Can't use stored gpg keys

Hi,

I can’t use my stored GPG keys.
I can upload them fine, but when I try to init it I get:

# onlykey-gpg init "XXXX <email@example.com>" -sk RSA2 -dk RSA1 -e rsa -i publickey.asc   
gpg: inserting ownertrust of 6
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: keydb_search failed: End of file
gpg: error reading key: End of file
Traceback (most recent call last):
  File "/home/xxxx/.local/bin/onlykey-gpg", line 8, in <module>
    sys.exit(gpg_tool())
  File "/home/xxxx/.local/bin/onlykey_agent.py", line 6, in <lambda>
    gpg_tool = lambda: libagent.gpg.main(DeviceType)
  File "/home/xxxx/.local/lib/python3.9/site-packages/libagent/gpg/__init__.py", line 392, in main
    return args.func(device_type=device_type, args=args)
  File "/home/xxxx/.local/lib/python3.9/site-packages/libagent/gpg/__init__.py", line 226, in run_init
    check_call(keyring.gpg_command(['--homedir', homedir,
  File "/home/xxxx/.local/lib/python3.9/site-packages/libagent/gpg/__init__.py", line 114, in check_call
    subprocess.check_call(args=args, stdin=stdin, env=env)
  File "/usr/lib/python3.9/subprocess.py", line 373, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['/usr/bin/gpg', '--homedir', '/home/xxxx/.gnupg/onlykey', '--list-secret-keys', 'XXXX <email@example.com>']' returned non-zero exit status 2.

AFAIU from Adding GPG Stored Keys - #12 by t11

it’s because the stored key user input mode is not set to button, but if I want to do that it does not seem to work:

# onlykey-cli storedkeymode 0
Successfully set stored key challenge mode
# onlykey-cli storedkeymode 1
Successfully set stored key challenge mode

I get ‘set stored key challenge mode’ either way. It is the same when using the OnlyKey app: regardless of which button I press, I get the message from above.

My fwversion is v2.1.2-prodc

What could be wrong here?

EDIT: saw that there was a newer firmware, upgraded to v3.0.4-prodc but still the same issues

It looks like it’s having trouble reading your public key.
gpg: error reading key: End of file

Can you follow the steps here to create a standard GPG key? You can then set stored keys through the OnlyKey desktop app:

The key was created with

gpg --full-generate-key

on Debian 11. I just followed the wizard and chose
RSA and RSA (default)
4096 bits long
no expiry

OK, I did some further testing and it seems there is something off with public key calculation somewhere?

With ‘-v’ I got the following output:

# onlykey-gpg init -v "XXXX <email@example.com>" -sk RSA2 -dk RSA1 -e rsa --homedir ~/.gnupg/onlykey_test                   
2023-05-02 14:16:08,609 INFO         device name: onlykey                                                                                 [__init__.py:136]
2023-05-02 14:16:08,609 INFO         GPG home directory: /home/xxxx/.gnupg/onlykey_test                                                   [__init__.py:144]
2023-05-02 14:16:08,659 INFO         Key Slot =2                                                                                          [onlykey.py:130] 
2023-05-02 14:16:08,659 INFO         Requesting public key from key slot =2                                                               [onlykey.py:134] 
2023-05-02 14:16:08,659 INFO         Identity to hash =b'gpg://XXXX <email@example.com>'                                                  [onlykey.py:148]
2023-05-02 14:16:08,659 INFO         Identity hash =0000000000000000000000000000000000000000000000000000000000000000                      [onlykey.py:152] 
2023-05-02 14:16:08,660 INFO         curve name= 'rsa'                                                                                    [onlykey.py:168] 
2023-05-02 14:16:08,717 INFO         received part= [redacted] [onlykey.py:212]                      
2023-05-02 14:16:08,718 INFO         received part= [redacted] [onlykey.py:212]                      
2023-05-02 14:16:08,719 INFO         received part= [redacted] [onlykey.py:212]                      
2023-05-02 14:16:08,720 INFO         received part= [redacted] [onlykey.py:212]                      
2023-05-02 14:16:08,721 INFO         received part= [redacted] [onlykey.py:212]                      
2023-05-02 14:16:08,722 INFO         received part= [redacted] [onlykey.py:212]                      
2023-05-02 14:16:08,723 INFO         received part= [redacted] [onlykey.py:212]                      
2023-05-02 14:16:10,224 INFO         Received Public Key generated by OnlyKey= [redacted] [onlykey.py:220]                         
2023-05-02 14:16:10,224 INFO         448                                                                                                  [onlykey.py:221] 
2023-05-02 14:16:10,224 INFO         disconnected from OnlyKey                                                                            [onlykey.py:117] 
Traceback (most recent call last):                                                                   
  File "/home/xxxx/.local/bin/onlykey-gpg", line 8, in <module>                                      
    sys.exit(gpg_tool())                                                                             
  File "/home/xxxx/.local/bin/onlykey_agent.py", line 6, in <lambda>                                 
    gpg_tool = lambda: libagent.gpg.main(DeviceType)                                                 
  File "/home/xxxx/.local/lib/python3.9/site-packages/libagent/gpg/__init__.py", line 392, in main    
    return args.func(device_type=device_type, args=args)                                             
  File "/home/xxxx/.local/lib/python3.9/site-packages/libagent/gpg/__init__.py", line 210, in run_init    
    export_public_key(device_type, args))                                                            
  File "/home/xxxx/.local/lib/python3.9/site-packages/libagent/gpg/__init__.py", line 49, in export_public_key    
    verifying_key = c.pubkey(identity=identity, ecdh=False)                                          
  File "/home/xxxx/.local/lib/python3.9/site-packages/libagent/gpg/client.py", line 28, in pubkey    
    return self.device.pubkey(ecdh=ecdh, identity=identity)                                          
  File "/home/xxxx/.local/lib/python3.9/site-packages/libagent/device/onlykey.py", line 241, in pubkey    
    raise interface.DeviceError("Error response length is not a valid public key")                   
libagent.device.interface.DeviceError: Error response length is not a valid public key               

So the received public key is only 448 bytes (instead of the expected 512 bytes).

I tried with an ECC key (generated with the same gpg version) and that works.

Hi,

I am having similar issues with importing existing RSA OpenSSH keys. When doing this for 2048-bit keys things seem to work, but for a 4096-bit key I get similar messages / output:

me@macbook ~ % onlykey-agent -v -e rsa4096 -sk RSA3 my@mylaptop.tld
2023-05-29 18:52:39,825 INFO         identity #0: <ssh://my@mylaptop.tld|rsa4096>                                                         [__init__.py:287]
2023-05-29 18:52:39,856 INFO         Key Slot =3                                                                                          [onlykey.py:130]
2023-05-29 18:52:39,857 INFO         Requesting public key from key slot =3                                                               [onlykey.py:134]
2023-05-29 18:52:39,857 INFO         Identity to hash =b'my@mylaptop.tld'                                                                 [onlykey.py:148]
2023-05-29 18:52:39,857 INFO         Identity hash =b4bf1619056120234a24ce5125eac33983e232849d44686a43f50861c0b8e566                      [onlykey.py:152]
2023-05-29 18:52:39,857 INFO         curve name= 'rsa4096'                                                                                [onlykey.py:168]
2023-05-29 18:52:41,366 INFO         448                                                                                                  [onlykey.py:221]
2023-05-29 18:52:41,366 INFO         disconnected from OnlyKey                                                                            [onlykey.py:117]
Traceback (most recent call last):
  File "/usr/local/bin/onlykey-agent", line 33, in <module>
    sys.exit(load_entry_point('onlykey-agent==1.1.14', 'console_scripts', 'onlykey-agent')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/bin/onlykey_agent.py", line 5, in <lambda>
    ssh_agent = lambda: libagent.ssh.main(DeviceType)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.11/site-packages/libagent/ssh/__init__.py", line 185, in wrapper
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.11/site-packages/libagent/ssh/__init__.py", line 323, in main
    for pk in conn.public_keys():
              ^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.11/site-packages/libagent/ssh/__init__.py", line 221, in public_keys
    self.public_keys_cache = conn.export_public_keys(self.identities)
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.11/site-packages/libagent/ssh/client.py", line 26, in export_public_keys
    vk = self.device.pubkey(identity=i)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/onlykey-agent/1.1.14_1/libexec/lib/python3.11/site-packages/libagent/device/onlykey.py", line 241, in pubkey
    raise interface.DeviceError("Error response length is not a valid public key")
libagent.device.interface.DeviceError: Error response length is not a valid public key

(the key was specially created for this and has been discarded so I don’t mind it being in the log)

I was under the impression (that was the reason to purchase it so I did check) that RSA 4096 bit keys were supported.

Any clue what I am doing wrong? I just upgraded my OnlyKey FW to 3.0.4 and I do have the latest onlykey-agent for macOS available.

regards,

Frederik
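
The first verbose log in this thread shows seven 'received part=' lines, and both logs report a public key length of 448 where the first poster expected 512 bytes for a 4096-bit key. The following Python check is an added example, not part of the thread and not code from libagent or onlykey-agent: it parses a log in that format and reports how many bytes are missing. The function names and the sample log are constructed for illustration.

```python
import re

# Formats taken from the verbose logs quoted in the thread.
PART_RE = re.compile(r"received part= \[([^\]]*)\]")
LENGTH_RE = re.compile(r"INFO\s+(\d+)\s+\[onlykey\.py:\d+\]")


def diagnose(log_text, key_bits):
    """Compare the public key length in a verbose log with the RSA modulus size."""
    expected = key_bits // 8  # a 4096-bit modulus is 512 bytes
    parts = []
    for body in PART_RE.findall(log_text):
        nums = re.findall(r"\d+", body)
        # A "[redacted]" part has no countable bytes; record it as unknown.
        parts.append(len(nums) if nums else None)
    counted = sum(parts) if parts and None not in parts else None
    match = LENGTH_RE.search(log_text)
    reported = int(match.group(1)) if match else None
    length = reported if reported is not None else counted
    return {
        "parts": len(parts),
        "counted_bytes": counted,
        "reported_bytes": reported,
        "expected_bytes": expected,
        "missing_bytes": None if length is None else expected - length,
        "truncated": length is not None and length < expected,
    }


def make_sample_log(n_parts, redact=False):
    """Constructed log in the thread's format; the byte values are dummies."""
    body = "[redacted]" if redact else str(list(range(64)))
    stamp = "2023-01-01 00:00:00,000 INFO         "
    lines = [stamp + "curve name= 'rsa4096'    [onlykey.py:168]"]
    lines += [stamp + f"received part= {body} [onlykey.py:212]"] * n_parts
    lines.append(stamp + f"{64 * n_parts}    [onlykey.py:221]")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, log in [("7 parts", make_sample_log(7)),
                       ("8 parts", make_sample_log(8)),
                       ("7 redacted parts", make_sample_log(7, redact=True))]:
        print(label, diagnose(log, key_bits=4096))
```

With seven 64-byte parts the result shows 64 missing bytes, which matches the 448 versus 512 discrepancy reported above.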