Unable to sign or decrypt with card

NIIBE Yutaka gniibe at fsij.org
Thu Sep 14 07:26:07 CEST 2017


Philip Jackson <philip.jackson at nordnet.fr> wrote:
> I have the log file which I attach.
>
> It shows  a number of reports of the same error  (lines 89,91,97,99,101)
> ERR 83886254 Unknown option <PINentry>, before it asks me for the pin
> (line 111). It says 'confidential data not shown' three times but I only
> entered the pin once.
>
> Can you determine anything from this ?

Not much.  It fails just after sending a command to the card.  It seems
that there is some communication problem between the host and the card reader.

How does 'gpg --card-status' work?

You can try to debug scdaemon by having the following in .gnupg/scdaemon.conf:

=============================
debug-level guru
debug-all
verbose
debug-ccid-driver
log-file /run/user/1000/scd.log
=============================

Here is what we can see in your log.

> 2017-09-11 18:10:21 gpg-agent[8972] gpg-agent (GnuPG) 2.1.11 started
[...]

gpg-agent started.

> 2017-09-11 18:10:22 gpg-agent[8972] no running SCdaemon - starting it
[...]

And then scdaemon started, after the PKDECRYPT command from gpg to gpg-agent.

> 2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_7 -> SERIALNO
> 2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_7 <- S SERIALNO D2760001240102000005000028700000 0
> 2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_7 <- OK
[...]

The card works fine when answering its serial number.

> 2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_7 -> PKDECRYPT OPENPGP.2
> 2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_7 <- INQUIRE NEEDPIN ||Please enter the PIN
> 2017-09-11 18:10:22 gpg-agent[8972] starting a new PIN Entry
[...]

gpg-agent sends the PKDECRYPT command to scdaemon, and scdaemon inquires
the PIN for the authentication.

> 2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_8 -> SETDESC Please enter the PIN
> 2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_8 <- OK
> 2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_8 -> SETPROMPT PIN
> 2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_8 <- OK
> 2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_8 -> [[Confidential data not shown]]
> 2017-09-11 18:10:23 gpg-agent[8972] SIGUSR2 received - updating card event counter
> 2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_8 <- [[Confidential data not shown]]
> 2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_8 <- [[Confidential data not shown]]
> 2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_8 -> BYE
[...]

This is the interaction between pinentry and gpg-agent.

SIGUSR2 (it means: a card is found) comes from scdaemon to gpg-agent,
because scdaemon periodically checks whether a card is inserted.

> 2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_7 -> END
> 2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_7 <- ERR 100663395 Operation cancelled <SCD>
> 2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_7 -> CAN
> 2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_7 <- ERR 100663571 Unknown IPC command <SCD>
> 2017-09-11 18:10:30 gpg-agent[8972] smartcard decryption failed: Operation cancelled
> 2017-09-11 18:10:30 gpg-agent[8972] command 'PKDECRYPT' failed: Operation cancelled <SCD>
> 2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_6 -> ERR 100663395 Operation cancelled <SCD>
[...]

gpg-agent sends the PIN to scdaemon (until "END"), and I think that
scdaemon then sends a command to the card through the card reader.  But it fails.

There are two ways to access a card reader for GnuPG.  One is through
PC/SC, and the other is the internal CCID driver of GnuPG.  If it doesn't work
well with PC/SC, it's worth trying the internal CCID driver (or vice versa).
-- 
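The reading of the log above can be mechanised. The following script is an added example, not code from the original post or from GnuPG: it parses the `DBG: chan_N -> / <-` Assuan trace lines that gpg-agent writes, reports every `ERR` line together with the last line seen on the same channel (what was in flight when the error came back), and splits the numeric gpg-error value into its error source (bits 24-30) and error code (low 16 bits), which is how libgpg-error packs `gpg_error_t`. The sample log is an excerpt of the lines quoted in this thread; the source and code name tables cover only the GnuPG components and the three codes that appear here.

```python
"""Decode the Assuan trace in a gpg-agent debug log.

Added example (not part of the original post). For every ERR line it
reports the channel, the previous line on that channel, and the packed
gpg-error value split into source and code, so that
"ERR 100663395 Operation cancelled <SCD>" reads as source 6 (SCD),
code 99 (GPG_ERR_CANCELED).
"""
import re

# One "DBG: chan_N -> ..." / "DBG: chan_N <- ..." trace line as gpg-agent prints it.
TRACE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<prog>[\w-]+)\[(?P<pid>\d+)\] DBG: "
    r"chan_(?P<chan>\d+) (?P<dir>->|<-) (?P<line>.*)$"
)
# Assuan status line carrying a numeric gpg-error value and a description.
ERR_RE = re.compile(r"^ERR (?P<value>\d+)\s*(?P<msg>.*)$")

# Error sources (high byte of gpg_error_t) for the common GnuPG components.
ERR_SOURCE_NAMES = {
    0: "UNKNOWN", 1: "GCRYPT", 2: "GPG", 3: "GPGSM", 4: "GPGAGENT",
    5: "PINENTRY", 6: "SCD", 7: "GPGME", 8: "KEYBOX", 9: "KSBA",
    10: "DIRMNGR", 15: "ASSUAN",
}
# Error codes (low 16 bits) for the three values that occur in this thread.
ERR_CODE_NAMES = {
    99: "GPG_ERR_CANCELED",
    174: "GPG_ERR_UNKNOWN_OPTION",
    275: "GPG_ERR_ASS_UNKNOWN_CMD",
}


def decode_gpg_error(value):
    """Split a packed gpg_error_t into (source, code), like gpg_err_source()/gpg_err_code()."""
    return (value >> 24) & 0x7F, value & 0xFFFF


def parse_trace(log_text):
    """Return the chan_N trace events in log order; other log lines are ignored."""
    events = []
    for raw in log_text.splitlines():
        m = TRACE_RE.match(raw)
        if m:
            events.append(m.groupdict())
    return events


def lines_per_channel(events):
    """Group the trace by channel so each Assuan connection can be read on its own."""
    by_chan = {}
    for ev in events:
        by_chan.setdefault(ev["chan"], []).append((ev["dir"], ev["line"]))
    return by_chan


def find_errors(events):
    """For each ERR line: channel, the line that preceded it on that channel, decoded value."""
    last_on_chan = {}
    errors = []
    for ev in events:
        m = ERR_RE.match(ev["line"])
        if m:
            value = int(m.group("value"))
            source, code = decode_gpg_error(value)
            errors.append({
                "time": ev["ts"],
                "chan": ev["chan"],
                "after": last_on_chan.get(ev["chan"]),
                "value": value,
                "source": source,
                "source_name": ERR_SOURCE_NAMES.get(source, "source %d" % source),
                "code": code,
                "code_name": ERR_CODE_NAMES.get(code, "code %d" % code),
                "message": m.group("msg").strip(),
            })
        last_on_chan[ev["chan"]] = ev["line"]
    return errors


# Excerpt of the log lines quoted in the thread (chan_7 = scdaemon, chan_8 = pinentry,
# chan_6 = the gpg client connection); non-trace lines are kept to show they are skipped.
SAMPLE_LOG = """\
2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_7 -> SERIALNO
2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_7 <- S SERIALNO D2760001240102000005000028700000 0
2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_7 <- OK
2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_7 -> PKDECRYPT OPENPGP.2
2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_7 <- INQUIRE NEEDPIN ||Please enter the PIN
2017-09-11 18:10:22 gpg-agent[8972] starting a new PIN Entry
2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_8 -> SETDESC Please enter the PIN
2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_8 <- OK
2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_8 -> [[Confidential data not shown]]
2017-09-11 18:10:23 gpg-agent[8972] SIGUSR2 received - updating card event counter
2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_8 <- [[Confidential data not shown]]
2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_8 -> BYE
2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_7 -> END
2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_7 <- ERR 100663395 Operation cancelled <SCD>
2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_7 -> CAN
2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_7 <- ERR 100663571 Unknown IPC command <SCD>
2017-09-11 18:10:30 gpg-agent[8972] smartcard decryption failed: Operation cancelled
2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_6 -> ERR 100663395 Operation cancelled <SCD>
"""

if __name__ == "__main__":
    events = parse_trace(SAMPLE_LOG)
    for chan, lines in sorted(lines_per_channel(events).items()):
        print("chan_%s: %d trace lines" % (chan, len(lines)))
    for err in find_errors(events):
        print("%s chan_%s after %r: %s = %s/%s (%s)" % (
            err["time"], err["chan"], err["after"], err["value"],
            err["source_name"], err["code_name"], err["message"]))
```

Run it on a real log with `python3 assuan_errors.py < ~/.gnupg/gpg-agent.log` after replacing `SAMPLE_LOG` with `sys.stdin.read()`. The value of the decoding is that the source byte tells you which process produced the error, so "Unknown option" from source 5 (PINENTRY) and "Operation cancelled" from source 6 (SCD) can be attributed to the right component without guessing from the surrounding lines.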


