Serial number detection of Yubikey 5 (Yubikey 5 doesn't work after updating to GnuPG 2.3.1)
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Suertzz
	May 19 2021, 9:04 PM

Description

Hi :-)

Yesterday I updated my GnuPG version via homebrew to 2.3.1. After the update my Yubikey 5 NFC was broke :

➜  ~ gpg --card-status
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device

My version :

➜  ~ gpg --version
gpg (GnuPG) 2.3.1
libgcrypt 1.9.3
[...]

scdaemon conf

➜  ~ cat ~/.gnupg/scdaemon.conf
reader-port Yubico Yubi
debug-all
debug-level guru
log-file /tmp/scd.log

Some log :

2021-05-19 12:16:35 scdaemon[581] listening on socket '/Users/user/.gnupg/S.scdaemon'
2021-05-19 12:16:35 scdaemon[581] handler for fd -1 started
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 <- GETINFO socket_name
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 -> D /Users/user/.gnupg/S.scdaemon
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 -> OK
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 <- OPTION event-signal=31
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 -> OK
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 <- GETINFO version
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 -> D 2.3.1
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 -> OK
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 <- SERIALNO
2021-05-19 12:16:35 scdaemon[581] DBG: apdu_open_reader: BAI=140301
2021-05-19 12:16:35 scdaemon[581] DBG: apdu_open_reader: new device=140301
2021-05-19 12:16:35 scdaemon[581] ccid open error: skip
2021-05-19 12:16:35 scdaemon[581] check permission of USB device at Bus 020 Device 003
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 -> ERR 100696144 Operation not supported by device <SCD>
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 <- RESTART
2021-05-19 12:16:35 scdaemon[581] DBG: chan_7 -> OK

After a quick search I found two possibility to get a workaround :

Add "disable-ccid" to scdaemon.conf.

The Yubikey works, but.... I use yubikey at large scale, and actually we use the "cardno:" to identify which SSH KEY is to which Yubikey (it is physically engraved on the Yubikey).

An image to better understand :

)

On GnuPG 2.2 without ccid disabled :

➜  ~ ssh-add -L
ssh-rsa AAAA.... == cardno:xxxxxxxxxxxxxx

On GnuPG 2.3 with ccid disabled :

➜  ~ ssh-add -L
ssh-rsa AAAA.... == cardno:FF7F00

Also we lose access to the serial number when ccid is disabled :

➜  ~ gpg --card-status
Reader ...........: Yubico YubiKey OTP CCID
Application ID ...: FF7F00
Application type .: OpenPGP
Version ..........: .�
Manufacturer .....: Yubico
Serial number ....: �

When this work normally :

➜  ~ gpg --card-status
Reader ...........: Yubico YubiKey OTP CCID
Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX  <- I hided that on purpose
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: XXXXXXX <- I hided that on purpose

So .. I can't really disable CCID

RollBack to 2.2 me and all of my co-worker

This is the solution that works for me, but not the ideal in the long run.

I am using macOS Big Sur 11.2.3.

Does anyone have a solution to make it work with last version of GnuPG, without disabling CCID on macOs ? This is really important for me.

In the log I see check permission of USB device at Bus, how can I give the appropriate permissions ?

Sorry for my poor english.

Thank's

Details

Version: 2.3.1

Revisions and Commits

rG GnuPG
	rGc2f02797cdef scd: Fix serial number detection for Yubikey 5.
	rGc3a9ee0b6588 scd: Fix serial number detection for Yubikey 5.

Related Objects

Mentioned In: T5405: Release GnuPG 2.3.2
T5482: Release GnuPG 2.2.28
T5415: YubiKey no longer recognized in GnuPG 2.3.1 on macOS 10.15.7
Mentioned Here: rGc3a9ee0b6588: scd: Fix serial number detection for Yubikey 5.
rG53bdc6288f9b: scd: Recover the partial match for PORTSTR for PC/SC.
T5415: YubiKey no longer recognized in GnuPG 2.3.1 on macOS 10.15.7

Event Timeline

Suertzz created this task.May 19 2021, 9:04 PM

Suertzz created this object in space S1 Public.

Thanks for the well written report. We had another already, and thus I merged it into T5415.

• werner mentioned this in T5415: YubiKey no longer recognized in GnuPG 2.3.1 on macOS 10.15.7.May 19 2021, 9:25 PM

rickard.von.essen added a subscriber: rickard.von.essen.Jun 3 2021, 9:35 PM

If possible, please let us know how you configure the permission to access CCID device with 2.2 (and with 2.3)?

In T5442#146869, @gniibe wrote:

If possible, please let us know how you configure the permission to access CCID device with 2.2 (and with 2.3)?

On 2.2 CCID work out of the box, when I update to 2.3 CCID doesn’t work anymore. I did not configure any permissions.

I see your situation

Could you please help me to analyze what's going on?
Please add following lines to your scdaemon.conf to see CCID driver's debug output:

debug-ccid-driver
verbose
verbose
verbose

And share the debug output.

• gniibe claimed this task.Jun 4 2021, 1:57 AM

• gniibe triaged this task as High priority.

Ah, I think that your problem was fixed in rG53bdc6288f9b: scd: Recover the partial match for PORTSTR for PC/SC. (to be 2.3.2).

In 2.3.1, the partial match of reader-port doesn't work well (because of the bug).

Please try fully specifying it as 'Yubico YubiKey OTP CCID', when using 2.3.1.

In T5442#146871, @gniibe wrote:
I see your situation

Could you please help me to analyze what's going on?
Please add following lines to your scdaemon.conf to see CCID driver's debug output:
debug-ccid-driver
verbose
verbose
verbose
And share the debug output.

I'll give you the debug log tomorrow (it's 2am at home)

Thank-you for your prompt response!

GPG Version :

➜  ~ gpg --version
gpg (GnuPG) 2.3.1
libgcrypt 1.9.3

scdaemon.conf

cat ~/.gnupg/scdaemon.conf
reader-port Yubico Yubi
debug-all
debug-level guru
log-file /tmp/scd.log
debug-ccid-driver
verbose
verbose
verbose

card status:

➜  ~ gpg --card-status
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device

scd log :

➜  ~ cat /tmp/scd.log
2021-06-04 11:43:36 scdaemon[652] listening on socket '/Users/user/.gnupg/S.scdaemon'
2021-06-04 11:43:36 scdaemon[652] handler for fd -1 started
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 <- GETINFO socket_name
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 -> D /Users/user/.gnupg/S.scdaemon
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 -> OK
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 <- OPTION event-signal=31
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 -> OK
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 <- GETINFO version
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 -> D 2.3.1
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 -> OK
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 <- SERIALNO
2021-06-04 11:43:36 scdaemon[652] DBG: apdu_open_reader: BAI=140301
2021-06-04 11:43:36 scdaemon[652] DBG: apdu_open_reader: new device=140301
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver: using CCID reader 0 (ID=1050:0405:X:0)
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver: idVendor: 1050  idProduct: 0405  bcdDevice: 0524
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver: ChipCard Interface Descriptor:
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   bLength                54
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   bDescriptorType        33
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   bcdCCID              1.00
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   nMaxSlotIndex           0
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   bVoltageSupport         7  ?
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   dwProtocols             2  T=1
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   dwDefaultClock       4000
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   dwMaxiumumClock      4000
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   bNumClockSupported      0
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   dwDataRate         307200 bps
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   dwMaxDataRate      307200 bps
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   bNumDataRatesSupp.      0
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   dwMaxIFSD            3062
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   dwSyncProtocols  00000000
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   dwMechanical     00000000
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   dwFeatures       000400FE
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:     Auto configuration based on ATR (assumes auto voltage)
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:     Auto activation on insert
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:     Auto voltage selection
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:     Auto clock change
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:     Auto baud rate change
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:     Auto parameter negotiation made by CCID
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:     WARNING: conflicting negotiation features
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:     Short and extended APDU level exchange
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   dwMaxCCIDMsgLen      3072
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   bClassGetResponse    echo
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   bClassEnvelope       echo
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   wlcdLayout           none
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   bPINSupport             0
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver:   bMaxCCIDBusySlots       1
2021-06-04 11:43:36 scdaemon[652] DBG: ccid-driver: usb_claim_interface failed: -3
2021-06-04 11:43:36 scdaemon[652] ccid open error: skip
2021-06-04 11:43:36 scdaemon[652] check permission of USB device at Bus 020 Device 003
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 -> ERR 100696144 Operation not supported by device <SCD>
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 <- RESTART
2021-06-04 11:43:36 scdaemon[652] DBG: chan_7 -> OK

scdaemon conf with Yubico YubiKey OTP CCID instead of Yubico Yubi

cat ~/.gnupg/scdaemon.conf
reader-port Yubico YubiKey OTP CCID
debug-all
debug-level guru
log-file /tmp/scd.log
debug-ccid-driver
verbose
verbose
verbose

scd log :

➜  ~ cat /tmp/scd.log
2021-06-04 11:50:41 scdaemon[898] listening on socket '/Users/user/.gnupg/S.scdaemon'
2021-06-04 11:50:41 scdaemon[898] handler for fd -1 started
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 <- GETINFO socket_name
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 -> D /Users/user/.gnupg/S.scdaemon
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 -> OK
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 <- OPTION event-signal=31
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 -> OK
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 <- GETINFO version
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 -> D 2.3.1
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 -> OK
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 <- SERIALNO
2021-06-04 11:50:41 scdaemon[898] DBG: apdu_open_reader: BAI=140301
2021-06-04 11:50:41 scdaemon[898] DBG: apdu_open_reader: new device=140301
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver: using CCID reader 0 (ID=1050:0405:X:0)
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver: idVendor: 1050  idProduct: 0405  bcdDevice: 0524
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver: ChipCard Interface Descriptor:
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   bLength                54
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   bDescriptorType        33
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   bcdCCID              1.00
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   nMaxSlotIndex           0
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   bVoltageSupport         7  ?
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   dwProtocols             2  T=1
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   dwDefaultClock       4000
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   dwMaxiumumClock      4000
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   bNumClockSupported      0
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   dwDataRate         307200 bps
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   dwMaxDataRate      307200 bps
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   bNumDataRatesSupp.      0
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   dwMaxIFSD            3062
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   dwSyncProtocols  00000000
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   dwMechanical     00000000
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   dwFeatures       000400FE
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:     Auto configuration based on ATR (assumes auto voltage)
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:     Auto activation on insert
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:     Auto voltage selection
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:     Auto clock change
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:     Auto baud rate change
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:     Auto parameter negotiation made by CCID
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:     WARNING: conflicting negotiation features
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:     Short and extended APDU level exchange
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   dwMaxCCIDMsgLen      3072
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   bClassGetResponse    echo
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   bClassEnvelope       echo
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   wlcdLayout           none
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   bPINSupport             0
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver:   bMaxCCIDBusySlots       1
2021-06-04 11:50:41 scdaemon[898] DBG: ccid-driver: usb_claim_interface failed: -3
2021-06-04 11:50:41 scdaemon[898] ccid open error: skip
2021-06-04 11:50:41 scdaemon[898] check permission of USB device at Bus 020 Device 003
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 -> ERR 100696144 Operation not supported by device <SCD>
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 <- RESTART
2021-06-04 11:50:41 scdaemon[898] DBG: chan_7 -> OK

I need to see how we can pass the check permission notice up to gpg. This is a too common problem and thus serves some special treatment.

Sorry, I was wrong.

Specifying:

reader-port Yubico YubiKey OTP CCID

is the one for PC/SC.

When using CCID driver, it's something like:

1050:0405:X:0

In your log, it says:

usb_claim_interface failed: -3

... which means the error of LIBUSB_ERROR_ACCESS.
Access denied (insufficient permissions)

So, I think that with 2.2, you didn't use CCID driver, but use PC/SC.

In 2.3, the logic to identify Yubikey has been changed (to support PIV application).

It seems that https://dev.gnupg.org/source/gnupg/browse/master/scd/app.c$520
doesn't work well for your device.

• gniibe added a commit: rGc3a9ee0b6588: scd: Fix serial number detection for Yubikey 5..Jun 8 2021, 3:38 AM

The device with serial number 10000003, it is represented as three bytes: 00989683

The code assumed that serial number is represented by four bytes.

Fixed in rGc3a9ee0b6588: scd: Fix serial number detection for Yubikey 5..

FWIW: Actually the old code assumed that the s/n is at least 4 bytes. IIRC, I once checked the source of the Yubico tools to get this info.

For the Data Object of serial number, what I read is this code: https://github.com/Yubico/yubikey-manager

And I concluded that the serial number can be three bytes.

Specifically:
https://github.com/Yubico/yubikey-manager/blob/0f9ae1af1f9b496b4de2dfc14edf0799d2631a6c/yubikit/management.py#L213
https://github.com/Yubico/yubikey-manager/blob/3b89995d4f252ce6be78ce2e479ebc4c431fe12b/yubikit/core/__init__.py#L182

• gniibe renamed this task from Yubikey 5 doesn't work after updating to GnuPG 2.3.1 on macOS Big Sur 11.2.3 to Serial number detection of Yubikey 5 (Yubikey 5 doesn't work after updating to GnuPG 2.3.1).Jun 9 2021, 2:18 AM

• werner added a commit: rGc2f02797cdef: scd: Fix serial number detection for Yubikey 5..Jun 10 2021, 12:46 PM

• werner mentioned this in T5482: Release GnuPG 2.2.28.Jun 10 2021, 5:42 PM

• werner mentioned this in T5405: Release GnuPG 2.3.2.Aug 24 2021, 7:55 PM

• werner closed this task as Resolved.Aug 24 2021, 7:58 PM