When I personalize the Token, I do that on different terminal.
and I don't use gpg-agent for the personalization and I kill scdaemon so that it doesn't interfere to normal operations.
$ unset GPG_AGENT_INFO $ killall -9 scdaemon $ killall -9 scdaemon scdaemon: no process found
Personalize your Gnuk Token
Invoke GnuPG with the option --card-edit.
$ gpg --card-edit gpg: detected reader `FSIJ Gnuk (0.12-34006E06) 00 00' Application ID ...: D276000124010200F517000000010000 Version ..........: 2.0 Manufacturer .....: FSIJ Serial number ....: 00000001 Name of cardholder: [not set] Language prefs ...: [not set] Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Key attributes ...: 2048R 2048R 2048R Max. PIN lengths .: 127 127 127 PIN retry counter : 3 3 3 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none]
It shows the status of the card (as same as the output of gpg --card-status). It shows token's name and its USB serial string (0.12-34006E06) from PC/SC-lite.
Then, GnuPG enters its own command interaction mode. The prompt is gpg/card>.
Firstly, I change PIN of card user from factory setting (of "123456"). Note that, only changing PIN of user enables "admin less mode" of Gnuk. Admin password will become same one of user's.
gpg/card> passwd gpg: OpenPGP card no. D276000124010200F517000000010000 detected gpg: gpg-agent is not available in this session Please enter the PIN Enter PIN: 123456 New PIN Enter New PIN: <PASSWORD-OF-GNUK> New PIN Repeat this PIN: <PASSWORD-OF-GNUK> PIN changed.
Secondly, enabling admin command, I put name of mine. Note that I input user's PIN (which I set above) here, because it is "admin less mode".
gpg/card> admin Admin commands are allowed gpg/card> name Cardholder's surname: Niibe Cardholder's given name: Yutaka gpg: 3 Admin PIN attempts remaining before card is permanently locked Please enter the Admin PIN Enter Admin PIN: <PASSWORD-OF-GNUK>
Thirdly, I put some other informations, such as language, sex, login, and URL. URL specifies the place where I put my public keys.
gpg/card> lang Language preferences: ja gpg/card> sex Sex ((M)ale, (F)emale or space): m gpg/card> url URL to retrieve public key: http://www.gniibe.org/gniibe.asc gpg/card> login Login data (account name): gniibe
Since I don't force PIN input everytime, toggle it to non-force-pin-for-signature.
Lastly, I setup reset code. This is optional.
gpg/card> passwd gpg: OpenPGP card no. D276000124010200F517000000010000 detected 1 - change PIN 2 - unblock PIN 3 - change Admin PIN 4 - set the Reset Code Q - quit Your selection? 4 gpg: 3 Admin PIN attempts remaining before card is permanently locked Please enter the Admin PIN Enter Admin PIN: <PASSWORD-OF-GNUK> New Reset Code Enter New PIN: <RESETCODE-OF-GNUK> New Reset Code Repeat this PIN: <RESETCODE-OF-GNUK> Reset Code set. 1 - change PIN 2 - unblock PIN 3 - change Admin PIN 4 - set the Reset Code Q - quit Your selection? q
Then, I quit.