Bug 2007923 - gnupg2-2.3.2-2 depends on pcsc-lite-ccid
Summary: gnupg2-2.3.2-2 depends on pcsc-lite-ccid
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: gnupg2
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Red Hat Crypto Team
QA Contact: Fedora Extras Quality Assurance
Reported: 2021-09-26 07:31 UTC by dac.override
Modified: 2021-10-29 22:59 UTC (History)

Fixed In Version: gnupg2-2.3.2-3.fc35
Last Closed: 2021-10-29 22:59:47 UTC
Type: Bug
Embargoed:


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Issue Tracker | FC-289 | 0 | None | None | None | 2021-09-26 07:35:06 UTC |

Description dac.override 2021-09-26 07:31:56 UTC
Description of problem:
https://src.fedoraproject.org/rpms/gnupg2/c/1450ac3691930d70bdb97eed866023c31a51cec2?branch=rawhide

This change effectively adds a dependency on pcsc-lite-ccid.

The built-in ccid support is often good enough.

Version-Release number of selected component (if applicable):
gnupg2-2.3.2-2.fc36.x86_64

How reproducible:
update

This version also seems to introduce an issue with "pass" failing because it uses the "--batch" option. Commenting out "--batch" in /usr/bin/pass addresses that issue.

Comment 1 dac.override 2021-09-26 09:54:06 UTC
Ignore that last part about pass --batch not working; that seems to have always been an issue with pass. Nothing new, I just never noticed it.

Comment 2 dac.override 2021-09-26 09:59:54 UTC
Just in case I am unclear:

Please build gnupg2 with ccid support if possible. That works fine for most gpg smart cards AFAIK (it works for me: nitrokey) and it allows one to use that smartcard without installing pcsc-lite-ccid.

With this change you will have to install pcsc-lite-ccid if you use a gpg smartcard, regardless of whether gnupg would be able to support it without pcsc-lite-ccid.

I really want to avoid having to install pcsc-lite-ccid and have that long-running privileged pcscd daemon forced on me.

Comment 3 Bob Relyea 2021-09-27 16:25:10 UTC
It doesn't work fine *with* pcsc-lite-ccid installed and running. If you aren't running pcsc-lite-ccid, then you can't share your tokens with other applications, so our standard setup is with pcscd and pcsc-lite-ccid. You probably want upstream to be able to autodetect pcsc-lite-ccid running and use it if it is running before it goes directly to the token. Then we could probably enable both, but right now only one works at a time, which means our default would be with the standard daemon running.

Comment 4 Jakub Jelen 2021-09-29 14:14:01 UTC
(In reply to dac.override from comment #2)
> Just in case I am unclear:
> 
> Please build gnupg2 with ccid support if possible. That works fine for most
> gpg smart cards AFAIK (it works for me: nitrokey) and it allows one to use
> that smartcard without installing pcsc-lite-ccid.

The issue is that when gpg's scdaemon takes over the USB device, nothing else in
the system can access it. It works the other way round too. If pcscd tries to
access the device first, then gpg's scdaemon cannot access it. The pcscd is a
middle-man through which both of the users can go and coexist. I do not know why
gnupg decided to bundle the ccid driver. Regardless of whether I want to use gpg or not
(and gpg is part of the minimal OS, I think), neither of the use cases works out of
the box (or it is random, which is even worse). It is a smaller issue for nitrokey,
but an even larger issue for yubikeys having both piv and openpgp applets on them.

I introduced this change based on the following bug, which also provides a workaround
for the original problem:

https://bugzilla.redhat.com/show_bug.cgi?id=2005714#c1

I think it would be best to provide the opposite switch for users like you to "enable-ccid",
but I am not sure if this is implemented in gnupg right now. I will have to check.

> With this change you will have to install pcsc-lite-ccid if you use a gpg
> smartcard, regardless of whether gnupg would be able to support it without
> pcsc-lite-ccid.

Right. That is the case if you need to use the smart card functionality of gpg.
Otherwise it should not be needed. It should be in recommends at least.

> I really want to avoid having to install pcsc-lite-ccid and have
> that long-running privileged pcscd daemon forced on me.

The pcscd is not started automatically. There is only the systemd socket and pcscd
has the --auto-exit feature, which exits when unused for some time. It is also a pretty small
daemon with pretty limited functionality. It can probably be locked down even more,
but I did not look into that.

It's hard to accommodate all the different use cases out of the box, which include:

 * the ones who want to use gpg with ccid
 * the ones who want to use gpg with pcscd
 * the ones who want to use pkcs11 interface of smart cards/tokens

and their combinations.
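
The reader contention described in comment 4, as an added example that is not part of the original bug report nor code from gnupg or Fedora: a shell check that classifies a host by whether scdaemon may claim the USB reader itself and whether pcscd is socket-activated. It assumes a scdaemon built with the internal CCID driver, GnuPG's `disable-ccid` option in scdaemon.conf and the systemd unit name `pcscd.socket`; the function names and the four labels are hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumptions: scdaemon was built with
# its internal CCID driver, `disable-ccid` is the scdaemon.conf option that
# turns it off, and pcscd is socket-activated through pcscd.socket.

# Succeeds when scdaemon may open the USB reader directly (no disable-ccid).
scd_uses_internal_ccid() {
    [ -r "$1" ] || return 0     # no config file: option is not set
    ! grep -Eq '^[[:space:]]*disable-ccid[[:space:]]*$' "$1"
}

# Prints "active" when systemd would start pcscd on demand.
pcscd_state() {
    if systemctl is-active --quiet pcscd.socket 2>/dev/null; then
        echo active
    else
        echo inactive
    fi
}

# classify CONF STATE -> one hypothetical label:
#   conflict    both scdaemon and pcscd may grab the reader; first one wins
#   exclusive   only scdaemon touches the reader; PKCS#11 users are locked out
#   shared      scdaemon goes through pcscd, other applications can coexist
#   unreachable CCID is disabled but nothing listens for PC/SC clients
classify() {
    if scd_uses_internal_ccid "$1"; then
        if [ "$2" = active ]; then echo conflict; else echo exclusive; fi
    else
        if [ "$2" = active ]; then echo shared; else echo unreachable; fi
    fi
}

# Constructed sample config, then the same check against this host.
demo=$(mktemp)
printf 'disable-ccid\n' > "$demo"
echo "sample (disable-ccid, socket active): $(classify "$demo" active)"
rm -f "$demo"
echo "this host: $(classify "${GNUPGHOME:-$HOME/.gnupg}/scdaemon.conf" "$(pcscd_state)")"
```

A `conflict` result corresponds to the "random" behaviour mentioned in comment 4, where whichever daemon opens the reader first locks the other out.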

Comment 5 Fedora Update System 2021-10-06 09:27:31 UTC
FEDORA-2021-4bf2879524 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-4bf2879524

Comment 6 Fedora Update System 2021-10-07 15:53:45 UTC
FEDORA-2021-4bf2879524 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-4bf2879524`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-4bf2879524

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2021-10-29 22:59:47 UTC
FEDORA-2021-4bf2879524 has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.

