[Bug 1641746] Re: gpg2: gpg2 --card-status: gpg: selecting openpgp failed: Card error
Dimitri John Ledkov
launchpad at surgut.co.uk
Tue Nov 15 00:52:19 UTC 2016
Yubikey 4 is a multi-function device.
It can generate static passwords, yubi-oauth, event totp.
Furthermore, it has multiple applets:
- openpgp card
- PKCS#11 mode (e.g. to have elliptic curve private key for SSL)
- unlimited time & event based tokens (for use with yubioauth desktop app)
- fido U2F
And maybe others.
I have found that Yubikey applets do lock the device up, thus care needs
to be taken when multiple applets access the device. Specifically, pcscd
is probably preventing scdaemon from using the card. Similarly, after
using yubioauth desktop app to generate OTP tokens I must close
yubioauth app & remove & reinsert the yubikey to get OpenPGP
functionality going again.
I'm not sure if it's a bug in software side stacks, or just the simple
fact of life that yubikey is a multi-function device that needs access
mitigation assistance.
I use neo on 16.04. I have not upgraded to yubikey 4 yet, but I know
that some people on my team have.
--
https://bugs.launchpad.net/bugs/1641746
Title:
gpg2: gpg2 --card-status: gpg: selecting openpgp failed: Card error
Status in gnupg2 package in Ubuntu:
New
Bug description:
gpg2 does not work with OpenPGP card:
$ gpg2 --card-status
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error
I also enabled scdaemon debug output and have the following there:
2016-11-14 22:43:49 scdaemon[4817] listening on socket '/home/antonm/.gnupg/S.scdaemon'
2016-11-14 22:43:49 scdaemon[4817] handler for fd -1 started
2016-11-14 22:43:49 scdaemon[4817] DBG: enter: apdu_open_reader: portstr=(null)
2016-11-14 22:43:49 scdaemon[4817] detected reader 'Yubico Yubikey 4 U2F+CCID 00 00'
2016-11-14 22:43:49 scdaemon[4817] detected reader 'Gemalto GemPC Express 01 00'
2016-11-14 22:43:49 scdaemon[4817] reader slot 0: not connected
2016-11-14 22:43:49 scdaemon[4817] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
2016-11-14 22:43:49 scdaemon[4817] DBG: chan_5 -> OK GNU Privacy Guard's Smartcard server ready
2016-11-14 22:43:49 scdaemon[4817] DBG: chan_5 <- GETINFO socket_name
2016-11-14 22:43:49 scdaemon[4817] DBG: chan_5 -> D /home/antonm/.gnupg/S.scdaemon
2016-11-14 22:43:49 scdaemon[4817] DBG: chan_5 -> OK
2016-11-14 22:43:49 scdaemon[4817] DBG: chan_5 <- OPTION event-signal=12
2016-11-14 22:43:49 scdaemon[4817] DBG: chan_5 -> OK
2016-11-14 22:43:49 scdaemon[4817] DBG: chan_5 <- GETINFO version
2016-11-14 22:43:49 scdaemon[4817] DBG: chan_5 -> D 2.1.11
2016-11-14 22:43:49 scdaemon[4817] DBG: chan_5 -> OK
2016-11-14 22:43:49 scdaemon[4817] DBG: chan_5 <- SERIALNO openpgp
2016-11-14 22:43:49 scdaemon[4817] DBG: enter: apdu_connect: slot=0
2016-11-14 22:43:49 scdaemon[4817] pcsc_connect failed: sharing violation (0x8010000b)
2016-11-14 22:43:49 scdaemon[4817] reader slot 0: not connected
2016-11-14 22:43:49 scdaemon[4817] DBG: leave: apdu_connect => sw=0x10006
2016-11-14 22:43:49 scdaemon[4817] DBG: chan_5 -> ERR 100663404 Card error <SCD>
2016-11-14 22:43:49 scdaemon[4817] DBG: chan_5 <- RESTART
2016-11-14 22:43:49 scdaemon[4817] DBG: chan_5 -> OK
2016-11-14 22:43:49 scdaemon[4817] DBG: enter: apdu_get_status: slot=0 hang=0
2016-11-14 22:43:49 scdaemon[4817] DBG: leave: apdu_get_status => sw=0x0 status=6 changecnt=1
2016-11-14 22:43:49 scdaemon[4817] updating reader 0 (0) status: 0x0000->0x0006 (0->1)
2016-11-14 22:43:49 scdaemon[4817] sending signal 12 to client 2143
2016-11-14 22:43:50 scdaemon[4817] DBG: enter: apdu_get_status: slot=0 hang=0
that might be the reason. The card in question is Yubikey 4 with
OpenPGP applet loaded, but I also tried regular OpenPGP v2 card with
the same result.
I also have pcscd running as I use Estonian eID card and a couple of other
smart cards too.
systemctl status pcscd.service has the following in log:
Nov 14 22:12:36 loki systemd[1]: Started PC/SC Smart Card Daemon.
Nov 14 22:12:36 loki pcscd[2045]: 00000000 ifdhandler.c:144:CreateChannelByNameOrChannel() failed
Nov 14 22:12:36 loki pcscd[2045]: 00000029 readerfactory.c:1043:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0406:libudev:0:/dev/bus/usb/002/003)
Nov 14 22:12:36 loki pcscd[2045]: 00000006 readerfactory.c:335:RFAddReader() Yubico Yubikey 4 U2F+CCID init failed
But pcsc_scan works and is able to recognize OpenPGP card on Yubikey:
$ pcsc_scan
PC/SC device scanner
V 1.4.25 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau at free.fr>
Compiled with PC/SC lite version: 1.8.14
Using reader plug'n play mechanism
Scanning present readers...
0: Yubico Yubikey 4 U2F+CCID 00 00
1: Gemalto GemPC Express 01 00
Mon Nov 14 22:54:46 2016
Reader 0: Yubico Yubikey 4 U2F+CCID 00 00
Card state: Card inserted, Shared Mode,
ATR: 3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4
ATR: 3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4
+ TS = 3B --> Direct Convention
+ T0 = F8, Y(1): 1111, K: 8 (historical bytes)
TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU
43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s
TB(1) = 00 --> VPP is not electrically connected
TC(1) = 00 --> Extra guard time: 0
TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
-----
TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1
-----
TA(3) = FE --> IFSC: 254
TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5
+ Historical bytes: 59 75 62 69 6B 65 79 34
Category indicator byte: 59 (proprietary format)
+ TCK = D4 (correct checksum)
Possibly identified card (using /home/antonm/.cache/smartcard_list.txt):
3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4
Yubico Yubikey 4 OTP+CCID
and the only process using /dev/bus/usb/002/003 according to lsof is
pcscd itself.
Tried a couple of restarts of pcscd, gpg-agent and scdaemon with no
success. Also tried "disable-ccid" for scdaemon.conf with not much
luck either.
At this point I am stuck with debugging it further. If anything comes
to mind I will update the bug.
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: gnupg2 2.1.11-6ubuntu2
ProcVersionSignature: Ubuntu 4.4.0-47.68-generic 4.4.24
Uname: Linux 4.4.0-47-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Mon Nov 14 22:47:15 2016
InstallationDate: Installed on 2016-05-16 (182 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
SourcePackage: gnupg2
UpgradeStatus: No upgrade log present (probably fresh install)
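Added example, not part of the original bug report or of GnuPG: a small Python triage helper that reads scdaemon debug lines like the ones above, decodes the PC/SC return code and the numeric Assuan error into their symbolic names, and reports which reader was affected. The function names are hypothetical, and the code tables are small subsets of pcsclite.h and gpg-error.h.

```python
import re

# Subset of PC/SC return codes from pcsc-lite's pcsclite.h.
PCSC_CODES = {
    0x80100009: "SCARD_E_UNKNOWN_READER",
    0x8010000B: "SCARD_E_SHARING_VIOLATION",
    0x8010000C: "SCARD_E_NO_SMARTCARD",
    0x80100017: "SCARD_E_READER_UNAVAILABLE",
    0x8010001D: "SCARD_E_NO_SERVICE",
    0x80100069: "SCARD_W_REMOVED_CARD",
}
# Subset of libgpg-error sources and codes from gpg-error.h.
GPG_SOURCES = {2: "GPG", 4: "GPGAGENT", 6: "SCD"}
GPG_CODES = {108: "GPG_ERR_CARD", 110: "GPG_ERR_CARD_REMOVED"}

# Four lines copied from the scdaemon debug log in the bug description.
SAMPLE = [
    "2016-11-14 22:43:49 scdaemon[4817] detected reader 'Yubico Yubikey 4 U2F+CCID 00 00'",
    "2016-11-14 22:43:49 scdaemon[4817] detected reader 'Gemalto GemPC Express 01 00'",
    "2016-11-14 22:43:49 scdaemon[4817] pcsc_connect failed: sharing violation (0x8010000b)",
    "2016-11-14 22:43:49 scdaemon[4817] DBG: chan_5 -> ERR 100663404 Card error <SCD>",
]

def decode_gpg_error(value):
    """Split a gpg-error value: source in bits 24-30, code in the low 16 bits."""
    source, code = (value >> 24) & 0x7F, value & 0xFFFF
    return GPG_SOURCES.get(source, source), GPG_CODES.get(code, code)

def triage(lines):
    """Collect readers seen, decoded PC/SC failures and decoded Assuan errors."""
    report = {"readers": [], "pcsc": [], "assuan": []}
    for line in lines:
        if m := re.search(r"detected reader '([^']+)'", line):
            report["readers"].append(m.group(1))
        elif m := re.search(r"pcsc_\w+ failed: .*\(0x([0-9a-fA-F]+)\)", line):
            code = int(m.group(1), 16)
            report["pcsc"].append(PCSC_CODES.get(code, hex(code)))
        elif m := re.search(r"-> ERR (\d+) ", line):
            report["assuan"].append(decode_gpg_error(int(m.group(1))))
    return report

def diagnose(lines):
    """One-line verdict for the sharing-violation case discussed in this bug."""
    r = triage(lines)
    if "SCARD_E_SHARING_VIOLATION" in r["pcsc"] and r["readers"]:
        # Assumption: with no reader-port set, scdaemon opens the first reader listed.
        return f"{r['readers'][0]}: blocked by another PC/SC connection (sharing violation)"
    return "no sharing violation in this log"

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(diagnose(SAMPLE))
```

The decoded Assuan value shows that "Card error" is only the generic code scdaemon returns to gpg; the specific cause is the PC/SC code on the pcsc_connect line.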