Page MenuHome GnuPG
Create Task
Maniphest T7379

Kleopatra: Learning certificates of Signature v2.0 card fails if a Yubikey is plugged in as well
Open, NormalPublic
Actions

Description

This is an additional issue that we noticed while looking at T7378: Kleopatra: loading X.509 certificate from Signature card hangs.

  • Plug in a Yubikey and a Signature v2.0 card that Kleopatra (and gpgsm) has never seen before.
  • Open Kleopatra's smartcard view

On the tab of the Signature v2.0 card (NKS ...) you should see the progress overlay:


If it doesn't go away (which is T7378: Kleopatra: loading X.509 certificate from Signature card hangs) then kill scdaemon.

In the background Kleopatra will run gpgsm --learn-card -v as can be seen in the logs

2024-11-06_SC-loading-issue.dblog191 KBDownload

Unfortunately, gpgsm just learns (or tries to learn) the keys of the OpenPGP app of the Yubikey. As a result the certificates of the Signature Card v2.0 will stay unknown:

After removing the signature card and inserting it again, everything worked as expected and the certificates where loaded.

Related Objects

Event Timeline

ikloecker created this task.Wed, Nov 6, 4:34 PM
ikloecker added a comment.Wed, Nov 6, 4:37 PM

I haven't added any project tags because I'm not sure for which projects this is relevant. Since GnuPG 2.2 doesn't support multiple smartcards it's likely not relevant for VSD 3.3.

I suspect that gpgsm learns the certificates for the card app that was last made active in scdaemon. I'll try to fix this by switching to the right card app before running gpgsm --learn-card.

ikloecker claimed this task.Wed, Nov 6, 4:37 PM
werner added a subscriber: werner.Wed, Nov 6, 9:23 PM

The whole learn-card thing is more a hack than a solid way to make cards known. We should do such things in the background when a new card has been seen.

gniibe added a subscriber: gniibe.Thu, Nov 7, 8:46 AM

@ikloecker Using scdaemon with multiple cards, it is a connection which holds the card.

SCD SWITCHCARD serialno can specify and change to the card with serialno for *THAT* connection.

I don't think there is a way to specify a card among multiple cards for gpgsm.

ikloecker added a comment.Thu, Nov 7, 8:48 AM

I assume by "do such things in the background" you mean that GnuPG should do this automatically in the background.

gniibe added a comment.Thu, Nov 7, 9:06 AM

SCD SERIALNO serialno can move the first card in the list in scdaemon.

ebo added a subscriber: ebo.Thu, Nov 7, 11:05 AM
werner added a comment.Thu, Nov 7, 11:16 AM
In T7379#193696, @ikloecker wrote:

I assume by "do such things in the background" you mean that GnuPG should do this automatically in the background.

Right. But we can't do this now. I would postpone it for gnupg26

werner triaged this task as Normal priority.Mon, Nov 11, 8:46 AM
werner added a project: gnupg26.
ebo mentioned this in T6846: Kleopatra: learn TCOS cards automatically.Tue, Nov 12, 4:40 PM