trustcrypto/onlykey-agent

Cannot generate GPG keys

Closed this issue · 9 comments

First I try to set derivedkeymode 1. With both the OnlyKey app and onlykey-cli I am reminded to enter config mode by pressing 6 for 5 seconds. After I press 6 for 5 seconds the light turns off, and I need to enter my PIN again. After entering the PIN the light is blinking red.

Then I can change the derived key mode to 1 ("button press required"). I've tried this with both the OnlyKey app and onlykey-cli.

I read that the way to exit config mode is to remove the OnlyKey and insert it again. But I've found repeatedly that if I do so then derivedkeymode is again set to 0 (Challenge Code Required).

So with the light still blinking red, I try to generate the GPG key pair:

$ onlykey-gpg init "example@example.com" --verbose 
2021-06-03 06:00:51,336 WARNING      This GPG tool is still in EXPERIMENTAL mode, so please note that the API and features may change without backwards compatibility! [__init__.py:128]
2021-06-03 06:00:51,366 INFO         device name: onlykey                                                                                 [__init__.py:136]
2021-06-03 06:00:51,367 INFO         GPG home directory: /home/user/.gnupg/onlykey                                                        [__init__.py:141]
2021-06-03 06:00:51,381 WARNING      NOTE: in order to re-generate the exact same GPG key later, run this command with "--time=0" commandline flag (to set the timestamp of the GPG key manually). [__init__.py:41]
2021-06-03 06:00:51,923 INFO         Requesting public key from key slot =132                                                             [onlykey.py:111]
2021-06-03 06:00:51,924 INFO         Identity to hash =b'gpg://example@example.com'                                                       [onlykey.py:125]
2021-06-03 06:00:51,924 INFO         Identity hash =9cd6f7bc1a8fd7d10742b6539e59967752512e67f85279d33e2d683122f12616                      [onlykey.py:129]
2021-06-03 06:00:51,927 INFO         curve name= 'ed25519'                                                                                [onlykey.py:145]
2021-06-03 06:00:53,433 INFO         received= []                                                                                         [onlykey.py:156]
2021-06-03 06:00:53,434 INFO         disconnected from OnlyKey                                                                            [onlykey.py:94]
2021-06-03 06:00:53,972 INFO         Requesting public key from key slot =132                                                             [onlykey.py:111]
2021-06-03 06:00:53,973 INFO         Identity to hash =b'gpg://example@example.com'                                                       [onlykey.py:125]
2021-06-03 06:00:53,974 INFO         Identity hash =9cd6f7bc1a8fd7d10742b6539e59967752512e67f85279d33e2d683122f12616                      [onlykey.py:129]
2021-06-03 06:00:53,977 INFO         curve name= 'curve25519'                                                                             [onlykey.py:145]
2021-06-03 06:00:54,454 INFO         disconnected from OnlyKey                                                                            [onlykey.py:94]
Traceback (most recent call last):
  File "/home/user/.local/lib/python3.7/site-packages/libagent/device/onlykey.py", line 150, in pubkey
    ok_pubkey = self.ok.read_bytes(timeout_ms=100)
  File "/home/user/.local/lib/python3.7/site-packages/onlykey/client.py", line 336, in read_bytes
    out = self._hid.read(n, timeout_ms=timeout_ms)
  File "hid.pyx", line 122, in hid.device.read
OSError: read error

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/user/.local/bin/onlykey-gpg", line 10, in <module>
    sys.exit(gpg_tool())
  File "/home/user/.local/bin/onlykey_agent.py", line 6, in <lambda>
    gpg_tool = lambda: libagent.gpg.main(DeviceType)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/__init__.py", line 375, in main
    return args.func(device_type=device_type, args=args)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/__init__.py", line 207, in run_init
    export_public_key(device_type, args))
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/__init__.py", line 50, in export_public_key
    decryption_key = c.pubkey(identity=identity, ecdh=True)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/client.py", line 29, in pubkey
    pubkey = self.device.pubkey(ecdh=ecdh, identity=identity)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/device/onlykey.py", line 154, in pubkey
    raise interface.DeviceError(e)
libagent.device.interface.DeviceError: read error

There doesn't seem to be a workaround because, as said, if I remove the OnlyKey and insert it again, then I'm asked to enter a challenge code, and this will fail too:

$ onlykey-gpg init "example@example.com" --verbose 
2021-06-03 06:17:41,339 WARNING      This GPG tool is still in EXPERIMENTAL mode, so please note that the API and features may change without backwards compatibility! [__init__.py:128]
2021-06-03 06:17:41,345 INFO         device name: onlykey                                                                                 [__init__.py:136]
2021-06-03 06:17:41,346 INFO         GPG home directory: /home/user/.gnupg/onlykey                                                        [__init__.py:141]
2021-06-03 06:17:41,359 WARNING      NOTE: in order to re-generate the exact same GPG key later, run this command with "--time=0" commandline flag (to set the timestamp of the GPG key manually). [__init__.py:41]
2021-06-03 06:17:41,439 INFO         Requesting public key from key slot =132                                                             [onlykey.py:111]
2021-06-03 06:17:41,440 INFO         Identity to hash =b'gpg://example@example.com'                                                       [onlykey.py:125]
2021-06-03 06:17:41,441 INFO         Identity hash =9cd6f7bc1a8fd7d10742b6539e59967752512e67f85279d33e2d683122f12616                      [onlykey.py:129]
2021-06-03 06:17:41,444 INFO         curve name= 'ed25519'                                                                                [onlykey.py:145]
2021-06-03 06:17:41,761 INFO         received= [200, 199, 61, 114, 163, 35, 19, 53, 56, 210, 183, 48, 218, 126, 254, 140, 27, 197, 236, 239, 130, 233, 192, 58, 128, 82, 254, 225, 38, 53, 255, 84, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] [onlykey.py:156]
2021-06-03 06:17:41,761 INFO         Received Public Key generated by OnlyKey= 'c8c73d72a323133538d2b730da7efe8c1bc5ecef82e9c03a8052fee12635ff54' [onlykey.py:161]
2021-06-03 06:17:41,761 INFO         vk= <nacl.signing.VerifyKey object at 0x76ce5947d860>                                                [onlykey.py:164]
2021-06-03 06:17:41,762 INFO         disconnected from OnlyKey                                                                            [onlykey.py:94]
2021-06-03 06:17:41,827 INFO         Requesting public key from key slot =132                                                             [onlykey.py:111]
2021-06-03 06:17:41,828 INFO         Identity to hash =b'gpg://example@example.com'                                                       [onlykey.py:125]
2021-06-03 06:17:41,828 INFO         Identity hash =9cd6f7bc1a8fd7d10742b6539e59967752512e67f85279d33e2d683122f12616                      [onlykey.py:129]
2021-06-03 06:17:41,832 INFO         curve name= 'curve25519'                                                                             [onlykey.py:145]
2021-06-03 06:17:43,338 INFO         received= []                                                                                         [onlykey.py:156]
2021-06-03 06:17:43,339 INFO         disconnected from OnlyKey                                                                            [onlykey.py:94]
2021-06-03 06:17:43,343 INFO         creating new ed25519 GPG primary key for "example@example.com"                                       [__init__.py:73]
2021-06-03 06:17:43,345 INFO         please confirm GPG signature on OnlyKey for "<gpg://example@example.com|ed25519>"...                 [client.py:40]
2021-06-03 06:17:43,372 INFO         Identity to hash =b'gpg://example@example.com'                                                       [onlykey.py:243]
2021-06-03 06:17:43,372 INFO         Identity hash =b'\x9c\xd6\xf7\xbc\x1a\x8f\xd7\xd1\x07B\xb6S\x9eY\x96wRQ.g\xf8Ry\xd3>-h1"\xf1&\x16'   [onlykey.py:244]
2021-06-03 06:17:43,372 INFO         Key type ed25519                                                                                     [onlykey.py:251]
2021-06-03 06:17:43,372 INFO         Key Slot =201                                                                                        [onlykey.py:275]
Enter the 3 digit challenge code on OnlyKey to authorize <gpg://example@example.com|ed25519>
2 1 4

2021-06-03 06:17:46,213 INFO         received= [92, 164, 40, 87, 37, 126, 64, 146, 177, 95, 244, 44, 242, 75, 23, 127, 237, 239, 211, 158, 25, 40, 147, 157, 198, 226, 101, 18, 70, 66, 150, 90, 188, 21, 238, 198, 202, 167, 224, 222, 4, 130, 142, 110, 54, 183, 65, 73, 233, 18, 157, 159, 101, 112, 202, 126, 145, 68, 217, 63, 125, 110, 172, 9] [onlykey.py:291]
2021-06-03 06:17:46,213 INFO         disconnected from OnlyKey                                                                            [onlykey.py:294]
2021-06-03 06:17:46,216 INFO         disconnected from OnlyKey                                                                            [onlykey.py:94]
Traceback (most recent call last):
  File "/home/user/.local/bin/onlykey-gpg", line 10, in <module>
    sys.exit(gpg_tool())
  File "/home/user/.local/bin/onlykey_agent.py", line 6, in <lambda>
    gpg_tool = lambda: libagent.gpg.main(DeviceType)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/__init__.py", line 375, in main
    return args.func(device_type=device_type, args=args)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/__init__.py", line 207, in run_init
    export_public_key(device_type, args))
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/__init__.py", line 88, in export_public_key
    signer_func=signer_func)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/encode.py", line 54, in create_subkey
    blob=(subkey.data() + secret_bytes))
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/protocol.py", line 221, in data
    blob = self.curve_info['serialize'](self.verifying_key)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/protocol.py", line 96, in _serialize_ed25519
    util.bytes2num(vk.encode(encoder=nacl.encoding.RawEncoder)))
AttributeError: 'NoneType' object has no attribute 'encode'

My main reason for buying an OnlyKey was generating GPG keys in a trusted way :-(

I'm using Debian 10 in Qubes. I attach the device to the virtual machine.

$ onlykey-cli fwversion
v0.2-beta.8c
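Added example (not part of the thread and not onlykey-agent code): in both failing runs above, a public-key request is answered with `received= []` or gets no reply at all. The sketch below pairs each `curve name=` request in a verbose `onlykey-gpg init` log with the reply that follows it and reports which curves returned no key. The function names and the abbreviated sample logs are assumptions made for the illustration.

```python
import ast
import re

CURVE_RE = re.compile(r"curve name= '([^']+)'")
RECEIVED_RE = re.compile(r"received= (\[[^\]]*\])")
KEY_LEN = 32  # ed25519 and curve25519 public keys are 32 bytes long


def pubkey_responses(log_text):
    """Pair each "curve name=" request with the "received=" line after it.

    Returns [(curve, hex_public_key or None), ...] in log order.
    """
    results = []
    pending = None  # curve whose reply has not been seen yet
    for line in log_text.splitlines():
        m = CURVE_RE.search(line)
        if m:
            if pending is not None:      # earlier request never got a reply
                results.append((pending, None))
            pending = m.group(1)
            continue
        m = RECEIVED_RE.search(line)
        if m and pending is not None:    # ignores replies to signing requests
            data = ast.literal_eval(m.group(1))
            key = bytes(data[:KEY_LEN]).hex() if len(data) >= KEY_LEN else None
            results.append((pending, key))
            pending = None
    if pending is not None:              # log ended (or crashed) before a reply
        results.append((pending, None))
    return results


def missing_keys(log_text):
    """Curves for which the device returned no public key."""
    return [curve for curve, key in pubkey_responses(log_text) if key is None]


# The 32 key bytes of the ed25519 reply in the second run above, followed by
# the 32 zero bytes that fill the rest of the 64-value reply.
ED25519_REPLY = [200, 199, 61, 114, 163, 35, 19, 53, 56, 210, 183, 48, 218,
                 126, 254, 140, 27, 197, 236, 239, 130, 233, 192, 58, 128, 82,
                 254, 225, 38, 53, 255, 84] + [0] * 32

# Constructed samples: same message format as the logs above, with
# timestamps and unrelated lines dropped.
FIRST_RUN = """\
INFO curve name= 'ed25519' [onlykey.py:145]
INFO received= [] [onlykey.py:156]
INFO curve name= 'curve25519' [onlykey.py:145]
INFO disconnected from OnlyKey [onlykey.py:94]
"""
SECOND_RUN = f"""\
INFO curve name= 'ed25519' [onlykey.py:145]
INFO received= {ED25519_REPLY} [onlykey.py:156]
INFO curve name= 'curve25519' [onlykey.py:145]
INFO received= [] [onlykey.py:156]
"""

if __name__ == "__main__":
    for name, log in (("first run", FIRST_RUN), ("second run", SECOND_RUN)):
        print(name, "missing:", missing_keys(log) or "none")
```

A non-empty result from `missing_keys` means the key pair is incomplete and the `init` output should not be relied on, whatever error appears later in the run.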

I would recommend upgrading firmware to 2.1.1 - https://github.com/trustcrypto/OnlyKey-Firmware/releases/tag/v2.1.1-prod

https://docs.crp.to/upgradeguide.html

I think the trouble might be the old firmware as your error messages do not indicate that an incorrect challenge was entered, which is what would be expected if the challenge mode was not correctly set.

Not sure if I was able to generate the keys correctly. I get no error generating the keys. However, following the command line example to use the generated key produces an error:

$ echo 123 | gpg2 --sign
gpg: Warning: not using 'Daniel Gonzalez Gasull <***@*****.***>' as default key: No secret key
gpg: all values passed to '--default-key' ignored
gpg: no default secret key: No secret key
gpg: signing failed: No secret key

(Masked my email address above to prevent spam).

~/.gnupg/onlykey/ was generated and contains my public key, that I can see with gpa (but it shows only the public key, not the private one).

The previous error is because I didn't call onlykey-agent. However, now I can only encrypt, not sign or decrypt:

$ onlykey-agent myemail@example.com -- gpg --sign hi.txt
gpg: using "Daniel Gonzalez Gasull <myemail@example.com>" as default secret key for signing
gpg: signing failed: End of file
gpg: signing failed: End of file

Same problem with gpg2:

$ onlykey-agent myemail@example.com -- gpg2 --sign hi.txt
gpg: using "Daniel Gonzalez Gasull <myemail@example.com>" as default secret key for signing
gpg: signing failed: End of file
gpg: signing failed: End of file

And even with gpa. After running onlykey-agent myemail@example.com -- gpa, and going to Windows -> Clipboard, writing some text and clicking on "Sign" I get a popup window with this error:

The GPGME library returned an unexpected
error at gpafilesignop.c:532. The error was:

End of file

This is either an installation problem or a bug in GPA.
GPA will now try to recover from this error.

Clicking on the button "Details" shows this text:

[GPA 0.10.0, GPGME 1.12.0, GnuPG 2.2.12]
gpg: signing failed: End of file
gpg: -&11: clear-sign failed: End of file

Encrypting works fine, both in the command line and with gpa, but when trying to decrypt I have the same problem again.

$ onlykey-agent myemail@example.com -- gpg --decrypt hi.txt.asc 
gpg: encrypted with 256-bit ECDH key, ID 106C443E4D4B34A2, created 1970-01-01
      "Daniel Gonzalez Gasull <myemail@example.com>"
gpg: public key decryption failed: End of file
gpg: decryption failed: No secret key
$ onlykey-agent myemail@example.com -- gpg2 --decrypt hi.txt.asc 
gpg: encrypted with 256-bit ECDH key, ID 106C443E4D4B34A2, created 1970-01-01
      "Daniel Gonzalez Gasull <myemail@example.com>"
gpg: public key decryption failed: End of file
gpg: decryption failed: No secret key
$ onlykey-agent myemail@example.com -- gpg2 -k
/home/user/.gnupg/onlykey/pubring.kbx
-------------------------------------
pub   ed25519 1970-01-01 [SCA]
      7D140CA52C820093EE26F85CFF771D2301D17F90
uid           [ultimate] Daniel Gonzalez Gasull <myemail@example.com>
sub   cv25519 1970-01-01 [E]
$ onlykey-agent myemail@example.com -- gpa

And then in the gpa clipboard, I copy paste the file hi.txt.asc and click on "Decrypt", obtaining a popup window with this error:

The GPGME library returned an unexpected
error at gpafiledecryptop.c:538. The error was:

End of file

This is either an installation problem or a bug in GPA.
GPA will now try to recover from this error.

And clicking on the "Details" button of such popup window I get this text:

[GPA 0.10.0, GPGME 1.12.0, GnuPG 2.2.12]
gpg: encrypted with 256-bit ECDH key, ID 106C443E4D4B34A2, created 1970-01-01
"Daniel Gonzalez Gasull myemail@example.com"
gpg: public key decryption failed: End of file
gpg: decryption failed: No secret key

Is onlykey-gpg encrypting with a different key than the one I generated? I only seem to have one public key in my keyring:

onlykey-agent myemail@example.com -- gpg2 --list-public-keys
/home/user/.gnupg/onlykey/pubring.kbx
-------------------------------------
pub   ed25519 1970-01-01 [SCA]
      7D140CA52C820093EE26F85CFF771D2301D17F90
uid           [ultimate] Daniel Gonzalez Gasull <myemail@example.com>
sub   cv25519 1970-01-01 [E]

(Still posting on this GitHub issue because I don't know if the problem means the keypair was not generated properly).

Since only public key operations are working it sounds like it was not initialized correctly. What onlykey-gpg init command did you run and what was the output?

I deleted ~/.gnupg/onlykey and started over with a test keypair:

$ onlykey-gpg init "Example <example@example.com>" --verbose
2021-06-19 04:59:33,774 WARNING      This GPG tool is still in EXPERIMENTAL mode, so please note that the API and features may change without backwards compatibility! [__init__.py:128]
2021-06-19 04:59:33,780 INFO         device name: onlykey                                                                                 [__init__.py:136]
2021-06-19 04:59:33,781 INFO         GPG home directory: /home/user/.gnupg/onlykey                                                        [__init__.py:144]
2021-06-19 04:59:33,793 WARNING      NOTE: in order to re-generate the exact same GPG key later, run this command with "--time=0" commandline flag (to set the timestamp of the GPG key manually). [__init__.py:41]
2021-06-19 04:59:33,868 INFO         Requesting public key from key slot =132                                                             [onlykey.py:109]
2021-06-19 04:59:33,869 INFO         Identity to hash =b'gpg://Example <example@example.com>'                                             [onlykey.py:123]
2021-06-19 04:59:33,869 INFO         Identity hash =ab8ed69c52728f13d35c8fde9f7e3ebc3709f2bb907acd53d4507d59bc86af11                      [onlykey.py:127]
2021-06-19 04:59:33,871 INFO         curve name= 'ed25519'                                                                                [onlykey.py:143]
2021-06-19 04:59:34,196 INFO         received= [53, 97, 242, 181, 161, 159, 99, 176, 169, 247, 211, 44, 61, 180, 170, 137, 140, 146, 150, 202, 182, 172, 222, 161, 246, 188, 155, 138, 246, 254, 251, 53, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] [onlykey.py:154]
2021-06-19 04:59:34,197 INFO         Received Public Key generated by OnlyKey= '3561f2b5a19f63b0a9f7d32c3db4aa898c9296cab6acdea1f6bc9b8af6fefb35' [onlykey.py:159]
2021-06-19 04:59:34,197 INFO         vk= <nacl.signing.VerifyKey object at 0x77f560c18400>                                                [onlykey.py:162]
2021-06-19 04:59:34,197 INFO         disconnected from OnlyKey                                                                            [onlykey.py:92]
2021-06-19 04:59:34,255 INFO         Requesting public key from key slot =132                                                             [onlykey.py:109]
2021-06-19 04:59:34,256 INFO         Identity to hash =b'gpg://Example <example@example.com>'                                             [onlykey.py:123]
2021-06-19 04:59:34,256 INFO         Identity hash =ab8ed69c52728f13d35c8fde9f7e3ebc3709f2bb907acd53d4507d59bc86af11                      [onlykey.py:127]
2021-06-19 04:59:34,260 INFO         curve name= 'curve25519'                                                                             [onlykey.py:143]
2021-06-19 04:59:34,521 INFO         received= [238, 198, 88, 118, 9, 249, 14, 165, 26, 79, 188, 251, 37, 150, 142, 61, 112, 37, 202, 76, 220, 87, 6, 11, 138, 107, 100, 9, 142, 65, 152, 51, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] [onlykey.py:154]
2021-06-19 04:59:34,522 INFO         Received Public Key generated by OnlyKey= 'eec6587609f90ea51a4fbcfb25968e3d7025ca4cdc57060b8a6b64098e419833' [onlykey.py:159]
2021-06-19 04:59:34,522 INFO         vk= <nacl.signing.VerifyKey object at 0x77f560c181d0>                                                [onlykey.py:162]
2021-06-19 04:59:34,522 INFO         disconnected from OnlyKey                                                                            [onlykey.py:92]
2021-06-19 04:59:34,528 INFO         creating new ed25519 GPG primary key for "Example <example@example.com>"                             [__init__.py:73]
2021-06-19 04:59:34,529 INFO         please confirm GPG signature on OnlyKey for "<gpg://Example <example@example.com>|ed25519>"...       [client.py:40]
2021-06-19 04:59:34,580 INFO         Identity to hash =b'gpg://Example <example@example.com>'                                             [onlykey.py:241]
2021-06-19 04:59:34,580 INFO         Identity hash =b'\xab\x8e\xd6\x9cRr\x8f\x13\xd3\\\x8f\xde\x9f~>\xbc7\t\xf2\xbb\x90z\xcdS\xd4P}Y\xbc\x86\xaf\x11' [onlykey.py:242]
2021-06-19 04:59:34,580 INFO         Key type ed25519                                                                                     [onlykey.py:249]
2021-06-19 04:59:34,580 INFO         Key Slot =201                                                                                        [onlykey.py:273]
Enter the 3 digit challenge code on OnlyKey to authorize <gpg://Example <example@example.com>|ed25519>
5 3 5
2021-06-19 04:59:42,004 INFO         received= [249, 156, 181, 130, 89, 134, 212, 1, 198, 22, 5, 225, 177, 18, 251, 25, 165, 123, 42, 183, 236, 183, 193, 140, 154, 149, 87, 105, 243, 175, 107, 158, 73, 17, 106, 200, 128, 213, 115, 50, 37, 45, 124, 112, 51, 234, 17, 191, 1, 252, 240, 66, 137, 161, 17, 151, 154, 53, 106, 52, 188, 103, 118, 2] [onlykey.py:289]
2021-06-19 04:59:42,005 INFO         disconnected from OnlyKey                                                                            [onlykey.py:292]
2021-06-19 04:59:42,008 INFO         disconnected from OnlyKey                                                                            [onlykey.py:92]
2021-06-19 04:59:42,010 INFO         please confirm GPG signature on OnlyKey for "<gpg://Example <example@example.com>|ed25519>"...       [client.py:40]
2021-06-19 04:59:42,055 INFO         Identity to hash =b'gpg://Example <example@example.com>'                                             [onlykey.py:241]
2021-06-19 04:59:42,055 INFO         Identity hash =b'\xab\x8e\xd6\x9cRr\x8f\x13\xd3\\\x8f\xde\x9f~>\xbc7\t\xf2\xbb\x90z\xcdS\xd4P}Y\xbc\x86\xaf\x11' [onlykey.py:242]
2021-06-19 04:59:42,055 INFO         Key type ed25519                                                                                     [onlykey.py:249]
2021-06-19 04:59:42,055 INFO         Key Slot =201                                                                                        [onlykey.py:273]
Enter the 3 digit challenge code on OnlyKey to authorize <gpg://Example <example@example.com>|ed25519>
6 2 3
2021-06-19 04:59:47,334 INFO         received= [224, 51, 144, 25, 106, 247, 77, 240, 23, 178, 219, 182, 76, 151, 110, 24, 163, 106, 148, 35, 225, 137, 216, 39, 173, 176, 14, 7, 74, 219, 137, 181, 190, 59, 3, 59, 78, 229, 96, 95, 162, 165, 171, 144, 227, 143, 4, 241, 64, 20, 251, 181, 63, 98, 198, 130, 74, 29, 74, 155, 138, 81, 28, 4] [onlykey.py:289]
2021-06-19 04:59:47,334 INFO         disconnected from OnlyKey                                                                            [onlykey.py:292]
2021-06-19 04:59:47,338 INFO         disconnected from OnlyKey                                                                            [onlykey.py:92]
gpg: keybox '/home/user/.gnupg/onlykey/pubring.kbx' created
gpg: armor header: Version: GnuPG v2
gpg: pub  ed25519/4AB5CB4FDB7469B3 1970-01-01  Example <example@example.com>
gpg: /home/user/.gnupg/onlykey/trustdb.gpg: trustdb created
gpg: using pgp trust model
gpg: key 4AB5CB4FDB7469B3: public key "Example <example@example.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: inserting ownertrust of 6
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
sec   ed25519 1970-01-01 [SCA]
      4580C116CCFF13E0C22B946C4AB5CB4FDB7469B3
uid           [ultimate] Example <example@example.com>
ssb   cv25519 1970-01-01 [E]

And I'm getting the same error with the gpa clipboard:

$ onlykey-agent example@example.com -- gpa

Error window signing:

The GPGME library returned an unexpected
error at gpafilesignop.c:532. The error was:

End of file

This is either an installation problem or a bug in GPA.
GPA will now try to recover from this error.

Encrypting works fine.

Error window decrypting:

The GPGME library returned an unexpected
error at gpafiledecryptop.c:538. The error was:

End of file

This is either an installation problem or a bug in GPA.
GPA will now try to recover from this error.

More information:

GPA 0.10.0
(GPGME 1.12.0)
(GnuPG 2.2.12)

$ onlykey-agent --version
onlykey-agent=1.1.11 lib-agent=1.0.2
$ onlykey-cli fwversion
v2.1.1-prodc

$ echo 123 | gpg2 --sign
gpg: Warning: not using 'Daniel Gonzalez Gasull <@.*>' as default key: No secret key
gpg: all values passed to '--default-key' ignored
gpg: no default secret key: No secret key
gpg: signing failed: No secret key

You are seeing this because GPG does not know where your key is. Try this instead:
echo 123 | gpg2 --sign --homedir ~/.gnupg/onlykey | gpg2 --verify --homedir ~/.gnupg/onlykey

You have to add export GNUPGHOME=~/.gnupg/onlykey to your .bashrc or other environment file.
$ export GNUPGHOME=${HOME}/.gnupg/onlykey

Next, you don't need to use onlykey-agent "Bob Smith bob@protonmail.com" -- gpa. Per the docs this method is if you were using SSH not GPG.

Note: This method can also be used for git push, scp, or other mechanisms that are using SSH as their communication protocol:

$ onlykey-agent identity@myhost -- COMMAND --WITH --ARGUMENTS

For some reason I couldn't generate a keypair with Derived Key User Input Mode set to "Button Press Required", so I had to generate the keypair with Derived Key User Input Mode set to "Challenge Code Required". But of course once the keypair is generated, GPG won't ask for the challenge code. So I set back Derived Key User Input Mode to Button Press Required, and it works now for encrypting, decrypting, etc.