VMware Workstation, YubiKey 5Ci, GPG4Win 4.0.0 shows keys, 4.0.3 does not


I test software in a VM before encouraging others in an org to use it.

I have set up a YubiKey 5Ci to work from an x86_64 Linux host in a Windows 11 (64 bit) VM under VMware Workstation. Pass-through of the USB-based YubiKey is working well for OpenPGP slot and PIV slots (S/MIME) from Kleopatra and Outlook using plugin under GPG4Win 4.0.0.

After upgrade to GPG4Win 4.0.3, Kleopatra under the “SmartCards” tab shows the serial number of the YubiKey, but claims all of the slots are empty. Sometimes it shows just 4 “empty” PIV slots, but no OpenPGP slots, other times an empty OpenPGP slot, but no PIV slots.

Under GPG4Win 4.0.0, and Kleopatra, under Smartcards, I see a tab for PIV and a tab for OpenPGP with correct information about what each slot contains with mapping to public cert. (Testing for PIV based S/MIME and OpenPGP “GPG” cert/key.)

Because it is a VM, I have snapshots of various stages with working in GPG4Win 4.0.0 and not working in 4.0.3.

(Between each upgrade/downgrade, I purged the program files dir with the application and the gpg / kleopatra directories in the $USERNAME$\AppData* spaces for local and roaming to ensure no legacy junk exists as files in these spaces.)

This was a problem before Windows 11 upgrade to 22H2 and 2022-09 KB5017389 and after. 4.0.3 does not show keys/certs on the YubiKey, but 4.0.0 does.

There are presently no other updates from MS for my Windows 11.

I have the latest Yubico minicard driver, and piv tool and manager, which show the correct slot use with data for each card from Windows whether running the working GPG4Win 4.0.0 or non-working GPG4Win 4.0.3.

As a diagnostic step, I’ve attempted asking Kleopatra to use the DLL provided by Yubico for PKCS11 CS, and similar tools, but those have not yet worked in Kleopatra, so it is presently set with the default “winscard.dll”. (Under Linux, testing of Kleopatra trading out the default libpcsclite.so.1 or libpcsclite.so.1.0.0 for the Yubico provided SharedObjects worked fine.)

Suggestions on how to get the YubiKey to work with GPG4Win under 4.0.3, which was working under 4.0.0?

Let me know if you want more data/tests. I should be able to revert to a snapshot with 4.0.0 vs 4.0.3, but both on the same latest version of MS Windows 11.

Breaking social rules by replying to myself:

I see in another thread ( https://wald.intevation.org/forum/message.php?msg_id=8508&group_id=11 ) , mention of https://dev.gnupg.org/T6070 for Yubikey 5* series and 4.0.3:

Is this likely the source of issues?

It is a known bug on gpg4win 4.0.3 with gnupg 2.3.7 and yubico firmware 5.2.x. gpg4win 4.0.4 is expected to be released for the solution they have already tested. I suggest you install 4.0.2 and then wait for 4.0.4.

link for 4.0.2



Yes, I tried variations of installs and some of the tests mentioned in the other thread so see the same results (“gpg --card-status” provided similar results under 4.0.3 but worked as expected under 4.0.2.)

Everything tested so far shows the issue I am seeing is the 4.0.3 packaged GnuPG release 2.3.7. All of the tests reported by others with the GnuPG bug with YubiKey seem to be confirmed in my VM.

GPG4Win 4.0.2 works in the VM with YubiKey 5Ci as does 4.0.0, but 4.0.3 does not.


Saw gpg4win 4.0.4 was available.
Set VM snapshot and upgraded from gpg4win 4.0.2 to gpg4win 4.0.4 and this recognizes
my YubiKey 5Ci PIV (S/MIME) and OpenPGP (gpg key) slot/services.
I’ve not completed all of the tests, but so far, everything that was working in 4.0.2 is working
in 4.0.4 unlike 4.0.3.

Glad to hear it. 4.0.4 is quite well tested as we already had it in QA when the Security Issue was reported that required the immediate release (unlike with 4.0.3).

Now, to tell my boss to try it out…

That is very simple. Because of https://gnupg.org/blog/20221017-pepe-left-the-ksba.html you must update ASAP. All previous versions are affected.

Best Regards,