Page MenuHome GnuPG

[windows] Smartcards are less reliable under 2.3.1 (requires restarting gpg-agent.exe)
Open, NormalPublic

Description

(While this relates to Windows, I am using the "vanilla" gpg build, not the gpg4win bundle build. I get the old school pinentry dialog, etc. Hopefully this is in the right place.)

I upgraded my machines to gpg-2.3.1, as I was hoping to test gpg-card for some certain scenarios (unfortunately it doesn't seem to support --fake-system-time as I need, but that's a separate issue).

On my Windows machine, I removed gpg4win, ensured all traces of it were gone (including killed any running gpg/gpg-agent/scdaemon procesess). Then I installed gpg-2.3.1.

For the most part, it works as expected, however, I am having to regularly kill gpg-agent.exe in order for my Yubikey-based OpenPGP smart-card to work.

This clearly shows the issue. I did not touch my yubikey at any point during this sequence:

# step 1: be connected to SSH via yubikey
# step 2: disconnect, remove yubikey, go for walk
# step 3: return home, plug in yubikey again
# step 4:

PS C:\Users\colem> gpg --card-status
gpg: OpenPGP card not available: General error

PS C:\Users\colem> taskkill /IM "gpg-agent.exe" /F
SUCCESS: The process "gpg-agent.exe" with PID 16004 has been terminated.

PS C:\Users\colem> gpg --card-status
Reader ...........: Yubico Yubikey 4 OTP U2F CCID 0
Application ID ...: D2760001240100000006071267080000
Application type .: OpenPGP
# ...etc

Details

Version
2.3.1

Event Timeline

To note, this is in contrast to my experience with gpg-2.2 (provided by gpg4win). With gpg-2.2, I was reliably using my Yubikey for a variety of things, and it handled hotplugging perfectly, as one would expect.

werner added a subscriber: werner.

Meanwhile we did some more tests on Windows and so you many want to try our betas at

http://gnupg.org/ftp/gcrypt/binary/unstable/gnupg-w32-2.3.2-beta27_20210429.exe
http://gnupg.org/ftp/gcrypt/binary/unstable/gnupg-w32-2.3.2-beta27_20210429.exe.sig

tarballs etc at the usual location. I would be interested to hear whether this solves your problems. BTW. if you run into problems it is enough to "gpgconf --kill scdaemon". The agent will the restart it as needed.

After upgrade:

  1. The problem reported in the OP is resolved. I no longer seem to be able to trigger this bad case - I hotplugged numerous times, with existing ssh sessions open, etc, it all seems great.
  1. ... things seem noticeably faster. I don't know what was tweaked, but my PowerShell profile checks the keys known to the ssh agent, which triggers gpg to check the smart card. Before this beta update, sometimes this would take many, many seconds (nearly 10+ seconds sometimes). Now, it seems that is is always very snappy.

Thank you! for the fast turn around and the binary Windows build to test. This can be closed, or tied to 2.3.2 release or whatever y'all do.

werner claimed this task.
werner triaged this task as Normal priority.

Thanks for testing. I hope to get 2.3.2 out in two weeks.

gniibe claimed this task.
gniibe added a subscriber: gniibe.

The commit rGbb8e3996e44f: scd: Fix problem with reader list becoming empty. removed READER_TABLE_LOCK holding between apdu_dev_list_start and apdu_dev_list_finish, that opens possible stale resource access for CCID driver: reader_table[slot].ccid.handle

The problem is accesses to reader_table by
(1) scanning reader(s) to open new one
(2) closing reader

For multiple accesses to (1), we don't need the lock actually because the access is serialized by another resource control by card_list_lock in select_application.

But there may be a thread of (1) and another thread of (2).

Technical commentary on smartcard operation and/or Windows is going to be over my head, so I can't help (just in case you're looking for anything from me). But always happy to drive-test another build. (I've still had no issues, personally, with the build above.) I'll assume you don't need me unless you link another binary build to test or tag me. Thanks again, all.