key ....: F34F 66B8 5D18 A8BC CDD4 C909 4705 D74B 9E2F EFFC
Encryption key....: AD71 E2C1 2E41 C870 3192 D997 78B9 F3F6 7D9B 47DC
Authentication key: D644 70D8 88AB BA93 F9F4 BFE0 2726 E1C4 E4DB E4C3
我是如何降落在那里的
基本信息:
$ gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.8.8
生成加密、签名和认证子密钥:
$ gpg --expert --edit-key Plup*
gpg> addkey
type: ECC (sign only)
curve: cv25519
Please unlock the card
gpg> addkey
type: ECC (encrypt only)
curve: cv25519
gpg> addkey
type: ECC (set your own capabilities)
allowed actions: Authenticate
curve: cv25519
gpg> save
检查子项:
$ gpg -K Plup*
sec> ed25519 2022-06-03 [SC]
394ED8F3BA05CF4E7866D54657EEBF4BCFF5BFCD
Card serial no. = 2C97 11BFF50F
uid [ultimate] Plup* <[email protected]>
ssb ed25519 2022-06-03 [S]
ssb cv25519 2022-06-03 [E]
ssb ed25519 2022-06-03 [A]
将子密钥移动到新的智能卡插槽(/!\
确保不覆盖主密钥):
$ gpg --card-status
Reader ...........: Ledger Nano S [Nano S] (0001) 00 00
Serial number ....: 7AC3CFF8
Signature key ....: [none]
$ gpg --edit-key Plup*
gpg> key 1
gpg> keytocard
Signature key
Passphrase:
Please entre the Admin PIN
Number: 2C97 7AC3CFF8
gpg> key 1
gpg> key 2
gpg> keytocard
Encryption key
Passphrase:
gpg> key 2
gpg> key 3
gpg> keytocard
Authentication key
Passphrase:
gpg> save
我现在遇到的问题
指纹与密钥环看到的相匹配,但由于某种我不明白的原因,加密密钥存根没有到位,并且私有子密钥仍然存在于计算机密钥环中。解密时它仍然要求输入密码而不是智能卡 PIN:
```
$ gpg --with-keygrip --with-subkey-fingerprints -K Plup*
sec> ed25519 2022-06-03 [SC]
394ED8F3BA05CF4E7866D54657EEBF4BCFF5BFCD
Keygrip = 27D911732841CDB06B3CDFA100DDE95DF420B92E
Card serial no. = 2C97 11BFF50F
uid [ultimate] Plup* <[email protected]>
ssb> ed25519 2022-06-03 [S]
F34F66B85D18A8BCCDD4C9094705D74B9E2FEFFC
Card serial no. = 2C97 7AC3CFF8
Keygrip = AF76C5E4B1DA101E0F3AFEDDDED6276C4D011261
ssb cv25519 2022-06-03 [E]
AD71E2C12E41C8703192D99778B9F3F67D9B47DC
Keygrip = E6D65814CBE230A21001F36BD2BC232E6B7251ED
ssb> ed25519 2022-06-03 [A]
D64470D888ABBA93F9F4BFE02726E1C4E4DBE4C3
Card serial no. = 2C97 7AC3CFF8
Keygrip = 511C8CAAC3A7B8A2DAD4B3E6A512A7F160A02CD5
```
到目前为止我尝试过的
我试图删除私钥并且不能强制存根创建自己:
ssb# cv25519/78B9F3F67D9B47DC created: 2022-06-03 expires: never
在调试中启动向我显示了一个错误的键握把(删除后它继续创建相同的键):
2022-06-06 12:47:44 gpg-agent[12064] id: OPENPGP.2 (grip=C74F8FF13CB491D0C98497C6B77A49FCB156F7E5)
2022-06-06 12:47:44 gpg-agent[12064] DBG: chan_11 -> READKEY OPENPGP.2
2022-06-06 12:47:44 gpg-agent[12064] DBG: chan_11 <- [ 44 20 28 31 30 3a 70 75 62 6c 69 63 2d 6b 65 79 ...(91 byte(s) skipped) ]
2022-06-06 12:47:44 gpg-agent[12064] DBG: chan_11 <- OK
2022-06-06 12:47:44 gpg-agent[12064] id: OPENPGP.2 - shadow key created
确认:
$ gpg-connect-agent 'keyinfo --list' /bye | grep D2760001240103032C977AC3CFF80000
S KEYINFO 705790B1A7609806F633BCCB212784031E42017E T D2760001240103032C977AC3CFF80000 OPENPGP.1 - - - - -
S KEYINFO AF76C5E4B1DA101E0F3AFEDDDED6276C4D011261 T D2760001240103032C977AC3CFF80000 OPENPGP.1 - - - - -
S KEYINFO C74F8FF13CB491D0C98497C6B77A49FCB156F7E5 T D2760001240103032C977AC3CFF80000 OPENPGP.2 - - - - -
S KEYINFO 511C8CAAC3A7B8A2DAD4B3E6A512A7F160A02CD5 T D2760001240103032C977AC3CFF80000 OPENPGP.3 - - - - -
- 我试图用相同的曲线重新创建一个新的加密子密钥,但
keytocard
仍然表现相同:它没有错误地完成,但密钥(下面的新手柄)没有移动:
$ gpg-connect-agent 'keyinfo --list' /bye | grep 5CF6DF65EF080B01F774BCC7F8063814CE5DAEF6
S KEYINFO 5CF6DF65EF080B01F774BCC7F8063814CE5DAEF6 D - - - P - - -