MacGPG2: scdaemon PC/SC OPEN failed: sharing violation (0x8010000b)

mouse008

07 Sep, 2016 02:13 AM

My hardware token (YubiKey NEO) has several applets, including PIV and OpenPGP. Needless to say, I need and use both of them.

On Mac OS X, tokend connects to the token immediately upon its insertion, which is necessary to present the token as a (PIV) keychain in the Keychain Access, and make its keys/certificates otherwise available to the Mac OS X applications.

However, when I try to use gpg, or any component of GPGTools that needs access to this token (to its OpenPGP applet), this tool detects that the token is already being used - and refuses to connect to it, with the following messages in the /tmp/scdaemon.log:

2016-09-06 21:09:24 scdaemon[67807] PC/SC OPEN failed: sharing violation (0x8010000b)
2016-09-06 21:09:24 scdaemon[67807] PC/SC OPEN failed: sharing violation (0x8010000b)
2016-09-06 21:09:33 scdaemon[67807] PC/SC OPEN failed: sharing violation (0x8010000b)

Expected
I would expect and like sharing - especially since they share the “token” but not the “applet”: PIV applications cannot use OpenPGP interface, and vice versa (I think).

I know about the design ideology (security concerns), but this kills usability, particularly with Apple Mail, where I need to process both PGP-protected and S/MIME-protected emails (obviously from different crowds, but that is not relevant).

Same applies to Thunderbird, except there is no tokend involved - just inability of GPG suite to share the token with PIV suite. I’d like it remedied.

Additional info
There is a workaround - but it is ugly: insert the token, start Apple Mail, process all the S/MIME emails. Quit Mail, kill OpenSC.tokend. Run “gpg2 --card-status” (assuming it connects and provides expected result). Start Mail, process PGP/MIME emails. Quit Mail, remove the token, re-insert it - now PIV and S/MIME are functioning again.

Ugly as a mule. Can you please either remove this restriction, or better yet - add a configuration parameter that would allow token sharing?

Mac OS X        10.11.6             (15G1004)
Libmacgpg       0.7         769 
GPGMail         2.6.1       1151
GPG Keychain    1.3.1       1233
GPGServices     1.11        907 
MacGPG2         2.0.30      875 
GPGPreferences  2.0         887 
Pinentry        0.9.7       2
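
Added example (not part of the original post and not GPGTools code): a small triage script for the scdaemon log format quoted above, which decodes the PC/SC status code in each failure line and reports how often and for how long each scdaemon process hit it. The `summarize` helper and the last two sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# First three lines are the ones quoted in the post; the last two are constructed.
SAMPLE_LOG = """\
2016-09-06 21:09:24 scdaemon[67807] PC/SC OPEN failed: sharing violation (0x8010000b)
2016-09-06 21:09:24 scdaemon[67807] PC/SC OPEN failed: sharing violation (0x8010000b)
2016-09-06 21:09:33 scdaemon[67807] PC/SC OPEN failed: sharing violation (0x8010000b)
2016-09-06 21:10:02 scdaemon[67911] PC/SC OPEN failed: no smartcard (0x8010000c)
2016-09-06 21:10:05 scdaemon[67911] some unrelated line
"""

# PC/SC (winscard) status codes; 0x8010000b is the one reported in this thread.
PCSC_CODES = {
    0x80100009: "SCARD_E_UNKNOWN_READER",
    0x8010000B: "SCARD_E_SHARING_VIOLATION",
    0x8010000C: "SCARD_E_NO_SMARTCARD",
    0x80100069: "SCARD_W_REMOVED_CARD",
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) scdaemon\[(?P<pid>\d+)\] "
    r"PC/SC (?P<op>[A-Z_]+) failed: (?P<msg>.*?) \((?P<code>0x[0-9a-fA-F]{8})\)\s*$"
)

def summarize(log_text):
    """Group PC/SC failures by (pid, operation, code); report count and time span."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a PC/SC failure line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        groups[(int(m["pid"]), m["op"], int(m["code"], 16))].append(ts)
    return [
        {"pid": pid, "op": op, "code": f"0x{code:08x}",
         "name": PCSC_CODES.get(code, "unknown"), "count": len(stamps),
         "span_s": int((max(stamps) - min(stamps)).total_seconds())}
        for (pid, op, code), stamps in sorted(groups.items())
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A run of `SCARD_E_SHARING_VIOLATION` on `OPEN` from one scdaemon process, as in the log above, means another PC/SC client already holds the card in a mode that does not permit the requested access.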

Showing page 2 out of 2.

  1. Steve closed this discussion on 18 Jul, 2017 11:11 AM.

  2. mouse008 re-opened this discussion on 18 Jul, 2017 09:30 PM

  3. 30 Posted by mouse008 on 18 Jul, 2017 09:30 PM

    @steve, would you be able to provide the patch for scdaemon (I assume that's the only component that had to be changed)? One of my colleagues may want to use it with the gpg setup on Linux (they use Yubikeys for PIV-based SSH and VPN, but sign email using OpenPGP).

    Thanks!

    P.S. And of course, please feel free to close this discussion again, as your solution works.

  4. Support Staff 31 Posted by Steve on 18 Jul, 2017 09:31 PM
