p11-kit module breaks gnupg

OpenSC 0.26.0-2 prevents GnuPG from using my Nitrokey 3C, claiming it can't find any card. Removing /usr/share/p11-kit/modules/opensc.module and restarting pcscd.service resolves the issue.

> gpg --edit-card

gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

gpg/card>

It also seems to mess with GDM, see gdm#7 (closed).

added scopebug label

added priority3-normal severity4-low statusunconfirmed labels

assigned to @freswa, @toolybird, and @gromit

added statusconfirmed label and removed statusunconfirmed label

assigned to @ffy00 and unassigned @toolybird and @gromit

cc @daandemeyer

added scoperegression label and removed scopebug label

marked this issue as related to gdm#7 (closed)

mentioned in issue gdm#7 (closed)

mentioned in commit 7cb5055a

f43a05c5 effectively reverted with 7cb5055a.

closed

added resolutioncompleted label

@heftig @toolybird

From what I can see this happens because scdaemon by default insists on exclusive access to the hardware token. From looking around, adding the following to ~/.gnupg/scdaemon.conf should fix the issue:

disable-ccid
pcsc-shared

I would still like to see the module in the opensc package. If my suggested fix works, can this workaround be posted via the news mailing list so we can land this change after all?

reopened

@genesso @heftig Could you test and report if the workaround fixes the issue for you with opensc -2?

I will definitely test this.

But it would be better if work around didn't require every user to make a change. Is there a way to have a system wide setting instead?

Nope -the workaround doesn't work for me.

@genesso Sorry, you also have to restart scdaemon by running gpgconf --kill scdaemon. I just tested with my own yubikey and this fixes the issue for me.

But it would be better if work around didn't require every user to make a change. Is there a way to have a system wide setting instead?

There is /etc/gnupg/scdaemon.conf, but I don't think this workaround can be applied generally unless the gnupg package gets a dependency on p11-kit and opensc and pcsc-lite as otherwise pcsc can't be used. Only users that are already using pcsc-lite should use this workaround.

It is not working for me. Here's what I did - maybe I am doing something wrong. Plug in yubkey 5

Machine has no console user. Remote login as root

1. install opensc-0.26.0-2

2. ssh in as user (not on console) - edit the ~/.gnupg/scdaemon.conf as above with 2 lines

3. then as user run: gpgconf --kill scdaemon

   ps -eaf |grep scdaemon says not running.

4. as root restart gdm. same problem - no login possible on gui screen.

Did I miss a step?

As user I did: ps -eaf |grep sc

which only shows this (ignoring irrelevant stuff)

/usr/bin/pcscd --foreground --auto-exit

@daandemeyer I think @genesso is hitting this issue: gdm#7 (closed)

Is that related to scdaemon as well?

Oh right - I thought that was the issue !

@genesso Apologies, I didn't realize this was about gdm, I thought you were also seeing issues with gnupg.

@heftig You added https://gitlab.gnome.org/GNOME/gdm/-/commit/7caae964d1634d179c6936ddeb46af8172c4e348 to gdm years ago. Where is pam_pkcs11 supposed to come from? It isn't even packaged in Arch in the first place?

No problem at all - my fault for not realizing this was not gdm#7 (closed) (thank you @freswa). Where's my coffee.

Where is pam_pkcs11 supposed to come from?

Good question. Here's a related forum thread: https://bbs.archlinux.org/viewtopic.php?id=289454

@heftig, what's the best way forward here? gdm upstream seems to suggest a workaround by disabling the gdm smartcard config. Is that feasible?

Ok, @heftig has deftly sorted out gdm. We're now back to whether the gnupg workaround can be applied globally.. or if a news posting is acceptable?

As I mentioned, applying the gnupg workaround globally means adding a dependency on pcsc-lite to gnupg. If that's acceptable we could apply the workaround globally. But since this only happens if p11-kit and opensc are installed with pcscd enabled and running, I think it will be rare enough that a NEWS item will suffice.

It would also mean that pcscd.service would have to be enabled and running for scdaemon to work so it would have to be enabled somehow automatically.

removed resolutioncompleted label

Unfortunately, pcsc-shared causes GnuPG to ask for the key's PIN for every single signature instead of just the first, which is quite painful. So that's not an option for me. I uninstalled opensc instead.

In addition, any interaction with the Nitrokey via pkcs11 while GnuPG has it unlocked confuses GnuPG and any attempt to sign fails with "Bad PIN" until either scdaemon is killed or the key is replugged.

And FTR, a blank scdaemon.conf (so the internal CCID driver is used) has the same issue as disable-ccid without pcsc-shared. GnuPG cannot see the card at all.