Yubico Forum

All times are UTC + 1 hour

Posted: Wed Feb 24, 2016 11:22 pm

Joined: Wed Feb 24, 2016 11:05 pm
Posts: 2
I can't seem to get gpg2/scdaemon to recognize my yubikey 4. I've seen similar issues online but have not been successful myself.

I'm on Darwin:

$ uname -a
Darwin HalfAndHalf 15.3.0 Darwin Kernel Version 15.3.0: Thu Dec 10 18:40:58 PST 2015; root:xnu-3248.30.4~1/RELEASE_X86_64 x86_64

On the surface, gpg2 does not work (installed via `brew`, but the dmg from gpgtools behaves the same).

$ gpg2 --card-status
gpg: OpenPGP card not available: Not supported

This yields the common "can't select application `openpgp': Not supported" error message from scdaemon:

$ tail -n 5 scdaemon.log
2016-02-24 14:08:00 scdaemon[526] pcsc_control failed: invalid parameter (0x80100004)
2016-02-24 14:08:00 scdaemon[526] pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65538
2016-02-24 14:08:00 scdaemon[526] can't select application `openpgp': Not supported
2016-02-24 14:08:00 scdaemon[526] updating slot 0 status: 0x0000->0x0007 (0->1)
2016-02-24 14:08:01 scdaemon[526] scdaemon (GnuPG) 2.0.29 stopped

My configuration is pretty typical, though I've certainly tried various things:

$ tail gpg.conf
$ cat gpg-agent.conf

The most common suggestion online is to set the reader-port, which I have done:

$ cat scdaemon.conf
reader-port "Yubico Yubikey 4 OTP+CCID"
log-file /Users/tommd/.gnupg/scdaemon.log

opensc sees the card fine:

$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Yubico Yubikey 4 OTP+CCID
$ opensc-tool -lv
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Yubico Yubikey 4 OTP+CCID
     3b:f8:13:00:00:81:31:fe:15:59:75:62:69:6b:65:79:34:d4 PIV-II card

pcsc test also reports positive-looking things:

Testing SCardEstablishContext    : Command successful.
Testing SCardGetStatusChange
Please insert a working reader   : Command successful.
Testing SCardListReaders         : Command successful.
Reader 01: Yubico Yubikey 4 OTP+CCID
Enter the reader number          : 01
Waiting for card insertion
                                 : Command successful.
Testing SCardConnect             : Command successful.
Testing SCardStatus              : Command successful.
Current Reader Name              : Yubico Yubikey 4 OTP+CCID
Current Reader State             : 0x54
Current Reader Protocol          : 0x1
Current Reader ATR Size          : 18 (0x12)
Current Reader ATR Value         : 3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4
Testing SCardDisconnect          : Command successful.
Testing SCardReleaseContext      : Command successful.

gpg1, which I'd prefer not to use, has different behavior:

% gpg --card-status
gpg: detected reader `Yubico Yubikey 4 OTP+CCID'
Please insert the card and hit return or enter 'c' to cancel:
... repeat the above on 'return'...

I'll update this thread when I get around to trying on my Ubuntu system, but regardless of success there I'm going to need this working on the Mac.

Last edited by tommd on Sat Feb 27, 2016 12:55 am, edited 1 time in total.
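
The ATR that both opensc-tool and the pcsc test report in the post above can be decoded to confirm that the token is fully visible at the PC/SC layer, which leaves scdaemon's selection of the openpgp application as the failing step. This is an added example, not part of the original post; `parse_atr` and `PAGE_ATR` are hypothetical names, and the field layout assumed is the standard ISO/IEC 7816-3 ATR structure.

```python
from functools import reduce
from operator import xor

# ATR exactly as printed by `opensc-tool -lv` in the post above.
PAGE_ATR = "3b:f8:13:00:00:81:31:fe:15:59:75:62:69:6b:65:79:34:d4"

def parse_atr(atr_hex):
    """Decode an ISO/IEC 7816-3 ATR given as colon- or space-separated hex."""
    atr = bytes.fromhex(atr_hex.replace(":", "").replace(" ", ""))
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte: not an ATR")
    y, hist_len = atr[1] >> 4, atr[1] & 0x0F   # T0: presence mask, K
    pos, level, interface, protocols = 2, 1, {}, []
    while y:
        for bit, name in enumerate("ABCD"):     # TAi, TBi, TCi, TDi in order
            if y & (1 << bit):
                if pos >= len(atr):
                    raise ValueError("truncated ATR")
                interface[f"T{name}{level}"] = atr[pos]
                pos += 1
        td = interface.get(f"TD{level}")
        if td is None:
            break
        protocols.append(td & 0x0F)             # low nibble: protocol T=n
        y, level = td >> 4, level + 1           # high nibble: next mask
    historical = atr[pos:pos + hist_len]
    if len(historical) != hist_len:
        raise ValueError("truncated ATR")
    pos += hist_len
    # TCK exists only when a protocol other than T=0 is offered; the XOR of
    # T0 through TCK must then be zero.
    tck_ok = None
    if any(p != 0 for p in protocols):
        if pos >= len(atr):
            raise ValueError("missing TCK")
        tck_ok = reduce(xor, atr[1:pos + 1]) == 0
    return {"convention": "direct" if atr[0] == 0x3B else "inverse",
            "interface": interface, "protocols": protocols,
            "historical": historical, "tck_ok": tck_ok}

if __name__ == "__main__":
    info = parse_atr(PAGE_ATR)
    print(info["historical"].decode("ascii"), info["protocols"], info["tck_ok"])
```

For the ATR in this thread the historical bytes spell the device name and the checksum verifies, so the card answer itself is intact.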

Posted: Thu Feb 25, 2016 7:34 am

Joined: Wed Feb 24, 2016 11:05 pm
Posts: 2
ChrisHalos already had the answer here on the forum, which is the purpose of keeping a forum of old answers, right? So thanks to yubikey and Chris.

The Ubuntu system did not work immediately but after running:

gpg-connect-agent --hex
> scd apdu 00 44 00 00

Things work all right. I say all right because

1. I still need to test the key on the Mac.

2. I can't figure out how to require the yubikey button to be pressed prior to performing a gpg signature/encryption. Any pointers?

After confirming 1 I'll mark this question answered and open a new topic on question 2.


As for issue 2, touch can be enabled as detailed on the getting started OpenPGP page (https://developers.yubico.com/PGP/Card_edit.html). Humorously, the shell script they refer to is A. not hosted on a yubikey account (though the user is part of the yubico organization as identified by github) and B. lacking any documentation such as what 'aut' means in the arguments.
