Smartcard Hotplug?
Marc Mercer
mmercer at twinprime.com
Wed Nov 4 01:22:01 CET 2015
Niibe,
Thank you for the response :).
Below is the information I have based on what you were looking for (For
now, I will focus on Fedora, and assuming I can get it working, I can
handle ubuntu from there):
Showing no existing gpg-agent or scdaemon:
┌[Tue Nov 3 16:09:04]-(mmercer at localhost)-[○]
└[~/.gnupg]> ps aux | grep gpg
mmercer 22438 0.0 0.0 114332 2264 pts/3 S+ 16:09 0:00 grep
--color=auto --exclude-dir=.bzr --exclude-dir=.cvs --exclude-dir=.git
--exclude-dir=.hg --exclude-dir=.svn gpg
┌[Tue Nov 3 16:09:08]-(mmercer at localhost)-[○]
└[~/.gnupg]> ps aux | grep scd
mmercer 22485 0.0 0.0 114332 2316 pts/3 S+ 16:09 0:00 grep
--color=auto --exclude-dir=.bzr --exclude-dir=.cvs --exclude-dir=.git
--exclude-dir=.hg --exclude-dir=.svn scd
Plug in the card:
┌[Tue Nov 3 16:09:13]-(mmercer at localhost)-[○]
└[~/.gnupg]> gpg2 --card-status
Application ID ...: D2760001240102000006002DCDD90000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 002DCDD9
Name of cardholder: Marc Mercer
Language prefs ...: en
Sex ..............: male
URL of public key : [not set]
Login data .......: ec2-user
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 4
Signature key ....: 740B 6B95 61A9 63C4 5165 D211 E909 31CA 2BFD 523A
created ....: 2015-10-23 22:31:58
Encryption key....: A56E 701A C61B D8DC 4711 95BD D05C 0510 1565 738B
created ....: 2015-10-23 22:32:52
Authentication key: 47EA 327C DB5D DD0F F38E 145E C74A 2066 D586 B7A3
created ....: 2015-10-23 22:33:15
General key info..: sub rsa2048/2BFD523A 2015-10-23 Marc Mercer <mmercer at twinprime.com>
sec# rsa2048/3DC2FE11 created: 2015-10-23 expires: 2020-10-21
ssb> rsa2048/2BFD523A created: 2015-10-23 expires: 2020-10-21
card-no: 0006 002DCDD9
ssb> rsa2048/1565738B created: 2015-10-23 expires: 2020-10-21
card-no: 0006 002DCDD9
ssb> rsa2048/D586B7A3 created: 2015-10-23 expires: 2020-10-21
card-no: 0006 002DCDD9
We can now see that there are running gpg-agents and scdaemon:
┌[Tue Nov 3 16:09:20]-(mmercer at localhost)-[○]
└[~/.gnupg]> ps aux | grep gpg
mmercer 22535 0.0 0.0 197076 864 ? Ss 16:09 0:00 gpg-agent
--homedir /home/mmercer/.gnupg --use-standard-socket --daemon
mmercer 22587 0.0 0.0 114332 2112 pts/3 S+ 16:09 0:00 grep
--color=auto --exclude-dir=.bzr --exclude-dir=.cvs --exclude-dir=.git
--exclude-dir=.hg --exclude-dir=.svn gpg
┌[Tue Nov 3 16:09:27]-(mmercer at localhost)-[○]
└[~/.gnupg]> ps aux |grep scd
mmercer 22538 0.0 0.0 234324 4480 ? SLl 16:09 0:00 scdaemon
--multi-server
mmercer 22634 0.0 0.0 114332 2304 pts/3 S+ 16:09 0:00 grep
--color=auto --exclude-dir=.bzr --exclude-dir=.cvs --exclude-dir=.git
--exclude-dir=.hg --exclude-dir=.svn scd
Unplug the card:
┌[Tue Nov 3 16:09:47]-(mmercer at localhost)-[○]
└[~/.gnupg]> gpg2 --card-status
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error
Replug the card in:
┌[Tue Nov 3 16:09:57]-(mmercer at localhost)-[○]
└[~/.gnupg]> gpg2 --card-status
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error
Additional info:
Using pcsc:
Installed Packages
Name : pcsc-lite-libs
Arch : x86_64
Epoch : 0
Version : 1.8.13
Release : 1.fc22
Size : 51 k
Repo : @System
Summary : PC/SC Lite libraries
URL : http://pcsclite.alioth.debian.org/
License : BSD
Description : PC/SC Lite libraries.
The only udev rules I have in place are ones that I had to write in order
to obtain access to the device due to permissions:
└[/usr/lib/udev/rules.d]> cat 70-yubikey.rules
SUBSYSTEMS=="usb", DRIVERS=="usb", ATTRS{idVendor}=="1050", \
ATTRS{version}==" 2.00", ATTRS{manufacturer}=="Yubico", \
ATTRS{removable}=="removable", ATTRS{idProduct}=="0111", \
ATTRS{product}=="Yubikey NEO OTP+CCID", \
OWNER="mmercer", GROUP="mmercer"
Unfortunately, I cannot get scdaemon to output any debug logs. I have
adjusted the path, killed and restarted the scdaemon (or rather, let gpg2
restart it), etc. No output data via that medium. (Have used
/var/run/user/myuid/scd-debug.log, ~/.gnupg/scd-debug.log and a few
others, no change -- no logs)
Let me know what to do/where to go next.
Thank you,
Marc Mercer | *DevOps Architect*
M: (408) 470 - 9256 | E: mmercer at twinprime.com
805 Veterans Blvd, Redwood City CA 94063 | http://www.twinprime.com
On Tue, Nov 3, 2015 at 3:45 PM, NIIBE Yutaka <gniibe at fsij.org> wrote:
> Hello,
>
> Thank you for your report and I'm sorry I couldn't respond to your
> question in gnupg-users, in time.
>
> On 11/04/2015 07:06 AM, Marc Mercer wrote:
> > Fedora/Other Linuxes:
> > When we use the same setup as above, we get similar results, but with one
> > major difference. On the linux distributions, I have been forced to kill
> > the gpg-agent and restart it to force the agent to reload the "replugged"
> > card. Everything else works, except the "hotplug" support.
>
> It should just work with no special configuration. And it works for
> me (at least) on Debian for three years (squeeze, wheezy, jessie,
> current sid).
>
> We need more information to figure out what's wrong in your
> environment.
>
> Please let me know if you use PC/SC or not. For GnuPG, there are two
> ways to access a smartcard: one is through the PC/SC service and the other is
> accessing it directly with libusb.
>
> If you have other applications which use PC/SC service, you need to
> use PC/SC service. If not, you can just use smartcard with GnuPG (not
> to install PC/SC at all). For the latter, you need udev configuration
> for your smartcard reader. An example configuration can be seen in the
> bug report of Debian:
>
> https://bugs.debian.org/bug=543217
>
> In my case, it's in /lib/udev/rules.d/60-gnupg.rules
> (Similar configuration is done by PC/SC service.)
>
> You can get debug output of scdaemon by configuration of:
>
> ============================= .gnupg/scdaemon.conf
> debug-level guru
> debug-all
> log-file /run/user/1000/scd-debug.log
> =============================
>
> Please note that it may include your passphrase for smartcard, so be
> careful to share the debug output.
>
> (1) With card inserted, invoke gpg --card-status
> Works or not?
>
> (2) Remove the card
>
> (3) With card inserted, again, invoke gpg --card-status
> Works or not?
>
> Please give me your /run/user/1000/scd-debug.log
> --
>
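The three-step test Niibe asks for ((1) card-status with the card in, (2) remove, (3) card-status again) reduces to comparing two `gpg2 --card-status` outputs: did a card answer after the replug at all, and was it the same card (same Application ID, serial and key fingerprints) rather than a different token. The script below is an added example, not code from the thread or from GnuPG; the helper names `parse_card_status`, `compare_cards` and `run_card_status` are this example's own. The two sample outputs are copied from Marc's message above (the `created` sub-lines are re-indented as gpg prints them).

```python
"""Parse `gpg2 --card-status` output and classify a card replug.

Added example for the hotplug test in this thread; not part of GnuPG.
Helper names are this example's own. Sample outputs below are copied
from the thread (constructed test data, indentation restored).
"""
import re
import subprocess

# Top-level field lines look like "Manufacturer .....: Yubico" or
# "URL of public key : [not set]": a label, optional dot padding, a colon.
FIELD_RE = re.compile(
    r"^(?P<label>[A-Za-z][A-Za-z0-9 ./]*?)\s*\.*\s*:\s?(?P<value>.*)$"
)
# OpenPGP v4 fingerprints are printed as ten groups of four hex digits.
FPR_RE = re.compile(r"^[0-9A-F]{4}( [0-9A-F]{4}){9}$")

# Output from the thread with the Yubikey NEO present (constructed sample).
WORKING = """\
Application ID ...: D2760001240102000006002DCDD90000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 002DCDD9
Name of cardholder: Marc Mercer
Language prefs ...: en
Sex ..............: male
URL of public key : [not set]
Login data .......: ec2-user
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 4
Signature key ....: 740B 6B95 61A9 63C4 5165 D211 E909 31CA 2BFD 523A
      created ....: 2015-10-23 22:31:58
Encryption key....: A56E 701A C61B D8DC 4711 95BD D05C 0510 1565 738B
      created ....: 2015-10-23 22:32:52
Authentication key: 47EA 327C DB5D DD0F F38E 145E C74A 2066 D586 B7A3
      created ....: 2015-10-23 22:33:15
General key info..: sub rsa2048/2BFD523A 2015-10-23 Marc Mercer <mmercer at twinprime.com>
sec# rsa2048/3DC2FE11 created: 2015-10-23 expires: 2020-10-21
ssb> rsa2048/2BFD523A created: 2015-10-23 expires: 2020-10-21
                      card-no: 0006 002DCDD9
"""

# Output from the thread after the card was unplugged (constructed sample).
FAILED = """\
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error
"""


def parse_card_status(text):
    """Return (fields, errors): fields maps each top-level label to its
    value (fingerprints with spaces removed); errors collects the 'gpg:'
    diagnostic lines. Indented sub-lines and key listings are ignored."""
    fields, errors = {}, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("gpg:"):
            errors.append(line[4:].strip())
            continue
        if line[0].isspace():
            continue  # 'created ....:' and 'card-no:' sub-lines
        m = FIELD_RE.match(line)
        if not m:
            continue  # 'sec#' / 'ssb>' key listing lines
        label, value = m.group("label").strip(), m.group("value").strip()
        if FPR_RE.match(value):
            value = value.replace(" ", "")
        fields[label] = value
    return fields, errors


def compare_cards(before, after):
    """Classify step (3) of the hotplug test against step (1):
    'absent' if gpg reported an error or no card after the replug,
    'same' if the card identity matches, 'different' otherwise."""
    b_fields, _ = parse_card_status(before)
    a_fields, a_errors = parse_card_status(after)
    if a_errors or "Application ID" not in a_fields:
        return "absent"
    identity = ("Application ID", "Serial number", "Signature key",
                "Encryption key", "Authentication key")
    if all(b_fields.get(k) == a_fields.get(k) for k in identity):
        return "same"
    return "different"


def run_card_status(gpg="gpg2"):
    """Invoke gpg --card-status and return stdout and stderr together,
    since gpg prints the 'Card error' diagnostics on stderr."""
    proc = subprocess.run([gpg, "--card-status"], capture_output=True, text=True)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # Live use: run once with the card in, replug, then run again.
    step1 = run_card_status()
    input("Remove and reinsert the card, then press Enter... ")
    print("replug result:", compare_cards(step1, run_card_status()))
```

Run against the two samples from the thread, `compare_cards(WORKING, FAILED)` returns `absent`, which is exactly the failure Marc reports at step (3); a healthy hotplug returns `same`, and `different` would mean scdaemon reconnected but to another token.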