
#1 2015-09-08 12:11:05

gpio
Member
Registered: 2015-09-08
Posts: 2

GPG2 Doesn't detect card key / yubikey neo

As shown here, ykneomgr can access the yubikey but gpg2 doesn't detect it.

┌[z@qrta]─[23058295-0494-4020-a9fd-bdc88a23dfcd]
└[$]> ykneomgr -m -d
Trying reader 0: Alcor Micro AU9540 00 00
SCardConnect 2148532236
Trying reader 1: Yubico Yubikey NEO OTP+CCID 01 00
--> 13: 00 a4 04 00 08 a0 00 00 05 27 20 01 01 
<-- 12: 03 04 01 01 85 07 82 00 00 00 90 00 
versionMajor 3
versionMinor 4
versionBuild 1
pgmSeq 1
touchLevel 34055
mode 82
crTimeout 0
autoEjectTime 0
--> 4: 00 01 10 00 
<-- 6: 00 37 9e 77 90 00 
serialno 3645047
82
┌[z@qrta]─[23058295-0494-4020-a9fd-bdc88a23dfcd]
└[$]> ./gpg.sh --debug-level guru --edit-key BCF7D141
gpg: WARNING: unsafe permissions on homedir '/run/media/gpio/23058295-0494-4020-a9fd-bdc88a23dfcd'
gpg (GnuPG) 2.1.7; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing cardio ipc clock lookup extprog
 [... snip ...]
gpg> addcardkey 
gpg: DBG: chan_4 -> SCD SERIALNO openpgp
gpg: DBG: chan_4 <- ERR 100663408 Card not present <SCD>
gpg: selecting openpgp failed: Card not present
gpg: key operation not possible: Card not present

gpg.sh is a short script to run gpg2 off my usb key:

DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
gpg2 --homedir="$DIR" "$@"

PCSCD is running:

┌[z@qrta]─[23058295-0494-4020-a9fd-bdc88a23dfcd]
└[$]> systemctl status pcscd
● pcscd.service - PC/SC Smart Card Daemon
   Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled)
   Active: active (running) since Tue 2015-09-08 12:39:30 BST; 30min ago
 Main PID: 2136 (pcscd)
   CGroup: /system.slice/pcscd.service
           └─2136 /usr/bin/pcscd --foreground --auto-exit

Sep 08 12:40:52 qrta pcscd[2136]: 00000008 readerfactory.c:1043:RFInitializeReader() Open Port 0x200001 .../019)
Sep 08 12:40:52 qrta pcscd[2136]: 00000002 readerfactory.c:335:RFAddReader() Yubico Yubikey NEO OTP+CCID...iled.
Sep 08 12:55:36 qrta pcscd[2136]: 99999999 ccid_usb.c:747:WriteUSB() write failed (1/19): -4 LIBUSB_ERRO...EVICE
Sep 08 12:55:47 qrta pcscd[2136]: 11253033 ifdhandler.c:130:CreateChannelByNameOrChannel() failed
Sep 08 12:55:47 qrta pcscd[2136]: 00000007 readerfactory.c:1043:RFInitializeReader() Open Port 0x200000 .../020)
Sep 08 12:55:47 qrta pcscd[2136]: 00000002 readerfactory.c:335:RFAddReader() Yubico Yubikey NEO OTP+CCID...iled.
Sep 08 13:01:34 qrta pcscd[2136]: 99999999 ccid_usb.c:747:WriteUSB() write failed (1/20): -4 LIBUSB_ERRO...EVICE
Sep 08 13:06:07 qrta pcscd[2136]: 99999999 ifdhandler.c:130:CreateChannelByNameOrChannel() failed
Sep 08 13:06:07 qrta pcscd[2136]: 00000007 readerfactory.c:1043:RFInitializeReader() Open Port 0x200000 .../021)
Sep 08 13:06:07 qrta pcscd[2136]: 00000003 readerfactory.c:335:RFAddReader() Yubico Yubikey NEO OTP+CCID...iled.
Hint: Some lines were ellipsized, use -l to show in full.

Last edited by gpio (2015-09-08 12:11:23)


#2 2015-09-08 13:22:01

gpio
Member
Registered: 2015-09-08
Posts: 2

Re: GPG2 Doesn't detect card key / yubikey neo

Okay, I got GPG2 to detect it. I'm not entirely sure which solution I tried made it work, but I found this article http://forum.yubico.com/viewtopic.php?f=26&t=1878 and added the appropriate line to scdaemon.conf.

I then started gpg-agent from my usb drive with `gpg-agent --homedir="$(pwd)"`.

[z@qrta]─[2ed36dd9-75df-4fc4-aaee-e4cf5e8c8de6]
└[$]> ./gpg.sh --card-edit
gpg: WARNING: unsafe permissions on homedir '/run/media/gpio/2ed36dd9-75df-4fc4-aaee-e4cf5e8c8de6'

Application ID ...: D2760001240102000006036450470000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03645047
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 0 3 2
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

However, trying to do anything with the thing just gives a Card error:

gpg> addcardkey 
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select the type of key to generate:
   (1) Signature key
   (2) Encryption key
   (3) Authentication key
Your selection? 1
gpg: error clearing forced signature PIN flag: Card error

The card errors appear to count toward failed admin passwords, since I'm now locked out of the device. I have a spare fortunately. Attempting to reset the yubikey gives "Card removed":

┌[z@qrta]─[2ed36dd9-75df-4fc4-aaee-e4cf5e8c8de6]
└[$]> gpg-connect-agent --hex --homedir="$(pwd)"
> scd apdu 00 e6 00 00
ERR 100663406 Card removed <SCD>
> scd apdu 00 e6 00 00
ERR 100663406 Card removed <SCD>

Last edited by gpio (2015-09-08 13:22:38)
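
Added example, not part of the original posts: a Python pre-flight check that parses the card status block quoted in post #2, decodes the Application ID into its fields, and names which PIN each retry counter belongs to (gpg prints them in the order user PIN, reset code, admin PIN), so a blocked or nearly exhausted PIN is visible before an admin operation is attempted. The function names and the `min_admin_tries` threshold are assumptions of this example.

```python
import re

# Card status lines as printed in post #2 above (only the fields used here).
STATUS = """\
Application ID ...: D2760001240102000006036450470000
Signature PIN ....: forced
PIN retry counter : 0 3 2
"""

OPENPGP_RID = "D276000124"          # registered ID prefix of the OpenPGP card application
MANUFACTURERS = {"0006": "Yubico"}  # only the ID seen on this page; others are returned raw


def parse_status(text):
    """Turn 'Label ....: value' lines into a dict keyed by the bare label."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?)[ .]*: ?(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def decode_aid(aid):
    """Split the 16-byte application ID: RID, app, version, manufacturer, serial, RFU."""
    aid = aid.upper()
    if len(aid) != 32 or not aid.startswith(OPENPGP_RID + "01"):
        raise ValueError("not an OpenPGP card AID")
    return {
        "version": f"{int(aid[12:14], 16)}.{int(aid[14:16], 16)}",
        "manufacturer": MANUFACTURERS.get(aid[16:20], aid[16:20]),
        "serial": aid[20:28],
    }


def preflight(text, min_admin_tries=2):
    """Report card identity, per-PIN tries left, blocked PINs, and an admin go/no-go."""
    fields = parse_status(text)
    user, reset, admin = (int(n) for n in fields["PIN retry counter"].split())
    counters = {"user PIN": user, "reset code": reset, "admin PIN": admin}
    return {
        "card": decode_aid(fields["Application ID"]),
        "counters": counters,
        "blocked": [name for name, left in counters.items() if left == 0],
        # Assumed policy: stop while at least one admin attempt is still in reserve.
        "admin_ok": admin >= min_admin_tries,
    }


if __name__ == "__main__":
    print(preflight(STATUS))
```

Run against the status in post #2, it reports the user PIN counter at 0 and two admin PIN tries remaining.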
