
scdaemon: 'Operation not supported by device' error under macOS after upgrading to 2.3.1
Closed, Resolved, Public

Description

Hi,

Thanks for developing this fantastic project.

I'm running GnuPG under macOS Big Sur 11.2.3 and recently upgraded to GPG 2.3.1 via Homebrew. After the upgrade, my YubiKey stopped working and it seems that there are some permission issues in scdaemon.

GPG output:

$ gpgconf --kill all
$ gpg --card-status -vvv
gpg: using character set 'utf-8'
gpg: Note: RFC4880bis features are enabled.
gpg: no running gpg-agent - starting '/usr/local/Cellar/gnupg/2.3.1/bin/gpg-agent'
gpg: waiting for the agent to come up ... (5s)
gpg: connection to the agent established
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device

gpg-agent logs (debug-all):

2021-04-23 14:10:09 gpg-agent[15443] listening on socket '/Users/frederick/.gnupg/S.gpg-agent'
2021-04-23 14:10:09 gpg-agent[15443] listening on socket '/Users/frederick/.gnupg/S.gpg-agent.extra'
2021-04-23 14:10:09 gpg-agent[15443] listening on socket '/Users/frederick/.gnupg/S.gpg-agent.browser'
2021-04-23 14:10:09 gpg-agent[15443] listening on socket '/Users/frederick/.gnupg/S.gpg-agent.ssh'
2021-04-23 14:10:09 gpg-agent[15444] gpg-agent (GnuPG) 2.3.1 started
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 -> OK Pleased to meet you, process 15442
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 <- RESET
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 -> OK
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 <- OPTION ttyname=/dev/ttys013
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 -> OK
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 <- OPTION ttytype=tmux-256color
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 -> OK
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 <- OPTION lc-ctype=en_AU.UTF-8
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 -> OK
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 <- OPTION lc-messages=en_AU.UTF-8
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 -> OK
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 <- GETINFO version
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 -> D 2.3.1
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 -> OK
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 <- OPTION allow-pinentry-notify
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 -> OK
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 <- OPTION agent-awareness=2.1.0
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 -> OK
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 <- SCD GETINFO version
2021-04-23 14:10:09 gpg-agent[15444] no running /usr/local/Cellar/gnupg/2.3.1/libexec/scdaemon daemon - starting it
2021-04-23 14:10:09 gpg-agent[15444] DBG: agent_flush_cache (pincache only)
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_9 <- OK GNU Privacy Guard's Smartcard server ready
2021-04-23 14:10:09 gpg-agent[15444] first connection to daemon /usr/local/Cellar/gnupg/2.3.1/libexec/scdaemon established
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_9 -> GETINFO socket_name
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_9 <- D /Users/frederick/.gnupg/S.scdaemon
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_9 <- OK
2021-04-23 14:10:09 gpg-agent[15444] DBG: additional connections at '/Users/frederick/.gnupg/S.scdaemon'
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_9 -> OPTION event-signal=31
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_9 <- OK
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_9 -> GETINFO version
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_9 <- D 2.3.1
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_9 <- OK
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 -> D 2.3.1
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 -> OK
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 <- SCD SERIALNO
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_9 -> SERIALNO
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_9 <- ERR 100696144 Operation not supported by device <SCD>
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 -> ERR 100696144 Operation not supported by device <SCD>
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_8 <- [eof]
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_9 -> RESTART
2021-04-23 14:10:09 gpg-agent[15444] DBG: chan_9 <- OK
2021-04-23 14:10:13 gpg-agent[15444] DBG: agent_cache_housekeeping
2021-04-23 14:10:17 gpg-agent[15444] DBG: agent_cache_housekeeping
2021-04-23 14:10:21 gpg-agent[15444] DBG: agent_cache_housekeeping
2021-04-23 14:10:25 gpg-agent[15444] DBG: agent_cache_housekeeping
2021-04-23 14:10:29 gpg-agent[15444] DBG: agent_cache_housekeeping
2021-04-23 14:10:33 gpg-agent[15444] DBG: agent_cache_housekeeping
2021-04-23 14:10:37 gpg-agent[15444] DBG: agent_cache_housekeeping
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 -> OK Pleased to meet you, process 16774
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 <- RESET
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 -> OK
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 <- OPTION ttytype=tmux-256color
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 -> OK
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 <- GETINFO tpm2d_running
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 -> ERR 67109144 IPC parameter error <GPG Agent> - unknown value for WHAT
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 <- [eof]
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 -> OK Pleased to meet you, process 16775
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 <- RESET
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 -> OK
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 <- OPTION ttytype=tmux-256color
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 -> OK
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 <- GETINFO scd_running
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 -> OK
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 <- scd killscd
2021-04-23 14:10:41 gpg-agent[15444] new connection to /usr/local/Cellar/gnupg/2.3.1/libexec/scdaemon daemon established (reusing)
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_9 -> killscd
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_9 <- OK closing connection
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 -> OK
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 <- [eof]
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_9 -> RESTART
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_9 <- [eof]
2021-04-23 14:10:41 gpg-agent[15444] daemon /usr/local/Cellar/gnupg/2.3.1/libexec/scdaemon finished (status 2)
2021-04-23 14:10:41 gpg-agent[15444] DBG: agent_flush_cache (pincache only)
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 -> OK Pleased to meet you, process 16776
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 <- RESET
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 -> OK
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 <- OPTION ttytype=tmux-256color
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 -> OK
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 <- KILLAGENT
2021-04-23 14:10:41 gpg-agent[15444] DBG: chan_8 -> OK closing connection
2021-04-23 14:10:41 gpg-agent[15444] random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
2021-04-23 14:10:41 gpg-agent[15444] secmem usage: 0/32768 bytes in 0 blocks

scdaemon logs (debug-level guru):

2021-04-23 14:10:09 scdaemon[15445] listening on socket '/Users/frederick/.gnupg/S.scdaemon'
2021-04-23 14:10:09 scdaemon[15445] handler for fd -1 started
2021-04-23 14:10:09 scdaemon[15445] DBG: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
2021-04-23 14:10:09 scdaemon[15445] DBG: chan_7 <- GETINFO socket_name
2021-04-23 14:10:09 scdaemon[15445] DBG: chan_7 -> D /Users/frederick/.gnupg/S.scdaemon
2021-04-23 14:10:09 scdaemon[15445] DBG: chan_7 -> OK
2021-04-23 14:10:09 scdaemon[15445] DBG: chan_7 <- OPTION event-signal=31
2021-04-23 14:10:09 scdaemon[15445] DBG: chan_7 -> OK
2021-04-23 14:10:09 scdaemon[15445] DBG: chan_7 <- GETINFO version
2021-04-23 14:10:09 scdaemon[15445] DBG: chan_7 -> D 2.3.1
2021-04-23 14:10:09 scdaemon[15445] DBG: chan_7 -> OK
2021-04-23 14:10:09 scdaemon[15445] DBG: chan_7 <- SERIALNO
2021-04-23 14:10:09 scdaemon[15445] DBG: apdu_open_reader: BAI=141102
2021-04-23 14:10:09 scdaemon[15445] DBG: apdu_open_reader: new device=141102
2021-04-23 14:10:09 scdaemon[15445] ccid open error: skip
2021-04-23 14:10:09 scdaemon[15445] check permission of USB device at Bus 020 Device 017
2021-04-23 14:10:09 scdaemon[15445] DBG: chan_7 -> ERR 100696144 Operation not supported by device <SCD>
2021-04-23 14:10:09 scdaemon[15445] DBG: chan_7 <- RESTART
2021-04-23 14:10:09 scdaemon[15445] DBG: chan_7 -> OK
2021-04-23 14:10:41 scdaemon[15445] DBG: chan_7 <- killscd
2021-04-23 14:10:41 scdaemon[15445] DBG: chan_7 -> OK closing connection

Details

Version
2.3.1

Event Timeline

werner claimed this task.
werner edited projects, added Support, MacOS; removed Bug Report.
werner added a subscriber: werner.

Please have a look at the log:

2021-04-23 14:10:09 scdaemon[15445] check permission of USB device at Bus 020 Device 017

You need to make sure that this USB device (i.e. the YubiKey) has sufficient permissions. GnuPG can't do anything about it. You may however switch to PC/SC based access by adding "disable-ccid" to scdaemon.conf.
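An added example, not part of the original thread and not GnuPG project code: a small shell triage that finds the pattern in the scdaemon log above (CCID open failure, the USB permission hint, and the error returned to gpg-agent) and splits the numeric `ERR` value into its libgpg-error fields. The function names are illustrative assumptions; the sample lines are copied from the log in the report, where source 6 carries the `<SCD>` tag and source 4 the `<GPG Agent>` tag.

```shell
#!/bin/sh
# Added example: triage a scdaemon log for the CCID permission failure.

# Split a libgpg-error value into "source code system-flag".
# Layout: bits 24-30 = error source, bits 0-15 = error code;
# bit 15 of the code marks an errno-derived (system) error.
decode_gpg_err() {
    echo "$(( ($1 >> 24) & 127 )) $(( $1 & 65535 )) $(( ($1 >> 15) & 1 ))"
}

# Read log text on stdin, print one finding per relevant line.
triage_scd_log() {
    while IFS= read -r line; do
        case $line in
            *"ccid open error"*)
                echo "ccid-open-failed" ;;
            *"check permission of USB device at Bus "*)
                loc=${line##*at Bus }            # e.g. "020 Device 017"
                echo "usb-permission bus=${loc%% *} device=${loc##* }" ;;
            *" -> ERR "*)
                num=${line##* -> ERR }; num=${num%% *}
                set -- $(decode_gpg_err "$num")
                echo "err source=$1 code=$2 system=$3" ;;
        esac
    done
}

# Succeeds only if all three signs of the failure discussed here are present.
ccid_permission_failure() {
    out=$(triage_scd_log)
    echo "$out" | grep -q '^ccid-open-failed' &&
    echo "$out" | grep -q '^usb-permission' &&
    echo "$out" | grep -q '^err source=6 .* system=1$'
}

# Sample input: three lines copied from the scdaemon log in the report.
SAMPLE_LOG='2021-04-23 14:10:09 scdaemon[15445] ccid open error: skip
2021-04-23 14:10:09 scdaemon[15445] check permission of USB device at Bus 020 Device 017
2021-04-23 14:10:09 scdaemon[15445] DBG: chan_7 -> ERR 100696144 Operation not supported by device <SCD>'

printf '%s\n' "$SAMPLE_LOG" | triage_scd_log
if printf '%s\n' "$SAMPLE_LOG" | ccid_permission_failure; then
    echo "CCID driver could not open the reader:" \
         "fix USB permissions or set disable-ccid in scdaemon.conf"
fi
```

The same decoder applied to the `ERR 67109144` line in the gpg-agent log gives source 4 with the system flag clear, which separates that unrelated IPC parameter error from the device failure.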

I can confirm disable-ccid works, thank you!

Regarding YubiKey permissions, one probably needs to play around with macOS-specific commands like sc_auth, which I'm not familiar with...

Thank you for the suggestion of disable-ccid; that seems to have solved the problem.

Would you be able to explain why this broke when upgrading to 2.3? I know 2.3 added many new features around SCD such as multi-card support.

Was CCID not used in 2.2?

I am on a Mac running Big Sur.

Hi, as a contributor to NixOS I'd also like some guidance. I'm testing the 2.3 upgrade ahead of 2.4, and it "breaks" YubiKey UX that I know many of us use. This might be because we appear to not yet install gnupg's CCID udev rules. A few questions:

  1. Is the switch from defaulting to PC/SC to CCID a breaking change? Or worth calling more attention to in release notes?
  2. Is there wide coverage from distros when it comes to installing gnupg's ccid udev rules?
  3. Are the gnupg ccid udev rules available from a Git repo (I've only been able to find them in the online gnupg docs)?
  4. Is the OpenPGP app on YubiKeys even accessible via CCID, or do we need to encourage users to use the "disable-ccid" workaround?

Thanks.

  1. It's a breaking change for systems with both PC/SC and CCID. T4673 due to T3300
    • If you configure with no libusb, users don't need 'disable-ccid' option.
  2. I don't know how "wide".
  3. In Debian, it is maintained here: https://salsa.debian.org/debian/gnupg2/-/blob/debian/main/debian/scdaemon.udev
  4. Yes.

Perhaps, if a distro hasn't offered setting of USB, it would be better to configure the GnuPG build with --disable-ccid-driver and only support scdaemon with PC/SC. GPG for Windows does so.

Thanks @gniibe, that's very helpful advice and pointers. Very appreciated, cheers.

@gniibe can you provide any commentary on why the gnupg ccid udev rule is so much smaller than the one Debian maintains? Is the Debian one considered authoritative these days?

@colemickens We don't maintain any ccid udev rules in GnuPG. What are you referring to?

I'm referring to this: https://www.gnupg.org/howtos/card-howto/en/ch02s03.html

But it's okay, I've already packaged up the Debian rules for NixOS, I assume the one in the manpages is old/reference/etc.

I am also a macOS Big Sur user who recently upgraded to 2.3.1 and had problems after upgrading. In my use case, I use the YubiKey as the authentication for the pass password manager, which uses gpg under the hood.

Even after setting 'disable-ccid' in scdaemon.conf, I was still having the problem -- "gpg: keydb_search failed: Invalid argument"

I did some more digging and I found Werner's comments about building the pubring.kbx file from the older pubring.gpg file. His comments are here.

The summary solution is to do this --

cd ~/.gnupg
gpg --export-options backup --export >allkeys.gpg
mv pubring.gpg pubring.gpg-saved
gpg --import-options restore --import <allkeys.gpg
rm allkeys.gpg

Once I completed both steps, I was back in business.