
YubiKey(s) recognised "wrongly" #193

Closed
mirko opened this issue Jun 25, 2024 · 6 comments

Comments

mirko commented Jun 25, 2024

Versions

pcsc-lite version 2.0.3.
Copyright (C) 1999-2002 by David Corcoran <[email protected]>.
Copyright (C) 2001-2022 by Ludovic Rousseau <[email protected]>.
Copyright (C) 2003-2004 by Damien Sauveron <[email protected]>.
Report bugs to <[email protected]>.
Enabled features: Linux x86_64-pc-linux-gnu libsystemd serial usb libudev polkit usbdropdir=/usr/lib/pcsc/drivers ipcdir=/run/pcscd filter configdir=/etc/reader.conf.d
MAX_READERNAME: 128, PCSCLITE_MAX_READERS_CONTEXTS: 16

Platform

  • Debian Linux (testing/trixie)
  • gnupg / pcsc lite
  • YubiKey 5

Issue

  • What do you do?
$ cat .gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry-gnome3
#disable-ssh-support
scdaemon-program /usr/bin/gnupg-pkcs11-scd

$ cat .gnupg/gnupg-pkcs11-scd.conf 
# PKCS#11 provider
providers opensc
provider-opensc-library /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

$ gpg --card-status
  • What result do you expect?
    I'd expect the same or similar output as I get when using scdaemon instead of pcscd:
$ gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: PURGED
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 23793478
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: on
Signature key ....: PURGED
      created ....: 2024-06-22 12:24:21
Encryption key....: PURGED
      created ....: 2024-06-22 12:26:16
Authentication key: PURGED
      created ....: 2024-06-22 12:24:36
General key info..: sub  ed25519/PURGED
sec#  ed25519/PURGED  created: 2024-06-22  expires: never
ssb>  ed25519/PURGED  created: 2024-06-22  expires: 2029-06-21
              PURGED  card-no: 0006 23793478
ssb>  ed25519/PURGED  created: 2024-06-22  expires: 2029-06-21
              PURGED  card-no: 0006 23793478
ssb>  cv25519/PURGED  created: 2024-06-22  expires: 2029-06-21
                                card-no: 0006 23793478

  • What result do you get instead?
$ gpg --card-status
gpg: WARNING: server 'scdaemon' is older than us (0.10.0 < 2.2.40)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
Reader ...........: [none]
Application ID ...: PURGED
Application type .: OpenPGP
Version ..........: 11.50
Manufacturer .....: ?
Serial number ....: 609B28DD
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa48 rsa48 rsa48
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Log

Then you shall generate a complete log (do not truncate it).

Nice try :)

There was an error creating your Issue: body is too long (maximum is 65536 characters).

https://paste.nanl.de/?2bcadd71ab215dba#6Nqk2LSSK7ZDTHQj5dBFAP68c5tzAzdukJtg8aTyxvR9

LudovicRousseau (Owner) commented:

I see no error in your logs.

If I understand correctly, the problem is when you use scdaemon.
When you use pcscd it all works fine.
Exact?

mirko (Author) commented Jun 25, 2024

No, the other way round. "What result do you expect?" shows the (correct) scdaemon output. "What result do you get instead?" shows gpg-agent using the libpcsc while pcscd is running (linked log corresponds to that one).

LudovicRousseau (Owner) commented:

I think you inverted the 2 situations.
Case 1: it works fine

  • "Yubico YubiKey OTP FIDO CCID 00 00" is a typical pcsc-lite reader name.
  • so this test is using pcsc-lite. You can remove the "pcscd" package just to be sure

Case 2: does not work

  • You get: "gpg: WARNING: server 'scdaemon' is older than us (0.10.0 < 2.2.40)"
  • it looks like scdaemon is used here.

mirko (Author) commented Jun 26, 2024

All I can do is paste what I'm doing and seeing:

user@COMPUTER:~$ ps faux | grep -iE "(pcsc|scdaemon)"
user    3244491  0.0  0.0   6708  2304 pts/20   S+   19:26   0:00      |   \_ grep -iE (pcsc|scdaemon)
user@COMPUTER:~$ /usr/bin/gpg --card-status
Reader ...........: 1050:0407:X:0
Application ID ...: X
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
user@COMPUTER:~$ ps faux | grep -iE "(pcsc|scdaemon)"
user    3244534  0.0  0.0 164228  4352 ?        SLl  19:27   0:00      \_ scdaemon --multi-server
user    3244542  0.0  0.0   6708  2304 pts/20   S+   19:27   0:00      |   \_ grep -iE (pcsc|scdaemon)

LudovicRousseau (Owner) commented:

That is a completely different user name here: Reader ...........: 1050:0407:X:0

See https://blog.apdu.fr/posts/2024/04/gnupg-and-pcsc-conflicts-episode-2/
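As an added diagnostic (not part of this issue, pcsc-lite or GnuPG), the following script classifies a `gpg --card-status` transcript by the clues discussed above: the pcsc-lite reader name in Case 1, the "server 'scdaemon' is older than us" warning in Case 2, and the `1050:0407:X:0` style name from the later run. It assumes that warning comes from the foreign scdaemon-program configured in gpg-agent.conf, and that `VID:PID:serial:index` names come from GnuPG's built-in CCID driver; the sample transcripts are constructed, abridged from the ones posted in the thread.

```shell
#!/bin/sh
# Added diagnostic (not from the issue): tell which card backend answered
# a `gpg --card-status` run by looking at its output.

classify_card_status() {
  # $1: full text of a gpg --card-status run
  out=$1
  # GnuPG's own scdaemon carries gpg's version number, so a version mismatch
  # warning points at a foreign program set via scdaemon-program in
  # gpg-agent.conf (assumption: gnupg-pkcs11-scd, as configured in this issue).
  if printf '%s\n' "$out" | grep -q "server 'scdaemon' is older than us"; then
    echo "foreign-scdaemon"
    return 0
  fi
  reader=$(printf '%s\n' "$out" | sed -n 's/^Reader \.*: *//p')
  case "$reader" in
    ""|"[none]")
      echo "no-reader" ;;
    [0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]:*)
      # VID:PID:serial:index: assumed to be GnuPG's built-in CCID driver
      echo "gnupg-internal-ccid" ;;
    *)
      # pcsc-lite names readers "<vendor> <product> <slot> <index>"
      echo "pcsc-lite" ;;
  esac
}

# Constructed samples, abridged from the transcripts in this issue.
CASE_PCSC='Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application type .: OpenPGP
Manufacturer .....: Yubico'
CASE_FOREIGN="gpg: WARNING: server 'scdaemon' is older than us (0.10.0 < 2.2.40)
Reader ...........: [none]
Manufacturer .....: ?"
CASE_INTERNAL='Reader ...........: 1050:0407:X:0
Application type .: OpenPGP
Manufacturer .....: Yubico'

for c in "$CASE_PCSC" "$CASE_FOREIGN" "$CASE_INTERNAL"; do
  classify_card_status "$c"
done
```

Pipe a real run into it with `classify_card_status "$(gpg --card-status 2>&1)"` to check which path a given machine is actually taking before changing gpg-agent.conf.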

mirko (Author) commented Jun 28, 2024

Okay, this is confusing. I'll report back once I have sorted things out. Thanks and sorry for the noise.
