Yubikeys and GnuPG 2.2/2.3
Marko Božiković
marko.bozikovic at gmail.com
Fri Jan 7 16:12:35 CET 2022
Hi all,
I run GnuPG 2.2.27 on Windows 10 and gpg-agent + ssh-pageant (from Cygwin)
with Yubikey NEO for my SSH needs.
For some time now, gpg-agent has problems detecting my Yubikey. Windows
sometimes detects Yubikey as "Unknown Smart Card" and I used to resort to
manually updating the driver to get it recognised as "Identity Device (NIST SP
800-73 [PIV])" and then reinserting my Yubikey a few times until gpg
--card-status command recognised Yubikey. This used to "hold" between computer
reboots, but lately has been happening almost every time I reinsert Yubikey NEO.
To avoid furiously reinserting the key and risk breaking something, I wrote a
small PowerShell function that does this (kill scdaemon, restart Windows Smart
Card service and try reading card status):
do {
& gpgconf --kill scdaemon
Restart-Service SCardSvr
& gpg --card-status -vvv
} while ($LASTEXITCODE -ne 0)
This usually works after a few loops. I have both Yubikey NEO and Yubikey 5
and both have the same problem.
My scdaemon.conf has a single line:
card-timeout 1
I tried debugging scdaemon a bit, so I added these lines to scdaemon.conf:
log-file <path to log file>
debug-level basic
verbose
After killing scdaemon.exe and running gpg --card-status, I get:
2022-01-07 15:53:58 scdaemon[9960] listening on socket '<home
dir>\.gnupg\S.scdaemon'
2022-01-07 15:53:58 scdaemon[9960] handler for fd -1 started
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 -> OK GNU Privacy
Guard's Smartcard server ready
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 <- GETINFO socket_name
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 -> D <home
dir>\.gnupg\S.scdaemon
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 -> OK
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 <- OPTION
event-signal=0x00000284
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 -> OK
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 <- GETINFO version
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 -> D 2.2.27
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 -> OK
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 <- SERIALNO
2022-01-07 15:53:58 scdaemon[9960] detected reader 'Yubico Yubikey NEO
OTP+U2F+CCID 0'
2022-01-07 15:53:58 scdaemon[9960] reader slot 0: not connected
2022-01-07 15:53:58 scdaemon[9960] pcsc_connect failed: sharing violation
(0x8010000b)
2022-01-07 15:53:58 scdaemon[9960] reader slot 0: not connected
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 -> ERR 100696144 No
such device <SCD>
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 <- RESTART
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 -> OK
When I run my "fixing" loop, I'll get a few of these blocks and then a success.
Recently, I tried upgrading to GnuPG 2.3.4 and my "fixing" loop does not work
at all. Debugging scdaemon with Yubikey NEO, I get something like this:
2022-01-07 15:48:05 scdaemon[24108] listening on socket '<home
dir>\\AppData\\Local\\gnupg\\d.3b7nddgeibkoou7f\\S.scdaemon'
2022-01-07 15:48:05 scdaemon[24108] handler for fd -1 started
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 -> OK GNU Privacy
Guard's Smartcard server ready
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 <- GETINFO socket_name
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 -> D <home
dir>\AppData\Local\gnupg\d.3b7nddgeibkoou7f\S.scdaemon
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 -> OK
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 <- OPTION
event-signal=290
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 -> OK
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 <- GETINFO version
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 -> D 2.3.4
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 -> OK
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 <- SERIALNO
2022-01-07 15:48:05 scdaemon[24108] detected reader 'Yubico Yubikey NEO
OTP+U2F+CCID 0'
2022-01-07 15:48:05 scdaemon[24108] reader slot 0: not connected
2022-01-07 15:48:05 scdaemon[24108] reader slot 0: active protocol: T1
2022-01-07 15:48:05 scdaemon[24108] slot 0:
ATR=3bfc1300008131fe15597562696b65794e454f7233e1
2022-01-07 15:48:05 scdaemon[24108] no supported card application found: Card
error
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 -> S PINCACHE_PUT 0//
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 -> ERR 100696144 No
such device <SCD>
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 <- RESTART
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 -> OK
With Yubikey 5, I get:
2022-01-07 15:48:46 scdaemon[15680] listening on socket '<home
dir>\\AppData\\Local\\gnupg\\d.3b7nddgeibkoou7f\\S.scdaemon'
2022-01-07 15:48:46 scdaemon[15680] handler for fd -1 started
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 -> OK GNU Privacy
Guard's Smartcard server ready
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 <- GETINFO socket_name
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 -> D <home
dir>\AppData\Local\gnupg\d.3b7nddgeibkoou7f\S.scdaemon
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 -> OK
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 <- OPTION
event-signal=290
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 -> OK
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 <- GETINFO version
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 -> D 2.3.4
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 -> OK
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 <- SERIALNO
2022-01-07 15:48:46 scdaemon[15680] detected reader 'Yubico YubiKey
OTP+FIDO+CCID 0'
2022-01-07 15:48:46 scdaemon[15680] reader slot 0: not connected
2022-01-07 15:48:46 scdaemon[15680] pcsc_connect failed: sharing violation
(0x8010000b)
2022-01-07 15:48:46 scdaemon[15680] reader slot 0: not connected
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 -> S PINCACHE_PUT 0//
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 -> ERR 100696144 No
such device <SCD>
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 <- RESTART
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 -> OK
If I add "psc-shared" option to scdaemon.conf and use Yubikey 5, gpg
--card-status works every time, but I still get "no supported card application
found: Card error" for Yubikey NEO.
Is there any way to get Yubikey NEO working with GnuPG 2.3?
Thank you,
--
Marko Božiković
More information about the Gnupg-users
mailing list