
Prevents gnupg to work with a smartcard/yubikey #2980

bigon opened this issue Jan 11, 2024 · 14 comments

@bigon (Contributor) commented Jan 11, 2024

Hello,

Problem Description

I'm running on debian unstable. I've had issues for a long time using my gpg card and/or my yubikey to sign messages with gpg.

It seems that the problem comes from the opensc-pkcs11 module being loaded by GNOME

I need to restart pcscd to be able to use my gpg card.

I tried to use ignored_readers and card_drivers to ignore my yubikey but it seems that opensc is still locking it?

Proposed Resolution

Steps to reproduce

  1. Install the opensc package on debian
  2. Reboot, and login in GNOME, pkcs11-register will add the module to the user configuration and browser (which is a good thing!)
  3. Plug the yubikey
  4. Run gpg --card-status

gpg --card-status complains that:

gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

Logs

Is that a bug? Any advice here would be nice.

@mouse07410 (Contributor) commented

Does it look like another blip of the exclusive open that the GnuPG daemons do?

@bigon (Contributor, Author) commented Jan 12, 2024

Yes maybe, but I would expect that if the reader is ignored, opensc wouldn't take a lock on it at all

@popovec (Member) commented Jan 12, 2024

When I tried to use a MyEID card with gpg I found this page. gpg can be used with any pkcs#11 token, so it can also be used with a Yubikey:

https://sztsian.github.io/2022/02/20/Using-PKCS11-Token-With-GPG.html

@Jakuje (Member) commented Jan 12, 2024

One more option is to use the pcsc-shared option for scdaemon; that should prevent it from using exclusive access to pcscd. Unless Debian builds gnupg with the bundled ccid driver, which makes things much uglier:

https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=configure.ac;h=c21138641f031d425fbca8b46a0471e77e51b644;hb=HEAD#l452

@bigon (Contributor, Author) commented Jan 12, 2024

gnupg in debian is indeed built with the internal ccid driver, but it can be disabled with an option at runtime: https://sources.debian.org/src/gnupg2/2.2.40-1.1/doc/scdaemon.texi/?hl=273#L273

I'll try the pcsc-shared option

@bigon (Contributor, Author) commented Jan 12, 2024

pcsc-shared doesn't seem to work either ?!

@frankmorgner (Member) commented

Since this topic regularly comes up, I've created some information in the wiki:

https://github.com/OpenSC/OpenSC/wiki/GnuPG-and-OpenSC

Feel free to add or modify.

@bigon (Contributor, Author) commented Jan 14, 2024

@frankmorgner Thanks for the document.

Unfortunately none of the options are working for me.

But the real question for opensc is: why, with ignored_readers set or with card_drivers not including openpgp, is it still locking the reader?

Edit: Note that the PIV applet is disabled on the yubikey

@frankmorgner (Member) commented

Please add a log from OpenSC with ignored_readers and/or card_drivers set. I doubt that the options are ignored and/or that OpenSC is permanently locking the token.

@bigon (Contributor, Author) commented Jan 15, 2024

OK, I think I found something.

If the yubikey is already plugged in when the process is started/at boot and then I run gpg --card-status, it works fine:
opensc-debug_already_plugged.txt

But if I plug in the Yubikey while opensc is already loaded by a process/after boot, it doesn't:
opensc-debug.txt

Configuration of opensc is the following:

app default {
        debug = 9;
        debug_file = /home/bigon/opensc-debug.txt;
        ignored_readers = "Yubico YubiKey";
}

Config of scdaemon:

bigon@eriador:~$ cat .gnupg/scdaemon.conf
pcsc-driver /usr/lib/x86_64-linux-gnu/libpcsclite.so.1
card-timeout 5
disable-ccid
pcsc-shared
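A small diagnostic, added here and not part of OpenSC or of anything posted in the thread: it takes an opensc.conf and a scdaemon.conf (constructed samples mirroring the ones above) and reports whether a given PC/SC reader name would be skipped by OpenSC's ignored_readers and whether the scdaemon options discussed in the thread are actually set. It assumes, as OpenSC's ctx.c does, that each ignored_readers entry is matched as a substring of the reader name; the reader names are made up for the example.

```shell
#!/bin/sh
# Added example: check OpenSC/scdaemon config for the shared-access setup
# discussed in the thread. Not OpenSC's own code.

# Constructed sample configs (values mirror the thread, extra entry added).
OPENSC_CONF='app default {
        debug = 9;
        ignored_readers = "Yubico YubiKey", "Broadcom Corp 58200";
}'
SCDAEMON_CONF='pcsc-driver /usr/lib/x86_64-linux-gnu/libpcsclite.so.1
card-timeout 5
disable-ccid
pcsc-shared'

# Print the ignored_readers entries, one per line, quotes and padding stripped.
ignored_entries() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*ignored_readers[[:space:]]*=[[:space:]]*\(.*\);[[:space:]]*$/\1/p' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*"\{0,1\}//; s/"\{0,1\}[[:space:]]*$//' \
      | grep -v '^$'
}

# reader_ignored CONF READER_NAME: exit 0 if OpenSC would skip the reader.
# Assumption: OpenSC matches each entry as a substring of the reader name.
reader_ignored() {
    ignored_entries "$1" | {
        while IFS= read -r entry; do
            case $2 in *"$entry"*) exit 0 ;; esac
        done
        exit 1
    }
}

# scdaemon_has CONF OPTION: exit 0 if OPTION appears uncommented on its own line.
scdaemon_has() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2([[:space:]]|$)"
}

report() {
    # Constructed reader names in the usual PC/SC "<name> <slot> <index>" form.
    for r in "Yubico YubiKey OTP+FIDO+CCID 00 00" "Gemalto PC Twin Reader 01 00"; do
        if reader_ignored "$OPENSC_CONF" "$r"; then echo "OpenSC skips: $r"
        else echo "OpenSC will open: $r"; fi
    done
    for opt in pcsc-shared disable-ccid; do
        scdaemon_has "$SCDAEMON_CONF" "$opt" && echo "scdaemon: $opt set" \
            || echo "scdaemon: $opt missing"
    done
}
report
```

To run it against a live system, replace the two constructed strings with the output of `cat /etc/opensc/opensc.conf` and `cat ~/.gnupg/scdaemon.conf`, and feed reader names from `opensc-tool --list-readers`.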

@dengert (Member) commented Jan 15, 2024

I note that your fingerprint reader also uses PCSC.
Google for: Broadcom Corp 58200 "PCSC"

A pcsc log might also help, as it may be locking up there; the last line in opensc-debug.txt is waiting on it. And the library that called OpenSC was /usr/libexec/gsd-smartcard

Google for: gsd-smartcard

@frankmorgner (Member) commented

The log shows that OpenSC is ignoring the Yubikey and that it connects using a shared connection. I think you should now debug scdaemon (GnuPG) on what the problem could be.

@bigon (Contributor, Author) commented Jan 16, 2024

Thanks for your time, I'll continue to debug this and let you know.

@bigon (Contributor, Author) commented Jan 18, 2024

bigon closed this as completed Jan 18, 2024