GPGMail: Fails to sign after switch from S/MIME

mouse008

26 Jul, 2017 03:49 AM

Using a Yubikey 4 hardware token with PIV and OpenPGP applets provisioned. macOS Sierra 10.12.6.

Start Apple Mail. Reply to an S/MIME email with a signed S/MIME email. Reply to an OpenPGP email with a signed OpenPGP email. In a Terminal run “yubico-piv-tool -a status” to select PIV applet on the token again. Send a signed S/MIME email. So far so good.

Now in a Terminal run "gpg --card-status" to get the OpenPGP applet selected, and try to reply to an OpenPGP email with a signed OpenPGP email. Fails with the error
gpg: signing failed: Card error (this line repeated twice)

Expected
Another successful OpenPGP signature

Additional info
Submitted a report to gpgtools.tenderapp.com and attached a screenshot of the exact error popup.

macOS           10.12.6     16G29
GPG Suite       2017.1      1934n   (87683d7)
GPGMail         2.7         1226n   (fcb75aa)
GPG Keychain    1.3.3       1358n   (7104203)
GPGServices     1.11        953n    (3f09119)
MacGPG2         2.1.21      20n     (d6cb803)
GPGPreferences  2.0.2       968n    (6552234)
Libmacgpg       0.8         810n    (0b449bf)
pinentry        0.9.7       21n     (6aeb033)
  1. 1 Posted by mouse008 on 26 Jul, 2017 03:51 AM

    Screenshot attached.

    Update Same problem with the latest Nightly 1938n.

    To do S/MIME after OpenPGP - must manually select PIV applet (for Yubikey it is done by running yubico-piv-tool -a status).
    To do OpenPGP after S/MIME have to remove and re-insert the token. The "old" way of running gpg --card-status does not help any more. Also, "soft" keys from the keyring don't work either (until the token is re-inserted (?)).

    Also, lots of stuff like this in the scdaemon.log:

    . . . . .
    2017-07-25 23:57:15 scdaemon[19841] pcsc_transmit failed: reset card (0x80100068)
    2017-07-25 23:57:15 scdaemon[19841] apdu_send_simple(0) failed: general error
    2017-07-25 23:57:15 scdaemon[19841] pcsc_transmit failed: reset card (0x80100068)
    2017-07-25 23:57:15 scdaemon[19841] apdu_send_simple(0) failed: general error
    2017-07-25 23:57:15 scdaemon[19841] pcsc_transmit failed: reset card (0x80100068)
    2017-07-25 23:57:15 scdaemon[19841] apdu_send_simple(0) failed: general error
    2017-07-25 23:57:19 scdaemon[19841] DBG: Removal of a card: 0
    2017-07-25 23:57:26 scdaemon[20155] detected reader 'Yubico Yubikey 4 OTP+U2F+CCID'
    2017-07-25 23:57:26 scdaemon[20155] pcsc_control failed: not transacted (0x80100016)
    2017-07-25 23:57:26 scdaemon[20155] pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65547
    2017-07-25 23:57:26 scdaemon[20155] sending signal 31 to client 19769
    2017-07-25 23:57:45 scdaemon[20155] signatures created so far: 6
    2017-07-25 23:57:45 scdaemon[20155] DBG: asking for PIN '||Please unlock the card%0A%0ANumber: 0006 04139602%0AHolder: myself%0ACounter: 6'
    2017-07-25 23:58:15 scdaemon[20155] signatures created so far: 7
    2017-07-25 23:58:15 scdaemon[20155] DBG: asking for PIN '||Please unlock the card%0A%0ANumber: 0006 04139602%0AHolder: myself%0ACounter: 7'
    2017-07-25 23:58:20 scdaemon[20155] DBG: asking for PIN '||Please unlock the card%0A%0ANumber: 0006 04139602%0AHolder: myself'
    2017-07-25 23:59:57 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    2017-07-25 23:59:57 scdaemon[20155] apdu_send_simple(0) failed: general error
    2017-07-25 23:59:57 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    2017-07-25 23:59:57 scdaemon[20155] apdu_send_simple(0) failed: general error
    2017-07-25 23:59:57 scdaemon[20155] signatures created so far: 0
    2017-07-25 23:59:57 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    2017-07-25 23:59:57 scdaemon[20155] apdu_send_simple(0) failed: general error
    2017-07-25 23:59:57 scdaemon[20155] error retrieving CHV status from card
    2017-07-25 23:59:57 scdaemon[20155] app_sign failed: Card error
    2017-07-26 00:00:07 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    2017-07-26 00:00:07 scdaemon[20155] apdu_send_simple(0) failed: general error
    2017-07-26 00:00:07 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    2017-07-26 00:00:07 scdaemon[20155] apdu_send_simple(0) failed: general error
    2017-07-26 00:00:07 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    2017-07-26 00:00:07 scdaemon[20155] apdu_send_simple(0) failed: general error
    2017-07-26 00:00:07 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    2017-07-26 00:00:07 scdaemon[20155] apdu_send_simple(0) failed: general error
    2017-07-26 00:00:10 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    2017-07-26 00:00:10 scdaemon[20155] apdu_send_simple(0) failed: general error
    2017-07-26 00:00:10 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    2017-07-26 00:00:10 scdaemon[20155] apdu_send_simple(0) failed: general error
    2017-07-26 00:00:10 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    2017-07-26 00:00:10 scdaemon[20155] apdu_send_simple(0) failed: general error
    2017-07-26 00:00:10 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
    . . . . .
    

    Will try the same with Yubikey NEO (older and a little different OpenPGP applet than in Yubikey 4 that's being used here) and report.

    Update Reporting: Yubikey NEO exhibited the same behavior. So it may be 10.12.6 vs 10.12.5, rather than Yubikey NEO vs Yubikey 4.

    Regardless, GPGTools remains usable, with a slightly inconvenient workaround. Thank you!
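
The scdaemon.log excerpt above is the most useful evidence in this thread: a run of `pcsc_transmit failed: reset card (0x80100068)` lines, the signature counter falling back to 0, and then `app_sign failed: Card error`. The following triage script is an added example (it is not part of the thread, of GPGTools or of GnuPG) that parses lines in that format, groups them by scdaemon PID and reports, per PID, whether a signing failure followed a card reset. The sample log embedded in it is constructed by abridging the excerpt quoted in the post; the "counter drop" heuristic (treating a signature counter that goes backwards after a reset as lost applet state) is an assumption of this example, not a documented GnuPG semantic.

```python
"""Triage helper for GnuPG scdaemon.log lines of the kind quoted above.

Added example, not part of the thread or of GPGTools/GnuPG. It reads
scdaemon.log lines, groups them by scdaemon PID, counts card-reset
transport errors (pcsc_transmit ... reset card (0x80100068)) and reports
whether a signing attempt failed after the card had been reset from
outside scdaemon (the S/MIME / PIV applet switch described in the thread).
"""
import re
from collections import defaultdict

# "<timestamp> scdaemon[<pid>] <message>" as written by scdaemon's log-file option
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) scdaemon\[(?P<pid>\d+)\] (?P<msg>.*)$"
)
COUNTER_RE = re.compile(r"signatures created so far: (\d+)")
RESET_MARKER = "reset card (0x80100068)"

# Constructed sample: an abridged copy of the log excerpt quoted in the post.
SAMPLE_LOG = """\
2017-07-25 23:57:15 scdaemon[19841] pcsc_transmit failed: reset card (0x80100068)
2017-07-25 23:57:15 scdaemon[19841] apdu_send_simple(0) failed: general error
2017-07-25 23:57:19 scdaemon[19841] DBG: Removal of a card: 0
2017-07-25 23:57:26 scdaemon[20155] detected reader 'Yubico Yubikey 4 OTP+U2F+CCID'
2017-07-25 23:57:45 scdaemon[20155] signatures created so far: 6
2017-07-25 23:59:57 scdaemon[20155] pcsc_transmit failed: reset card (0x80100068)
2017-07-25 23:59:57 scdaemon[20155] apdu_send_simple(0) failed: general error
2017-07-25 23:59:57 scdaemon[20155] signatures created so far: 0
2017-07-25 23:59:57 scdaemon[20155] error retrieving CHV status from card
2017-07-25 23:59:57 scdaemon[20155] app_sign failed: Card error
"""


def parse_lines(text):
    """Return one dict (ts, pid, msg) per well-formed log line; skip separators."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ". . . . ." elisions or truncated lines
        events.append(m.groupdict())
    return events


def triage(text):
    """Aggregate per-PID counters: resets, sign failures, readers, counter drop."""
    report = defaultdict(
        lambda: {"resets": 0, "sign_failures": 0, "readers": [], "counter_drop": False}
    )
    last_counter = {}
    for ev in parse_lines(text):
        pid, msg = ev["pid"], ev["msg"]
        r = report[pid]
        if RESET_MARKER in msg:
            r["resets"] += 1
        elif msg.startswith("app_sign failed"):
            r["sign_failures"] += 1
        elif msg.startswith("detected reader"):
            r["readers"].append(msg.split("'")[1])
        else:
            c = COUNTER_RE.match(msg)
            if c:
                n = int(c.group(1))
                # Heuristic (assumption of this example): a signature counter
                # that goes backwards means the card state scdaemon relied on
                # is gone, e.g. another tool selected a different applet.
                if pid in last_counter and n < last_counter[pid]:
                    r["counter_drop"] = True
                last_counter[pid] = n
    return dict(report)


def diagnose(text):
    """Return a short verdict string per scdaemon PID."""
    verdicts = {}
    for pid, r in triage(text).items():
        if r["sign_failures"] and r["resets"]:
            verdicts[pid] = "sign failed after card reset by another application"
        elif r["resets"]:
            verdicts[pid] = "card reset seen, no signing failure"
        else:
            verdicts[pid] = "ok"
    return verdicts


if __name__ == "__main__":
    for pid, verdict in diagnose(SAMPLE_LOG).items():
        print(f"scdaemon[{pid}]: {verdict}")
```

Point the script at a real `~/.gnupg/scdaemon.log` (produced with `log-file` and `debug-level` set in scdaemon.conf) by passing the file contents to `diagnose`; a PID whose verdict is "sign failed after card reset" is the pattern this thread attributes to switching between the PIV and OpenPGP applets.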

  2. 2 Posted by mouse008 on 15 Aug, 2017 04:49 PM

    1950n improved on this.

  3. Support Staff 3 Posted by Steve on 16 Aug, 2017 11:55 AM

    @mouse008 Thanks a lot for giving the latest nightly another shot. How did the situation improve?

    Could you give us a brief write-up of what the remaining problems are?

  4. 4 Posted by alexmalinovich on 20 Aug, 2017 02:01 AM

    @mouse008 I was having the same problem until I found this:

    https://gpgtools.lighthouseapp.com/projects/66001/tickets/690-add-s...

    If you're using the latest nightly, you just need to add shared-access to ~/.gnupg/scdaemon.conf and it should work fine.

    Now if only I could figure out a way to get gpgsm to read the PIV certificate I'd be all set.
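
The workaround in this post is a one-line change to `~/.gnupg/scdaemon.conf`. The script below is an added example (not from the thread and not GPGTools' own code) that applies it idempotently: it treats a commented-out `# shared-access` as not active, appends the directive only when missing, keeps the file owner-readable only, and reports whether it changed anything. It assumes the GPGTools nightly whose patched scdaemon understands `shared-access`; as the next reply notes, upstream GnuPG does not carry that option, so on a stock build the line would simply be an unknown directive.

```python
"""Idempotently enable `shared-access` in scdaemon.conf.

Added example, not from the thread or from GPGTools. Assumes the GPGTools
nightly with the patched scdaemon that accepts the `shared-access` option.
ensure_option() returns True when it wrote the directive and False when it
was already active, so it is safe to run on every login.
"""
import os
import stat
import tempfile

OPTION = "shared-access"


def option_active(text, option=OPTION):
    """True if `option` appears as a non-comment directive in the config text."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        # scdaemon directives may carry an argument; compare the first token only.
        if stripped.split()[0] == option:
            return True
    return False


def ensure_option(conf_path, option=OPTION):
    """Append `option` to conf_path unless already present. Returns True if written."""
    text = ""
    if os.path.exists(conf_path):
        with open(conf_path, encoding="utf-8") as fh:
            text = fh.read()
    if option_active(text, option):
        return False
    os.makedirs(os.path.dirname(conf_path) or ".", exist_ok=True)
    with open(conf_path, "a", encoding="utf-8") as fh:
        if text and not text.endswith("\n"):
            fh.write("\n")
        fh.write(f"{option}\n")
    # Keep the file private (0600), consistent with the rest of ~/.gnupg.
    os.chmod(conf_path, stat.S_IRUSR | stat.S_IWUSR)
    return True


def self_check():
    """Run ensure_option twice on a scratch file; returns (first, second, active)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "scdaemon.conf")
        with open(path, "w", encoding="utf-8") as fh:
            # Constructed starting config: a commented-out copy must not count.
            fh.write("# shared-access\ndebug-level basic\n")
        first = ensure_option(path)
        second = ensure_option(path)
        with open(path, encoding="utf-8") as fh:
            active = option_active(fh.read())
    return first, second, active


if __name__ == "__main__":
    changed = ensure_option(os.path.expanduser("~/.gnupg/scdaemon.conf"))
    print("added shared-access" if changed else "shared-access already set")
```

After changing scdaemon.conf, the running daemon has to be restarted to pick it up (`gpgconf --kill scdaemon`; gpg-agent starts a fresh one on the next card operation).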

  5. 5 Posted by mouse008 on 20 Aug, 2017 02:42 AM

    If you're using the latest nightly, you just need to add shared-access to ~/.gnupg/scdaemon.conf and it should work fine.

    Alex, thank you - but if you read my posts here you'd see that the shared-access parameter was added upon my request, and that ticket was mine, sort of. :-)
    So I'm well aware of this option (and wish GnuPG developers upstream weren't so pig-headed, and incorporated this patch to scdaemon).

    I know that it "should" work fine, and it works, mostly - but with some quirks. I'm in the process of documenting the remaining problems and my current workarounds. In short, sometimes I have to re-insert the token, sometimes it is sufficient to just re-run gpg --card-status or yubico-piv-tool -a status to switch the token to the right applet and allow Apple Mail to smoothly/seamlessly use S/MIME or OpenPGP correspondingly during the same session (no re-launch of Apple Mail needed to process S/MIME and OpenPGP emails).

    Now if only I could figure out a way to get gpgsm to read the PIV certificate I'd be all set.

    The problem is that gpgsm somehow switches the token to OpenPGP applet. Unless this is mitigated, there's no way (that I know of) to read PIV certificates from an OpenPGP applet. Perhaps a patch to gpgsm can address this.

Attached file: 2017-07-26_03-49_DebugInfo.gpg (35.5 KB)