[Gnuk-users] Factory-reset on Gnuk with blocked PIN

[Jeremy Drake]

On Thu, 2 Nov 2017, Alexander Paetzelt | Nitrokey wrote:

> I am not sure if I understood you right. From GnuPG 2.2.2 on, even Gnuk
> 1.2.2, 1.2.3. and 1.2.4 will be able to factory-reset with gpg command
> or never at all? And Gnuk 1.2.5 and newer can be reset with use of older
> GnuPG versions as well or only with GnuPG 2.2.2?

1.2.2-4 required a device reset and SELECT DF in between TERMINATE DF and 
ACTIVATE DF commands.  GnuPG prior to 2.2.2 reset and re-selected as part 
of its reset procedure.  The standard does not require a reset and 
re-select between terminate and activate.  Gnuk 1.2.5 and newer do not 
require a reset and select between terminate and activate, and GnuPG 2.2.2 
will not do a reset and select between terminate and activate.

I have to admit, I don't see why doing a device reset in GnuPG should 
cause any problems.  Once you do a TERMINATE DF, you should be able to do 
whatever you like, and the card should remain in the terminated state (and 
return the corresponding error code) until you do an ACTIVATE DF against 
the OpenPGP AID.  In fact, what I've read of "de-bricking" devices when 
GnuPG failed to factory reset them was just doing the select and activate 
(because the card was left in a terminated state).