
GnuPG 2.2.28 not working with Yubikey NEO
Closed, Resolved (Public)

Description

Hi, the .28 version is not working anymore with Yubikey 4 NEO; this happened in .24, and in .25 we got a few problems (T5167) which were corrected in .26.

I have uploaded the log from scdaemon from 2.2.27 and 2.2.28 as was instructed on T5167 issue.

log-file /somewhere/scd.log
verbose
debug ipc,reader,app
debug-ccid-driver

The only command I used while running each version was gpg2 --card-status


Details

Version
2.2.28

Revisions and Commits

Event Timeline

gniibe added a subscriber: gniibe.

Thank you for your report.

Sorry, I overlooked the need to backport one of my changes.

Fixed in rG01a413d5235f: scd: Error code map fix for older Yubikey..
New code for Yubikey 4 or later causes wrong interaction for Yubikey NEO in 2.2.28.

I think that Yubikey NEO is older than Yubikey 4.

gniibe renamed this task from GnuPG 2.2.28 not working with Yubikey 4 NEO to GnuPG 2.2.28 not working with Yubikey NEO. (Jun 14 2021, 3:42 AM)
werner changed the task status from Open to Testing. (Jun 14 2021, 11:38 AM)
werner added projects: gnupg (gpg22), yubikey.
werner added a subscriber: werner.

Fix will eventually go into 2.2.29. If there is enough public demand we will do a new Windows installer earlier.

Thank you @werner I will apply the patch and recompile the .28 version for myself.

I was just about to open a similar bug report, but I think this might be related. I’m also having trouble getting my Yubikey NEO to work with the latest update, however my log output looks different (see below) and this is on Windows (10 Pro, 21H1, build 19043.1055).

Problem appeared with version:
gpg (GnuPG) 2.2.28
libgcrypt 1.8.8
Gpg4win 3.1.16

Last known good configuration:
gpg (GnuPG) 2.2.27
libgcrypt 1.8.7
Gpg4win 3.1.15

Please let me know if you need more information, or if I should file this as a separate bug.

2021-06-14 18:27:25 scdaemon[6100] Es wird auf Socket `C:\Users\kiang\AppData\Roaming\gnupg\S.scdaemon' gehört
2021-06-14 18:27:25 scdaemon[6100] Handhabungsroutine für fd -1 gestartet
2021-06-14 18:27:25 scdaemon[6100] DBG: chan_0x000002a0 -> OK GNU Privacy Guard's Smartcard server ready
2021-06-14 18:27:25 scdaemon[6100] DBG: chan_0x000002a0 <- GETINFO socket_name
2021-06-14 18:27:25 scdaemon[6100] DBG: chan_0x000002a0 -> D C:\Users\kiang\AppData\Roaming\gnupg\S.scdaemon
2021-06-14 18:27:25 scdaemon[6100] DBG: chan_0x000002a0 -> OK
2021-06-14 18:27:25 scdaemon[6100] DBG: chan_0x000002a0 <- OPTION event-signal=0x00000294
2021-06-14 18:27:25 scdaemon[6100] DBG: chan_0x000002a0 -> OK
2021-06-14 18:27:25 scdaemon[6100] DBG: chan_0x000002a0 <- GETINFO version
2021-06-14 18:27:25 scdaemon[6100] DBG: chan_0x000002a0 -> D 2.2.28
2021-06-14 18:27:25 scdaemon[6100] DBG: chan_0x000002a0 -> OK
2021-06-14 18:27:25 scdaemon[6100] DBG: chan_0x000002a0 <- SERIALNO
2021-06-14 18:27:25 scdaemon[6100] DBG: open_pcsc_reader(portstr=Yubico Yubikey NEO OTP+U2F+CCID 0)
2021-06-14 18:27:25 scdaemon[6100] detected reader 'Yubico Yubikey NEO OTP+U2F+CCID 0'
2021-06-14 18:27:25 scdaemon[6100] reader slot 0: not connected
2021-06-14 18:27:25 scdaemon[6100] DBG: open_pcsc_reader => slot=0
2021-06-14 18:27:25 scdaemon[6100] DBG: enter: apdu_connect: slot=0
2021-06-14 18:27:25 scdaemon[6100] reader slot 0: active protocol: T1
2021-06-14 18:27:25 scdaemon[6100] slot 0: ATR=3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1
2021-06-14 18:27:25 scdaemon[6100] DBG: pcsc_get_status_change:  changed present excl inuse
2021-06-14 18:27:25 scdaemon[6100] DBG: leave: apdu_connect => sw=0x0
2021-06-14 18:27:25 scdaemon[6100] DBG: send apdu: c=00 i=A4 p1=00 p2=0C lc=2 le=-1 em=0
2021-06-14 18:27:25 scdaemon[6100] DBG:   PCSC_data: 00 A4 00 0C 02 3F 00
2021-06-14 18:27:25 scdaemon[6100] DBG:  response: sw=6A86  datalen=0
2021-06-14 18:27:25 scdaemon[6100] DBG: send apdu: c=00 i=A4 p1=04 p2=00 lc=8 le=-1 em=0
2021-06-14 18:27:25 scdaemon[6100] DBG:   PCSC_data: 00 A4 04 00 08 A0 00 00 05 27 47 11 17
2021-06-14 18:27:25 scdaemon[6100] DBG:  response: sw=9000  datalen=30
2021-06-14 18:27:25 scdaemon[6100] DBG:     dump:  44 46 55 20 65 6E 61 62 6C 65 64 20 2D 20 46 57 20 76 65 72 73 69 6F 6E 20 33 2E 34 2E 33
2021-06-14 18:27:25 scdaemon[6100] DBG:   PCSC_data: 00 1D 00 00 00
2021-06-14 18:27:25 scdaemon[6100] DBG:  response: sw=6D00  datalen=0
2021-06-14 18:27:25 scdaemon[6100] DBG:       dump:  6D 00
2021-06-14 18:27:25 scdaemon[6100] DBG: send apdu: c=00 i=A4 p1=04 p2=00 lc=6 le=-1 em=0
2021-06-14 18:27:25 scdaemon[6100] DBG:   PCSC_data: 00 A4 04 00 06 D2 76 00 01 24 01
2021-06-14 18:27:25 scdaemon[6100] DBG:  response: sw=6D00  datalen=0
2021-06-14 18:27:25 scdaemon[6100] DBG: send apdu: c=00 i=A4 p1=04 p2=0C lc=7 le=-1 em=0
2021-06-14 18:27:25 scdaemon[6100] DBG:   PCSC_data: 00 A4 04 0C 07 D2 76 00 00 03 01 02
2021-06-14 18:27:25 scdaemon[6100] DBG:  response: sw=6D00  datalen=0
2021-06-14 18:27:25 scdaemon[6100] DBG: send apdu: c=00 i=A4 p1=04 p2=00 lc=12 le=256 em=0
2021-06-14 18:27:25 scdaemon[6100] DBG:   PCSC_data: 00 A4 04 00 0C A0 00 00 00 63 50 4B 43 53 2D 31 35 00
2021-06-14 18:27:25 scdaemon[6100] DBG:  response: sw=6700  datalen=0
2021-06-14 18:27:25 scdaemon[6100] DBG: send apdu: c=00 i=A4 p1=08 p2=0C lc=2 le=-1 em=0
2021-06-14 18:27:25 scdaemon[6100] DBG:   PCSC_data: 00 A4 08 0C 02 2F 00
2021-06-14 18:27:25 scdaemon[6100] DBG:  response: sw=6D00  datalen=0
2021-06-14 18:27:25 scdaemon[6100] DBG: send apdu: c=00 i=A4 p1=01 p2=0C lc=2 le=-1 em=0
2021-06-14 18:27:25 scdaemon[6100] DBG:   PCSC_data: 00 A4 01 0C 02 50 15
2021-06-14 18:27:25 scdaemon[6100] DBG:  response: sw=6D00  datalen=0
2021-06-14 18:27:25 scdaemon[6100] DBG: send apdu: c=00 i=A4 p1=04 p2=0C lc=9 le=-1 em=0
2021-06-14 18:27:25 scdaemon[6100] DBG:   PCSC_data: 00 A4 04 0C 09 D2 76 00 00 25 45 50 02 00
2021-06-14 18:27:25 scdaemon[6100] DBG:  response: sw=6D00  datalen=0
2021-06-14 18:27:25 scdaemon[6100] DBG: send apdu: c=00 i=A4 p1=04 p2=0C lc=6 le=-1 em=0
2021-06-14 18:27:25 scdaemon[6100] DBG:   PCSC_data: 00 A4 04 0C 06 D2 76 00 00 66 01
2021-06-14 18:27:25 scdaemon[6100] DBG:  response: sw=6D00  datalen=0
2021-06-14 18:27:25 scdaemon[6100] DBG: send apdu: c=00 i=A4 p1=04 p2=0C lc=11 le=-1 em=0
2021-06-14 18:27:25 scdaemon[6100] DBG:   PCSC_data: 00 A4 04 0C 0B E8 2B 06 01 04 01 81 C3 1F 02 01
2021-06-14 18:27:25 scdaemon[6100] DBG:  response: sw=6D00  datalen=0
2021-06-14 18:27:25 scdaemon[6100] no supported card application found: Kartenfehler
2021-06-14 18:27:25 scdaemon[6100] DBG: enter: apdu_close_reader: slot=0
2021-06-14 18:27:25 scdaemon[6100] DBG: enter: apdu_disconnect: slot=0
2021-06-14 18:27:25 scdaemon[6100] DBG: leave: apdu_disconnect => sw=0x0
2021-06-14 18:27:25 scdaemon[6100] DBG: leave: apdu_close_reader => 0x0 (close_reader)
2021-06-14 18:27:25 scdaemon[6100] DBG: chan_0x000002a0 -> ERR 100696144 No such device <SCD>
2021-06-14 18:27:25 scdaemon[6100] DBG: chan_0x000002a0 <- RESTART
2021-06-14 18:27:25 scdaemon[6100] DBG: chan_0x000002a0 -> OK

@kianga
Thanks for your log.

The problem I identified is:

2021-06-14 18:27:25 scdaemon[6100] DBG:   PCSC_data: 00 1D 00 00 00

This is a command from the computer to the card to get the config of a Yubikey 4 (or later).
When Yubikey NEO receives this command, it will get screwed up.

The patch is to detect an error at:

2021-06-14 18:27:25 scdaemon[6100] DBG:   PCSC_data: 00 A4 00 0C 02 3F 00
2021-06-14 18:27:25 scdaemon[6100] DBG:  response: sw=6A86  datalen=0

Yubikey NEO returns 6A86 here, while Yubikey 4 (or later) returns 6D00.
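
The sequence identified above can be checked mechanically in an scdaemon debug log. The following is an added example, not part of the original thread and not GnuPG code: it pairs each `PCSC_data` command with the status word that follows it and reports whether the config query was sent after SELECT MF returned 6A86. The function names and the `neo_regression` key are hypothetical; the sample lines are excerpted from the log posted in this thread.

```python
import re

# Excerpt of the scdaemon log posted in this thread (2.2.28, Yubikey NEO).
P = "2021-06-14 18:27:25 scdaemon[6100] DBG: "
SAMPLE_LOG = "\n".join(P + s for s in [
    "  PCSC_data: 00 A4 00 0C 02 3F 00",
    " response: sw=6A86  datalen=0",
    "  PCSC_data: 00 A4 04 00 08 A0 00 00 05 27 47 11 17",
    " response: sw=9000  datalen=30",
    "  PCSC_data: 00 1D 00 00 00",
    " response: sw=6D00  datalen=0",
    "  PCSC_data: 00 A4 04 00 06 D2 76 00 01 24 01",
    " response: sw=6D00  datalen=0",
])

CMD_RE = re.compile(r"PCSC_data:\s+((?:[0-9A-Fa-f]{2}\s*)+)$")
SW_RE = re.compile(r"response:\s+sw=([0-9A-Fa-f]{4})")

SELECT_MF = bytes.fromhex("00A4000C023F00")   # first command in the log
GET_CONFIG = bytes.fromhex("001D000000")      # Yubikey 4+ config query (per gniibe)
SELECT_OPENPGP = bytes.fromhex("00A4040006D27600012401")  # SELECT OpenPGP card AID

def exchanges(log_text):
    """Pair each PCSC_data command with the status word that follows it."""
    pairs, pending = [], None
    for line in log_text.splitlines():
        cmd = CMD_RE.search(line)
        if cmd:
            pending = bytes.fromhex(cmd.group(1))
            continue
        sw = SW_RE.search(line)
        if sw and pending is not None:
            pairs.append((pending, int(sw.group(1), 16)))
            pending = None
    return pairs

def diagnose(log_text):
    """Report whether the log shows the sequence described in this thread."""
    ex = exchanges(log_text)
    mf_sw = next((sw for cmd, sw in ex if cmd == SELECT_MF), None)
    cfg_at = next((i for i, (cmd, _) in enumerate(ex) if cmd == GET_CONFIG), None)
    later = ex[cfg_at + 1:] if cfg_at is not None else []
    openpgp_failed = any(cmd == SELECT_OPENPGP and sw != 0x9000 for cmd, sw in later)
    return {
        "select_mf_sw": mf_sw,
        "get_config_sent": cfg_at is not None,
        # 6A86 on SELECT MF marks a NEO; the config query should not follow it.
        "neo_regression": mf_sw == 0x6A86 and cfg_at is not None and openpgp_failed,
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```
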

gniibe triaged this task as High priority. (Jun 15 2021, 1:41 AM)

I set the priority 'High' as Yubikey NEO is the last one with source code available, IIUC.

Just for everybody else who might be waiting for a new release. Workaround is to simply use the previous version: https://www.gpg4win.de/change-history-de.html (3.1.15)

You mean Gpg4win. The solution for Gpg4win 3.1.x is to install the latest GnuPG LTS installer for Windows on top of the latest Gpg4win version. See
https://lists.gnupg.org/pipermail/gnupg-announce/2021q3/000464.html
Note that there will very soon be a 2.2.32 to fix a problem with Let's Encrypt protected keyservers (T5639).