Bug 33065 - Smartcard support in gpg does not work
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 9
Hardware: x86_64 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Mageia Bug Squad
QA Contact:
URL:
Whiteboard:
Keywords: IN_ERRATA9
Depends on:
Blocks:
 
Reported: 2024-04-08 20:50 CEST by Dan Fandrich
Modified: 2024-04-10 20:38 CEST

See Also:
Source RPM: gnupg2-2.3.8-1.mga9.src.rpm
CVE:
Status comment:



Description Dan Fandrich 2024-04-08 20:50:38 CEST
Description of problem:
gpg does not see a Yubikey, meaning smartcard features don't work:

$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

This is the case for gnupg2-2.3.8-1.mga9 as well as gnupg2-2.4.5-1 (rebuilt for mga9).

Downgrading to the gnupg2-2.2.36-1.mga8 package (on mga9) allows gpg --card-status to work properly again.

Running gnupg2-2.3.8-1.mga9 but replacing the executable binary /usr/libexec/gnupg2/scdaemon with the one from gnupg2-2.2.36-1.mga8 allows gpg --card-status to detect the card, but it outputs a version incompatibility warning and some card functions still don't work.

When rebuilding the RPM, configure states "Smartcard: yes" so it appears like it should be working. And the fact that it detects the card after replacing scdaemon or downgrading means that it's not a permissions issue. Adding "reader-port Yubico Yubi" to ~/.gnupg/scdaemon.conf (as suggested in some places) did not help.

Version-Release number of selected component (if applicable):
gnupg2-2.3.8-1.mga9


How reproducible:
100%

Steps to Reproduce:
1. install a properly-configured Yubikey in a USB port
2. run: gpg --card-status
Comment 1 Dan Fandrich 2024-04-10 05:30:22 CEST
I opened a thread on gnupg-users on this issue and made some interesting discoveries. It turns out that gnupg >=2.3.x no longer uses pcscd for its card interactions, but goes to USB directly. If pcscd is running, then that grabs the device and gpg (via scdaemon) doesn't have access and returns an error.

Disabling pcscd (pcscd.service and pcscd.socket) would solve the problem, but since pcscd is needed for yubioath-desktop, rather than disable it I added the line "disable-ccid" to ~/.gnupg/scdaemon.conf. That fixes the problem while still allowing pcscd to work.

Resolution: (none) => INVALID
Status: NEW => RESOLVED
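
Added example (not written by anyone in this bug report): a shell sketch that applies the workaround from comment 1 idempotently, adding "disable-ccid" to scdaemon.conf only when pcscd is active and the option is not already set. The function names are this example's own, and it assumes a systemd host with gpgconf on the PATH.

```shell
#!/bin/sh
# Added example: apply the scdaemon.conf workaround from comment 1 idempotently.
# All function names below are hypothetical helpers, not part of GnuPG.

# Succeeds if the file already has an active (uncommented) disable-ccid line.
has_disable_ccid() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*disable-ccid[[:space:]]*$' "$1"
}

# Appends disable-ccid to <gnupg home>/scdaemon.conf unless it is already set.
# Prints "added" or "present" so the caller knows whether a restart is needed.
ensure_disable_ccid() {
    home=$1
    conf=$home/scdaemon.conf
    if has_disable_ccid "$conf"; then
        echo present
        return 0
    fi
    [ -d "$home" ] || mkdir -m 700 -p "$home" || return 1
    # If the existing file lacks a final newline, add one before appending.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        echo >> "$conf" || return 1
    fi
    echo disable-ccid >> "$conf" || return 1
    echo added
}

# True when pcscd (service or socket) is active, i.e. the situation in which
# comment 1 reports that pcscd grabs the device ahead of scdaemon.
pcscd_active() {
    command -v systemctl >/dev/null 2>&1 || return 1
    systemctl is-active --quiet pcscd.service ||
        systemctl is-active --quiet pcscd.socket
}

# Entry point: only touch the config when pcscd is actually running.
apply_workaround() {
    gnupg_home=${GNUPGHOME:-$HOME/.gnupg}
    if ! pcscd_active; then
        echo "pcscd is not active; leaving scdaemon.conf unchanged"
        return 0
    fi
    [ "$(ensure_disable_ccid "$gnupg_home")" = added ] || return 0
    # scdaemon reads its options at startup; gpg starts it again on demand.
    gpgconf --kill scdaemon
}
```

Source the file and call apply_workaround, then re-run gpg --card-status to confirm the card is visible.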

Comment 2 katnatek 2024-04-10 19:44:45 CEST
(In reply to Dan Fandrich from comment #1)
> I opened a thread on gnupg-users on this issue and made some interesting
> discoveries. It turns out that gnupg >=2.3.x no longer uses pcscd for its
> card interactions, but goes to USB directly. If pcscd is running, then that
> grabs the device and gpg (via scdaemon) doesn't have access and returns an
> error.
> 
> Disabling pcscd (pcscd.service and pcscd.socket) would solve the problem,
> but since pcscd is needed for yubioath-desktop, rather than disable it I
> added the line "disable-ccid" to ~/.gnupg/scdaemon.conf. That fixes the
> problem while still allowing pcscd to work.

Can you please add this to the Errata?

Keywords: (none) => FOR_ERRATA9

Comment 3 Dan Fandrich 2024-04-10 20:05:31 CEST
Added to https://wiki.mageia.org/en/Mageia_9_Errata
Comment 4 katnatek 2024-04-10 20:38:04 CEST
(In reply to Dan Fandrich from comment #3)
> Added to https://wiki.mageia.org/en/Mageia_9_Errata

Thank you

Keywords: FOR_ERRATA9 => IN_ERRATA9

