OS X 10.12.5 + yubikey problems
Recently picked up a Yubikey 4c and have been having a hell of a time debugging why gpgsuite can't use my yubikey.
I've gone through several debugging steps and have listed them below.
When you run gpg --card-edit
gpg --card-status
gpg: selecting openpgp failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device
So, I tried all the usual tricks of killing the scdaemon and restarting all the gpg components, with no success. What is really annoying is that the same version of gpg works in Arch Linux.
Here is some debugging information provided by scdaemon
2017-07-07 16:56:57 scdaemon[7083] DBG: chan_5 <- RESTART
2017-07-07 16:56:57 scdaemon[7083] DBG: chan_5 -> OK
2017-07-07 17:05:30 scdaemon[7083] DBG: chan_5 <- GETINFO version
2017-07-07 17:05:30 scdaemon[7083] DBG: chan_5 -> D 2.1.21
2017-07-07 17:05:30 scdaemon[7083] DBG: chan_5 -> OK
2017-07-07 17:05:30 scdaemon[7083] DBG: chan_5 <- SERIALNO openpgp
2017-07-07 17:05:30 scdaemon[7083] DBG: enter: apdu_open_reader: portstr=(null)
2017-07-07 17:05:30 scdaemon[7083] detected reader 'Yubico Yubikey 4 OTP+U2F+CCID'
2017-07-07 17:05:30 scdaemon[7083] reader slot 0: not connected
2017-07-07 17:05:30 scdaemon[7083] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
2017-07-07 17:05:30 scdaemon[7083] DBG: enter: apdu_connect: slot=0
2017-07-07 17:05:30 scdaemon[7083] pcsc_control failed: not transacted (0x80100016)
2017-07-07 17:05:30 scdaemon[7083] pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65547
2017-07-07 17:05:30 scdaemon[7083] reader slot 0: active protocol: T1
2017-07-07 17:05:30 scdaemon[7083] slot 0: ATR=3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4
2017-07-07 17:05:30 scdaemon[7083] DBG: leave: apdu_connect => sw=0x0
2017-07-07 17:05:30 scdaemon[7083] DBG: send apdu: c=00 i=A4 p1=00 p2=0C lc=2 le=-1 em=0
2017-07-07 17:05:30 scdaemon[7083] DBG: PCSC_data: 00 A4 00 0C 02 3F 00
2017-07-07 17:05:33 scdaemon[7083] pcsc_transmit failed: not transacted (0x80100016)
2017-07-07 17:05:33 scdaemon[7083] apdu_send_simple(0) failed: general error
2017-07-07 17:05:33 scdaemon[7083] DBG: send apdu: c=00 i=A4 p1=04 p2=00 lc=6 le=-1 em=0
2017-07-07 17:05:33 scdaemon[7083] DBG: PCSC_data: 00 A4 04 00 06 D2 76 00 01 24 01
2017-07-07 17:05:36 scdaemon[7083] pcsc_transmit failed: not transacted (0x80100016)
2017-07-07 17:05:36 scdaemon[7083] apdu_send_simple(0) failed: general error
2017-07-07 17:05:36 scdaemon[7083] can't select application 'openpgp': Not supported
2017-07-07 17:05:36 scdaemon[7083] DBG: enter: apdu_close_reader: slot=0
2017-07-07 17:05:36 scdaemon[7083] DBG: enter: apdu_disconnect: slot=0
2017-07-07 17:05:36 scdaemon[7083] DBG: leave: apdu_disconnect => sw=0x0
2017-07-07 17:05:36 scdaemon[7083] DBG: leave: apdu_close_reader => 0x0 (close_reader)
2017-07-07 17:05:36 scdaemon[7083] DBG: chan_5 -> ERR 100696144 Operation not supported by device <SCD>
2017-07-07 17:05:36 scdaemon[7083] DBG: chan_5 <- RESTART
and more information from gpg-agent.log
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 -> OK Pleased to meet you
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 <- RESET
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 -> OK
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 <- OPTION ttyname=/dev/ttys000
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 -> OK
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 <- OPTION ttytype=xterm-256color
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 -> OK
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 <- OPTION lc-ctype=en_US.UTF-8
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 -> OK
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 <- OPTION lc-messages=en_US.UTF-8
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 -> OK
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 <- GETINFO version
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 -> D 2.1.21
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 -> OK
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 <- OPTION allow-pinentry-notify
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 -> OK
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 <- OPTION agent-awareness=2.1.0
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 -> OK
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 <- SCD GETINFO version
2017-07-07 17:05:30 gpg-agent[7082] new connection to SCdaemon established (reusing)
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_9 -> GETINFO version
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_9 <- D 2.1.21
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_9 <- OK
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 -> D 2.1.21
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 -> OK
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_8 <- SCD SERIALNO openpgp
2017-07-07 17:05:30 gpg-agent[7082] DBG: chan_9 -> SERIALNO openpgp
2017-07-07 17:05:36 gpg-agent[7082] DBG: chan_9 <- ERR 100696144 Operation not supported by device <SCD>
2017-07-07 17:05:36 gpg-agent[7082] DBG: chan_8 -> ERR 100696144 Operation not supported by device <SCD>
2017-07-07 17:05:36 gpg-agent[7082] DBG: chan_8 <- [eof]
2017-07-07 17:05:36 gpg-agent[7082] DBG: chan_9 -> RESTART
Here is my scdaemon.conf, in which I've already tried some troubleshooting settings
pcsc-driver /System/Library/Frameworks/PCSC.framework/PCSC
card-timeout 1
disable-ccid
log-file /Users/admin/.gnupg/scdaemon.log.txt
verbose
debug-level guru
gpg version
gpg --version
gpg (GnuPG) 2.1.21
libgcrypt 1.7.8
os version
uname -a
Darwin admins-Mac.local 16.6.0 Darwin Kernel Version 16.6.0: Fri Apr 14 16:21:16 PDT 2017; root:xnu-3789.60.24~6/RELEASE_X86_64 x86_64
pcsctest seems to be able to communicate
pcsctest
MUSCLE PC/SC Lite Test Program
Testing SCardEstablishContext : Command successful.
Testing SCardGetStatusChange
Please insert a working reader : Command successful.
Testing SCardListReaders : Command successful.
Reader 01: Yubico Yubikey 4 OTP+U2F+CCID
Enter the reader number : 1
Waiting for card insertion
: Command successful.
Testing SCardConnect : Command successful.
Testing SCardStatus : Command successful.
Current Reader Name : Yubico Yubikey 4 OTP+U2F+CCID
Current Reader State : 0x54
Current Reader Protocol : 0x1
Current Reader ATR Size : 18 (0x12)
Current Reader ATR Value : 3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4
Testing SCardDisconnect : Command successful.
Testing SCardReleaseContext : Command successful.
Testing SCardEstablishContext : Command successful.
Testing SCardGetStatusChange
Please insert a working reader : Command successful.
Testing SCardListReaders : Command successful.
Reader 01: Yubico Yubikey 4 OTP+U2F+CCID
Using the latest nightly build GPG Suite 2017.1 (1935n)
Anyone got any ideas or have yubikey 4 + gpgsuite working on os x 10.12.5?
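Added example (not part of the original post, and not GnuPG or GPG Suite code): a small Python parser that decodes the PCSC_data command APDUs in the scdaemon log above and pairs each one with the outcome logged after it. The sample lines are copied from that log and the function names are hypothetical. On this log it shows that both SELECT commands end in the PC/SC error 0x80100016 at transmit time, so no status word from the card is ever logged.

```python
import re

# Constructed sample: lines copied from the scdaemon log in the post above.
SAMPLE_LOG = """\
2017-07-07 17:05:30 scdaemon[7083] DBG: PCSC_data: 00 A4 00 0C 02 3F 00
2017-07-07 17:05:33 scdaemon[7083] pcsc_transmit failed: not transacted (0x80100016)
2017-07-07 17:05:33 scdaemon[7083] DBG: PCSC_data: 00 A4 04 00 06 D2 76 00 01 24 01
2017-07-07 17:05:36 scdaemon[7083] pcsc_transmit failed: not transacted (0x80100016)
2017-07-07 17:05:36 scdaemon[7083] can't select application 'openpgp': Not supported
"""

OPENPGP_AID_PREFIX = bytes.fromhex("D27600012401")  # AID bytes sent in the log
PCSC_ERRORS = {0x80100016: "SCARD_E_NOT_TRANSACTED"}  # PC/SC layer, not a card SW
APDU_RE = re.compile(r"PCSC_data: ((?:[0-9A-Fa-f]{2} ?)+)")
FAIL_RE = re.compile(r"pcsc_transmit failed: .*\((0x[0-9A-Fa-f]+)\)")


def describe_apdu(raw: bytes) -> str:
    """Name a short-form ISO 7816-4 SELECT command (CLA INS P1 P2 Lc data)."""
    if len(raw) < 4 or raw[1] != 0xA4:
        return "not a SELECT command"
    p1 = raw[2]
    data = raw[5:5 + raw[4]] if len(raw) > 5 else b""
    if p1 == 0x04 and data.startswith(OPENPGP_AID_PREFIX):
        return "SELECT OpenPGP application by AID"
    if p1 == 0x00 and data == b"\x3f\x00":
        return "SELECT master file 3F00"
    return f"SELECT P1={p1:02X} data={data.hex().upper()}"


def trace(log: str):
    """Pair each APDU sent with the transmit failure logged before the next APDU."""
    events = []
    for line in log.splitlines():
        if m := APDU_RE.search(line):
            events.append({"apdu": describe_apdu(bytes.fromhex(m.group(1))),
                           "outcome": "no failure logged"})
        elif (m := FAIL_RE.search(line)) and events:
            code = int(m.group(1), 16)
            events[-1]["outcome"] = "transport error " + PCSC_ERRORS.get(code, hex(code))
    return events


if __name__ == "__main__":
    for e in trace(SAMPLE_LOG):
        print(f'{e["apdu"]:36} -> {e["outcome"]}')
```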
Support Staff 1 Posted by Luke Le on 01 Aug, 2017 02:57 PM
Hi,
it's quite strange that scdaemon is saying:
2017-07-07 17:05:36 scdaemon[7083] can't select application 'openpgp': Not supported
which to me would say that the Yubikey doesn't support OpenPGP, which it does.
We've added a very experimental option to scdaemon which allows it to establish a shared connection to the token. That could help you.
In order to try that add the following line to ~/.gnupg/scdaemon.conf:
Please let us know if that helps.
Support Staff 2 Posted by Steve on 22 Oct, 2017 04:30 PM
Closing, since no further user feedback was received. Should your problem persist, feel free to re-open this discussion any time.
All the best, steve
Steve closed this discussion on 22 Oct, 2017 04:30 PM.