
Serial number detection of Yubikey 5 (Yubikey 5 doesn't work after updating to GnuPG 2.3.1)
Closed, Resolved · Public

Description

Hi :-)

Yesterday I updated my GnuPG version via Homebrew to 2.3.1. After the update my Yubikey 5 NFC was broken:

➜  ~ gpg --card-status
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device

My version:

➜  ~ gpg --version
gpg (GnuPG) 2.3.1
libgcrypt 1.9.3
[...]

scdaemon.conf:

➜  ~ cat ~/.gnupg/scdaemon.conf
reader-port Yubico Yubi
debug-all
debug-level guru
log-file /tmp/scd.log

Some log:

2021-05-19 12:16:35 scdaemon[581] listening on socket '/Users/user/.gnupg/S.scdaemon'
2021-05-19 12:16:35 scdaemon[581] handler for fd -1 started
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 <- GETINFO socket_name
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 -> D /Users/user/.gnupg/S.scdaemon
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 -> OK
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 <- OPTION event-signal=31
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 -> OK
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 <- GETINFO version
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 -> D 2.3.1
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 -> OK
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 <- SERIALNO
2021-05-19 12:16:35 scdaemon[581] DBG: apdu_open_reader: BAI=140301
2021-05-19 12:16:35 scdaemon[581] DBG: apdu_open_reader: new device=140301
2021-05-19 12:16:35 scdaemon[581] ccid open error: skip
2021-05-19 12:16:35 scdaemon[581] check permission of USB device at Bus 020 Device 003
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 -> ERR 100696144 Operation not supported by device <SCD>
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 <- RESTART
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 -> OK

After a quick search I found two possibilities for a workaround:

Add "disable-ccid" to scdaemon.conf.

The Yubikey works, but... I use Yubikeys at large scale, and we actually use the "cardno:" to identify which SSH key belongs to which Yubikey (it is physically engraved on the Yubikey).

An image to better understand: [image not preserved]

On GnuPG 2.2 without CCID disabled:

➜  ~ ssh-add -L
ssh-rsa AAAA.... == cardno:xxxxxxxxxxxxxx

On GnuPG 2.3 with CCID disabled:

➜  ~ ssh-add -L
ssh-rsa AAAA.... == cardno:FF7F00

Also we lose access to the serial number when CCID is disabled:

➜  ~ gpg --card-status
Reader ...........: Yubico YubiKey OTP CCID
Application ID ...: FF7F00
Application type .: OpenPGP
Version ..........: .�
Manufacturer .....: Yubico
Serial number ....: �

When this works normally:

➜  ~ gpg --card-status
Reader ...........: Yubico YubiKey OTP CCID
Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX  <- I hid that on purpose
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: XXXXXXX <- I hid that on purpose

So... I can't really disable CCID.

Roll back to 2.2 for me and all of my co-workers.

This is the solution that works for me, but it is not ideal in the long run.

I am using macOS Big Sur 11.2.3.

Does anyone have a solution to make it work with the latest version of GnuPG, without disabling CCID on macOS? This is really important for me.

In the log I see "check permission of USB device at Bus"; how can I give the appropriate permissions?

Sorry for my poor English.

Thanks

Details

Version
2.3.1

Event Timeline

Suertzz created this object in space S1 Public.
werner added a subscriber: werner.

Thanks for the well written report. We had another already, and thus I merged it into T5415.

If possible, please let us know how you configure the permission to access CCID device with 2.2 (and with 2.3)?

> If possible, please let us know how you configure the permission to access CCID device with 2.2 (and with 2.3)?

On 2.2 CCID works out of the box; when I update to 2.3 CCID doesn't work anymore. I did not configure any permissions.

I see your situation.

Could you please help me to analyze what's going on?
Please add the following lines to your scdaemon.conf to see the CCID driver's debug output:

debug-ccid-driver
verbose
verbose
verbose

And share the debug output.

gniibe triaged this task as High priority.

Ah, I think that your problem was fixed in rG53bdc6288f9b: scd: Recover the partial match for PORTSTR for PC/SC. (to be 2.3.2).

In 2.3.1, the partial match of reader-port doesn't work well (because of the bug).

Please try fully specifying it as 'Yubico YubiKey OTP CCID', when using 2.3.1.

> I see your situation.
>
> Could you please help me to analyze what's going on?
> Please add the following lines to your scdaemon.conf to see the CCID driver's debug output:
>
> debug-ccid-driver
> verbose
> verbose
> verbose
>
> And share the debug output.

I'll give you the debug log tomorrow (it's 2am at home).

Thank-you for your prompt response!

GPG version:

➜  ~ gpg --version
gpg (GnuPG) 2.3.1
libgcrypt 1.9.3

scdaemon.conf:

➜  ~ cat ~/.gnupg/scdaemon.conf
reader-port Yubico Yubi
debug-all
debug-level guru
log-file /tmp/scd.log
debug-ccid-driver
verbose
verbose
verbose

card status:

➜  ~ gpg --card-status
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device

scd log:

➜  ~ cat /tmp/scd.log
2021-06-04 11:43:36 scdaemon[652] listening on socket '/Users/user/.gnupg/S.scdaemon'
2021-06-04 11:43:36 scdaemon[652] handler for fd -1 started
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 <- GETINFO socket_name
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 -> D /Users/user/.gnupg/S.scdaemon
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 -> OK
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 <- OPTION event-signal=31
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 -> OK
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 <- GETINFO version
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 -> D 2.3.1
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 -> OK
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 <- SERIALNO
2021-06-04 11:43:36 scdaemon[652] DBG: apdu_open_reader: BAI=140301
2021-06-04 11:43:36 scdaemon[652] DBG: apdu_open_reader: new device=140301
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver: using CCID reader 0 (ID=1050:0405:X:0)
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver: idVendor: 1050  idProduct: 0405  bcdDevice: 0524
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver: ChipCard Interface Descriptor:
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   bLength                54
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   bDescriptorType        33
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   bcdCCID              1.00
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   nMaxSlotIndex           0
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   bVoltageSupport         7  ?
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   dwProtocols             2  T=1
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   dwDefaultClock       4000
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   dwMaxiumumClock      4000
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   bNumClockSupported      0
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   dwDataRate         307200 bps
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   dwMaxDataRate      307200 bps
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   bNumDataRatesSupp.      0
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   dwMaxIFSD            3062
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   dwSyncProtocols  00000000
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   dwMechanical     00000000
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   dwFeatures       000400FE
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:     Auto configuration based on ATR (assumes auto voltage)
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:     Auto activation on insert
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:     Auto voltage selection
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:     Auto clock change
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:     Auto baud rate change
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:     Auto parameter negotiation made by CCID
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:     WARNING: conflicting negotiation features
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:     Short and extended APDU level exchange
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   dwMaxCCIDMsgLen      3072
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   bClassGetResponse    echo
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   bClassEnvelope       echo
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   wlcdLayout           none
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   bPINSupport             0
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   bMaxCCIDBusySlots       1
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver: usb_claim_interface failed: -3
2021-06-04 11:43:36 scdaemon[652] ccid open error: skip
2021-06-04 11:43:36 scdaemon[652] check permission of USB device at Bus 020 Device 003
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 -> ERR 100696144 Operation not supported by device <SCD>
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 <- RESTART
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 -> OK

scdaemon.conf with "Yubico YubiKey OTP CCID" instead of "Yubico Yubi":

➜  ~ cat ~/.gnupg/scdaemon.conf
reader-port Yubico YubiKey OTP CCID
debug-all
debug-level guru
log-file /tmp/scd.log
debug-ccid-driver
verbose
verbose
verbose

scd log:

➜  ~ cat /tmp/scd.log
2021-06-04 11:50:41 scdaemon[898] listening on socket '/Users/user/.gnupg/S.scdaemon'
2021-06-04 11:50:41 scdaemon[898] handler for fd -1 started
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 <- GETINFO socket_name
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 -> D /Users/user/.gnupg/S.scdaemon
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 -> OK
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 <- OPTION event-signal=31
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 -> OK
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 <- GETINFO version
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 -> D 2.3.1
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 -> OK
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 <- SERIALNO
2021-06-04 11:50:41 scdaemon[898] DBG: apdu_open_reader: BAI=140301
2021-06-04 11:50:41 scdaemon[898] DBG: apdu_open_reader: new device=140301
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver: using CCID reader 0 (ID=1050:0405:X:0)
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver: idVendor: 1050  idProduct: 0405  bcdDevice: 0524
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver: ChipCard Interface Descriptor:
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   bLength                54
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   bDescriptorType        33
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   bcdCCID              1.00
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   nMaxSlotIndex           0
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   bVoltageSupport         7  ?
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   dwProtocols             2  T=1
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   dwDefaultClock       4000
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   dwMaxiumumClock      4000
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   bNumClockSupported      0
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   dwDataRate         307200 bps
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   dwMaxDataRate      307200 bps
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   bNumDataRatesSupp.      0
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   dwMaxIFSD            3062
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   dwSyncProtocols  00000000
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   dwMechanical     00000000
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   dwFeatures       000400FE
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:     Auto configuration based on ATR (assumes auto voltage)
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:     Auto activation on insert
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:     Auto voltage selection
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:     Auto clock change
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:     Auto baud rate change
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:     Auto parameter negotiation made by CCID
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:     WARNING: conflicting negotiation features
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:     Short and extended APDU level exchange
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   dwMaxCCIDMsgLen      3072
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   bClassGetResponse    echo
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   bClassEnvelope       echo
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   wlcdLayout           none
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   bPINSupport             0
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   bMaxCCIDBusySlots       1
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver: usb_claim_interface failed: -3
2021-06-04 11:50:41 scdaemon[898] ccid open error: skip
2021-06-04 11:50:41 scdaemon[898] check permission of USB device at Bus 020 Device 003
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 -> ERR 100696144 Operation not supported by device <SCD>
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 <- RESTART
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 -> OK

I need to see how we can pass the "check permission" notice up to gpg. This is too common a problem and thus deserves some special treatment.

Sorry, I was wrong.

Specifying:

reader-port Yubico YubiKey OTP CCID

is the one for PC/SC.

When using CCID driver, it's something like:

1050:0405:X:0

In your log, it says:

usb_claim_interface failed: -3

... which is the libusb error LIBUSB_ERROR_ACCESS: "Access denied (insufficient permissions)".

So, I think that with 2.2 you didn't use the CCID driver, but used PC/SC.

In 2.3, the logic to identify Yubikey has been changed (to support PIV application).

It seems that https://dev.gnupg.org/source/gnupg/browse/master/scd/app.c$520 doesn't work well for your device.

The device with serial number 10000003 is represented as three bytes: 00989683

The code assumed that the serial number is represented by four bytes.

Fixed in rGc3a9ee0b6588: scd: Fix serial number detection for Yubikey 5.

FWIW: Actually the old code assumed that the s/n is at least 4 bytes. IIRC, I once checked the source of the Yubico tools to get this info.
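To make the two comments above concrete, here is an added illustration (not GnuPG's code, and not the actual logic in scd/app.c): a hypothetical strict decoder that, like the old code as described here, requires at least four bytes of serial number, next to a tolerant decoder that accepts one to four big-endian bytes. The byte strings are constructed from the value the thread gives (10000003 == 0x989683), so the three-byte form is the case that trips the strict check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample responses (not captured from a device):
   serial 10000003 == 0x989683 encoded big-endian in three bytes,
   and the same value in the four bytes the strict decoder expects. */
static const uint8_t SAMPLE_SERIAL_3B[] = { 0x98, 0x96, 0x83 };
static const uint8_t SAMPLE_SERIAL_4B[] = { 0x00, 0x98, 0x96, 0x83 };

/* Hypothetical strict decoder, standing in for the assumption described
   in the thread: the serial must be at least four bytes long.
   Returns the serial, or -1 when the buffer is too short, which is the
   "card not detected" outcome the reporter saw. */
long long decode_serial_strict(const uint8_t *resp, size_t len)
{
  if (len < 4)
    return -1;
  return ((long long)resp[0] << 24) | ((long long)resp[1] << 16)
       | ((long long)resp[2] << 8)  | (long long)resp[3];
}

/* Hypothetical tolerant decoder: accept one to four big-endian bytes and
   treat the missing leading bytes as zero, so a serial that happens to fit
   in three bytes decodes to the same value as its four-byte form. */
long long decode_serial_tolerant(const uint8_t *resp, size_t len)
{
  if (len == 0 || len > 4)
    return -1;
  uint32_t v = 0;
  for (size_t i = 0; i < len; i++)
    v = (v << 8) | resp[i];
  return (long long)v;
}

int main(void)
{
  printf("strict,   3-byte response: %lld\n",
         decode_serial_strict(SAMPLE_SERIAL_3B, sizeof SAMPLE_SERIAL_3B));
  printf("strict,   4-byte response: %lld\n",
         decode_serial_strict(SAMPLE_SERIAL_4B, sizeof SAMPLE_SERIAL_4B));
  printf("tolerant, 3-byte response: %lld\n",
         decode_serial_tolerant(SAMPLE_SERIAL_3B, sizeof SAMPLE_SERIAL_3B));
  printf("tolerant, 4-byte response: %lld\n",
         decode_serial_tolerant(SAMPLE_SERIAL_4B, sizeof SAMPLE_SERIAL_4B));
  return 0;
}
```

The practical point for anyone relying on `cardno:` for fleet inventory is that a length assumption in the serial parser fails only for the subset of devices whose serial fits in fewer bytes, which is why a single "broken" key in an otherwise working fleet is worth checking against the decoder rather than the hardware.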

gniibe renamed this task from "Yubikey 5 doesn't work after updating to GnuPG 2.3.1 on macOS Big Sur 11.2.3" to "Serial number detection of Yubikey 5 (Yubikey 5 doesn't work after updating to GnuPG 2.3.1)". Jun 9 2021, 2:18 AM