Add / use RSA gpg [A] Authentication key?

jonf3n · December 26, 2022, 11:35am

I’m having an issue trying to put my existing PGP subkeys onto the OnlyKey as a “stored key”.
I have 3 subkeys I’d like to use (as I currently do on my Yubikey)

My gpg key looks like this:

sec#  rsa4096/0xC0C076132FFA7695 2016-02-01 [C]
      Key fingerprint = 9386 A2FB 2DA9 D0D3 1FAF  0818 C0C0 7613 2FFA 7695
uid                              Jonathan Cross <jcross[at]gmail.com>
uid                              [jpeg image of size 2772]
uid                              website (jonathancross.com)
ssb>  rsa2048/0xD8578DF8EA7CCF1B 2016-02-01 [S]
ssb>  rsa2048/0x8E1719FE1E8DA9B9 2016-02-01 [E]
ssb>  rsa2048/0x397428FC5BA60C24 2016-02-01 [A]
--------------------------------------------------------------------------

I don’t see any documentation or clear explanation on how to add / use the [A] (authentication) key.
If you are not aware, these are commonly used with ssh.

Can you please point me to detailed instructions on how to add these subkeys to my OnlyKey using the GUI desktop app? I am not interested in adding the primary (aka Master) key.

I tried for an hour and just kept getting strange errors, or no response at all from the app.

Questions:

Should each subkey be done separately?
Why is there no explicit [A] Authentication key option?
How do I know if it was successful?

** One tricky issue is that I am doing all of this on an air-gapped computer which is extremely locked down… so no onlykey-agent and very few options to install packages.

jonf3n · December 26, 2022, 5:06pm

Okay, I did a bunch more hunting and found this:

github.com/trustcrypto/OnlyKey-App

Add support for GPG keys with multiple subkeys

opened 02:22AM - 16 Jun 21 UTC

LRitzdorf

While the OnlyKey documentation specifically [mentions](https://docs.crp.to/impo…rtpgp.html#:~:text=decryption%20and%20signing.-,What%20are%20subkeys%3F,-Each%20OpenPGP%20key) the case of OpenPGP keys with multiple subkeys (i.e. the primary signing key, the encryption subkey, and a secondary signing key), the app does not seem to support this case. I tested this by generating a new Ed25519 keypair, which loaded onto the OnlyKey successfully. This process included a dialog that asked me to choose between loading the primary key and the first subkey (for signing and decryption, respectively). However, after adding a secondary signing subkey to this same original keypair (using `gpg --expert --edit-key MY-KEYGRIP-HERE`), the loading process failed. I attempted to load the full keypair, as given by `gpg --armor --export-secret-key MY-KEYGRIP-HERE`, which gave a `TypeError: Cannot read property 'data' of undefined` in the app. I also tried the encryption subkey on its own, as given by `gpg --armor --export-secret-subkey MY-KEYGRIP-HERE`, but this gave an `Error parsing PGP key: Invalid enum value.` Ideally, when reading in a key with multiple subkeys, we would simply add options to the subkey selection dialog mentioned above. At the moment, however, it appears that the app doesn't even parse the input correctly, so that's probably the first piece to fix.

It seems there is a crude way to extract multiple subkeys with a python script and then load them onto the OnlyKey. Much more hassle than I’d expect (can’t run pip to install packages on an air-gapped machine for example). I hope this evolves into proper support for subkeys eventually.

Here I am asking about 2048bit RSA Authentication subkey:

github.com/trustcrypto/OnlyKey-App

How to use a separate authentication key?

opened 08:28AM - 29 Jul 21 UTC

closed 10:21AM - 05 Aug 21 UTC

altsalt

I am attempting to load a new ECC Curve25519 master-key which was generated with… GnuPG 2.2.27 using OnlyKey-App 5.3.3 and OnlyKey-Firmware 2.1.1. I then generated three subkeys and assigned the Signing, Encryption, and Authentication functions to each, keeping them separate from each other and from the Certification ability. Finally, I backed up the entire keychain for cold storage, removing the master-key and exporting the root-less key, as well as each individual subkey, [with and without the keychain](https://github.com/trustcrypto/OnlyKey-App/issues/166#issuecomment-888768380). None of these files were considered valid by the OnlyKey-App which is likely due to an issue similar to that outlined in #98 and #166 and which will hopefully be addressed by [updating OpenPGP.js](https://github.com/trustcrypto/OnlyKey-App/issues/98#issuecomment-888761197). However, I could not fully test the suggestion to have ["Stored Key User Input Mode" set to "Button Press Required"](https://onlykey.discourse.group/t/adding-gpg-stored-keys/250/9) because when I try to modify this, either via the OnlyKey-App or onlykey-cli, [the setting reverts to "Challenge Code Required"](https://github.com/trustcrypto/OnlyKey-App/issues/170). If issues blocking the loading of these subkeys are resolved, then another question will arise about using a separate subkey for Authentication. Currently, the OnlyKey-App only has options for Signing keys and Decryption keys. Hopefully we can work on addressing this before it poses a problem! Since I'm using a test-key for all of this, happy to share the various files being used if they would be helpful. Thank you for any suggestions and assistance!

t11 · December 28, 2022, 2:52pm

Yes, while the app supports common GPG keys in OpenPGP format there are variations with multiple subkeys that are not supported currently. We will add support in the app for this soon.

Why is there no explicit [A] Authentication key option?

Authentication keys are just signing keys that GPG knows to use for signing authentication blobs. There is no difference in the keys themselves on the device so the device does not have this flag.

Topic		Replies	Views
SSH RSA Keys not usable SSH, OpenPGP, GPG	8	346	November 16, 2022
Clarity on PGP support SSH, OpenPGP, GPG	1	267	February 15, 2023
Adding OK Subkey to existing GPG identity fails SSH, OpenPGP, GPG	0	238	March 5, 2023
Using onlykey-gpg SSH, OpenPGP, GPG	2	990	January 28, 2021
GPG/PGP: Non-OnlyKey subkey of OnlyKey master-key SSH, OpenPGP, GPG	1	311	December 29, 2021

Add / use RSA gpg [A] Authentication key?

Related topics