SUMMARY I used Kleopatra 3.1.10 installed as part of the Gpg4Win package on Windows 10. When generating a new key on a smartcard, Kleopatra presents a drop-down box of available RSA key sizes. The "4096" option is gated behind an incorrect version check, checking that the OpenPGP smartcard's version is exactly "2.1": ``` mIs21 = version == QLatin1String("2.1"); ``` ``` sizes.push_back(1024); sizes.push_back(2048); sizes.push_back(3072); // There is probably a better way to check for capabilities if (mIs21) { sizes.push_back(4096); } ``` This means the option doesn't show up on smartcards implementing later versions of the OpenPGP on ISO Smart Card spec, which is up to version 3.4. This affects the latest YubiKey 5, which reports version 3.4. STEPS TO REPRODUCE 1. Open Kleopatra 2. Insert YubiKey 5 3. Select 'Manage Smartcards' from menu 4. Click "Generate new Keys" button OBSERVED RESULT "4096" not listed as an option EXPECTED RESULT "4096" should be listed as an option SOFTWARE/OS VERSIONS Windows: Windows 10 macOS: untested Linux/KDE Plasma: untested ADDITIONAL INFORMATION
Whoops, I mean Kleopatra 3.1.8 as part of Gpg4win 3.1.10.
Yeah on it. Just a sec.
Git commit d989c281a64dca7cd9f6ce1081e05f6b4e73f6ab by Andre Heinecke. Committed on 12/09/2019 at 11:59. Pushed by aheinecke into branch 'master'. Fix version check for pgp cards The check for card version 2.1 should have been only temporary. Now it is a bit better by refactoring the code in gnupg-helper for engine versions a bit so that it generally works with string versions. This is probably the millionth implementation of version parsing but it works for me. M +62 -10 src/utils/gnupg-helper.cpp M +5 -0 src/utils/gnupg-helper.h M +3 -1 src/view/pgpcardwidget.cpp https://commits.kde.org/kleopatra/d989c281a64dca7cd9f6ce1081e05f6b4e73f6ab
This was a classical case of a todo that lived too long. The idea behind this was "I have to talk to Werner and Gniibe how we can detect the capabilities" and in the meantime I do this. Then we talked about it. Did not reach a conclusion and the code was left. Btw. As GnuPG master and stable now support generating OpenPGP pubkeys for S/MIME Smartcards I have to rework the card widgets a bit. In this process I'll also add some basic ECC support but that will also only check for the version >.< I have not tested my commit fully. I only added temporary debug code like "Is 3.0 larger then 2.1" true. To check the basic functionality of the version parsing. The version parsing code is also old and just refactored now. So it should be fine. Btw. Could you also send me a Yubikey for testing? I know Werner got some but it would help me, too to have one for testing. I only have a 2.0 Test smartcard all my others are in productive use. If yes please send a quick mail to aheinecke@gnupg.org asking for my address.
Thanks for the super-fast fix! I'll contact you via e-mail about getting keys. There is a new DO in version 3.4 of the spec, called "Algorithm Information", which returns a table of supported algorithms. That would be the most correct way to determine what is supported. But I think it still needs to be plumbed through GPG, and most devices probably don't support it yet.
Your bug report was great. Even a bit too detailed like "not tested on MacOS" and you pointed out a shameful piece of "quick hack". And you had the luck that I was working on Kleo today anyway. Regarding the addition: If it is in the spec GnuPG will support it. I'll make sure of it because I really need something like that. E.g. we want to add Brainpool to GnuK but how could I determine in the GUI if I could offer that?! It's even so bad in the card edit interface of GnuPG. It offers all the options but if you have a card that does not support it you get strange errors.