GnuPG and smartcards
wk at gnupg.org
Thu Oct 21 18:11:51 CEST 2004
On Thu, 21 Oct 2004 17:51:47 +0200, Peter Palfrader said:
> It didn't say it for me:
I have seen it just yesterday but will check again.
> I created an RSA key (1024 bits primary, 1024 encryptiong subkey), and
> moved the private keys to the card.
> Signing works perfectly, however when I try to decrypt something, I get
> the following:
Might be related to ...
> I also get errors, when I try to generate keys on card:
> | gpg: please wait while key is being generated ...
> | gpg: pcsc_transmit failed: not transacted (0x80100016)
this or there is a real problem.
The "not transacted" comes from pcsc and seems to be a catch-all
error. I am looking into this with Ludovico (pcsclite) and Carlos
(libtowitoko). I don't have these problem with the internal CCID
driver. You should try it: make sure that libusb is available at
build time and stop pcscd - the internal ccid driver will then be
used. You need proper permissions for USB though; see below.
I thought it is a problem with libtowitoko but may be the PC/SC CCID
driver has the same problem - I didn't tested it due to USB stack
problems on the other machine running linux 2.6.8.
> [If you feel this should be moved to the gnupg-devel list, please do.
> Please CC me in that case]
Yep, it might be of interest to others too.
===== Preparing for the inetranl CCID driver ====
The USB stack is here accessed by means of libUSB through the
special usbfd. Thus make sure that this file system has been
mounted; the suggested way of doing so is by using the following
line in /etc/fstab:
none /proc/bus/usb usbfs default 0 0
To get the permission right you may use the lazy way of mounting
the USB filesystem under your uid. For example if your userID is
1000, you may use this line in /etc/fstab
none /proc/bus/usb usbfs default,devuid=1000 0 0
After mounting this file system (using "mount /proc/bus/usb") all
files below /proc/bus/usb are owned by you. You may instead use
devgid to allow access by a group. There is however a major
security problem with this approach: The owner of the files has full
permissions to all connected USB devices not matter what type of
device. Thus it is strongly suggested to use the follwoing method
If your system comes with hotplug support you may assign permissions
on a per devices base. Here we want to give permissions to all CCID
devises to the user in the group "scard". You need to create the
following 2 files.
A mapping file to select what script to run for which device:
=== /etc/hotplug/usb/gnupg-ccid.usermap ===
# The entries below are used to detect CCID devices and run a script
# USB_MATCH_VENDOR 0x0001
# USB_MATCH_PRODUCT 0x0002
# USB_MATCH_DEV_LO 0x0004
# USB_MATCH_DEV_HI 0x0008
# USB_MATCH_DEV_CLASS 0x0010
# USB_MATCH_DEV_SUBCLASS 0x0020
# USB_MATCH_DEV_PROTOCOL 0x0040
# USB_MATCH_INT_CLASS 0x0080
# USB_MATCH_INT_SUBCLASS 0x0100
# USB_MATCH_INT_PROTOCOL 0x0200
# script match_flags idVendor idProduct bcdDevice_lo bcdDevice_hi
# bDeviceClass bDeviceSubClass bDeviceProtocol
# bInterfaceClass bInterfaceSubClass bInterfaceProtocol driver_info
# flags V P Bcd C S Prot Clas Sub Prot Info
# Generic CCID device
gnupg-ccid 0x0080 0x0 0x0 0 0 0 0 0x00 0x0B 0x00 0x00 0x00000000
# SPR532 is CCID but without the proper CCID class
gnupg-ccid 0x0003 0x04e6 0xe003 0 0 0 0 0x00 0x0B 0x00 0x00 0x00000000
This file states that the script "gnupg-ccid" should be run if a
devices matching the parameters comes available by plugging it into
the USB. The script to actually assign the permissions is:
=== /etc/hotplug/usb/gnupg-ccid ===
# This script changes the permissions and ownership of a USB device
# under /proc/bus/usb to grant access to this device to users in the
# "scard" group.
# Arguments :
# latest hotplug doesn't set DEVICE on 2.6.x kernels
if [ -z "$DEVICE" ] ; then
IF=`echo $DEVPATH | sed 's/\(bus\/usb\/devices\/\)\(.*\)-\(.*\)/\2/'`
DEV=`echo $DEVPATH | sed 's/\(bus\/usb\/devices\/\)\(.*\)-\(.*\)/\3/'`
DEV=`expr $DEV + 1`
DEVICE=`printf '/proc/bus/usb/%.03d/%.03d' $IF $DEV`
if [ "$ACTION" = "add" -a "$TYPE" = "usb" ]; then
chgrp scard "$DEVICE"
chmod g=rw "$DEVICE"
Don't forget to "chmod +x" this script.
More information about the Gnupg-devel