GPGMail: Fails to sign after switch from S/MIME

mouse008

26 Jul, 2017 03:49 AM

Using a Yubikey 4 hardware token with PIV and OpenPGP applets provisioned. macOS Sierra 10.12.6.

Start Apple Mail. Reply to an S/MIME email with a signed S/MIME email. Reply to an OpenPGP email with a signed OpenPGP email. In a Terminal run “yubico-piv-tool -a status” to select PIV applet on the token again. Send a signed S/MIME email. So far so good.

Now in a Terminal run “gpg --card-status” to get OpenPGP applet selected, and try to reply to an OpenPGP email with a signed OpenPGP. Fails with the error
gpg: signing failed: Card error (this line repeated twice)

Expected
Another successful OpenPGP signature

Additional info
Submitted a report to gpgtools.tenderapp.com and attached a screenshot of the exact error popup.

macOS           10.12.6     16G29
GPG Suite       2017.1      1934n   (87683d7)
GPGMail         2.7         1226n   (fcb75aa)
GPG Keychain    1.3.3       1358n   (7104203)
GPGServices     1.11        953n    (3f09119)
MacGPG2         2.1.21      20n     (d6cb803)
GPGPreferences  2.0.2       968n    (6552234)
Libmacgpg       0.8         810n    (0b449bf)
pinentry        0.9.7       21n     (6aeb033)
  1. 1 Posted by mouse008 on 26 Jul, 2017 03:51 AM

    Screenshot attached.

    Update Same problem with the latest Nightly 1938n.

    To do S/MIME after OpenPGP - must manually select PIV applet (for Yubikey it is done by running yubico-piv-tool -a status).
    To do OpenPGP after S/MIME have to remove and re-insert the token. The "old" way of running gpg --card-status does not help any more. Also, "soft" keys from the keyring don't work either (until the token is re-inserted (?)).

    Also, lots of stuff like this in the scdaemon.log:

    . . . . .
    2017-07-25 23:57:15 scdaemon[19841] pcsc_transmit failed: reset card (0x80100068)
    2017-07-25 23:57:15 scdaemon[19841] apdu_send_simple(0) failed: general error
    2017-07-25 23:57:15 scdaemon[19841] pcsc_transmit failed: reset card (0x80100068)
    2017-07-25 23:57:15 scdaemon[19841] apdu_send_simple(0) failed: general error
    2017-07-25 23:57:15 scdaemon[19841] pcsc_transmit failed: reset card (0x80100068)
    2017-07-25 23:57:15 scdaemon[19841] apdu_send_simple(0) failed: general error
    2017-07-25 23:57:19 scdaemon[19841] DBG: Removal of a card: 0
    2017-07-25 23:57:26 scdaemon[20155] detected reader 'Yubico Yubikey 4 OTP+U2F+CCID'
    2017-07-25 23:57:26 scdaemon[20155] pcsc_control failed: not transacted (0x80100016)
    2017-07-25 23:57:26 scdaemon[20155] pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65547
    2017-07-25 23:57:26 scdaemon[20155] sending signal 31 to client 19769
    2017-07-25 23:57:45 scdaemon[20155] signatures created so far: 6
    2017-07-25 23:57:45 scdaemon[20155] DBG: asking for PIN '||Please unlock the card%0A%0ANumber: 0006 04139602%0AHolder: myself%0ACounter: 6'
    2017-07-25 23:58:15 scdaemon[20155] signatures created so far: 7
    2017-07-25 23:58:15 scdaemon[20155] DBG: asking for PIN '||Please unlock the card%0A%0ANumber: 0006 04139602%0AHolder: myself%0ACounter: 7'
    2017-07-25 23:58:20 scdaemon[20155] DBG: asking for PIN '||Please unlock the card%0A%0ANumber: 0006 04139602%0AHolder: myself'
    2017-07-25 23:59:57 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    2017-07-25 23:59:57 scdaemon[20155] apdu_send_simple(0) failed: general error
    2017-07-25 23:59:57 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    2017-07-25 23:59:57 scdaemon[20155] apdu_send_simple(0) failed: general error
    2017-07-25 23:59:57 scdaemon[20155] signatures created so far: 0
    2017-07-25 23:59:57 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    2017-07-25 23:59:57 scdaemon[20155] apdu_send_simple(0) failed: general error
    2017-07-25 23:59:57 scdaemon[20155] error retrieving CHV status from card
    2017-07-25 23:59:57 scdaemon[20155] app_sign failed: Card error
    2017-07-26 00:00:07 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    2017-07-26 00:00:07 scdaemon[20155] apdu_send_simple(0) failed: general error
    2017-07-26 00:00:07 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    2017-07-26 00:00:07 scdaemon[20155] apdu_send_simple(0) failed: general error
    2017-07-26 00:00:07 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    2017-07-26 00:00:07 scdaemon[20155] apdu_send_simple(0) failed: general error
    2017-07-26 00:00:07 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    2017-07-26 00:00:07 scdaemon[20155] apdu_send_simple(0) failed: general error
    2017-07-26 00:00:10 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    2017-07-26 00:00:10 scdaemon[20155] apdu_send_simple(0) failed: general error
    2017-07-26 00:00:10 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    2017-07-26 00:00:10 scdaemon[20155] apdu_send_simple(0) failed: general error
    2017-07-26 00:00:10 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    2017-07-26 00:00:10 scdaemon[20155] apdu_send_simple(0) failed: general error
    2017-07-26 00:00:10 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    . . . . .
    

    Will try the same with Yubikey NEO (older and a little different OpenPGP applet than in Yubikey 4 that's being used here) and report.

    Update Reporting: Yubikey NEO exhibited the same behavior. So it may be 10.12.6 vs 10.12.5, rather than Yubikey NEO vs Yubikey 4.

    Regardless, GPGTools remains usable, with a bit of an inconvenient workaround. Thank you!
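    As an added example (not code from the thread or from GPGTools), the following script triages an scdaemon.log excerpt like the one quoted above: it counts the card-reset, CHV-status and app_sign failures per scdaemon process and flags the "card kept resetting, then signing failed" pattern that points at applet state rather than a wrong PIN. The sample lines are copied from the log in this post; the function and event names are my own.

```python
import re
from collections import Counter

# Shape of the scdaemon.log lines quoted in the thread, e.g.
# "2017-07-25 23:59:57 scdaemon[20155] app_sign failed: Card error"
LINE_RE = re.compile(r"^(\S+ \S+) scdaemon\[(\d+)\] (.*)$")

# Message prefixes worth counting when a signature fails with "Card error".
EVENTS = {
    "transmit_reset": "pcsc_transmit failed: reset card",
    "sign_failed": "app_sign failed",
    "chv_status_error": "error retrieving CHV status",
    "card_removed": "DBG: Removal of a card",
    "reader_detected": "detected reader",
}

def parse_line(line):
    """Return (timestamp, pid, message) or None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3)

def summarize(lines):
    """Count triage events per scdaemon pid and report whether any pid saw
    transmit resets together with an app_sign failure (applet/state issue)."""
    per_pid = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, pid, msg = parsed
        counts = per_pid.setdefault(pid, Counter())
        for name, prefix in EVENTS.items():
            if msg.startswith(prefix):
                counts[name] += 1
    suspect = any(c["sign_failed"] and c["transmit_reset"] for c in per_pid.values())
    return {"per_pid": per_pid, "reset_then_sign_failure": suspect}

# Sample input: lines taken from the scdaemon.log excerpt in this thread.
SAMPLE_LOG = """2017-07-25 23:57:15 scdaemon[19841] pcsc_transmit failed: reset card (0x80100068)
2017-07-25 23:57:15 scdaemon[19841] apdu_send_simple(0) failed: general error
2017-07-25 23:57:19 scdaemon[19841] DBG: Removal of a card: 0
2017-07-25 23:57:26 scdaemon[20155] detected reader 'Yubico Yubikey 4 OTP+U2F+CCID'
2017-07-25 23:57:45 scdaemon[20155] signatures created so far: 6
2017-07-25 23:59:57 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
2017-07-25 23:59:57 scdaemon[20155] apdu_send_simple(0) failed: general error
2017-07-25 23:59:57 scdaemon[20155] error retrieving CHV status from card
2017-07-25 23:59:57 scdaemon[20155] app_sign failed: Card error""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

    Point it at a real ~/.gnupg/scdaemon.log (with `log-file` and `debug-level` set in scdaemon.conf) to see which scdaemon instance hit the failure and whether a card removal preceded it.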

  2. 2 Posted by mouse008 on 15 Aug, 2017 04:49 PM

    1950n improved on this.

  3. Support Staff 3 Posted by Steve on 16 Aug, 2017 11:55 AM

    @mouse008 Thanks a lot for giving the latest nightly another shot. How did the situation improve?

    Could you give us a brief write-up of what the remaining problems are?

  4. 4 Posted by alexmalinovich on 20 Aug, 2017 02:01 AM

    @mouse008 I was having the same problem until I found this:

    https://gpgtools.lighthouseapp.com/projects/66001/tickets/690-add-s...

    If you're using the latest nightly, you just need to add shared-access to ~/.gnupg/scdaemon.conf and it should work fine.

    Now if only I could figure out a way to get gpgsm to read the PIV certificate I'd be all set.

  5. 5 Posted by mouse008 on 20 Aug, 2017 02:42 AM

    If you're using the latest nightly, you just need to add shared-access to ~/.gnupg/scdaemon.conf and it should work fine.

    Alex, thank you - but if you read my posts here you'd see that the shared-access parameter was added upon my request, and that ticket was mine, sort of. :-)
    So I'm well aware of this option (and wish GnuPG developers upstream weren't so pig-headed, and incorporated this patch to scdaemon).

    I know that it "should" work fine, and it works, mostly - but with some quirks. I'm in the process of documenting the remaining problems and my current workarounds. In short, sometimes I have to re-insert the token, sometimes it is sufficient to just re-run gpg --card-status or yubico-piv-tool -a status to switch the token to the right applet and allow Apple Mail to smoothly/seamlessly use S/MIME or OpenPGP correspondingly during the same session (no re-launch of Apple Mail needed to process S/MIME and OpenPGP emails).

    Now if only I could figure out a way to get gpgsm to read the PIV certificate I'd be all set.

    The problem is that gpgsm somehow switches the token to OpenPGP applet. Unless this is mitigated, there's no way (that I know of) to read PIV certificates from an OpenPGP applet. Perhaps a patch to gpgsm can address this.

  6. 6 Posted by mouse008 on 02 Feb, 2018 02:26 AM

    The app I think stresses the ability to seamlessly switch between PIV and OpenPGP applets of the same hardware token is Apple Mail. I'm signing some email with S/MIME (using PIV applet), and some with OpenPGP (using OpenPGP applet).

    This mostly works, but the switching isn't truly smooth. Sometimes you just change the mode from S/MIME to OpenPGP, and that's it - it flows fine. At other times, usually when you do the switching several times, rather than taking care of all the S/MIME email first and all the OpenPGP email after that.

    Remaining quirks:
    * When switching (2nd time) from one mode to another and trying to sign, the operation fails with gpg error:
      - Sometimes (switching from S/MIME to OpenPGP) doing gpg --card-status (which makes OpenPGP applet active) is enough.
      - At other times I need to re-insert the token. Frankly, no big deal.
    * Similar when switching from OpenPGP to S/MIME:
      - If signing operation fails, sometimes yubico-piv-tool -a status (which makes PIV applet active) resolves the problem.
      - If it doesn't - re-inserting the token invariably resolves it.

    Note that OpenSC team is now working on making these two applets co-exist better and function pretty much "in parallel".

    As I said before, overall I think GPGTools has solved this problem. Thank you!

    P.S. And this is with GPGTools 2017.3 and macOS High Sierra 10.13.3 (and 10.12.6).

  7. Support Staff 7 Posted by Luke Le on 22 Mar, 2018 06:28 PM

    Hi mouse008,

    sorry for chiming in so late. Unfortunately better support for smart card applets is currently out of scope for our project. At the same time, either these issues don't exist on other platforms or smart cards are not used as extensively there. These kinds of issues don't really come up often on the gnupg mailing lists.

  8. Steve closed this discussion on 08 Jul, 2018 12:17 PM.
