Bug 33065

Summary: Smartcard support in gpg does not work
Product: Mageia Reporter: Dan Fandrich <dan>
Component: RPM Packages Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED INVALID QA Contact:
Severity: normal    
Priority: Normal Keywords: IN_ERRATA9
Version: 9   
Target Milestone: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Source RPM: gnupg2-2.3.8-1.mga9.src.rpm CVE:
Status comment:

Description Dan Fandrich 2024-04-08 20:50:38 CEST
Description of problem:
gpg does not see a Yubikey, meaning smartcard features don't work:

$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

This is the case for gnupg2-2.3.81.mga9 as well as gnupg2-2.4.5-1 (rebuilt for mga9).

Downgrading to the gnupg2-2.2.36-1.mga8 package (on mga9) allows gpg --card-status to work properly again.

Running gnupg2-2.3.81.mga9 but replacing the executable binary /usr/libexec/gnupg2/scdaemon with the one from gnupg2-2.2.36-1.mga8 allows gpg --card-status to detect the card, but it outputs a version incompatibility warning and some card functions still don't work.

When rebuilding the RPM, configure states "Smartcard: yes" so it appears like it should be working. And the fact that it detects the card after replacing scdaemon or downgrading means that it's not a permissions issue. Adding "reader-port Yubico Yubi" to ~/.gnupg/scdaemon.conf (as suggested in some places) did not help.

Version-Release number of selected component (if applicable):
gnupg2-2.3.81.mga9


How reproducible:
100%

Steps to Reproduce:
1. install a properly-configured Yubikey in a USB port
2. run: gpg --card-status

Comment 1 Dan Fandrich 2024-04-10 05:30:22 CEST
I opened a thread on gnupg-users on this issue and made some interesting discoveries. It turns out that gnupg >=2.3.x no longer uses pcscd for its card interactions, but goes to USB directly. If pcscd is running, then that grabs the device and gpg (via scdaemon) doesn't have access and returns an error.

Disabling pcscd (pcscd.service and pcscd.socket) would solve the problem, but since pcscd is needed for yubioath-desktop, rather than disable it I added the line "disable-ccid" to ~/.gnupg/scdaemon.conf. That fixes the problem while still allowing pcscd to work.

Resolution: (none) => INVALID
Status: NEW => RESOLVED
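
A check for the conflict comment 1 describes, as an added example that is not part of the bug report or of GnuPG: it reports whether gpg 2.3 or later, a running pcscd and a missing "disable-ccid" line coincide. The function names and verdict strings are this example's own assumptions; `--check-host` reads the live system through gpg, systemctl and gpgconf.

```shell
#!/bin/sh
# Added example (not from the bug report): detect the pcscd/scdaemon reader
# conflict from comment 1. Function names and verdicts are this example's own.

# True when VERSION (e.g. "2.3.8") is >= 2.3, the series comment 1 reports
# as going to the USB reader directly instead of through pcscd.
uses_direct_usb() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 3 ]; }
}

# True when FILE has an active (uncommented) "disable-ccid" line.
has_disable_ccid() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*disable-ccid[[:space:]]*$' "$1"
}

# Prints one verdict: ok-legacy | ok-no-pcscd | ok-disable-ccid | conflict
# Args: gpg version, "active" or "inactive" for pcscd, path to scdaemon.conf
diagnose() {
    if ! uses_direct_usb "$1"; then echo ok-legacy
    elif [ "$2" != active ]; then echo ok-no-pcscd
    elif has_disable_ccid "$3"; then echo ok-disable-ccid
    else echo conflict
    fi
}

# Gather the three facts from the running system and diagnose them.
check_host() {
    ver=$(gpg --version | sed -n '1s/.* //p')
    state=inactive
    for unit in pcscd.service pcscd.socket; do
        if systemctl is-active --quiet "$unit" 2>/dev/null; then state=active; fi
    done
    conf="$(gpgconf --list-dirs homedir)/scdaemon.conf"
    verdict=$(diagnose "$ver" "$state" "$conf")
    echo "gpg $ver, pcscd $state: $verdict"
    if [ "$verdict" = conflict ]; then
        # scdaemon reads its config at startup, so restart it after editing.
        echo "add 'disable-ccid' to $conf, then run: gpgconf --kill scdaemon"
    fi
}

if [ "${1:-}" = "--check-host" ]; then check_host; fi
```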

Comment 2 katnatek 2024-04-10 19:44:45 CEST
(In reply to Dan Fandrich from comment #1)
> I opened a thread on gnupg-users on this issue and made some interesting
> discoveries. It turns out that gnupg >=2.3.x no longer uses pcscd for its
> card interactions, but goes to USB directly. If pcscd is running, then that
> grabs the device and gpg (via scdaemon) doesn't have access and returns an
> error.
> 
> Disabling pcscd (pcscd.service and pcscd.socket) would solve the problem,
> but since pcscd is needed for yubioath-desktop, rather than disable it I
> added the line "disable-ccid" to ~/.gnupg/scdaemon.conf. That fixes the
> problem while still allowing pcscd to work.

Can you please add this in the Erratas?

Keywords: (none) => FOR_ERRATA9

Comment 3 Dan Fandrich 2024-04-10 20:05:31 CEST
Added to https://wiki.mageia.org/en/Mageia_9_Errata

Comment 4 katnatek 2024-04-10 20:38:04 CEST
(In reply to Dan Fandrich from comment #3)
> Added to https://wiki.mageia.org/en/Mageia_9_Errata

Thank you

Keywords: FOR_ERRATA9 => IN_ERRATA9