Page MenuHome GnuPG
Create Task
Maniphest T4620

no support for multiple (yubikey) smartcards plugged in at the same time
Closed, ResolvedPublic
Actions

Description

I have two Yubikey 5s: one for personal use and one for work. Each have a full set of subkeys; what I use most often is the authentication subkey for SSH authentication.

When the first card is plugged in already, plugging in the second card doesn't cause its key to show up in gpg-agent's SSH agent, or to be visible in any way. scdaemon seems unaware of the other card in all ways I can see -- from within gpg-connect-agent, I can see that scd getinfo card_list shows just the first one. The output of scd getinfo reader_list under Debian Buster running gpg 2.2.12 is similar -- just the one reader is listed. Under Windows with gpg4win 3.1.9 (which packages gpg 2.2.16), scd getinfo reader_list returns ERR 100663354 No data <SCD>

Furthermore, on gpg4win, unplugging the first card does not cause the second card to be recognized: instead, gpg --card-status as well as ssh-add -L report the old, now-unplugged card! (Unplugging the second card fixes this.) Fortunately I cannot reproduce this behavior on Debian -- there, unplugging the first card means the second card is immediately recognized.

I realize that it's probably quite a big project to add multi-card support to scdaemon, gpg-agent, and the gpg UI itself when it wasn't built in from the start, but I'd love to see any of the following:

  • On Windows, unplugging the first card should be recognized by scdaemon, instead of reporting stale data; ideally the second card is recognized without replugging it (as it is under Debian)
  • The ability to issue Assuan command(s) to scdaemon to switch between cards/readers when multiple Yubikeys are plugged in
  • Even if gpg proper cannot use both cards at once, the ability for gpg-agent to serve the SSH keys of each card simultaneously

I'm happy to split this up into a bug report and a feature request, or multiple of each -- please let me know what makes the most sense. Thanks!

Details

Version
2.2.16

Related Objects
Search...

Event Timeline

chrisd created this task.Jul 13 2019, 7:57 AM
szpak added a subscriber: szpak.Jul 13 2019, 10:52 PM
szpak removed a subscriber: szpak.
werner added subscribers: gniibe, werner.Jul 15 2019, 8:14 AM

The card frame works received a lot of changes in master but we won't backport it to 2.2. Sorry.

Unrelated:
@gniibe: I recently introduced a regression in master so that multiple cards using the same application don't work anymore. This was in particualr annopying when doing a release. Would you mind to have a look at it?

asv added a subscriber: asv.Jul 26 2019, 10:55 AM

we won't backport it to 2.2

@werner , could you please elaborate? As far as I understand v2.2.1.7 is the current latest stable release... Do you plan to introduce results of framework update in 2.3.X branch? Thank you.

werner added a comment.Jul 31 2019, 8:54 AM

Right, master will be 2.3.

gniibe claimed this task.Sep 11 2019, 4:39 AM
gniibe triaged this task as High priority.

I created a branch for this task: https://dev.gnupg.org/source/gnupg/repository/gniibe%252FT4620/

gniibe changed the task status from Open to Testing.Sep 19 2019, 1:30 AM

And it is merged into master.
Along with the support of multiple readers/token, the parts which assumes Windows 32-bit are fixed, too.

asv awarded a token.Sep 28 2019, 4:36 PM
gniibe added a project: Restricted Project.Sep 28 2019, 6:53 PM
gniibe added a subtask: T4702: Deadline for the GnuPG 2.3.0 release.Dec 6 2019, 3:08 AM
avemilia added a subscriber: avemilia.Sep 2 2020, 1:54 PM
TaaviE awarded a token.Jan 27 2021, 5:46 PM
TaaviE added a subscriber: TaaviE.
werner closed this task as Resolved.Mar 12 2021, 8:49 AM

More than a year in testing, and I have not seen problems myself anymore.

werner closed subtask T4702: Deadline for the GnuPG 2.3.0 release as Resolved.Mar 16 2021, 4:53 PM