You are not logged in.
My card readers won't work completely on Arch anymore. They can read my identity card but the Verify PIN (of eid-viewer) doesn't work and immediately give me a PIN incorrect error when pressing the Verify PIN button. And on any of the websites, the connection times out as soon as I choose the certificate from my ID card. So I'm also never asked for my card's PIN code.
This issue happens on every recent Arch (and Manjaro) version. On a very old Manjaro version and Kubuntu it works.
I did everything from the wiki https://wiki.archlinux.org/title/Electr … tification of the Belgian section.
The one I'm using mostly is:
Bus 003 Device 008: ID 1a44:0001 VASCO Data Security International Digipass 905 SmartCard ReaderI tested with Firefox and Vivaldi browsers.
I'm using Wayland.
Last edited by EarthMind (2023-10-05 16:30:24)
Offline
When did this start, exactly? 'recent' isn't a very good description.
Offline
I can't pinpoint the start of the issue unfortunately. With that I meant "an up-to-date" arch, because as mentioned, on my (very) outdated Manjaro on my desktop computer it did work last I tried.
Offline
Did you see and implement
For Firefox, add the Firefox plugin to your browser. In recent versions, you will need to manually add the eID module to the Firefox security devices configuration.
Is there any dmesg response when trying to use the device (in particular error messages, but also anything else)?
Also
systemctl status pcscd.serviceold Manjaro version and Kubuntu it works
it did work last I tried
When exactly was "last I tried"? Can we rule out a HW/system failure?
Online
Did you see and implement
For Firefox, add the Firefox plugin to your browser. In recent versions, you will need to manually add the eID module to the Firefox security devices configuration.
Is there any dmesg response when trying to use the device (in particular error messages, but also anything else)?
Also
systemctl status pcscd.serviceold Manjaro version and Kubuntu it works
it did work last I tried
When exactly was "last I tried"? Can we rule out a HW/system failure?
systemctl status pcscd.service:
sep 30 18:02:27 pluto pcscd[1757]: 16075369 prothandler.c:86:PHSetProtocol() Protocol T=0 requested but unsupported by the cardThe Firefox part is no issue, because I can select the certificate properly. The issue is also not just limited to firefox.
dmesg doesn't show any issue and it's also not a hardware issue, taking into account it works on other systems and it can still read the eid on Arch. The dmesg log is:
2023-09-30T22:40:05,099750+02:00 usb 3-1: new full-speed USB device number 21 using xhci_hcd
2023-09-30T22:40:05,270015+02:00 usb 3-1: New USB device found, idVendor=1a44, idProduct=0001, bcdDevice= 1.02
2023-09-30T22:40:05,270025+02:00 usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
2023-09-30T22:40:05,270028+02:00 usb 3-1: Product: DP905v2.1
2023-09-30T22:40:05,270031+02:00 usb 3-1: Manufacturer: OneSpanThe "last I tried" was somewhere beginning this month.
Last edited by EarthMind (2023-09-30 20:47:44)
Offline
https://gitlab.archlinux.org/archlinux/ … mmits/main saw a major release update this summer - are you still using the 1.9xx version on the older, working systems?
You could attempt a downgrade ![]()
Online
That sounds like a good idea, but I assume it would be quite the challenge on Arch. I've never attempted such a thing for packages that are not in cache
Offline
You can get it from the https://wiki.archlinux.org/title/Arch_Linux_Archive and "pacman -U" it
Unfortunately it's not quite a leaf-package, so this may break things (though at least wpa_supplicant predates the version change, so unlikely to get issues in that direction)
=> Make sure to have a local copy of the current package (in the cache) unless you're ready to manually copy it onto the system (though frankly, I don't expect the downgrade to break stuff, just be mindful of the lib32 version if you've multilib enabled)
Online
Wow, that was much easier than how I thought I had to do it. Unfortunately it didn't work and the same issue occurs.
I downgraded to 1.9.9 and then 1.9.6 and restarted pcsclite.service. I even downgraded the pcsc-tools and eid-mw packages and restarted laptop; same result.
Offline
This is not gonna help much but I can confirm that my belgian eid still works on my uptodate (just did an update right now to be sure) arch install.
I can use eid-viewer to test my pin and I can connect to official sites using firefox with the « eID Belgique » plugin.
% pacman -Qi eid-mw pcsclite opensc ccid | grep Version
Version : 5.1.10-1
Version : 2.0.0-1
Version : 0.23.0-1
Version : 1.5.2-1and the firefox plugin is version 1.0.32.
My card reader appears in lsusb as
Bus 001 Device 003: ID 0bda:0169 Realtek Semiconductor Corp. Mass Storage Device(it is a sitecom product bought at media markt many years ago).
I tested this on kde plasma under wayland and with hyprland (rebooting between tests).
I usually use the lts kernel but I also tested with hyprland with the regular arch kernel.
It does not look like a hardware problem on your side since your hardware works with other older os.
It also does not look like a general software bug since it works for me (
yeah I know, not a very usefull argument).
Could it be some kind of configuration problem ? I don't see what though because I didn't configure anything regarding that software, I installed it three years ago and it just works out of the box.
Sorry for not being of much help.
Offline
Does that thing use pinentry?
@EarthMind can you
echo GETPIN | pinentryAlso, sanity check
loginctl session-status
echo $DBUS_SESSION_BUS_ADDRESS@daysfled,
ps faxwhen being asked for a pin might be even more help than you're already providing here.
Online
@seth,
The last lines from ps fax (executed when eid-viewer was asking for my pin) are
6638 tty2 Sl+ 0:00 /usr/bin/eid-viewer
6681 tty2 SLl+ 0:00 \_ /usr/bin/pinentry-gtk-2
6657 ? Ssl 0:00 /usr/bin/pcscd --foreground --auto-exit(the full output is available at https://0x0.st/HWzt.txt)
Offline
Does that thing use pinentry?
"yes it does"
@EarthMind, try to invoke that manually.
Online
echo GETPIN | pinentry
OK Pleased to meet you
S ERROR curses.isatty 83918950
ERR 83918950 Inappropriate ioctl for device <Pinentry>
loginctl session-status
2 - ik (1000)
Since: Sun 2023-10-01 10:49:58 CEST; 2h 45min ago
Leader: 1054 (sddm-helper)
Seat: seat0; vc1
TTY: tty1
Service: sddm; type wayland; class user
Desktop: KDE
State: active
Idle: no
Unit: session-2.scope
├─1054 /usr/lib/sddm/sddm-helper --socket /tmp/sddm-auth-222b4118-a9f2-4d46-a34e-8793593cd0b6 --i>
├─1105 /usr/bin/kwalletd5 --pam-login 12 14
└─1110 /usr/bin/startplasma-wayland
okt 01 10:49:58 pluto systemd[1]: Started Session 2 of User ik.
okt 01 10:49:58 pluto sddm-helper[1110]: Jumping to VT 1
okt 01 10:49:58 pluto sddm-helper[1110]: VT mode didn't need to be fixed
echo $DBUS_SESSION_BUS_ADDRESS
unix:path=/run/user/1000/busps fax
19246 ? Sl 0:00 | \_ /usr/bin/eid-viewer
19261 ? SL 0:00 | \_ /usr/bin/pinentry-curses
1767 ? Ssl 0:00 /usr/bin/pcscd --foreground --auto-exitThis is not gonna help much but I can confirm that my belgian eid still works on my uptodate (just did an update right now to be sure) arch install.
I can use eid-viewer to test my pin and I can connect to official sites using firefox with the « eID Belgique » plugin.Sorry for not being of much help.
Thank you for that info. That was actually very helpful because your setup is, besides your different wayland compositor, exactly the same as mine. So it should also work for me then.
Last edited by EarthMind (2023-10-02 13:44:19)
Offline
The ps fax output from both of us made me realize that the wrong pinentry-program is used. When opening eid-viewer from Konsole, it's asking for PIN via pinenetry-curses/tty. How can I force the use of the qt or gtk version?
Offline
Online
The ps fax output from both of us made me realize that the wrong pinentry-program is used. When opening eid-viewer from Konsole, it's asking for PIN via pinenetry-curses/tty. How can I force the use of the qt or gtk version?
In Kde Plasma, I launch eid-viewer using the menu or krunner. In hyprland, I launch it via wofi -drun. In both cases, eid-viewer is not launched by a terminal. Maybe that's why, in my case a gui version of pinentry is used. (I'm sure I didn't change default config.)
Offline
EarthMind wrote:The ps fax output from both of us made me realize that the wrong pinentry-program is used. When opening eid-viewer from Konsole, it's asking for PIN via pinenetry-curses/tty. How can I force the use of the qt or gtk version?
In Kde Plasma, I launch eid-viewer using the menu or krunner. In hyprland, I launch it via wofi -drun. In both cases, eid-viewer is not launched by a terminal. Maybe that's why, in my case a gui version of pinentry is used. (I'm sure I didn't change default config.)
I also do that, but in my case it's using pinentry-ncurses version by default. And I'm afraid to change it because I don't want gpg in the terminal to also switch to the QT version
Even having said that, I tried changing it the same way seth's wiki reference explains, and it still fails to change to the Qt version
Last edited by EarthMind (2023-10-02 16:55:17)
Offline
Remember to reload the agent after making changes to the configuration.
Did you?
Edit: it calls the wrong™ pinentry even on manual invocation?
Last edited by seth (2023-10-02 18:27:13)
Online
I reloaded it yes. It ends up working for my yubikey PIN but the eid-viewer app still fails to ask for the PIN code via GUI.
And sorry for being a noob, but with pinentry it's not clear how to manually invocate it.
Offline
it's not clear how to manually invocate it
@EarthMind can you
echo GETPIN | pinentry
What does your ~/.gnupg/gpg-agent.conf currently look like?
Does eid-viewer still call pinentry-curses?
Online
Oh I see, I already did that. Result:
echo GETPIN | pinentry
OK Pleased to meet you
S ERROR curses.isatty 83918950
ERR 83918950 Inappropriate ioctl for device <Pinentry>echo GETPIN | pinentry-qt
OK Pleased to meet you
Caps Lock is locked: false
ERR 83886179 Operation cancelled <Pinentry>First one didn't work, but second one made the PIN GUI appear.
I don't have a custom config. I had this before:
pinentry-program /usr/bin/pinentry-qt
allow-loopback-pinentryDoes eid-viewer still call pinentry-curses?
Yes
Offline
How do you expect penentry to default to pinentry-qt when you don't configure that in your ~/.gnupg/gpg-agent.conf ??
That being said and looking at /usr/bin/pinentry, here's brute-force: ~/.config/pinentry/preexec
#!/bin/sh
exec /usr/bin/pinentry-qt "$@"Online
How do you expect penentry to default to pinentry-qt when you don't configure that in your ~/.gnupg/gpg-agent.conf ??
That being said and looking at /usr/bin/pinentry, here's brute-force: ~/.config/pinentry/preexec
#!/bin/sh exec /usr/bin/pinentry-qt "$@"
As you can read, it was part of my config before, but it didn't work.
But with your additional suggestion, it started working finally. Ideally, I wanted pinentry-curses to be used for command like PIN requests and Qt for GUI ones, but that seems to complexify things. Thanks for the help!
Offline
You could test
[ -t 0 -a -t 1 ] && exec /usr/bin/pinentry-curses "$@" # run the curses pinentry if stdin and stout are open
exec /usr/bin/pinentry-qt "$@"but whether that works hinges a lot on how eid-viewer invokes pinentry (and/or you eid-viewer)
Online