Smartcard Hotplug?

Marc Mercer mmercer at twinprime.com
Wed Nov 4 18:08:49 CET 2015


Niibe,
Ok, have done that and done some testing this morning.

With disable-ccid, I of course had no actual pcscd service, so determined I needed to install pcsc-lite, not just the libs.  Installed that, enabled the service, set disable-ccid in the scdaemon.conf and attempted to use gpg2 --card-status, and we are not loading at all at this point.  I would imagine that has to do with the fact that there is no pcsc configuration for this card right now, so I will see if I can dig around and find that.

Here is what I am seeing in the debug log with disable-ccid:

2015-11-04 09:06:56 scdaemon[29294] listening on socket '/home/mmercer/.gnupg/S.scdaemon'
2015-11-04 09:06:56 scdaemon[29294] handler for fd -1 started
2015-11-04 09:06:56 scdaemon[29294] DBG: enter: apdu_open_reader: portstr=(null)
2015-11-04 09:06:56 scdaemon[29294] pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
2015-11-04 09:06:56 scdaemon[29294] DBG: leave: apdu_open_reader => slot=-1 [pc/sc]
2015-11-04 09:06:56 scdaemon[29294] DBG: chan_5 -> OK GNU Privacy Guard's Smartcard server ready
2015-11-04 09:06:56 scdaemon[29294] DBG: chan_5 <- GETINFO socket_name
2015-11-04 09:06:56 scdaemon[29294] DBG: chan_5 -> D /home/mmercer/.gnupg/S.scdaemon
2015-11-04 09:06:56 scdaemon[29294] DBG: chan_5 -> OK
2015-11-04 09:06:56 scdaemon[29294] DBG: chan_5 <- OPTION event-signal=12
2015-11-04 09:06:56 scdaemon[29294] DBG: chan_5 -> OK
2015-11-04 09:06:56 scdaemon[29294] DBG: chan_5 <- SERIALNO openpgp
2015-11-04 09:06:56 scdaemon[29294] DBG: enter: apdu_open_reader: portstr=(null)
2015-11-04 09:06:56 scdaemon[29294] pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
2015-11-04 09:06:56 scdaemon[29294] DBG: leave: apdu_open_reader => slot=-1 [pc/sc]
2015-11-04 09:06:56 scdaemon[29294] DBG: chan_5 -> ERR 100663404 Card error <SCD>
2015-11-04 09:06:56 scdaemon[29294] DBG: chan_5 <- RESTART
2015-11-04 09:06:56 scdaemon[29294] DBG: chan_5 -> OK

This was after I cleared up all services and the log so that it would be
easy to see what was happening.

I will continue to see if I can find the settings, but hope this proves to
be useful in the meantime.

Thank you for your assistance and attention to this,


Marc Mercer | *DevOps Architect*
M: (408) 470 - 9256 | E: mmercer at twinprime.com
805 Veterans Blvd, Redwood City CA 94063 | http://www.twinprime.com


On Wed, Nov 4, 2015 at 2:05 AM, NIIBE Yutaka <gniibe at fsij.org> wrote:

> Hello,
>
> For a while, please configure your scdaemon.conf with a line.
>
> ==================== .gnupg/scdaemon.conf
> disable-ccid
> ====================
>
> With this option, scdaemon always uses the PC/SC service and I believe that
> it will improve the situation of yours.
>
>                         *       *       *
>
> On 2015-11-04 at 00:15 -0800, Marc Mercer wrote:
> > For now, I didn't want to make the posting itself too clumsy, so I
> > have linked the logfile here:  https://gist.github.com/Daemoen/e079a7
> > d0617526661e25
>
> Thanks a lot.  I think that I've finally got a clue to solve this
> issue of Yubikey and Cryptostick; I got some complaints but none was
> reproducible.
>
> IIUC, I think that the situation is like this:
>
> (1) With the configuration of Yubikey and Cryptostick, a user actually
> uses GnuPG's internal CCID driver (instead of PC/SC), if a user
> doesn't specify disable-ccid.
>
> That's because current scdaemon's logic tries the internal CCID driver
> at first and then goes to PC/SC.
>
> Because of Yubikey and Cryptostick's recommended configuration of udev
> (which has other use something like OTP/U2F/PIV), the access by
> internal CCID driver (unfortunately) doesn't fail.
>
> Usually for other card readers, the access by internal CCID fails and
> goes to PC/SC, but this doesn't happen for Yubikey and Cryptostick.
>
>
> (2) On Fedora, we would have some compatibility issue of old libusb.
> GnuPG's ccid-driver.c expects return value of -ENODEV for bulk write
> when it's gone, but it looks like the return value is different.  So,
> internal CCID driver can't detect unplugging of tokens/readers.
>
>
> While I ask you running scdaemon with disable-ccid option, I should
> fix the problem of internal CCID driver.
> --
>
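The scdaemon log above reports the PC/SC failure only as "unknown PC/SC error code (0x8010002e)" and the Assuan reply only as "ERR 100663404 Card error <SCD>". The following script is an added example, not part of this thread or of GnuPG: it parses such debug-log lines, maps the hex PC/SC return code to its winscard.h name and splits the libgpg-error number into its source and code fields, so the reader can tell "pcscd is not running" (SCARD_E_NO_SERVICE) apart from "pcscd is running but lists no reader" (SCARD_E_NO_READERS_AVAILABLE). The symbolic names are taken from the PC/SC and libgpg-error headers as I know them and are an assumption to verify against your installed headers; the sample lines are copied from the log posted above.

```python
"""Decode PC/SC and Assuan error numbers in a scdaemon debug log.

Added example for the thread above, not GnuPG code. Constant names are
taken from winscard.h (pcsc-lite) and libgpg-error as the author of this
example knows them; check them against your own headers.
"""
import re

# PC/SC return codes that scdaemon prints as "unknown PC/SC error code".
PCSC_ERRORS = {
    0x80100001: "SCARD_F_INTERNAL_ERROR",
    0x80100002: "SCARD_E_CANCELLED",
    0x80100003: "SCARD_E_INVALID_HANDLE",
    0x80100009: "SCARD_E_UNKNOWN_READER",
    0x8010000A: "SCARD_E_TIMEOUT",
    0x8010000B: "SCARD_E_SHARING_VIOLATION",
    0x8010000C: "SCARD_E_NO_SMARTCARD",
    0x80100017: "SCARD_E_READER_UNAVAILABLE",
    0x8010001D: "SCARD_E_NO_SERVICE",          # cannot talk to pcscd at all
    0x8010001E: "SCARD_E_SERVICE_STOPPED",
    0x8010002E: "SCARD_E_NO_READERS_AVAILABLE",  # pcscd answers, reader list empty
    0x8010002F: "SCARD_E_COMM_DATA_LOST",
    0x80100066: "SCARD_W_UNRESPONSIVE_CARD",
    0x80100067: "SCARD_W_UNPOWERED_CARD",
    0x80100068: "SCARD_W_RESET_CARD",
    0x80100069: "SCARD_W_REMOVED_CARD",
}

# libgpg-error packs (source << 24) | code into the number after "ERR".
# Only the values seen in the posted log are tabulated here.
GPG_ERR_SOURCES = {6: "GPG_ERR_SOURCE_SCD"}
GPG_ERR_CODES = {108: "GPG_ERR_CARD"}  # rendered by gpg as "Card error"

PCSC_RE = re.compile(r"pcsc_list_readers failed: .*\((0x[0-9a-fA-F]+)\)")
ERR_RE = re.compile(r"chan_\d+ -> ERR (\d+) (.*)")

# Lines copied from the log posted above (wrapping removed).
SAMPLE_LOG = [
    "2015-11-04 09:06:56 scdaemon[29294] DBG: enter: apdu_open_reader: portstr=(null)",
    "2015-11-04 09:06:56 scdaemon[29294] pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)",
    "2015-11-04 09:06:56 scdaemon[29294] DBG: leave: apdu_open_reader => slot=-1 [pc/sc]",
    "2015-11-04 09:06:56 scdaemon[29294] DBG: chan_5 <- SERIALNO openpgp",
    "2015-11-04 09:06:56 scdaemon[29294] pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)",
    "2015-11-04 09:06:56 scdaemon[29294] DBG: chan_5 -> ERR 100663404 Card error <SCD>",
]


def decode_pcsc(code):
    """Symbolic name for a PC/SC return code, or a hex fallback."""
    return PCSC_ERRORS.get(code, "unknown (0x%08x)" % code)


def decode_gpg_error(num):
    """Split a libgpg-error number into (source name, code name)."""
    source, code = num >> 24, num & 0xFFFFFF
    return (GPG_ERR_SOURCES.get(source, "source %d" % source),
            GPG_ERR_CODES.get(code, "code %d" % code))


def analyse(lines):
    """Collect decoded PC/SC failures and Assuan ERR replies from log lines."""
    summary = {"pcsc": [], "assuan_err": []}
    for line in lines:
        m = PCSC_RE.search(line)
        if m:
            code = int(m.group(1), 16)
            summary["pcsc"].append((code, decode_pcsc(code)))
            continue
        m = ERR_RE.search(line)
        if m:
            num = int(m.group(1))
            summary["assuan_err"].append((num, decode_gpg_error(num), m.group(2)))
    return summary


def hint(summary):
    """Point at the layer to check next (heuristic added by this example)."""
    names = {name for _, name in summary["pcsc"]}
    if "SCARD_E_NO_SERVICE" in names:
        return "scdaemon cannot reach pcscd: the daemon is not running or its socket is unreachable"
    if "SCARD_E_NO_READERS_AVAILABLE" in names:
        return "pcscd answered but lists no reader: check that pcscd itself sees the token before blaming scdaemon"
    if summary["assuan_err"]:
        return "scdaemon returned %s to gpg" % summary["assuan_err"][0][2]
    return "no PC/SC or Assuan error found"


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for code, name in result["pcsc"]:
        print("PC/SC 0x%08x = %s" % (code, name))
    for num, (src, err), text in result["assuan_err"]:
        print("Assuan ERR %d = %s/%s (%s)" % (num, src, err, text))
    print(hint(result))
```

Run it against a log captured with `debug-level guru` and `log-file` set in scdaemon.conf, or pipe `sys.stdin` into `analyse`. For the posted log the decoded result is SCARD_E_NO_READERS_AVAILABLE on both apdu_open_reader attempts, i.e. scdaemon did reach pcscd (the disable-ccid switch to PC/SC took effect) but pcscd had no reader to offer, which is a pcscd-side question rather than a scdaemon one.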