Closed
Description
In the guide there is a step to Set attributes before transferring subkeys.
It is not mentioned why one would want to do this, but I have discovered that if you don't do it, the first transfer of a subkey will fail with Bad PIN.
The output from gpg looks like:
[GNUPG:] KEY_CONSIDERED 1E3B99CEDC2F927B19BA9742933A8A2EA0C63373 0
Secret key is available.
sec rsa4096/0x933A8A2EA0C63373
created: 2024-10-07 expires: never usage: C
trust: ultimate validity: ultimate
ssb ed25519/0x66C92C3A3DAB0DE9
created: 2024-10-07 expires: 2026-10-07 usage: S
ssb cv25519/0x184881132871E1A4
created: 2024-10-07 expires: 2026-10-07 usage: E
ssb ed25519/0x4164F614690501D0
created: 2024-10-07 expires: 2026-10-07 usage: A
[ultimate] (1). John Doe <[email protected]>
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
sec rsa4096/0x933A8A2EA0C63373
created: 2024-10-07 expires: never usage: C
trust: ultimate validity: ultimate
ssb* ed25519/0x66C92C3A3DAB0DE9
created: 2024-10-07 expires: 2026-10-07 usage: S
ssb cv25519/0x184881132871E1A4
created: 2024-10-07 expires: 2026-10-07 usage: E
ssb ed25519/0x4164F614690501D0
created: 2024-10-07 expires: 2026-10-07 usage: A
[ultimate] (1). John Doe <[email protected]>
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
[GNUPG:] CARDCTRL 3 D2760001240103040006120603330000
Please select where to store the key:
(1) Signature key
(3) Authentication key
[GNUPG:] GET_LINE cardedit.genkeys.storekeytype
[GNUPG:] GOT_IT
[GNUPG:] INQUIRE_MAXLEN 100
[GNUPG:] GET_HIDDEN passphrase.enter
[GNUPG:] GOT_IT
[GNUPG:] INQUIRE_MAXLEN 100
[GNUPG:] GET_HIDDEN passphrase.enter
[GNUPG:] GOT_IT
[GNUPG:] INQUIRE_MAXLEN 100
[GNUPG:] GET_HIDDEN passphrase.enter
[GNUPG:] GOT_IT
[GNUPG:] SC_OP_FAILURE 2
gpg: KEYTOCARD failed: Bad PIN
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
If I use the instructions for setting the values for login, then this doesn't happen. Even stranger is the fact that if I try to set the attribute for name instead, then that command fails with Bad PIN:
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240103040006120603330000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 12345678
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: ed25519 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 9 9 9
Signature counter : 0
KDF setting ......: on
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
Admin commands are allowed
gpg: error setting Name: Bad PIN
I'm using:
gpg (GnuPG) 2.2.40
YubiKey Manager (ykman) version: 4.0.9
Device type: YubiKey 5 NFC
Firmware version: 5.2.4
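As an added example (not code from this issue or from the guide's project), the following Python preflight parses the two kinds of output shown above: the `gpg --card-status` block and the `[GNUPG:]` status-fd transcript of the failed `keytocard`. It flags the condition the reporter observed (cardholder attributes still `[not set]` before the first transfer) and, more importantly for a practitioner, reports PIN retry counters, since every Bad PIN decrements the counter of the PIN that was tried and the PIN is blocked once it reaches zero. The sample inputs are trimmed copies of the issue's own output; the meaning of the `SC_OP_FAILURE` codes is taken from GnuPG's doc/DETAILS, and the counter order (user PIN, reset code, admin PIN) is the OpenPGP card convention. Function names are my own.

```python
import re

# Constructed sample: trimmed from the `gpg --card-status` block in the issue.
CARD_STATUS_SAMPLE = """\
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240103040006120603330000
Version ..........: 3.4
Serial number ....: 12345678
Name of cardholder: [not set]
Login data .......: [not set]
Key attributes ...: ed25519 rsa2048 rsa2048
PIN retry counter : 9 9 9
KDF setting ......: on
Signature key ....: [none]
"""

# Constructed sample: trimmed from the status-fd transcript of the failed keytocard.
STATUS_SAMPLE = """\
[GNUPG:] CARDCTRL 3 D2760001240103040006120603330000
[GNUPG:] GET_LINE cardedit.genkeys.storekeytype
[GNUPG:] GOT_IT
[GNUPG:] GET_HIDDEN passphrase.enter
[GNUPG:] GOT_IT
[GNUPG:] GET_HIDDEN passphrase.enter
[GNUPG:] GOT_IT
[GNUPG:] GET_HIDDEN passphrase.enter
[GNUPG:] GOT_IT
[GNUPG:] SC_OP_FAILURE 2
gpg: KEYTOCARD failed: Bad PIN
"""

# SC_OP_FAILURE argument values as listed in GnuPG's doc/DETAILS.
SC_OP_FAILURE_CODES = {"0": "unspecified error", "1": "canceled", "2": "bad PIN"}

# "Field ......: value" -> key without the dot padding, value after the colon.
CARD_LINE = re.compile(r"^(?P<key>[^:]+?)[ .]*:\s*(?P<value>.*)$")


def parse_card_status(text):
    """Turn `gpg --card-status` output into {field: value}; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        m = CARD_LINE.match(line)
        if m:
            fields[m.group("key")] = m.group("value").strip()
    return fields


def pin_retry_counters(fields):
    """(user PIN, reset code, admin PIN) retry counters as integers."""
    return tuple(int(x) for x in fields.get("PIN retry counter", "").split())


def parse_status_fd(text):
    """List of (keyword, args) for every `[GNUPG:]` line; human-readable gpg lines are ignored."""
    records = []
    for line in text.splitlines():
        if line.startswith("[GNUPG:] "):
            parts = line[len("[GNUPG:] "):].split(None, 1)
            records.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return records


def smartcard_failures(text):
    """Decoded reason for each SC_OP_FAILURE in a status-fd transcript."""
    return [SC_OP_FAILURE_CODES.get(args, "code " + args)
            for kw, args in parse_status_fd(text) if kw == "SC_OP_FAILURE"]


def pin_prompts(text):
    """How many times gpg asked for a passphrase/PIN; each Bad PIN answer costs one retry."""
    return sum(1 for kw, args in parse_status_fd(text)
               if kw == "GET_HIDDEN" and args == "passphrase.enter")


def keytocard_preflight(fields):
    """Warnings worth reading before running keytocard against this card."""
    warnings = []
    unset = [f for f in ("Name of cardholder", "Login data") if fields.get(f) == "[not set]"]
    if unset:
        warnings.append("cardholder attributes not set (%s; KDF setting: %s): the issue reports the "
                        "first keytocard failing with Bad PIN until login data was set"
                        % (", ".join(unset), fields.get("KDF setting", "unknown")))
    counters = pin_retry_counters(fields)
    if counters and min(counters) <= 1:
        warnings.append("a PIN retry counter is at %d; one more Bad PIN blocks that PIN" % min(counters))
    return warnings


if __name__ == "__main__":
    card = parse_card_status(CARD_STATUS_SAMPLE)
    print("retry counters (PIN, reset code, admin):", pin_retry_counters(card))
    for w in keytocard_preflight(card):
        print("WARNING:", w)
    print("PIN prompts:", pin_prompts(STATUS_SAMPLE), "failures:", smartcard_failures(STATUS_SAMPLE))
```

Run it on the real outputs by piping `gpg --card-status` into `parse_card_status` and a `gpg --status-fd 2 --edit-key ...` session log into `smartcard_failures`; compare the retry counters before and after a failed `keytocard` to see which PIN was actually consumed.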