Bug 1460226
| Field | Value |
|---|---|
| Summary | gnupg stopped working for yubikey 4 |
| Product | [Fedora] Fedora |
| Component | gnupg2 |
| Version | 27 |
| Status | CLOSED EOL |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Reporter | Christian Kellner <ckellner> |
| Assignee | Tomas Mraz <tmraz> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | bcl, jamielinux, jjelen, js, klember, ludovic.rousseau+fedoraproject, nmavrogi, oxdef+redhat, rrelyea, tmraz |
| Last Closed | 2018-11-30 21:58:17 UTC |

Description
Christian Kellner
2017-06-09 12:16:23 UTC
Shouldn't that be reported against gnupg?

(In reply to Nikos Mavrogiannopoulos from comment #1)
> Shouldn't that be reported against gnupg?

I wasn't totally sure either, I guess it is hard to say who actually is the culprit without having found the root cause. If pcsc-lite is installed, using it seems to not work:
- gpg fails with: "pcsc_connect failed: sharing violation (0x8010000b)"
- gpg2 is using scdaemon, which first tries the ccid backend itself, and when that fails, also tries to use pcscd, which in turn also fails with the same error: "pcsc_connect failed: sharing violation (0x8010000b)"

Relevant log:
--- 8< ---
2017-06-09 14:03:40 scdaemon[31856] ccid open error: skip
2017-06-09 14:03:40 scdaemon[31856] DBG: enter: apdu_open_reader: portstr=(null)
2017-06-09 14:03:40 scdaemon[31856] detected reader 'Yubico Yubikey 4 OTP+U2F+CCID 00 00'
2017-06-09 14:03:40 scdaemon[31856] detected reader ''
2017-06-09 14:03:40 scdaemon[31856] reader slot 0: not connected
2017-06-09 14:03:40 scdaemon[31856] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
2017-06-09 14:03:40 scdaemon[31856] DBG: enter: apdu_connect: slot=0
2017-06-09 14:03:40 scdaemon[31856] pcsc_connect failed: sharing violation (0x8010000b)
--- >8 ---

The error code description, btw, is "The smart card cannot be accessed because of other connections outstanding." Uninstalling pcsc makes at least gpg2 work (gpg of course, relying on pcsc, doesn't work anymore). So pcsc was my sophisticated guess. What I meant with the "race" was a total shot in the dark: maybe pcscd tries to access the yubikey at the same time as scdaemon tries to use the ccid backend and then they both fail. Although on a second thought that might be nonsense because then at least one should win, I guess. I guess I should get a debug log output from pcscd. I will try to get that later today.

Created attachment 1286657: pcscd log

Log obtained via:
sudo LIBCCID_ifdLogLevel=0x000F pcscd --foreground --debug --apdu --color | tee log.txt

From a quick look it seems that there is already a client connected, which would explain the sharing violations. Maybe (another shot in the dark) gsd-smartcard?

Well pcsc-daemon is the system daemon for smart cards. If gnupg doesn't work with it, it is a problem of gnupg. I do not believe there is more we can do on that.

Christian, I'd suggest reporting the issue upstream as I do not have the Yubikey 4.

The same problem on the latest Fedora 26.

Can you please report the problem upstream to https://dev.gnupg.org/ ?

This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.

FYI this is the same issue as currently discussed in OpenSC upstream and the same as I am hitting just now:
https://github.com/OpenSC/OpenSC/issues/953#issuecomment-345551430
The gpg2 wants exclusive access, but something is accessing the yk before you do (either automatically or I do manually). From what I see, the easiest would be for gpg not to require exclusive access, but it is probably something that is not acceptable for gpg developers.

We should be able to address this issue by using a different scdaemon (gnupg-pkcs11-scd), which does not require exclusive locking and uses a standard PKCS#11 driver, such as OpenSC:
https://bodhi.fedoraproject.org/updates/FEDORA-2018-bfc98963aa
But
* currently released OpenSC does not work with this version of OpenPGP applet in current Yubikey (upstream PR [1]),
* there is no way to work with both PIV and OpenPGP applets at the same time from the same PKCS#11 module without configuration change (ongoing work in upstream [2])
* the configuration of gnupg-pkcs11-scd itself is not exactly trivial.

[1] https://github.com/OpenSC/OpenSC/pull/1232
[2] https://github.com/OpenSC/OpenSC/issues/962

Furthermore gnupg-pkcs11-scd config does not support PKCS#11 URIs.

I see a similar issue with Thunderbird + Enigmail and my Yubikey NEO. Restarting pcscd helps until I unplug the Yubikey and plug it back in.

This message is a reminder that Fedora 27 is nearing its end of life. On 2018-Nov-30 Fedora will stop maintaining and issuing updates for Fedora 27. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '27'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 27 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Fedora 27 changed to end-of-life (EOL) status on 2018-11-30. Fedora 27 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
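
The failure pattern in the scdaemon log quoted in this report (internal CCID driver skipped, fallback to PC/SC, then `pcsc_connect failed`) can be picked out of larger logs mechanically. The following is an added example, not part of the bug thread or of GnuPG; the function name `triage` is hypothetical, the sample lines are the ones from the report, and the symbolic names are the PC/SC return codes from pcsc-lite's headers.

```python
import re

PCSC_CODES = {  # subset of PC/SC return codes from pcsc-lite's pcsclite.h
    0x8010000B: "SCARD_E_SHARING_VIOLATION",
    0x8010000C: "SCARD_E_NO_SMARTCARD",
    0x8010001D: "SCARD_E_NO_SERVICE",
}

LINE = re.compile(r"^(\S+ \S+) scdaemon\[(\d+)\] (?:DBG: )?(.*)$")
FAIL = re.compile(r"pcsc_connect failed: .*\((0x[0-9a-fA-F]{8})\)")
READER = re.compile(r"detected reader '(.+)'")

def triage(log_text):
    """Return one finding per failed pcsc_connect, tracked per scdaemon PID."""
    state, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, pid, msg = m.groups()
        st = state.setdefault(pid, {"ccid_failed": False, "backend": None, "reader": None})
        if msg.startswith("ccid open error"):
            st["ccid_failed"] = True      # scdaemon's internal CCID driver gave up
        elif (r := READER.search(msg)):
            st["reader"] = st["reader"] or r.group(1)   # first non-empty reader name
        elif "apdu_open_reader =>" in msg and "[pc/sc]" in msg:
            st["backend"] = "pc/sc"       # reader was opened through pcscd instead
        elif (f := FAIL.search(msg)):
            code = int(f.group(1), 16)
            findings.append({
                "time": ts, "pid": int(pid), "reader": st["reader"],
                "ccid_fallback": st["ccid_failed"] and st["backend"] == "pc/sc",
                "code": PCSC_CODES.get(code, f"unknown 0x{code:08x}"),
            })
    return findings

# Sample input: the scdaemon log lines quoted in the report above.
SAMPLE = """\
2017-06-09 14:03:40 scdaemon[31856] ccid open error: skip
2017-06-09 14:03:40 scdaemon[31856] DBG: enter: apdu_open_reader: portstr=(null)
2017-06-09 14:03:40 scdaemon[31856] detected reader 'Yubico Yubikey 4 OTP+U2F+CCID 00 00'
2017-06-09 14:03:40 scdaemon[31856] detected reader ''
2017-06-09 14:03:40 scdaemon[31856] reader slot 0: not connected
2017-06-09 14:03:40 scdaemon[31856] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
2017-06-09 14:03:40 scdaemon[31856] DBG: enter: apdu_connect: slot=0
2017-06-09 14:03:40 scdaemon[31856] pcsc_connect failed: sharing violation (0x8010000b)
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A finding with `ccid_fallback` true and `SCARD_E_SHARING_VIOLATION` matches the situation described in the thread: scdaemon reached the card only through pcscd, where another client already held a connection.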