GPGMail: Fails to sign after switch from S/MIME
Using a Yubikey 4 hardware token with PIV and OpenPGP applets provisioned. macOS Sierra 10.12.6.
Start Apple Mail. Reply to an S/MIME email with a signed S/MIME email. Reply to an OpenPGP email with a signed OpenPGP email. In a Terminal run “yubico-piv-tool -a status” to select PIV applet on the token again. Send a signed S/MIME email. So far so good.
Now in a Terminal run “gpg --card-status” to get OpenPGP applet selected, and try to reply to an OpenPGP email with a signed OpenPGP. Fails with the error
gpg: signing failed: Card error (this line repeated twice)
Expected
Another successful OpenPGP signature
Additional info
Submitted a report to gpgtools.tenderapp.com and attached a screenshot of the exact error popup.
macOS 10.12.6 16G29
GPG Suite 2017.1 1934n (87683d7)
GPGMail 2.7 1226n (fcb75aa)
GPG Keychain 1.3.3 1358n (7104203)
GPGServices 1.11 953n (3f09119)
MacGPG2 2.1.21 20n (d6cb803)
GPGPreferences 2.0.2 968n (6552234)
Libmacgpg 0.8 810n (0b449bf)
pinentry 0.9.7 21n (6aeb033)
1 Posted by mouse008 on 26 Jul, 2017 03:51 AM
Screenshot attached.
Update Same problem with the latest Nightly 1938n.
To do S/MIME after OpenPGP, I must manually select the PIV applet (for Yubikey it is done by running yubico-piv-tool -a status). To do OpenPGP after S/MIME, I have to remove and re-insert the token. The "old" way of running gpg --card-status does not help any more. Also, "soft" keys from the keyring don't work either (until the token is re-inserted (?)). Also, lots of stuff like this in the scdaemon.log:
Will try the same with Yubikey NEO (older and a little different OpenPGP applet than in Yubikey 4 that's being used here) and report.
Update Reporting: Yubikey NEO exhibited the same behavior. So it may be 10.12.6 vs 10.12.5, rather than Yubikey NEO vs Yubikey 4.
Regardless, GPGTools remains usable, with a bit inconvenient workaround. Thank you!
2 Posted by mouse008 on 15 Aug, 2017 04:49 PM
1950n improved on this.
Support Staff 3 Posted by Steve on 16 Aug, 2017 11:55 AM
@mouse008 Thanks a lot for giving the latest nightly another shot. How did the situation improve?
Could you give us a brief write-up of what the remaining problems are?
4 Posted by alexmalinovich on 20 Aug, 2017 02:01 AM
@mouse008 I was having the same problem until I found this:
https://gpgtools.lighthouseapp.com/projects/66001/tickets/690-add-s...
If you're using the latest nightly, you just need to add shared-access to ~/.gnupg/scdaemon.conf and it should work fine. Now if only I could figure out a way to get gpgsm to read the PIV certificate I'd be all set.
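As an added example (not code from the thread or from GPGTools), a small POSIX sh helper that applies the shared-access workaround from the comment above idempotently; the config path is a parameter so it can be tried on a scratch copy before touching the real ~/.gnupg/scdaemon.conf.

```shell
# Added example: enable the "shared-access" option in an scdaemon.conf
# without adding it twice. The path argument is a placeholder for
# ~/.gnupg/scdaemon.conf so the function can be exercised on a scratch file.
ensure_shared_access() {
    conf="$1"
    # Create the file (and its directory) if scdaemon was never configured.
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    # Only an active, uncommented "shared-access" line counts as enabled;
    # a commented-out "#shared-access" must not.
    if grep -q '^[[:space:]]*shared-access[[:space:]]*$' "$conf"; then
        echo "already enabled"
        return 0
    fi
    printf '%s\n' 'shared-access' >> "$conf"
    echo "enabled"
}

# scdaemon reads its configuration only at start-up, so the running daemon
# has to be stopped after the edit; gpg-agent starts a fresh one on the next
# card access. (gpgconf --kill is a standard GnuPG 2.1+ command.)
restart_scdaemon() {
    gpgconf --kill scdaemon
}
```

Run ensure_shared_access on the real path, then restart_scdaemon, before re-inserting the token and retrying the S/MIME and OpenPGP signatures.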
5 Posted by mouse008 on 20 Aug, 2017 02:42 AM
Alex, thank you - but if you read my posts here you'd see that the shared-access parameter was added upon my request, and that ticket was mine, sort of. :-) So I'm well aware of this option (and wish GnuPG developers upstream weren't so pig-headed, and incorporated this patch to scdaemon). I know that it "should" work fine, and it works, mostly - but with some quirks. I'm in the process of documenting the remaining problems and my current workarounds. In short, sometimes I have to re-insert the token, sometimes it is sufficient to just re-run gpg --card-status or yubico-piv-tool -a status to switch the token to the right applet and allow Apple Mail to smoothly/seamlessly use S/MIME or OpenPGP correspondingly during the same session (no re-launch of Apple Mail needed to process S/MIME and OpenPGP emails). The problem is that gpgsm somehow switches the token to the OpenPGP applet. Unless this is mitigated, there's no way (that I know of) to read PIV certificates from an OpenPGP applet. Perhaps a patch to gpgsm can address this.
6 Posted by mouse008 on 02 Feb, 2018 02:26 AM
The app I think stresses the ability to seamlessly switch between PIV and OpenPGP applets of the same hardware token is Apple Mail. I'm signing some email with S/MIME (using PIV applet), and some with OpenPGP (using OpenPGP applet).
This mostly works, but the switching isn't truly smooth. Sometimes you just change the mode from S/MIME to OpenPGP, and that's it - it flows fine. At other times it doesn't, usually when you do the switching several times rather than taking care of all the S/MIME email first and all the OpenPGP email after that.
Remaining quirks:
* When switching (2nd time) from one mode to another and trying to sign, the operation fails with gpg error:
  - Sometimes (switching from S/MIME to OpenPGP) doing gpg --card-status (which makes OpenPGP applet active) is enough.
  - At other times I need to re-insert the token. Frankly, no big deal.
* Similar when switching from OpenPGP to S/MIME:
  - If signing operation fails, sometimes yubico-piv-tool -a status (which makes PIV applet active) resolves the problem.
  - If it doesn't - re-inserting the token invariably resolves it.
Note that OpenSC team is now working on making these two applets co-exist better and function pretty much "in parallel".
As I said before, overall I think GPGTools has solved this problem. Thank you!
P.S. And this is with GPGTools 2017.3 and MacOS High Sierra 10.13.3 (and 10.12.6).
Support Staff 7 Posted by Luke Le on 22 Mar, 2018 06:28 PM
Hi mouse008,
sorry for chiming in so late. Unfortunately better support for smart card applets is currently out of scope for our project. At the same time, either these issues don't exist on other platforms or smart cards are not used as extensively there. These kinds of issues don't really come up often on the gnupg mailing lists.
Steve closed this discussion on 08 Jul, 2018 12:17 PM.