Page MenuHome GnuPG
Create Task
Maniphest T5428

PC/SC detecting removal of card
Closed, ResolvedPublic
Actions

Description

On Windows, removed card is not detected correctly in some cases, and the status will be persistent (even if killed scdaemon).

Possibly, our use of PC/SC is not good. Workarounds would be:

  • Use PCSC_SCOPE_USER instead of PCSC_SCOPE_SYSTEM when establish the context.
  • Change the way to watch the removal:
    • Currently, we periodically calls SCardGetStatusChange with the PC/SC context for each reader, with timeout==0 for non-blocking
    • It may be a single blocking call for all readers, by having a dedicated thread
    • Or, we can use SCardStatus function, instead, with per connection handle (instead of the PC/SC context)

Event Timeline

gniibe created this task.May 10 2021, 5:40 AM
gniibe claimed this task.May 10 2021, 6:32 AM

I wonder if PCSC_SHARE_SHARED is related or not.

werner added a subscriber: werner.May 10 2021, 8:49 AM

I don't think that it is --pcsc-shared related; Andre reported that he noticed such a behaviour before we introduced this.

There is also the thing that we (i.e. Windows PC/SC subsystem) detects the removed-card state and reports it. However, there is no way to get rid of this state. Other programs (like the proprietary CardOS viewer) also don't get out of the sate even after having killed all GnuPG processes.

werner triaged this task as High priority.May 10 2021, 8:51 AM
gillcovid19 removed gniibe as the assignee of this task.May 10 2021, 12:42 PM
gillcovid19 added a subscriber: gillcovid19.
werner assigned this task to gniibe.May 10 2021, 6:43 PM
werner removed a subscriber: gillcovid19.

(I disabled the account of this boor)

gniibe added a comment.EditedMay 11 2021, 3:46 AM

On Windows, smartcard is also used by logon/logout and certificates handling. Those may be related.

Here are some links for Removal Policy Service.

https://support.yubico.com/hc/en-us/articles/360013718040-Troubleshooting-the-Smart-Card-Removal-Policy

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior

https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service

https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings

werner added a comment.May 19 2021, 11:46 AM

Funny thing is that I can't replicate it anymore with the current version (2.2.18-beta77). I tested it on two machines and things just worked. One machine had just one reader and the other had several virtual readers in addition to the scr3500. After adding --reader-port for the latter it worked as well. I don't think I had a Windows update in the meantime.

gniibe closed this task as Resolved.Mar 28 2022, 3:51 AM
gniibe added a project: Info Needed.

When we will find reproducible test case, please reopen.