Yubico Forum https://forum.yubico.com/ |
|
[SOLVED] - Yubikey4 openpgp gnupg gpg Card Error https://forum.yubico.com/viewtopic.php?f=35&t=2231 |
Author: | travis9 [ Mon Feb 22, 2016 10:41 pm ] |
Post subject: | [SOLVED] - Yubikey4 openpgp gnupg gpg Card Error |
SOLVED: GPG requires exclusive access to the reader, and was somehow locking itself from accessing the card? I had to add "card-timeout 1" to my scdaemon.conf file

UPDATE: I'm not sure why but every once in a while GnuPG is still convinced that it can't get exclusive access to the card... However it seems that just opening and closing that Yubico Authenticator fixes the problem. (I have the "kill scdaemon on show" option checked in settings) It's strange, because it fixes the problem even if I don't have the kill scdaemon option checked. It's like whatever the Yubico Authenticator does when it exits releases the card properly or something. Also worth noting, manually killing gpg-agent or scdaemon does NOT fix the problem. The only thing that does (on the rare occasion it pops up again) is opening and closing the Yubico Authenticator

ORIGINAL QUESTION: I am getting the following error when trying to use the gpg to access the openpgp applet on my new Yubikey 4:

Code:
    gpg: selecting openpgp failed: Card error
    gpg: OpenPGP card not available: Card error

The strange thing is the version returned by sending the apdu 00 f1 00 00 command (via opensc since gnupg isn't working) returns version 4.2.7 which is the firmware version of my yubikey. According to this page the latest version is 1.0.11

I tried the delete all entries from device manager trick with no effect

Any ideas why gpg isn't working?

running windows 7 64bit [Version 6.1.7601]
gpg (GnuPG) 2.0.29 (Gpg4win 2.3.0)
yubikey firmware version 4.2.7

below is the full output of my gpg/opensc commands:

Code:
    C:\Program Files (x86)\GNU\GnuPG>gpg2 --version
    gpg (GnuPG) 2.0.29 (Gpg4win 2.3.0)
    libgcrypt 1.6.4
    Copyright (C) 2015 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Home: C:/Users/tmg/AppData/Roaming/gnupg
    Supported algorithms:
    Pubkey: RSA, RSA, RSA, ELG, DSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
            CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2

    C:\Program Files (x86)\GNU\GnuPG>gpg2 --card-status
    gpg: selecting openpgp failed: Card error
    gpg: OpenPGP card not available: Card error

    C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -l
    # Detected readers (pcsc)
    Nr.  Card  Features  Name
    0    Yes             Yubico Yubikey 4 OTP+U2F+CCID 0

    C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -vv -c openpgp -s 00f10000
    2016-02-22 15:48:44.199 [opensc-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
    2016-02-22 15:48:44.199 [opensc-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
    Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 0
    2016-02-22 15:48:44.215 [opensc-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
    2016-02-22 15:48:44.215 [opensc-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
    Connecting to card in reader Yubico Yubikey 4 OTP+U2F+CCID 0...
    2016-02-22 15:48:44.215 [opensc-tool] card.c:148:sc_connect_card: called
    2016-02-22 15:48:44.215 [opensc-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
    Using card driver OpenPGP card.
    Sending: 00 F1 00 00
    Received (SW1=0x90, SW2=0x00):
    04 02 07 ...
    2016-02-22 15:48:44.231 [opensc-tool] ctx.c:799:sc_release_context: called

    C:\Program Files\OpenSC Project\OpenSC\tools>
|
Author: | ChrisHalos [ Tue Feb 23, 2016 1:15 am ] |
Post subject: | Re: [QUESTION] - Yubikey4 openpgp gnupg gpg Card Error |
Have you tried running Command Prompt as Administrator? Is your Admin PIN/PIN locked out from previous attempts? Have you tried terminating the GnuPG processes in Task Manager and trying again? I'm running the same as you (GnuPG 2.0.29, Gpg4win 2.3.0, libgcrypt 1.6.4 - Windows 10 currently) and haven't come across "card error" before. |
Author: | travis9 [ Tue Feb 23, 2016 1:28 pm ] | ||
Post subject: | Re: [QUESTION] - Yubikey4 openpgp gnupg gpg Card Error | ||
Have you tried running Command Prompt as Administrator?
Yes I was running in an elevated prompt

Have you tried terminating the GnuPG processes in Task Manager and trying again?
Yes many times.

Is your Admin PIN/PIN locked out from previous attempts?
I don't think so? Since I never got as far as to actually be able to SET the admin pin. But hold on let me try to reset it and see if that helps (I'll have to use opensc to send the apdu commands)

hmm well this is interesting after I sent the apdu 00 e6 00 00 command (which returned 90 00 as expected) I can no longer send commands via opensc:

Code:
    C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -c openpgp -s 00e60000
    Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 0
    Sending: 00 E6 00 00
    Received (SW1=0x90, SW2=0x00)

    C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -c openpgp -s 00440000
    Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 0
    Failed to connect to card: Card command failed

It's not even returning the version anymore from the apdu 00 f1 00 00 command ....

Code:
    C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -c openpgp -s 00f10000
    Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 0
    Failed to connect to card: Card command failed

Even more disturbing is that now the Yubikey NEO Manager doesn't show that there is a OpenPGP Applet on the device... (it used to show up) I have attached a screenshot of the NEO Manager window.

Does this mean I just nuked the OpenPGP Applet? If so where do I go from here?
|
Author: | ChrisHalos [ Wed Feb 24, 2016 2:12 am ] |
Post subject: | Re: [QUESTION] - Yubikey4 openpgp gnupg gpg Card Error |
What build of Windows is this? Can you try:

    gpg-connect-agent --hex
    > scd apdu 00 44 00 00

It looks like you got through the terminate card step, but it hasn't been reactivated. Here is what my NEO Manager looks like before I reactivate the OpenPGP applet:

Regarding the "applet version", that is correct, the OpenPGP applet version will report as the firmware version. The YubiKey 4 is a monolithic firmware (applets are built into the firmware). |
Author: | travis9 [ Mon Feb 29, 2016 2:55 pm ] |
Post subject: | Re: [QUESTION] - Yubikey4 openpgp gnupg gpg Card Error |
Sorry for the slow reply. This is Windows 7 (I have the "classic theme" on)

So I tried scd apdu 00 44 00 00 and it didn't work, BUT I tried once more this morning before I posted this and it worked??

Code:
    C:\>gpg-connect-agent --hex
    > scd apdu 00 44 00 00
    D[0000] 90 00 ..
    OK

But now I'm back to the original problem:

Code:
    > scd apdu 00 f1 00 00
    ERR 100663404 Card error <SCD>
    > scd serialno
    ERR 100663404 Card error <SCD>

    C:\>gpg --card-status
    gpg: selecting openpgp failed: Card error
    gpg: OpenPGP card not available: Card error

    C:\>gpg --version
    gpg (GnuPG) 2.0.29 (Gpg4win 2.3.0)
    libgcrypt 1.6.4
    Copyright (C) 2015 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Home: C:/Users/tmg/AppData/Roaming/gnupg
    Supported algorithms:
    Pubkey: RSA, RSA, RSA, ELG, DSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
            CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2

Also with opensc's openpgp-tool:

Code:
    C:\Program Files\OpenSC Project\OpenSC\tools>openpgp-tool
    Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 0
    error: not an OpenPGP card

    C:\Program Files\OpenSC Project\OpenSC\tools>openpgp-tool -vv
    2016-02-29 08:54:29.946 [openpgp-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
    2016-02-29 08:54:29.946 [openpgp-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5
    Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 0
    2016-02-29 08:54:29.946 [openpgp-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
    2016-02-29 08:54:29.946 [openpgp-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5
    Connecting to card in reader Yubico Yubikey 4 OTP+U2F+CCID 0...
    2016-02-29 08:54:29.946 [openpgp-tool] card.c:148:sc_connect_card: called
    2016-02-29 08:54:29.946 [openpgp-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
    2016-02-29 08:54:29.946 [openpgp-tool] card-entersafe.c:106:entersafe_match_card: called
    2016-02-29 08:54:29.946 [openpgp-tool] card-rutoken.c:103:rutoken_match_card: called
    2016-02-29 08:54:29.946 SELECT AID: 6A82
    2016-02-29 08:54:29.946 [openpgp-tool] muscle.c:271:msc_select_applet: returning with: -1200 (Card command failed)
    2016-02-29 08:54:29.946 [openpgp-tool] card-piv.c:2834:piv_match_card: called
    2016-02-29 08:54:29.946 [openpgp-tool] card-piv.c:720:piv_find_aid: called
    2016-02-29 08:54:29.946 [openpgp-tool] card-piv.c:683:piv_select_aid: called
    2016-02-29 08:54:29.946 [openpgp-tool] card-piv.c:701:piv_select_aid: returning with: 0 (Success)
    2016-02-29 08:54:29.946 [openpgp-tool] card-piv.c:2852:piv_init: called
    2016-02-29 08:54:29.946 [openpgp-tool] card-piv.c:720:piv_find_aid: called
    2016-02-29 08:54:29.946 [openpgp-tool] card-piv.c:683:piv_select_aid: called
    2016-02-29 08:54:29.946 [openpgp-tool] card-piv.c:701:piv_select_aid: returning with: 0 (Success)
    2016-02-29 08:54:29.961 [openpgp-tool] card-piv.c:2609:piv_process_history: called
    2016-02-29 08:54:29.961 [openpgp-tool] card-piv.c:945:piv_get_cached_data: called
    2016-02-29 08:54:29.961 [openpgp-tool] card-piv.c:879:piv_get_data: called
    2016-02-29 08:54:29.961 [openpgp-tool] card-piv.c:447:piv_general_io: called
    2016-02-29 08:54:29.961 [openpgp-tool] card-piv.c:945:piv_get_cached_data: called
    2016-02-29 08:54:29.961 [openpgp-tool] card-piv.c:879:piv_get_data: called
    2016-02-29 08:54:29.961 [openpgp-tool] card-piv.c:447:piv_general_io: called
    2016-02-29 08:54:29.961 [openpgp-tool] card-piv.c:447:piv_general_io: called
    Using card driver PIV-II for multiple cards.
    error: not an OpenPGP card
    2016-02-29 08:54:29.961 [openpgp-tool] card-piv.c:2806:piv_finish: called
    2016-02-29 08:54:29.961 [openpgp-tool] ctx.c:799:sc_release_context: called

    C:\Program Files\OpenSC Project\OpenSC\tools>

Any more ideas to get this to work? Thanks for helping me with this. |
Author: | travis9 [ Tue Mar 01, 2016 3:42 am ] |
Post subject: | Re: [QUESTION] - Yubikey4 openpgp gnupg gpg Card Error |
Ah, another clue: I added the "log-file" directive to my scdaemon.conf and the log shows:

Code:
    2016-02-29 21:37:59 scdaemon[11500] detected reader `Yubico Yubikey 4 OTP+U2F+CCID 0'
    2016-02-29 21:37:59 scdaemon[11500] pcsc_connect failed: sharing violation (0x8010000b)
    2016-02-29 21:37:59 scdaemon[11500] updating slot 0 status: 0x0000->0x0007 (0->1)
    2016-02-29 21:37:59 scdaemon[11500] triggering event e0 (000000E0) for client -1

So maybe it's GPG's need for exclusive access to the card...? Now I just need to find out what is accessing the card... |
Author: | travis9 [ Tue Mar 01, 2016 4:08 am ] |
Post subject: | Re: [QUESTION] - Yubikey4 openpgp gnupg gpg Card Error |
Ah HA! Turns out it's gpg itself locking the card (wtf?)

I needed to add "card-timeout 1" to my scdaemon.conf file (located at %APPDATA%\gnupg\scdaemon.conf)

And now success!!!!

Code:
    C:\>gpg -v --card-status
    gpg: no running gpg-agent - starting one
    gpg: waiting 5 seconds for the agent to come up
    Application ID ...: DXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Version ..........: 2.1
    Manufacturer .....: Yubico
    Serial number ....: XXXXXXXX
    Name of cardholder: [not set]
    Language prefs ...: [not set]
    Sex ..............: unspecified
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: not forced
    Key attributes ...: 2048R 2048R 2048R
    Max. PIN lengths .: 127 127 127
    PIN retry counter : 3 0 3
    Signature counter : 0
    Signature key ....: [none]
    Encryption key....: [none]
    Authentication key: [none]
    General key info..: [none]

    C:\>
|
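Added example, not part of the thread and not GnuPG's own code: a Python triage of the scdaemon log quoted in the posts above, combined with a check of scdaemon.conf for the "card-timeout" setting that resolved it. The log lines are the ones posted; both scdaemon.conf texts and the log-file path are constructed for the example.

```python
import re
# PC/SC (winscard) return codes; 0x8010000B is the one in the posted log.
PCSC_CODES = {
    0x8010000B: "SCARD_E_SHARING_VIOLATION",
    0x8010000C: "SCARD_E_NO_SMARTCARD",
    0x80100069: "SCARD_W_REMOVED_CARD",
}
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) scdaemon\[(\d+)\] (.*)$")
READER = re.compile(r"detected reader `([^']+)'")
FAIL = re.compile(r"(pcsc_\w+) failed: .*\((0x[0-9a-fA-F]{8})\)")

def triage(log_text):
    """One finding per failed PC/SC call, tagged with the reader that pid last detected."""
    readers, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an scdaemon log line
        ts, pid, msg = m.groups()
        reader, fail = READER.search(msg), FAIL.search(msg)
        if reader:
            readers[pid] = reader.group(1)
        elif fail:
            name = PCSC_CODES.get(int(fail.group(2), 16), fail.group(2))
            findings.append({"time": ts, "pid": int(pid), "call": fail.group(1),
                             "reader": readers.get(pid), "error": name})
    return findings

def card_timeout(conf_text):
    """Value of card-timeout in scdaemon.conf text, or None when it is not set."""
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, split option and value
        if len(parts) == 2 and parts[0] == "card-timeout" and parts[1].isdigit():
            return int(parts[1])
    return None

def needs_card_timeout(log_text, conf_text):
    """True when the log shows a sharing violation and card-timeout is unset or 0."""
    contended = any(f["error"] == "SCARD_E_SHARING_VIOLATION" for f in triage(log_text))
    return contended and not card_timeout(conf_text)

# Log lines as posted in the thread; both conf texts (and the log path) are constructed.
SAMPLE_LOG = """\
2016-02-29 21:37:59 scdaemon[11500] detected reader `Yubico Yubikey 4 OTP+U2F+CCID 0'
2016-02-29 21:37:59 scdaemon[11500] pcsc_connect failed: sharing violation (0x8010000b)
2016-02-29 21:37:59 scdaemon[11500] updating slot 0 status: 0x0000->0x0007 (0->1)
"""
CONF_BEFORE = "log-file C:\\Temp\\scdaemon.log\n"
CONF_AFTER = CONF_BEFORE + "card-timeout 1\n"
```
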
Author: | ChrisHalos [ Tue Mar 01, 2016 8:46 pm ] |
Post subject: | Re: [SOLVED] - Yubikey4 openpgp gnupg gpg Card Error |
Glad you got this straightened out! Thanks for keeping us updated. |
Author: | travis9 [ Tue Mar 01, 2016 8:57 pm ] |
Post subject: | Re: [SOLVED] - Yubikey4 openpgp gnupg gpg Card Error |
No problem, thanks for your help! I added a small UPDATE to the original post. |
Author: | codemonkee [ Mon Jun 12, 2017 9:00 pm ] |
Post subject: | Re: [SOLVED] - Yubikey4 openpgp gnupg gpg Card Error |
Sorry to dig up an old thread, but I ran into the same error message via command prompt but worked through GUI, which stumped me for a moment - So thought it could be useful.

My particular case ended up being conflicting version of GPG and an older 1.4.x being supplied by Git for Windows. I have redefined my user PATH environment variable with gpg4win being higher in the variable, but Git's instance was still taking priority and I ended up having to alter both user and system PATH for it to default (which I found odd on its own).

Code:
    C:\>which -a gpg
    /usr/bin/gpg
    /c/Program Files (x86)/GnuPG/bin/gpg
    /usr/bin/gpg
    /c/Program Files (x86)/GnuPG/bin/gpg

    C:\>"C:\Program Files\Git\usr\bin\gpg.exe" --version
    gpg (GnuPG) 1.4.21
    Copyright (C) 2015 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Home: ~/.gnupg
    Supported algorithms:
    Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
            CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2

    C:\>"C:\Program Files (x86)\GnuPG\bin\gpg.exe" --version
    gpg (GnuPG) 2.1.20
    libgcrypt 1.7.6
    Copyright (C) 2017 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Home: %APPDATA%/Roaming/gnupg
    Supported algorithms:
    Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
            CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2
|
All times are UTC + 1 hour |