Whenever you are asked to enter a PIN, make sure you know which PIN is meant. There are two PINs for the card - the PIN and the AdminPIN. Please make sure you do not mix them up.
During the writing of this HowTo it seemed that every once in a while GnuPG did not want to talk to the card reader. We were quite sure we had not changed anything in the configuration, but for some reason it just did not work. Werner knows this problem and it will hopefully soon be fixed. Note that we never encountered this problem with Linux kernels 2.4.x - only with most 2.6 kernels.
This phenomenon occurs when the card reader has been in use for quite some time. It might help to re-plug the reader.
The error message displayed looks like this:
gpg: ccid_transceive failed: (0x1000a)
gpg: apdu_send_simple(0) failed: card I/O error
To check if your card (and installation) is working, put your OpenPGP card in the reader and run gpg --card-status. For an empty card the output should look like this:
archi@foobar: > gpg --card-status
Application ID ...: D2760001240101010001000000490000
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 00000049
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [not set]
Encryption key....: [not set]
Authentication key: [not set]
General key info..: [none]
The information displayed is the standard output for the Fellowship smartcard we are using. Cards from other manufacturers might produce a different output.
The output depends on manufacturer and specification. The fields are, in the order shown above:
Application ID: The manufacturer's ID. This includes the type of the card, the implemented version of the specification, the manufacturer and the serial number. This is a unique identifier for any card.
Version: The version of the OpenPGP card specification the card implements.
Manufacturer: The card's manufacturer.
Serial number: A unique number for all cards from this manufacturer.
Name of cardholder: The holder of this card. Only plain ASCII characters are allowed here. gpg does not use this field.
Language prefs: The card holder's language preferences. gpg ignores this value.
Sex: Male or female. gpg ignores this value.
URL of public key: Used by the fetch command of gpg --edit-card. It may contain a URL to be used to retrieve the public key.
Login data: This field may be used to store the account name of the card holder. It may be used for login purposes. gpg does not enforce any match of this name with a name used in the key. See the source (app-openpgp.c) for some special features of the login-name field.
Private DO 1: This is a field reserved for arbitrary data.
Private DO 2: This is a field reserved for arbitrary data.
Signature PIN: When set to "forced", gpg requests the entry of the PIN for each signature operation. When set to "non forced", gpg may cache the PIN as long as the card has not been removed from the reader.
Max. PIN lengths: This field is unchangeable. The values are put on the card right after personalisation - this is the moment after the chip has been glued onto the card.
PIN retry counter: This field records how many tries are still left to enter the right PIN. The counters are decremented whenever a wrong PIN is entered and reset whenever a correct AdminPIN is entered. The first and second counters are for the standard PIN; the second one is only required due to peculiarities of the ISO 7816 standard, and gpg keeps it in sync with the first. The third counter is the retry counter for the AdminPIN.
Signature counter: This number keeps track of the signatures performed with the stored key. It is only reset if a new signature key is created on or imported to the card.
Signature key: This key is commonly used as the primary OpenPGP key.
Encryption key: This key is commonly used as an encryption subkey.
Authentication key: This key is not used by gpg at all. Other tools like PAM modules or ssh use this key for authentication services.
General key info: The primary user ID is shown here if the corresponding public OpenPGP key is available.
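As an added example (not part of the original HowTo), the following Python code parses the "label ....: value" lines of gpg --card-status, then checks the PIN retry counters and the signature PIN setting described above, and recognises the ccid/APDU error message quoted earlier. The sample output embedded below is a constructed subset of the empty-card output shown above.

```python
import re

# Constructed sample: a subset of the `gpg --card-status` output for the empty
# Fellowship card shown above (prompt line omitted).
SAMPLE_STATUS = """\
Application ID ...: D2760001240101010001000000490000
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 00000049
Signature PIN ....: forced
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [not set]
Encryption key....: [not set]
Authentication key: [not set]
General key info..: [none]
"""

# Each line is "<label><dot padding>: <value>". The label itself may contain
# a dot ("Max. PIN lengths"), so match it lazily up to the padding.
LINE_RE = re.compile(r"^(.+?)[ .]*:\s*(.*)$")

def parse_card_status(text):
    """Turn gpg --card-status output into a {label: value} dict."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def check_card(fields):
    """Warn about depleted retry counters (wrong PINs were entered, or a PIN
    is blocked) and about a signature PIN that gpg is allowed to cache."""
    warnings = []
    # Counters: PIN, the ISO 7816 duplicate that gpg keeps in sync, AdminPIN.
    pin, _pin2, admin = (int(n) for n in fields["PIN retry counter"].split())
    if pin == 0 or admin == 0:
        warnings.append("a PIN is blocked (retry counter is 0)")
    elif pin < 3 or admin < 3:
        warnings.append("wrong PINs were entered: retries left PIN=%d AdminPIN=%d" % (pin, admin))
    if fields.get("Signature PIN") != "forced":
        warnings.append("signature PIN not forced: gpg may cache it while the card is inserted")
    return warnings

def is_card_io_error(stderr):
    """Recognise the ccid/APDU failure quoted above; re-plugging the reader may help."""
    return "ccid_transceive failed" in stderr or "card I/O error" in stderr
```

In practice you would feed it the real output of gpg --card-status instead of the embedded sample.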