gnupg-2.3: scdaemon disables PC/SC fallback if CCID is enabled, breaks smartcards #38034
Comments
Thanks for the report. I'll be packaging up the udev rules later and look into why this didn't break for me with my yubikey.
The problem is much worse than it seems at first. The internal CCID driver is not what's new; it's quite old and there's traces of it breaking pcscd all over the web from before gnupg 2.3 (
What's new is that gnupg 2.3 dropped the automatic fallback to pcscd when the internal driver fails (https://dev.gnupg.org/T4673). That fallback was what we all used since void and (most) distros never shipped any udev rules that would allow the built-in driver to work. I think that option 1 would be fine, but would imo require at minimum a But it's unclear to me if option 3 is realistic at all, seeing how there's no official or otherwise recognised set of udev rules, and the Debian ones are so barebones that they don't even include any Yubico devices from after the Yubikey 4, like my Yubikey 5. We'd have to maintain a set of rules and that seems like a major task. Regarding my previous comment on plugdev/uaccess, it seems it might not be relevant since rules like the ones Debian ships appear to use a completely different permission mechanism that I don't quite comprehend. Maybe it's some weirder logind stuff that might not work here, or Debian-specific things.
@0x5c I think the situation isn't as bad as you make it out to be: I'm running GnuPG 2.3.7 on Void, and I'm using a Yubikey 5 without any of those workarounds just fine. I think what masked this issue for me is having ykpers installed, which ships udev rules for current yubikeys as well. My current plan for now would be:
Quick update:
NixOS does not appear to be using those rules, at least not in the gnupg package https://github.com/NixOS/nixpkgs/tree/master/pkgs%2Ftools%2Fsecurity%2Fgnupg EDIT: found the actual package they plonked the rules in https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/hardware/gpgsmartcards.nix
From what I understand pcscd has to not be running, is that right? In that case it remains a problem for anyone who has to use pcsc for other reasons. I also suspect that the rules debian ships depend on logind.
To be clear, I did not add any 3rd party
They can disable the Either way this probably warrants an install message as @jcgruenhage suggested, possibly linking to the updated documentation.
Right, the people using pcscd need to set ccid to disabled in the scdaemon config.
Is this a new report?
Yes

System Info
Void 5.15.52_1 x86_64 AuthenticAMD uptodate hold rrrmFFFFFFFFFFFFFFF

Package(s) Affected
gnupg-2.3.7_1

Does a report exist for this bug with the project's home (upstream) and/or another distro?
https://dev.gnupg.org/T5409#145581

Expected behaviour
Current setups that (need) to use pcscd for smartcard access (like yubikeys) should work.

Actual behaviour
scdaemon disabled the fallback to the PC/SC driver when the internal CCID driver is used.

Solutions I can see so far:
1. echo disable-ccid >> ~/.gnupg/scdaemon.conf
2. gnupg with --disable-ccid-driver
3. gnupg package ships udev rules that allow users to access the smartcard with the internal CCID and users disable pcscd

Apparently debian ships udev rules, though I have not tested them.
Though I can confirm that manually changing the permissions on the usb device and disabling pcscd works.
I think we should prefer 3 over 2 over 1.

Steps to reproduce
1. pcscd running to access smartcards
2. gpgconf --kill all
3. gpg --card-status

@jcgruenhage
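A small POSIX shell check for the misconfiguration this report describes, added here as an example and not taken from the issue or from GnuPG: it tells you whether a given scdaemon.conf still depends on the PC/SC fallback that 2.3 removed while pcscd is in use, and applies option 1 without appending duplicate lines. The pcscd socket paths and the pgrep probe are assumptions about a typical install.

```shell
#!/bin/sh
# Added example (not from the issue or GnuPG): detect a GnuPG 2.3 setup that still
# relies on the removed internal-CCID -> PC/SC fallback, and apply option 1 safely.

# ccid_disabled CONF: succeeds if CONF has an active (uncommented) disable-ccid line.
ccid_disabled() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*disable-ccid([[:space:]]|$)' "$1"
}

# pcscd_active: heuristic probe for a running pcscd (process or its socket).
# Socket paths are assumptions about a typical install; adjust for your distro.
pcscd_active() {
    pgrep -x pcscd >/dev/null 2>&1 ||
        [ -S /run/pcscd/pcscd.comm ] || [ -S /var/run/pcscd/pcscd.comm ]
}

# scdaemon_mode CONF yes|no: prints how scdaemon will reach the reader and
# returns 1 for the broken combination this report describes.
#   conflict : pcscd holds the reader, internal CCID still enabled, no fallback
#   pcsc     : pcscd in use and disable-ccid set, scdaemon goes through PC/SC
#   ccid     : no pcscd, internal CCID driver used (needs udev access rules)
scdaemon_mode() {
    conf=$1
    pcscd_running=$2
    if [ "$pcscd_running" = yes ]; then
        if ccid_disabled "$conf"; then
            echo pcsc
            return 0
        fi
        echo conflict
        return 1
    fi
    echo ccid
}

# add_disable_ccid CONF: option 1 from the report, made idempotent so repeated
# runs do not keep appending lines to scdaemon.conf.
add_disable_ccid() {
    if ! ccid_disabled "$1"; then
        mkdir -p "$(dirname "$1")" && printf 'disable-ccid\n' >> "$1"
    fi
}

# Report on the real setup when run directly; restart scdaemon afterwards
# (gpgconf --kill all) for any config change to take effect.
conf="${GNUPGHOME:-$HOME/.gnupg}/scdaemon.conf"
if pcscd_active; then running=yes; else running=no; fi
scdaemon_mode "$conf" "$running" || true
```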