YubiKey no longer recognized in GnuPG 2.3.1 on macOS 10.15.7
Open, High, Public

Description

I use GnuPG installed via Homebrew. The recent upgrade to GnuPG 2.3.1 broke my YubiKey 4 integration.

$ gpg --version
gpg (GnuPG) 2.3.1
libgcrypt 1.9.3
$ gpg --card-status
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device

The YubiKey was still recognized by the YubiKey Manager and by System Report of macOS. Downgrading GnuPG with the following commands solved the issue for me:

$ brew install gnupg@2.2
$ echo 'export PATH="/usr/local/opt/gnupg@2.2/bin:$PATH"' >> ~/.bash_login

Maybe you're already aware of this. I just wanted to let you know about this issue and document the workaround for others.

Details

Version
2.3.1

Event Timeline

werner added a subscriber: werner.

Run gpg --debug ipc --card-status to quickly see the communication with the scdaemon.

$ gpg --version
gpg (GnuPG) 2.3.1
libgcrypt 1.9.3
$ gpg --debug ipc --card-status
gpg: reading options from '/Users/user/.gnupg/gpg.conf'
gpg: reading options from '[cmdline]'
gpg: enabled debug flags: ipc
gpg: DBG: chan_3 <- OK Pleased to meet you, process 15218
gpg: DBG: connection to the gpg-agent established
gpg: DBG: chan_3 -> RESET
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> OPTION ttyname=/dev/ttys007
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> OPTION ttytype=xterm-256color
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> OPTION lc-ctype=en_US.UTF-8
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> OPTION lc-messages=en_US.UTF-8
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.3.1
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> OPTION allow-pinentry-notify
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> OPTION agent-awareness=2.1.0
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> SCD GETINFO version
gpg: DBG: chan_3 <- D 2.3.1
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> SCD SERIALNO
gpg: DBG: chan_3 <- ERR 100696144 Operation not supported by device <SCD>
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device
gpg: secmem usage: 0/32768 bytes in 0 blocks

Before downgrading to GnuPG 2.2.27, I created the file ~/.gnupg/scdaemon.conf with a content of reader-port Yubico Yubikey according to this article. The file didn't solve the problem but I haven't removed it yet. Let me know if I shall remove it again.

Also let me know if there are any daemons I have to kill/restart when switching between GnuPG versions by changing the $PATH. Whenever I have problems with my YubiKey, I run gpgconf --kill gpg-agent, which I also executed when I switched from version 2.2.27 back to 2.3.1 but I have no idea whether this is required or sufficient.
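
Added example, not part of the thread or of GnuPG's own code: a Python sketch that reads a gpg --debug ipc trace like the one above, pairs each Assuan command with its reply, and decodes the numeric ERR value using libgpg-error's source/code bit layout. The source-name table is a deliberately small subset, the function names are hypothetical, and the sample lines are excerpted from the trace posted above.

```python
import re

# libgpg-error value layout: error source in bits 24-30, error code in bits 0-15.
SOURCE_SHIFT, SOURCE_MASK, CODE_MASK = 24, 0x7F, 0xFFFF
SYSTEM_ERROR = 1 << 15  # set when the code wraps an OS errno
# Subset of libgpg-error source ids, enough for the gpg -> gpg-agent -> scdaemon chain.
SOURCES = {2: "GPG", 4: "GPG Agent", 6: "SCD"}

LINE = re.compile(r"^gpg: DBG: chan_(\d+) (->|<-) (.*)$")


def decode_error(value):
    """Split a numeric ERR value into (source name, code, wraps_os_errno)."""
    source = (value >> SOURCE_SHIFT) & SOURCE_MASK
    code = value & CODE_MASK
    return SOURCES.get(source, f"source {source}"), code, bool(code & SYSTEM_ERROR)


def first_failure(trace):
    """Return the first command answered with ERR, with the decoded error, or None."""
    last_cmd = {}  # channel id -> most recent command sent on it
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # plain gpg messages, not IPC traffic
        chan, direction, payload = m.groups()
        if direction == "->":
            last_cmd[chan] = payload
        elif payload.startswith("ERR "):
            fields = payload.split(" ", 2)
            source, code, is_sys = decode_error(int(fields[1]))
            return {"command": last_cmd.get(chan), "source": source, "code": code,
                    "system_error": is_sys,
                    "text": fields[2] if len(fields) > 2 else ""}
    return None


# Excerpt of the trace from this thread.
SAMPLE = """\
gpg: DBG: chan_3 -> SCD GETINFO version
gpg: DBG: chan_3 <- D 2.3.1
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> SCD SERIALNO
gpg: DBG: chan_3 <- ERR 100696144 Operation not supported by device <SCD>
gpg: selecting card failed: Operation not supported by device
"""

if __name__ == "__main__":
    print(first_failure(SAMPLE))
```

The decoded source agrees with the <SCD> tag in the message, and the system-error bit shows that scdaemon is passing on an OS-level error from its reader access rather than an error reported by the card.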

If it is built with LIBUSB enabled, please try adding the following to your scdaemon.conf:

disable-ccid

If it works and the distribution doesn't offer appropriate USB configuration, I think that it's good for the distribution to use --disable-ccid-driver for building GnuPG.

Sorry for your inconvenience, this is a breaking change in GnuPG 2.3.
Please also see: T5409: scdaemon: 'Operation not supported by device' error under macOS after upgrading to 2.3.1

gniibe triaged this task as High priority.

Or... we could add --disable-ccid-driver as default for macOS.

That would require that we also add an option --enable-ccid-driver - better tell the macOS folks to put disable-ccid-driver into /etc/gnupg/scdaemon.conf

werner removed a subscriber: gillcovid19.

(I disabled this boor and restored the state)