[Bug 1197723] New: GPG does not detect cards
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 Bug ID: 1197723 Summary: GPG does not detect cards Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: x86-64 OS: openSUSE Tumbleweed Status: NEW Severity: Major Priority: P5 - None Component: Other Assignee: screening-team-bugs@suse.de Reporter: cosmin.tanczel@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- After the last update gpg does not detect any of the 3 Yubikey cards I have. If I boot from a read only snapshot (28th), the gpg --card-status show the hw key. lsusb Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub Bus 003 Device 005: ID 06cb:00da Synaptics, Inc. Bus 003 Device 004: ID 5986:212b Acer, Inc Integrated Camera Bus 003 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver Bus 003 Device 002: ID 1050:0407 Yubico.com Yubikey 4/5 OTP+U2F+CCID Bus 003 Device 006: ID 8087:0026 Intel Corp. AX201 Bluetooth Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub gpg --card-status gpg: selecting card failed: No such device gpg: OpenPGP card not available: No such device -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 Cosmin Tanczel <cosmin.tanczel@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P2 - High Found By|--- |Community User Target Milestone|--- |Current -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 http://bugzilla.opensuse.org/show_bug.cgi?id=1197723#c1 Andreas Stieger <Andreas.Stieger@gmx.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P2 - High |P5 - None CC| |Andreas.Stieger@gmx.de, | |cosmin.tanczel@gmail.com Flags| |needinfo?(cosmin.tanczel@gm | |ail.com) Severity|Major |Normal --- Comment #1 from Andreas Stieger <Andreas.Stieger@gmx.de> --- (In reply to Cosmin Tanczel from comment #0)
After the last update
Which update? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 http://bugzilla.opensuse.org/show_bug.cgi?id=1197723#c2 --- Comment #2 from Cosmin Tanczel <cosmin.tanczel@gmail.com> --- Hi Andreas, There was an update on 28th of March. If needed I can later check the zypper logs. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 http://bugzilla.opensuse.org/show_bug.cgi?id=1197723#c3 --- Comment #3 from Cosmin Tanczel <cosmin.tanczel@gmail.com> --- On 28th off March I did the usual zypper dup and since then gpg doesn't detected any of the cards I have. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 http://bugzilla.opensuse.org/show_bug.cgi?id=1197723#c4 --- Comment #4 from Cosmin Tanczel <cosmin.tanczel@gmail.com> --- Created attachment 857548 --> http://bugzilla.opensuse.org/attachment.cgi?id=857548&action=edit zypper package updates on 2022-03-28 Not a permission issue since I got the same error when running as root. Yubikey manager shows that there is a slot configure for openpgp -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 http://bugzilla.opensuse.org/show_bug.cgi?id=1197723#c5 --- Comment #5 from Cosmin Tanczel <cosmin.tanczel@gmail.com> --- Created attachment 857550 --> http://bugzilla.opensuse.org/attachment.cgi?id=857550&action=edit zypper package updates on 2022-03-29 adding the install log on 29 since I'm not sure when was the day that affected the gpg. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 http://bugzilla.opensuse.org/show_bug.cgi?id=1197723#c6 Cosmin Tanczel <cosmin.tanczel@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P2 - High --- Comment #6 from Cosmin Tanczel <cosmin.tanczel@gmail.com> --- Are there any workaround?? Since I am using ssh agent (with HW keys) it's quite urgent. Is there any other info needed? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 http://bugzilla.opensuse.org/show_bug.cgi?id=1197723#c7 Andreas Stieger <Andreas.Stieger@gmx.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P2 - High |P5 - None Flags|needinfo?(cosmin.tanczel@gm | |ail.com) | --- Comment #7 from Andreas Stieger <Andreas.Stieger@gmx.de> --- I think we need you to cut down the list of packages - there is no obvious candidate. Can you please selectively upgrade some of them until you find a set or single package that causes this? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 http://bugzilla.opensuse.org/show_bug.cgi?id=1197723#c8 --- Comment #8 from Cosmin Tanczel <cosmin.tanczel@gmail.com> --- That's kind of hard to do it in a short time. I'm traveling on this weekend so the earliest I can do this is tomorrow night, but I am forced to temporary use another distro just because of this :( -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 http://bugzilla.opensuse.org/show_bug.cgi?id=1197723#c9 --- Comment #9 from Cosmin Tanczel <cosmin.tanczel@gmail.com> --- After the update: #echo scd getinfo reader_list | gpg-connect-agent --decode D 1050:0407:X:0 OK #ykman list --serials ******* #ykman --device ******* info Device type: YubiKey 5 Nano Serial number: ******* Firmware version: 5.2.7 Form factor: Nano (USB-A) Enabled USB interfaces: OTP, FIDO, CCID Applications FIDO2 Enabled OTP Enabled FIDO U2F Enabled OATH Enabled YubiHSM Auth Not available OpenPGP Enabled PIV Enabled #gpg --card-status gpg: selecting card failed: No such device gpg: OpenPGP card not available: No such device -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 http://bugzilla.opensuse.org/show_bug.cgi?id=1197723#c10 Andreas Stieger <Andreas.Stieger@gmx.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|screening-team-bugs@suse.de |pmonrealgonzalez@suse.com Flags| |needinfo?(cosmin.tanczel@gm | |ail.com) --- Comment #10 from Andreas Stieger <Andreas.Stieger@gmx.de> --- Well none of gpg2 or it's dependencies were touched in your update logs. Hence me asking. Please also provide an strace of the gpg execition. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 http://bugzilla.opensuse.org/show_bug.cgi?id=1197723#c11 --- Comment #11 from Cosmin Tanczel <cosmin.tanczel@gmail.com> --- Created attachment 857725 --> http://bugzilla.opensuse.org/attachment.cgi?id=857725&action=edit strace gpg not detecting keys strace gpg not detecting keys -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 http://bugzilla.opensuse.org/show_bug.cgi?id=1197723#c12 --- Comment #12 from Cosmin Tanczel <cosmin.tanczel@gmail.com> --- Created attachment 857726 --> http://bugzilla.opensuse.org/attachment.cgi?id=857726&action=edit strace gpg detecting keys I am also adding a strace of the gpg --card-status from another computer that was not yet updated, where it works. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 Andreas Stieger <Andreas.Stieger@gmx.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(cosmin.tanczel@gm | |ail.com) | -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 http://bugzilla.opensuse.org/show_bug.cgi?id=1197723#c13 --- Comment #13 from Cosmin Tanczel <cosmin.tanczel@gmail.com> --- Sorry but I really don't have time to debug further, but the problem seems to be related to pcscd. The workaround is to stop pcscd socket and the cards are detected: systemctl stop pcscd.socket Can you please check further? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 http://bugzilla.opensuse.org/show_bug.cgi?id=1197723#c14 --- Comment #14 from Cosmin Tanczel <cosmin.tanczel@gmail.com> --- Ok, found some spare time: It seems after the last update we enable pcscd.service by default at boot time. On the computer that was not updated and gpg works (detects the cards), the pcscd service is NOT enabled by default at boot time. So this is what it was changed. Anyways... it should also work with pcscd service enabled, but I think the service is starting with 'disable-ccid' instead of 'pcsc-shared'. And ... to be honest, I am not sure how secure it is to start with pcsc-shared, because if we start it with pcsc-share, scdaemon gets exclusive access to the card and for it can cache some information from the card. But again... I am just a user, so I am not sure if what I said above makes any sense for you :) Bottom line, after the last update we enable pcscd.service by default and this makes gpg not able to detect the card, so the solution was to disable this service. I think it's just a workaround since pcscd service might be used for something else, so it's not really a solution for those who really need it. But again... I am just a user, so I am not sure if what I said above makes any sense for you :) Please let me know if I can provide any other information to get this solved. Thank you! -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 http://bugzilla.opensuse.org/show_bug.cgi?id=1197723#c15 --- Comment #15 from Cosmin Tanczel <cosmin.tanczel@gmail.com> --- Can someone please check if the pcscd.service is enabled by default with the latest update? Just trying to make sure it was not a manual action that I did. Thanks, -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 http://bugzilla.opensuse.org/show_bug.cgi?id=1197723#c16 Andreas Stieger <Andreas.Stieger@gmx.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |pmonrealgonzalez@suse.com Assignee|pmonrealgonzalez@suse.com |wolfgang@rosenauer.org Summary|GPG does not detect cards |default enabled | |pcscd.service prevents | |gnupg from detecting GPG | |cards --- Comment #16 from Andreas Stieger <Andreas.Stieger@gmx.de> --- We auto-start pcscd.socket since bug 1063983 but not pcscd.socket. Wolfgang? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 http://bugzilla.opensuse.org/show_bug.cgi?id=1197723#c17 --- Comment #17 from Cosmin Tanczel <cosmin.tanczel@gmail.com> --- Don't really understand. I just installed the OS again and this how it is for me: systemctl status pcscd.service * pcscd.service - PC/SC Smart Card Daemon Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled) Active: inactive (dead) TriggeredBy: * pcscd.socket Docs: man:pcscd(8) systemctl status pcscd.socket * pcscd.socket - PC/SC Smart Card Daemon Activation Socket Loaded: loaded (/usr/lib/systemd/system/pcscd.socket; enabled; vendor preset: enabled) Active: active (listening) since Mon 2022-04-04 19:23:21 EEST; 14min ago Until: Mon 2022-04-04 19:23:21 EEST; 14min ago Triggers: * pcscd.service Listen: /run/pcscd/pcscd.comm (Stream) CGroup: /system.slice/pcscd.socket So pcscd.service enabled but not active and pcscd.socket enabled AND started ! I guess you meant to say: We auto-start pcscd.socket since bug 1063983 but not pcscd.service. ?? Thanks -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 http://bugzilla.opensuse.org/show_bug.cgi?id=1197723#c18 --- Comment #18 from Wolfgang Rosenauer <wolfgang@rosenauer.org> --- That is how it was and is intended, yes. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 http://bugzilla.opensuse.org/show_bug.cgi?id=1197723#c19 --- Comment #19 from Wolfgang Rosenauer <wolfgang@rosenauer.org> --- There is also nothing new about it. That is how pcsc is "enabled" in openSUSE since quite a while. If something changed it might be some application which is accessing the pcscd socket and then starts up the service for you. The behavior seems to be the best approach to run pcscd for those with corresponding cardreaders. I'm also using a cyberjack reader via pcscd and at the same time an OpenPGP enabled yubikey. To make those work in parallel I had to configure ~/.gnupg/scdaemon.conf: disable-ccid pcsc-driver /usr/lib64/libpcsclite.so reader-port "Yubico YubiKey OTP+FIDO+CCID 00 00" -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1197723 http://bugzilla.opensuse.org/show_bug.cgi?id=1197723#c20 Cosmin Tanczel <cosmin.tanczel@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #20 from Cosmin Tanczel <cosmin.tanczel@gmail.com> --- Not sure what has been fixed but it works out of the box now. -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com