Debian Bug report logs - #854595
scdaemon: Yubikey smartcards (maybe others) are not recognized after update from 2.1.17-4 to 2.1.18-4

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Camille MONCELIER <cmoncelier@sii.fr>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: scdaemon: Yubikey smartcards (maybe others) are not recognized after update from 2.1.17-4 to 2.1.18-4

Date: Wed, 8 Feb 2017 15:30:34 +0100

[Message part 1 (text/plain, inline)]

Package: scdaemon
Version: 2.1.17-4
Severity: normal

Dear Maintainer,

After updating gnupg2 to 2.1.18-4, I'm unable to use my gpg keys stored on a
Yubikey.

I can easily reproduce the problem like this:

$ sudo dpkg -i /var/cache/apt/archives/*_2.1.18-4_*
[.... snip ....]
Setting up gnupg2 (2.1.18-4) ...
$ sudo pkill gpg-agent
$ gpg2 --card-edit
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device

$ sudo dpkg -i /var/cache/apt/archives/*_2.1.17-4_*.deb
[.... snip ....]
Setting up gnupg2 (2.1.17-4) ...
$ sudo pkill gpg-agent
[pix:~] % gpg2 --card-edit
Reader ...........: Yubico Yubikey NEO U2F CCID 00 00
Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: XXXXXXXX

Here is the logfile from scdaemon:
2017-02-08 15:17:23 scdaemon[11566] SIGTERM received - still 0 running
threads
2017-02-08 15:17:23 scdaemon[11566] scdaemon (GnuPG) 2.1.18 stopped
2017-02-08 15:17:24 scdaemon[11764] listening on socket
'/run/user/1000/gnupg/S.scdaemon'
2017-02-08 15:17:24 scdaemon[11764] handler for fd -1 started
2017-02-08 15:17:24 scdaemon[11764] DBG: chan_5 -> OK GNU Privacy Guard's
Smartcard server ready
2017-02-08 15:17:24 scdaemon[11764] DBG: chan_5 <- GETINFO socket_name
2017-02-08 15:17:24 scdaemon[11764] DBG: chan_5 -> D
/run/user/1000/gnupg/S.scdaemon
2017-02-08 15:17:24 scdaemon[11764] DBG: chan_5 -> OK
2017-02-08 15:17:24 scdaemon[11764] DBG: chan_5 <- OPTION event-signal=12
2017-02-08 15:17:24 scdaemon[11764] DBG: chan_5 -> OK
2017-02-08 15:17:24 scdaemon[11764] DBG: chan_5 <- GETINFO version
2017-02-08 15:17:24 scdaemon[11764] DBG: chan_5 -> D 2.1.18
2017-02-08 15:17:24 scdaemon[11764] DBG: chan_5 -> OK
2017-02-08 15:17:24 scdaemon[11764] DBG: chan_5 <- SERIALNO openpgp
2017-02-08 15:17:24 scdaemon[11764] DBG: apdu_open_reader: BAI=10901
2017-02-08 15:17:24 scdaemon[11764] DBG: apdu_open_reader: new device=10901
2017-02-08 15:17:24 scdaemon[11764] ccid open error: skip
2017-02-08 15:17:24 scdaemon[11764] DBG: chan_5 -> ERR 100696144 No such
device
<SCD>
2017-02-08 15:17:25 scdaemon[11764] DBG: chan_5 <- RESTART
2017-02-08 15:17:25 scdaemon[11764] DBG: chan_5 -> OK

Have a nice day !
C.M.



-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages scdaemon depends on:
ii  gnupg-agent    2.1.17-4
ii  libassuan0     2.4.3-2
ii  libc6          2.24-9
ii  libgcrypt20    1.7.6-1
ii  libgpg-error0  1.26-2
ii  libksba8       1.3.5-2
ii  libnpth0       1.3-1
ii  libusb-1.0-0   2:1.0.21-1

scdaemon recommends no packages.

scdaemon suggests no packages.

-- no debconf information

-- 
<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
    <title></title>
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <style>
td,div,a {
  font-family: Calibri,Candara,Segoe,'Segoe UI',sans-serif; font-size:
12px;
  color: #000;
}
a, a:hover, a:visited, .imp {
  color: #035ba0;
}
</style>
    <div>
      <br>
      <br>
      <br>
      <br>
      <br>
      <br>
    </div>
    <table style="vertical-align: top; " border="0" width="425"
      cellpadding="0" cellspacing="0">
      <tbody>
        <tr>
          <td>
            <table>
              <tbody>
                <tr>
                  <td><img alt="Face"
src="file:///home/pix/Work/2016/00%20-%20Administratif/2016-02-12%20-%20Signature%20eMail/face.png"
                      dfsrc="doc:Briefcase/unnamed.png" height="48"
                      width="48"></td>
                  <td>
                    <div class="imp" style="font-size: 150%;">Camille
                      MONCELIER</div>
                    <div class="imp" style="font-size: 120%;">Expert SSI
                      <br>
                      Sécurité du Numérique</div>
                  </td>
                </tr>
              </tbody>
            </table>
          </td>
          <td>
            <table>
              <tbody>
                <tr>
                  <td>Tel:</td>
                  <td><a style="color: #035ba0"

href="tel:+33-2-99-12-11-23">+33&nbsp;2&nbsp;99&nbsp;12&nbsp;11&nbsp;23</a></td>
                </tr>
                <tr>
                  <td>Mobile:</td>
                  <td><a style="color: #035ba0"

href="tel:+33-6-33-37-88-82">+33&nbsp;6&nbsp;33&nbsp;37&nbsp;88&nbsp;82</a></td>
                </tr>
                <tr>
                  <td>@:</td>
                  <td><a style="color: #035ba0"

href="mailto:cmoncelier@sii.fr">cmoncelier@sii.fr</a></td>
                </tr>
                <tr>
                  <td>Twitter:</td>
                  <td><a style="color: #035ba0"
                      href="https://twitter.com/pix">@pix</a></td>
                </tr>
              </tbody>
            </table>
          </td>
        </tr>
        <tr>
          <td style="padding: 10px 0 10px;" colspan="2">GPG Fingerprint
            : <a style="color: #035ba0"
              href="https://keybase.io/pixdamix">50FB A39B D491 3B76
              18A1 E0FD 8F47 DEDB 094A E1EA</a></td>
        </tr>
        <tr>
          <td colspan="2"><img alt="SII"
src="file:///home/pix/Work/2016/00%20-%20Administratif/2016-02-12%20-%20Signature%20eMail/SII-Signature-mail-rennes.jpg"
              dfsrc="doc:Briefcase/SII-Signature-mail-rennes.jpg"
              height="81" width="425"></td>
        </tr>
      </tbody>
    </table>
  </body>
</html>

[signature.asc (application/pgp-signature, attachment)]

Message #10 received at 854595@bugs.debian.org (full text, mbox, reply):

From: NIIBE Yutaka <gniibe@fsij.org>

To: cmoncelier@sii.fr, 854595@bugs.debian.org

Subject: Re: [pkg-gnupg-maint] Bug#854595: scdaemon: Yubikey smartcards (maybe others) are not recognized after update from 2.1.17-4 to 2.1.18-4

Date: Thu, 09 Feb 2017 15:58:30 +0900

Hello,

Thank you for your reporting.

Camille MONCELIER <cmoncelier@sii.fr> wrote:
> After updating gnupg2 to 2.1.18-4, I'm unable to use my gpg keys stored on a
> Yubikey.
>
> I can easily reproduce the problem like this:

If you don't need PC/SC service, and when it can be your option, please
try using the internal CCID driver of GnuPG by configuring udev rules.

> 2017-02-08 15:17:24 scdaemon[11764] DBG: chan_5 <- SERIALNO openpgp
> 2017-02-08 15:17:24 scdaemon[11764] DBG: apdu_open_reader: BAI=10901
> 2017-02-08 15:17:24 scdaemon[11764] DBG: apdu_open_reader: new device=10901
> 2017-02-08 15:17:24 scdaemon[11764] ccid open error: skip
> 2017-02-08 15:17:24 scdaemon[11764] DBG: chan_5 -> ERR 100696144 No such
> device
> <SCD>

This error is from the internal CCID driver of GnuPG.  It fails to
find a device because you don't have a configuration.

As I explained in:

    https://bugs.debian.org/854616

Until we fixed configuration (by adding an entry for Yubikey),
please have a udev rules like:

---------------- /etc/udev/rules.d/yubikey-neo-u2f-ccid.rules
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0115", MODE="664", GROUP="plugdev"
----------------

And please add yourself as a group member of "plugdev".

In my case, I have this line in /etc/group:

    plugdev:x:46:gniibe

The idProduct value is my guess.  Please confirm by lsusb command.

In my case:

    $ lsusb
    Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
    Bus 001 Device 009: ID 234b:0000  
    Bus 001 Device 008: ID 234b:0000  
    Bus 001 Device 007: ID 05e3:0608 Genesys Logic, Inc. Hub
    Bus 001 Device 003: ID 0489:e056 Foxconn / Hon Hai 
    Bus 001 Device 002: ID 1bcf:2c67 Sunplus Innovation Technology Inc. 
    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

234b:0000 (idVendor = 234b, idProduct=0000) is my Gnuk Tokens.

And please reply back to us again, so that we can add a correct
entry for the configuration.
-- 

Message #15 received at 854595-submitter@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: 854595-submitter@bugs.debian.org

Subject: Bug#854595 marked as pending

Date: Mon, 13 Feb 2017 15:01:01 +0000

tag 854595 pending
thanks

Hello,

Bug #854595 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=pkg-gnupg/gnupg2.git;a=commitdiff;h=4c91bae

---
commit 4c91bae777022f7ffd2ac4fa69837d59653eeb8f
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Mon Feb 13 09:41:56 2017 -0500

    prepare new debian release

diff --git a/debian/changelog b/debian/changelog
index edd953b..bca7302 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+gnupg2 (2.1.18-5) unstable; urgency=medium
+
+  [ Daniel Kahn Gillmor ]
+  * Xsession.d/90gpg-agent: use simpler and more direct gpgconf
+    invocations for socket names.
+
+  [ NIIBE Yutaka ]
+  * scdaemon.udev: Add Yubikey and Nitrokey (Closes: #648331, 734889).
+  * scdaemon fix for PC/SC (Closes: #852702, #854005, #854595, #854616).
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 13 Feb 2017 09:15:07 -0500
+
 gnupg2 (2.1.18-4) unstable; urgency=medium
 
   [ Daniel Kahn Gillmor ]

Message #20 received at 854595-close@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: 854595-close@bugs.debian.org

Subject: Bug#854595: fixed in gnupg2 2.1.18-5

Date: Mon, 13 Feb 2017 15:18:52 +0000

Source: gnupg2
Source-Version: 2.1.18-5

We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 854595@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <dkg@fifthhorseman.net> (supplier of updated gnupg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 13 Feb 2017 09:15:07 -0500
Source: gnupg2
Binary: gnupg-agent scdaemon gpgsm gnupg gnupg2 gpgv gpgv2 dirmngr gpgv-udeb gpgv-static gpgv-win32 gnupg-l10n
Architecture: source
Version: 2.1.18-5
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
Changed-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Description:
 dirmngr    - GNU privacy guard - network certificate management service
 gnupg      - GNU privacy guard - a free PGP replacement
 gnupg-agent - GNU privacy guard - cryptographic agent
 gnupg-l10n - GNU privacy guard - localization files
 gnupg2     - GNU privacy guard - a free PGP replacement (dummy transitional pa
 gpgsm      - GNU privacy guard - S/MIME version
 gpgv       - GNU privacy guard - signature verification tool
 gpgv-static - minimal signature verification tool (static build)
 gpgv-udeb  - minimal signature verification tool (udeb)
 gpgv-win32 - GNU privacy guard - signature verification tool (win32 build)
 gpgv2      - GNU privacy guard - signature verification tool (dummy transition
 scdaemon   - GNU privacy guard - smart card support
Closes: 648331 734889 852702 854005 854595 854616
Changes:
 gnupg2 (2.1.18-5) unstable; urgency=medium
 .
   [ Daniel Kahn Gillmor ]
   * Xsession.d/90gpg-agent: use simpler and more direct gpgconf
     invocations for socket names.
 .
   [ NIIBE Yutaka ]
   * scdaemon.udev: Add Yubikey and Nitrokey (Closes: #648331, 734889).
   * scdaemon fix for PC/SC (Closes: #852702, #854005, #854595, #854616).
Checksums-Sha1:
 7107ae53a9a7b92c96abd2189b34a0d9cd1fba99 3148 gnupg2_2.1.18-5.dsc
 b31b7f97466e99c49c4eb9320b6df12d32d87e78 67321 gnupg2_2.1.18-5.debian.tar.bz2
 a1c521fc8bf43272c59490065eef86cecf06821d 9975 gnupg2_2.1.18-5_source.buildinfo
Checksums-Sha256:
 8eb4d1d8bb97ac770e8f50e558046981fd6f1fea169ae5e74ac959a6d033a35d 3148 gnupg2_2.1.18-5.dsc
 e6dbc03c9a163baff078a47b0f7c023d8b830f80bf6ae486e6a580fbdb71d9c2 67321 gnupg2_2.1.18-5.debian.tar.bz2
 e24155aeaccd93a834ace33df252d57538679afff471235bb770af4140365ec8 9975 gnupg2_2.1.18-5_source.buildinfo
Files:
 cffe62364ca47384f8347317a5d1a673 3148 utils optional gnupg2_2.1.18-5.dsc
 950b349fb8ed2ee14a00155da3ae2650 67321 utils optional gnupg2_2.1.18-5.debian.tar.bz2
 f39a698baf6d532deab22cb867f3a4b3 9975 utils optional gnupg2_2.1.18-5_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJKBAEBCgA0FiEEOCdgUepHf6PklTkyFJitxsGSMjcFAlihyfYWHGRrZ0BmaWZ0
aGhvcnNlbWFuLm5ldAAKCRAUmK3GwZIyN9UvD/0aFI/Jphk4kTyJC/bx5G7vcgpu
pPCrtlb5/FDvko1XJUMohcS8dFuMf7PPHpQZH31kjqawbQMSzVYhXy9wZL6r+hrg
xz68kJ1CgCTFO/HB+h1dTLASt4OuVGfKGpkuueXenR3kCY7Ghx8H6YOlhYRMtVT6
yWhdpGKHIvR82sCLN61iqMut3NTh47MB1QUmWd1zQPNoGPWLBK2dt7hNvqQWvFZ4
XXsGkjk6LQrZegX4JIrAEjsqIjXQlKJhOWnCA4+86EIVbjnUaYjZKX7q2dHOG21Y
DxT6rn4qx9PCMTR5krJPht4R1hbc6C0aZT4y3I6Cp53FS3uZGD84YxGYND9v5WSb
auu5FGwE0xN+RAbHOVTxh0lIuySJJTkIdX78kqsnuaSaNkXCfgiNo3xacs9uY+9d
TYKg17ouRsbnETkVqpDngTaaaY9pK6ajk/u3uyA3znEWp870ww/7gvrMjCl1gkfP
hinmFseLTKOvHQFlDAZb6HTj/V7SXqSr25hMpSoWNXC8ylypfh90fnDD+YNpFXMm
VND3eZTNtW/EEQTxiWVbDrWXFoIrFTioRHLlbH4rC3dkJ0RjxeMiKcKPzrap/5ht
6vu/nqkBgltt/8UPIctb+6Qe5czMFDJj8T+B/m3+sarCzjd4njHcn0Og4H4flvqY
M07IRiEkzX00kH824A==
=fpGR
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.