Yubikeys and GnuPG 2.2/2.3

Marko Božiković marko.bozikovic at gmail.com
Fri Jan 7 16:12:35 CET 2022 

Hi all,

I run GnuPG 2.2.27 on Windows 10 and gpg-agent + ssh-pageant (from Cygwin)
with Yubikey NEO for my SSH needs.

For some time now, gpg-agent has problems detecting my Yubikey. Windows
sometimes detects Yubikey as "Unknown Smart Card" and I used to resort to
manually updating the driver to get it recognised as "Identity Device (NIST SP
800-73 [PIV])" and then reinserting my Yubikey a few times until gpg
--card-status command recognised Yubikey. This used to "hold" between computer
reboots, but lately has been happening almost every time I reinsert Yubikey NEO.

To avoid furiously reinserting the key and risk breaking something, I wrote a
small PowerShell function that does this (kill scdaemon, restart Windows Smart
Card service and try reading card status):

do {
    & gpgconf --kill scdaemon
    Restart-Service SCardSvr
    & gpg --card-status -vvv
} while ($LASTEXITCODE -ne 0)

This usually works after a few loops. I have both Yubikey NEO and Yubikey 5
and both have the same problem.

My scdaemon.conf has a single line:

card-timeout 1

I tried debugging scdaemon a bit, so I added these lines to scdaemon.conf:

log-file <path to log file>
debug-level basic
verbose

After killing scdaemon.exe and running gpg --card-status, I get:

2022-01-07 15:53:58 scdaemon[9960] listening on socket '<home
dir>\.gnupg\S.scdaemon'
2022-01-07 15:53:58 scdaemon[9960] handler for fd -1 started
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 -> OK GNU Privacy
Guard's Smartcard server ready
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 <- GETINFO socket_name
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 -> D <home
dir>\.gnupg\S.scdaemon
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 -> OK
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 <- OPTION
event-signal=0x00000284
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 -> OK
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 <- GETINFO version
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 -> D 2.2.27
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 -> OK
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 <- SERIALNO
2022-01-07 15:53:58 scdaemon[9960] detected reader 'Yubico Yubikey NEO
OTP+U2F+CCID 0'
2022-01-07 15:53:58 scdaemon[9960] reader slot 0: not connected
2022-01-07 15:53:58 scdaemon[9960] pcsc_connect failed: sharing violation
(0x8010000b)
2022-01-07 15:53:58 scdaemon[9960] reader slot 0: not connected
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 -> ERR 100696144 No
such device <SCD>
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 <- RESTART
2022-01-07 15:53:58 scdaemon[9960] DBG: chan_0x00000288 -> OK


When I run my "fixing" loop, I'll get a few of these blocks and then a success.


Recently, I tried upgrading to GnuPG 2.3.4 and my "fixing" loop does not work
at all. Debugging scdaemon with Yubikey NEO, I get something like this:

2022-01-07 15:48:05 scdaemon[24108] listening on socket '<home
dir>\\AppData\\Local\\gnupg\\d.3b7nddgeibkoou7f\\S.scdaemon'
2022-01-07 15:48:05 scdaemon[24108] handler for fd -1 started
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 -> OK GNU Privacy
Guard's Smartcard server ready
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 <- GETINFO socket_name
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 -> D <home
dir>\AppData\Local\gnupg\d.3b7nddgeibkoou7f\S.scdaemon
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 -> OK
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 <- OPTION
event-signal=290
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 -> OK
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 <- GETINFO version
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 -> D 2.3.4
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 -> OK
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 <- SERIALNO
2022-01-07 15:48:05 scdaemon[24108] detected reader 'Yubico Yubikey NEO
OTP+U2F+CCID 0'
2022-01-07 15:48:05 scdaemon[24108] reader slot 0: not connected
2022-01-07 15:48:05 scdaemon[24108] reader slot 0: active protocol: T1
2022-01-07 15:48:05 scdaemon[24108] slot 0:
ATR=3bfc1300008131fe15597562696b65794e454f7233e1
2022-01-07 15:48:05 scdaemon[24108] no supported card application found: Card
error
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 -> S PINCACHE_PUT 0//
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 -> ERR 100696144 No
such device <SCD>
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 <- RESTART
2022-01-07 15:48:05 scdaemon[24108] DBG: chan_0x000002d4 -> OK


With Yubikey 5, I get:

2022-01-07 15:48:46 scdaemon[15680] listening on socket '<home
dir>\\AppData\\Local\\gnupg\\d.3b7nddgeibkoou7f\\S.scdaemon'
2022-01-07 15:48:46 scdaemon[15680] handler for fd -1 started
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 -> OK GNU Privacy
Guard's Smartcard server ready
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 <- GETINFO socket_name
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 -> D <home
dir>\AppData\Local\gnupg\d.3b7nddgeibkoou7f\S.scdaemon
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 -> OK
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 <- OPTION
event-signal=290
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 -> OK
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 <- GETINFO version
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 -> D 2.3.4
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 -> OK
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 <- SERIALNO
2022-01-07 15:48:46 scdaemon[15680] detected reader 'Yubico YubiKey
OTP+FIDO+CCID 0'
2022-01-07 15:48:46 scdaemon[15680] reader slot 0: not connected
2022-01-07 15:48:46 scdaemon[15680] pcsc_connect failed: sharing violation
(0x8010000b)
2022-01-07 15:48:46 scdaemon[15680] reader slot 0: not connected
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 -> S PINCACHE_PUT 0//
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 -> ERR 100696144 No
such device <SCD>
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 <- RESTART
2022-01-07 15:48:46 scdaemon[15680] DBG: chan_0x00000308 -> OK


If I add "psc-shared" option to scdaemon.conf and use Yubikey 5, gpg
--card-status works every time, but I still get "no supported card application
found: Card error" for Yubikey NEO.

Is there any way to get Yubikey NEO working with GnuPG 2.3?

Thank you,
-- 
Marko Božiković

More information about the Gnupg-users mailing list