Yubico Forum
https://forum.yubico.com/

[Resolved] Trouble with GPG --card-status
https://forum.yubico.com/viewtopic.php?f=35&t=2237
Page 1 of 1

Author:  tommd [ Wed Feb 24, 2016 11:22 pm ]
Post subject:  [Resolved] Trouble with GPG --card-status

I can't seem to get gpg2/scdaemon to recognize my yubikey 4. I've seen similar issues online but have not been successful myself.

I'm on Darwin:

Code:
$ uname -a
Darwin HalfAndHalf 15.3.0 Darwin Kernel Version 15.3.0: Thu Dec 10 18:40:58 PST 2015; root:xnu-3248.30.4~1/RELEASE_X86_64 x86_64


On the surface, gpg2 does not work (installed via `brew`, but the dmg from gpgtools behaves the same).

Code:
$ gpg2 --card-status
gpg: OpenPGP card not available: Not supported


This yields the common "can't select application `openpgp': Not supported" error message from scdaemon:

Code:
$ tail -n 5 scdaemon.log
2016-02-24 14:08:00 scdaemon[526] pcsc_control failed: invalid parameter (0x80100004)
2016-02-24 14:08:00 scdaemon[526] pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65538
2016-02-24 14:08:00 scdaemon[526] can't select application `openpgp': Not supported
2016-02-24 14:08:00 scdaemon[526] updating slot 0 status: 0x0000->0x0007 (0->1)
2016-02-24 14:08:01 scdaemon[526] scdaemon (GnuPG) 2.0.29 stopped


My configuration is pretty typical, though I've certainly tried various things:

Code:
$ tail gpg.conf
use-agent
$ cat gpg-agent.conf
enable-ssh-support


The most common suggestion online is to set the reader-port, which I have done:

Code:
$ cat scdaemon.conf
reader-port "Yubico Yubikey 4 OTP+CCID"
log-file /Users/tommd/.gnupg/scdaemon.log


opensc sees the card fine:

Code:
$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Yubico Yubikey 4 OTP+CCID
$ opensc-tool -lv
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Yubico Yubikey 4 OTP+CCID
     3b:f8:13:00:00:81:31:fe:15:59:75:62:69:6b:65:79:34:d4 PIV-II card


pcsc test also reports positive-looking things:

Code:
Testing SCardEstablishContext    : Command successful.
Testing SCardGetStatusChange
Please insert a working reader   : Command successful.
Testing SCardListReaders         : Command successful.
Reader 01: Yubico Yubikey 4 OTP+CCID
Enter the reader number          : 01
Waiting for card insertion
                                 : Command successful.
Testing SCardConnect             : Command successful.
Testing SCardStatus              : Command successful.
Current Reader Name              : Yubico Yubikey 4 OTP+CCID
Current Reader State             : 0x54
Current Reader Protocol          : 0x1
Current Reader ATR Size          : 18 (0x12)
Current Reader ATR Value         : 3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4
Testing SCardDisconnect          : Command successful.
Testing SCardReleaseContext      : Command successful.


gpg1, which I'd prefer not to use, has different behavior:

Code:
% gpg --card-status
gpg: detected reader `Yubico Yubikey 4 OTP+CCID'
Please insert the card and hit return or enter 'c' to cancel:
... repeat the above on 'return'...


I'll update this thread when I get around to trying on my Ubuntu system, but regardless of success there I'm going to need this working on the Mac.

Author:  tommd [ Thu Feb 25, 2016 7:34 am ]
Post subject:  Re: [Question] Trouble with GPG --card-status

ChrisHalos already had the answer here on the forum; that's the purpose of keeping a forum of old answers, right? So thanks to Yubikey and Chris.

The Ubuntu system did not work immediately, but after running:

Code:
gpg-connect-agent --hex
> scd apdu 00 44 00 00


Things work all right. I say all right because

1. I still need to test the key on the Mac.

2. I can't figure out how to require the yubikey button to be pressed prior to performing a gpg signature/encryption. Any pointers?

After confirming 1 I'll mark this question answered and open a new topic on question 2.

EDIT:

As for issue 2, touch can be enabled as detailed on the getting started OpenPGP page (https://developers.yubico.com/PGP/Card_edit.html). Humorously, the shell script they refer to is A. not hosted on a yubikey account (though the user is part of the yubico organization as identified by github) and B. lacking any documentation such as what 'aut' means in the arguments.
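An added example, not code from the thread, from Yubico or from GnuPG, showing what the `scd apdu 00 44 00 00` line in the post actually encodes and how the SELECT that scdaemon issues when it "can't select application `openpgp'" is built: a small APDU encoder plus a status-word decoder for the replies. The OpenPGP AID, the SELECT / ACTIVATE FILE / TERMINATE DF instruction bytes and the status-word meanings come from ISO 7816-4 and the OpenPGP card specification; the function names and the sample responses are this example's own constructions.

```python
"""APDU helpers for poking the OpenPGP applet through gpg-connect-agent.

Added example, not from the forum thread. The OpenPGP AID, the SELECT /
ACTIVATE FILE / TERMINATE DF instruction bytes and the status-word
meanings come from ISO 7816-4 and the OpenPGP card specification; the
helper names and the constructed sample responses are this example's own.
"""

# ISO 7816-4 instruction bytes used by scdaemon and by gpg's factory-reset.
INS_SELECT = 0xA4         # SELECT (P1=04 selects by DF name / AID)
INS_ACTIVATE_FILE = 0x44  # the "00 44 00 00" command from the thread
INS_TERMINATE_DF = 0xE6   # first half of factory-reset; destroys keys

# Registered application identifier of the OpenPGP card applet.
OPENPGP_AID = bytes.fromhex("D27600012401")

# Status words worth recognising when a SELECT or ACTIVATE FILE fails.
STATUS_WORDS = {
    0x9000: "OK",
    0x6A82: "file or application not found",
    0x6A86: "incorrect P1/P2",
    0x6D00: "instruction not supported",
    0x6E00: "class not supported",
    0x6982: "security status not satisfied",
    0x6985: "conditions of use not satisfied",
}


def build_apdu(cla, ins, p1, p2, data=b"", le=None):
    """Encode a short (non-extended-length) command APDU.

    Case 1: header only; case 2: header + Le; case 3: header + Lc + data;
    case 4: header + Lc + data + Le.
    """
    if not 0 <= len(data) <= 255:
        raise ValueError("data too long for a short APDU")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        if not 0 <= le <= 256:
            raise ValueError("Le out of range")
        apdu += bytes([le & 0xFF])  # Le=256 is encoded as 00
    return apdu


def select_openpgp():
    """SELECT the OpenPGP applet by AID, as scdaemon does when opening the card."""
    return build_apdu(0x00, INS_SELECT, 0x04, 0x00, OPENPGP_AID)


def activate_file():
    """The ACTIVATE FILE command from the thread (no data, no Le)."""
    return build_apdu(0x00, INS_ACTIVATE_FILE, 0x00, 0x00)


def scd_apdu_line(apdu):
    """Format an APDU the way gpg-connect-agent's 'scd apdu' takes it."""
    return "scd apdu " + " ".join(f"{b:02X}" for b in apdu)


def decode_response(resp):
    """Split a response APDU into (data, status word, human-readable meaning)."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    data, sw = resp[:-2], int.from_bytes(resp[-2:], "big")
    if sw in STATUS_WORDS:
        meaning = STATUS_WORDS[sw]
    elif (sw >> 8) == 0x61:
        meaning = f"{sw & 0xFF} more bytes available (GET RESPONSE)"
    elif (sw >> 8) == 0x6C:
        meaning = f"wrong Le, retry with Le={sw & 0xFF}"
    else:
        meaning = "unknown status"
    return data, sw, meaning


if __name__ == "__main__":
    # The two commands as you would paste them into gpg-connect-agent --hex.
    print(scd_apdu_line(select_openpgp()))
    print(scd_apdu_line(activate_file()))
    # Constructed responses, not captured from a real key: a refused SELECT
    # and a successful one.
    for resp in (bytes.fromhex("6A82"), bytes.fromhex("9000")):
        print(decode_response(resp))
```

`scd_apdu_line(select_openpgp())` gives `scd apdu 00 A4 04 00 06 D2 76 00 01 24 01`, which is the same SELECT scdaemon sends before it reports "can't select application"; pasting it into `gpg-connect-agent --hex` and reading the status word with `decode_response` tells you whether the applet is refusing the SELECT or merely absent. ACTIVATE FILE is the second half of the OpenPGP factory-reset sequence (TERMINATE DF, then ACTIVATE FILE), so on a key that already holds keys, confirm the state with `--card-status` first rather than sending `00 E6 00 00` and `00 44 00 00` blindly.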

Page 1 of 1 All times are UTC + 1 hour