YubiKey no longer recognized in GnuPG 2.3.1 on macOS 10.15.7
Closed, Resolved (Public)

Description

I use GnuPG installed via Homebrew. The recent upgrade to GnuPG 2.3.1 broke my YubiKey 4 integration.

$ gpg --version
gpg (GnuPG) 2.3.1
libgcrypt 1.9.3
$ gpg --card-status
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device

The YubiKey was still recognized by the YubiKey Manager and by System Report of macOS. Downgrading GnuPG with the following commands solved the issue for me:

$ brew install gnupg@2.2
$ echo 'export PATH="/usr/local/opt/gnupg@2.2/bin:$PATH"' >> ~/.bash_login

Maybe you're already aware of this. I just wanted to let you know about this issue and document the workaround for others.

Details

Version
2.3.1

Event Timeline

werner added a subscriber: werner.

Run gpg --debug ipc --card-status to quickly see the communication with the scdaemon.

$ gpg --version
gpg (GnuPG) 2.3.1
libgcrypt 1.9.3
$ gpg --debug ipc --card-status
gpg: reading options from '/Users/user/.gnupg/gpg.conf'
gpg: reading options from '[cmdline]'
gpg: enabled debug flags: ipc
gpg: DBG: chan_3 <- OK Pleased to meet you, process 15218
gpg: DBG: connection to the gpg-agent established
gpg: DBG: chan_3 -> RESET
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> OPTION ttyname=/dev/ttys007
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> OPTION ttytype=xterm-256color
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> OPTION lc-ctype=en_US.UTF-8
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> OPTION lc-messages=en_US.UTF-8
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.3.1
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> OPTION allow-pinentry-notify
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> OPTION agent-awareness=2.1.0
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> SCD GETINFO version
gpg: DBG: chan_3 <- D 2.3.1
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> SCD SERIALNO
gpg: DBG: chan_3 <- ERR 100696144 Operation not supported by device <SCD>
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device
gpg: secmem usage: 0/32768 bytes in 0 blocks

Before downgrading to GnuPG 2.2.27, I created the file ~/.gnupg/scdaemon.conf with a content of reader-port Yubico Yubikey according to this article. The file didn't solve the problem but I haven't removed it yet. Let me know if I shall remove it again.

Also let me know if there are any daemons I have to kill/restart when switching between GnuPG versions by changing the $PATH. Whenever I have problems with my YubiKey, I run gpgconf --kill gpg-agent, which I also executed when I switched from version 2.2.27 back to 2.3.1 but I have no idea whether this is required or sufficient.
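The `ERR 100696144` reply in the log above can be decoded mechanically. The following is an added example, not part of the original thread or of GnuPG: it pairs each Assuan request in a `gpg --debug ipc` log with its reply and splits the error number into libgpg-error's source and code fields. The function names and the embedded sample lines are constructed for illustration.

```python
import re

# Constructed sample: the tail of the `gpg --debug ipc --card-status` log quoted above.
SAMPLE_LOG = """\
gpg: DBG: chan_3 -> SCD GETINFO version
gpg: DBG: chan_3 <- D 2.3.1
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> SCD SERIALNO
gpg: DBG: chan_3 <- ERR 100696144 Operation not supported by device <SCD>
gpg: selecting card failed: Operation not supported by device
"""

# Subset of the libgpg-error source ids (gpg-error.h); names here are display labels.
SOURCES = {2: "gpg", 4: "gpg-agent", 5: "pinentry", 6: "scdaemon", 10: "dirmngr", 15: "assuan"}
LINE = re.compile(r"DBG: chan_\d+ (->|<-) (.*)$")

def decode_gpg_error(value):
    """Split a gpg_error_t into (source id, code, is_system_error, errno index)."""
    source = (value >> 24) & 0x7F      # GPG_ERR_SOURCE_SHIFT and source mask
    code = value & 0xFFFF              # GPG_ERR_CODE_MASK
    is_system = bool(code & 0x8000)    # GPG_ERR_SYSTEM_ERROR flag: code wraps an errno
    return source, code, is_system, (code & 0x7FFF) if is_system else None

def failed_commands(log):
    """Return one dict per Assuan command that was answered with ERR."""
    failures, last_cmd = [], None
    for raw in log.splitlines():
        m = LINE.search(raw)
        if not m:
            continue                   # ordinary gpg output, not IPC traffic
        direction, payload = m.groups()
        if direction == "->":
            last_cmd = payload         # request sent to gpg-agent
        elif payload.startswith("ERR "):
            _, number, *rest = payload.split(" ", 2)
            source, code, is_system, idx = decode_gpg_error(int(number))
            failures.append({
                "command": last_cmd,
                "source": SOURCES.get(source, f"source {source}"),
                "code": code,
                "system_error": is_system,
                "errno_index": idx,
                "message": rest[0] if rest else "",
            })
    return failures

if __name__ == "__main__":
    for failure in failed_commands(SAMPLE_LOG):
        print(failure)
```

For the log above this reports `SCD SERIALNO` as the failing request, with the error raised by scdaemon (source 6) and carrying a wrapped system errno rather than a GnuPG-specific code.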

If it is built with LIBUSB enabled, please try adding the following to your scdaemon.conf:

disable-ccid

If it works and the distribution doesn't offer appropriate USB configuration, I think that it's good for the distribution to use --disable-ccid-driver for building GnuPG.

Sorry for your inconvenience, this is a breaking change in GnuPG 2.3.
Please also see: T5409: scdaemon: 'Operation not supported by device' error under macOS after upgrading to 2.3.1

gniibe triaged this task as High priority.

Or... we could add --disable-ccid-driver as default for macOS.

That would require that we also add an option --enable-ccid-driver - better tell the macOS folks to put disable-ccid-driver into /etc/gnupg/scdaemon.conf

werner removed a subscriber: gillcovid19.

(I disabled this boor and restored the state)

Please read also the report T5442 which is basically the same.

So, has this issue been solved?

Please excuse my late reply. I was busy with other things over the last few weeks.

Yes, putting disable-ccid into ~/.gnupg/scdaemon.conf works for me with GnuPG 2.3.1 under macOS Catalina (10.15).

I still don't understand what the problem is/was, so I cannot judge whether it's better to recommend this manual configuration for Mac users or to disable CCID by default on macOS.

I need CCID to work, disabling this feature is not an option for me (T5442).

At the moment I just downgraded to 2.2, waiting for a fix :-(

gniibe changed the task status from Open to Testing. Aug 25 2021, 3:27 AM

It must be fixed in 2.3.2. If not, please report.