Page MenuHome GnuPG
Create Task
Maniphest T5416

[windows] Smartcards are less reliable under 2.3.1 (requires restarting gpg-agent.exe)
Closed, ResolvedPublic
Actions

Description

(While this relates to Windows, I am using the "vanilla" gpg build, not the gpg4win bundle build. I get the old school pinentry dialog, etc. Hopefully this is in the right place.)

I upgraded my machines to gpg-2.3.1, as I was hoping to test gpg-card for some certain scenarios (unfortunately it doesn't seem to support --fake-system-time as I need, but that's a separate issue).

On my Windows machine, I removed gpg4win, ensured all traces of it were gone (including killed any running gpg/gpg-agent/scdaemon procesess). Then I installed gpg-2.3.1.

For the most part, it works as expected, however, I am having to regularly kill gpg-agent.exe in order for my Yubikey-based OpenPGP smart-card to work.

This clearly shows the issue. I did not touch my yubikey at any point during this sequence:

# step 1: be connected to SSH via yubikey
# step 2: disconnect, remove yubikey, go for walk
# step 3: return home, plug in yubikey again
# step 4:

PS C:\Users\colem> gpg --card-status
gpg: OpenPGP card not available: General error

PS C:\Users\colem> taskkill /IM "gpg-agent.exe" /F
SUCCESS: The process "gpg-agent.exe" with PID 16004 has been terminated.

PS C:\Users\colem> gpg --card-status
Reader ...........: Yubico Yubikey 4 OTP U2F CCID 0
Application ID ...: D2760001240100000006071267080000
Application type .: OpenPGP
# ...etc

Details

Version
2.3.1

Revisions and Commits

rG GnuPG
rG1565baa93ae3 scd: Don't release the context until list_finish for PC/SC.
rG32baa9acfb15 scd: Serialize READER_TABLE access for PC/SC.
rGcccc9bd5db1f scd: Make sure releasing PC/SC context.
rGec5591dc4e1f scd: Fix close_pcsc_reader.

Related Objects

Event Timeline

colemickens created this task.Apr 30 2021, 10:44 PM
colemickens added a comment.Apr 30 2021, 10:46 PM

To note, this is in contrast to my experience with gpg-2.2 (provided by gpg4win). With gpg-2.2, I was reliably using my Yubikey for a variety of things, and it handled hotplugging perfectly, as one would expect.

werner added projects: gnupg (gpg23), scd, yubikey.May 3 2021, 2:00 PM
werner added a subscriber: werner.

Meanwhile we did some more tests on Windows and so you many want to try our betas at

http://gnupg.org/ftp/gcrypt/binary/unstable/gnupg-w32-2.3.2-beta27_20210429.exe
http://gnupg.org/ftp/gcrypt/binary/unstable/gnupg-w32-2.3.2-beta27_20210429.exe.sig

tarballs etc at the usual location. I would be interested to hear whether this solves your problems. BTW. if you run into problems it is enough to "gpgconf --kill scdaemon". The agent will the restart it as needed.

colemickens added a comment.May 4 2021, 8:08 PM

After upgrade:

  1. The problem reported in the OP is resolved. I no longer seem to be able to trigger this bad case - I hotplugged numerous times, with existing ssh sessions open, etc, it all seems great.
  1. ... things seem noticeably faster. I don't know what was tweaked, but my PowerShell profile checks the keys known to the ssh agent, which triggers gpg to check the smart card. Before this beta update, sometimes this would take many, many seconds (nearly 10+ seconds sometimes). Now, it seems that is is always very snappy.

Thank you! for the fast turn around and the binary Windows build to test. This can be closed, or tied to 2.3.2 release or whatever y'all do.

werner closed this task as Resolved.May 5 2021, 8:13 AM
werner claimed this task.
werner triaged this task as Normal priority.

Thanks for testing. I hope to get 2.3.2 out in two weeks.

gniibe reopened this task as Open.May 7 2021, 6:34 AM
gniibe claimed this task.
gniibe added a subscriber: gniibe.

The commit rGbb8e3996e44f: scd: Fix problem with reader list becoming empty. removed READER_TABLE_LOCK holding between apdu_dev_list_start and apdu_dev_list_finish, that opens possible stale resource access for CCID driver: reader_table[slot].ccid.handle

gniibe added a comment.May 7 2021, 6:54 AM

I'm testing D531: Keep holding READER_LOCK_TABLE and make clear distinction among close/releasing_PCSC_context/nullify_rdrname, but I'm not sure about the impact on Windows.

gniibe added a comment.EditedMay 7 2021, 6:59 AM

The problem is accesses to reader_table by
(1) scanning reader(s) to open new one
(2) closing reader

For multiple accesses to (1), we don't need the lock actually because the access is serialized by another resource control by card_list_lock in select_application.

But there may be a thread of (1) and another thread of (2).

colemickens added a comment.May 7 2021, 7:22 AM

Technical commentary on smartcard operation and/or Windows is going to be over my head, so I can't help (just in case you're looking for anything from me). But always happy to drive-test another build. (I've still had no issues, personally, with the build above.) I'll assume you don't need me unless you link another binary build to test or tag me. Thanks again, all.

gniibe added a commit: rGec5591dc4e1f: scd: Fix close_pcsc_reader..May 10 2021, 3:56 AM
gniibe added a commit: rGcccc9bd5db1f: scd: Make sure releasing PC/SC context..
gniibe added a commit: rG32baa9acfb15: scd: Serialize READER_TABLE access for PC/SC..May 11 2021, 3:39 AM
gniibe added a commit: rG1565baa93ae3: scd: Don't release the context until list_finish for PC/SC..Aug 20 2021, 8:25 AM
werner mentioned this in T5405: Release GnuPG 2.3.2.Aug 24 2021, 7:55 PM
werner closed this task as Resolved.Aug 24 2021, 7:59 PM