Librem Key - 0 Remaining attempts

gusnan · June 18, 2023, 10:03pm

I have just upgraded from Debian Bullseye to Debian Bookworm, and after this when I try to use my Librem Key for keysigning I get that it has “0 remaining attempts”, and it seems like I cannot sign, encrypt or decrypt with it any longer. Is there any smooth way to increase the remaining attempts?

I have seen solutions that involves resetting the key, but that will remove all gpg keys, public and secret keys, from it right? Is that the only way to get it working properly again? I do have a backup of the gpg key… (I just need to find it… )

irvinewade · June 20, 2023, 4:18am

Does using the admin PIN help? i.e. if an incorrect user PIN has been entered too many times.

gusnan · June 20, 2023, 9:59am

Thanks for your reply, but I don’t really know where I would use the admin-pin to be able to increase the user key attempts.

ChriChri · June 20, 2023, 10:26am

The LibremKey contains an OpenPGP card containing your gpg keys.

Have a look at: https://www.gnupg.org/howtos/card-howto/en/ch03s02.html

What does gpg --card-status | grep -i 'pin retry counter' give you? You can interpret the output with the help of the above manual.

gusnan · June 20, 2023, 10:28am

Thanks - I’ll take a look. That command gives me (not surprisingly) 0 0 0.

gusnan · June 20, 2023, 10:43am

And trying to unblock the pin gives this:

gusnan@debian-i7:~/temp > LC_ALL=C gpg --change-pin 
gpg: OpenPGP card no. D2760001240103030005000061800000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 2
Error unblocking the PIN: Bad PIN

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? q

(It doesn’t ask for any passphrase whatsoever…)

gusnan · June 20, 2023, 10:46am

And trying to change the pin:

gpg: pinentry launched (11892 gtk2 1.2.1 /dev/pts/0 xterm-256color :0.0 20620/1000/5 1000/1000 -)
gpg: pinentry launched (11913 gtk2 1.2.1 /dev/pts/0 xterm-256color :0.0 20620/1000/5 1000/1000 -)
gpg: pinentry launched (11929 gtk2 1.2.1 /dev/pts/0 xterm-256color :0.0 20620/1000/5 1000/1000 -)
Error changing the PIN: PIN blocked

irvinewade · June 20, 2023, 11:41am

What about Change or Unblock a PIN on the Librem Key in https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html ?

gusnan · June 20, 2023, 11:47am

That gets me the same numbered menu as described above, and also unfortunately with the same results.

ChriChri · June 20, 2023, 1:02pm

PIN retry counter

This field saves how many tries still are left to enter the right PIN.

https://www.gnupg.org/howtos/card-howto/en/ch03.html

Warning

It is also important to know that entering a wrong AdminPIN three times
in a row destroys(!) the card. There is no way to unblock the card when 
a wrong AdminPIN has been entered three times.

https://www.gnupg.org/howtos/card-howto/en/ch03s02.html

Whatever the reason might be, but it looks like your OpenPGP card is broken. You could try to open your NitroKey and exchange it to preserve the rest of the functionality of the NitroKey.

In the picture you can see the LibremKey open on the right side with a white card installed. As far as i understood that should be the OpenPGP card.

gusnan · June 20, 2023, 1:08pm

Yeah, something like that is what I was afraid of. I don’t see how it would have happened though - I haven’t had any reason to go into any admin menu previously to having these problems.

Anyway, thanks guys, I guess I simply have to accept that I’m in no luck. Man, this complicates things.

ChriChri · June 20, 2023, 2:16pm

Well, before giving up completely I’d try it on a bullseyes version of gpg.

Just in case it is somehow the software.

gusnan · June 20, 2023, 2:46pm

Already tried that - no success…

irvinewade · June 20, 2023, 11:19pm

And a live boot from USB of PureOS?

And contacting Purism Support?