GPGTools: Discussion 2018-03-13T11:14:14Z
after updating to GPGtools 2017.1 Yubikey no longer functions properly (both in Mail & gpg2 --card-edit)

2017-09-25T17:54:16Z / 2017-09-25T19:28:31Z
<div><p><strong>Which of our tools is giving you problems?</strong></p>
<p>gpg2</p>
<p><strong>Attach a screenshot of the version info for all installed components (how to: <a href="https://gpgtools.tenderapp.com/kb/faq/where-can-i-find-version-info-of-the-installed-tools">https://gpgtools.tenderapp.com/kb/faq/where-can-i-find-version-info...</a>):</strong></p>
<p>Attached</p>
<p><strong>Describe your problem. Add as much detail as possible.</strong></p>
<p>After installing GPGTools 2017.1 I am no longer able to access my private key using my Yubikey 4 Nano. I am not prompted for my PIN to unlock the Yubikey and Mail displays a message saying "Secret key to decrypt the message is missing"</p>
<p>Attempts to use gpg2 on the command line to edit/inspect the Yubikey also failed:<br>
gpg2 --card-edit</p>
<p>gpg: selecting openpgp failed: Operation not supported by device<br>
gpg: OpenPGP card not available: Operation not supported by device</p>
<p><strong>What did you expect instead</strong></p>
<p>I expect to be prompted for my PIN to unlock the Yubikey.</p>
<p>I also expect to be able to issue gpg2 --card-edit to inspect/edit the GPG key on my Yubikey.</p>
<p><strong>Describe steps leading to the problem.</strong></p>
<p>Described above</p>
<p><strong>Are you using any other Mail.app plugins?</strong></p>
<p>No</p>
<p>EDIT: I also tried following the steps listed @ <a href="https://gpgtools.tenderapp.com/discussions/problems/58454-after-updating-to-gpgtools-20171-yubikey-no-longer-functions-properly-both-in-mail-gpg2-card-edit/autosuggest#">https://gpgtools.tenderapp.com/discussions/problems/58454-after-upd...</a></p>
<p>but when I got to the end and tried to run the final command it failed with:<br>
gpg --card-status<br>
gpg: selecting openpgp failed: Operation not supported by device<br>
gpg: OpenPGP card not available: Operation not supported by device</p>
<p>EDIT2: might be related to <a href="https://gpgtools.tenderapp.com/discussions/problems/50900-unable-to-sign-other-peoples-public-keys-in-the-gpg-keychain-app-when-using-a-yubikey">https://gpgtools.tenderapp.com/discussions/problems/50900-unable-to...</a></p></div>gpg_dude

2017-09-26T13:39:03Z / 2017-09-26T13:39:05Z
<div><p>I'm experiencing the same issue - FWIW, it seems to work for a while after rebooting my machine, but the issue recurs a few hours later. Not sure what the trigger is.</p></div>silverskullpsu

2017-09-26T18:30:11Z / 2017-09-26T18:30:13Z
<div><p>Same situation here under osx 10.10.5 after the Update to 2007.1 (coming from GPGTools 2016.08_v2)</p>
<p>It seems the Communication scdaemon with the key/card (yubikey 4) is not possible with the new gpgtools</p>
<p>crosscheck the key/card: when i plug in the yubikey4 in my debian linux box and check it with gpg --card-status all is well and readable.</p>
<p>even the serial number is not readable under the 2007.1</p>
<p>macname:~ username$ gpg-connect-agent --hex</p>
<blockquote>
<p>scd serialno ERR 100696144 Operation not supported by device</p>
</blockquote></div>MartinBa

2017-09-26T22:17:07Z / 2017-09-26T22:17:19Z
<div><p>Hi all,</p>
<p>we are very sorry you are experiencing issues with our latest release of GPG Suite.<br>
It turns out this issue is GnuPG > 2.0 related.</p>
<p>You should be able to solve it by adding the following option to your scdaemon configuration file (~/.gnupg/scdaemon.conf)<br>
If it doesn't exist, you will have to create it.</p>
<p>The line to add reads:<br>
<code>disable-ccid</code></p>
<p>After that you have to restart gpg-agent by running <code>gpgconf --kill gpg-agent</code></p>
<p>Please let us know if these steps help. Unfortunately we still have to get Yubi keys in order to be able to better test smart card/USB token support in the future.</p>
<p>Hope that helps.</p></div>Luke Le

2017-09-26T22:30:29Z / 2017-09-26T22:30:29Z
<div><p>Hi Luke,<br>
Thanks for the suggestion. Unfortunately, I had tried this before as previous threads about this same error message led me to think that would solve things. I just tried it again along with the "gpgconf --kill gpg-agent" after updating to 2017.1 and still have the same behavior:</p>
<p>hostname:~ username$ gpgconf --kill gpg-agent<br>
hostname:~ username$ gpg --card-status<br>
gpg: selecting openpgp failed: Operation not supported by device<br>
gpg: OpenPGP card not available: Operation not supported by device<br>
hostname:~ username$ gpg --card-edit</p>
<p>gpg: selecting openpgp failed: Operation not supported by device<br>
gpg: OpenPGP card not available: Operation not supported by device</p>
<p>gpg/card></p>
<p>And here you can see the file was in place before gpg-agent was re-started:<br>
hostname:~ username$ cat ~/.gnupg/scdaemon.conf<br>
disable-ccid<br>
hostname:~ username$ ls -l !$<br>
ls -l ~/.gnupg/scdaemon.conf<br>
-rw------- 1 username staff 13 Sep 26 15:23 /Users/username/.gnupg/scdaemon.conf<br>
hostname:~ username$ ps axuw |grep gpg-ag<br>
username 58701 0.0 0.0 2432772 652 s014 S+ 3:28PM 0:00.00 grep gpg-ag<br>
username 58692 0.0 0.0 2453644 780 ?? Ss 3:25PM 0:00.01 gpg-agent --homedir /Users/username/.gnupg --use-standard-socket --daemon<br>
username 58618 0.0 0.0 2444632 968 ?? S 3:24PM 0:00.01 /bin/bash /usr/local/MacGPG2/libexec/shutdown-gpg-agent</p>
<p>The above shows the file was</p></div>gpg_dude

2017-09-26T22:36:07Z / 2017-09-26T22:36:07Z
<div><p>As stupid as it sounds, did anyone of you try to restart their mac?<br>
The way that smart card support is implemented currently in GnuPG doesn't play well with macOS at all, since macOS uses its own service for smart cards, but GnuPG doesn't leverage that.</p></div>Luke Le

2017-09-26T22:45:42Z / 2017-09-26T22:45:42Z
<div><p>Not stupid at all, but yeah I've definitely rebooted (just tried again to be sure). FWIW - after downgrading to 2016.10_v2 and removing the ~/.gnupg/scdaemon.conf file & running killall gpg-agent everything is back to normal without a reboot.</p></div>gpg_dude

2017-09-26T22:53:34Z / 2017-09-26T22:53:34Z
<div><p>Yes, a downgrade to either 2016.10_v2 or 2017.01b3 solves the issue, since it downgrades GnuPG to 2.0.X as well.<br>
What you can do is install GPG Suite 2017.1 on top now, but when installing choose "Customize" and deselect MacGPG2.</p></div>Luke Le

2017-09-27T00:38:03Z / 2017-09-27T00:38:03Z
<div><p>Yup, just letting you know it doesn't require a reboot to take effect.</p>
<p>As for the "customize" option during install, I'll probably just stick with 2016.10_v2 until the issue is solved and released to the stable branch since I'm not having any issues with that version. Also, I advise a sizable user base on things like this and can't be asking them all to do "customized" installs. Let me know if there is any way I can help you sort this bug out. You mention needing to get yubikeys to be able to test smartcards ... they're pretty readily available ($40 on amazon with prime delivery options @ <a href="https://smile.amazon.com/Yubico-Y-158-YubiKey-4/dp/B018Y1Q71M">https://smile.amazon.com/Yubico-Y-158-YubiKey-4/dp/B018Y1Q71M</a>)</p></div>gpg_dude

2017-09-28T01:04:02Z / 2017-09-28T01:04:02Z
<div><p>I find that killing this process <code>/bin/bash /usr/local/MacGPG2/libexec/shutdown-gpg-agent</code> makes the Yubikey work with the latest GPGTools. I can confirm this process existed on the previous beta version of GPGTools as well. I'm not sure what it is for though.</p></div>bogdrakonov

2017-09-28T01:07:23Z / 2017-09-28T01:07:51Z
<div><p>Hi,</p>
<p>it's a bash script which basically sleeps the whole time and intercepts a kill (which is triggered by macOS logout) in order to kill gpg-agent, so the internal passphrase cache is emptied on logout.<br>
If that helps, it basically means that in order to use your yubikey you have to kill gpg-agent before using it.</p>
<p>You'll find the source code here:<br>
<a href="https://raw.githubusercontent.com/GPGTools/MacGPG2/dev/Payload/libexec/shutdown-gpg-agent">https://raw.githubusercontent.com/GPGTools/MacGPG2/dev/Payload/libe...</a></p>
<p>Since gpg-agent is started by GnuPG itself if it's not yet running, this might be a bug in GnuPG 2.2</p></div>Luke Le

2017-09-28T13:39:01Z / 2017-09-28T13:39:12Z
<div><p>@bogdrakonov: can you provide details on your OS & which yubikey you have? I definitely killed that process on mine (and rebooted which also obviously killed it) and my Yubikey 4 nano remained unusable with the new GPG version</p></div>gpg_dude

2017-09-30T23:44:20Z / 2017-09-30T23:52:26Z
<div><p>Quick Update: thanks to martinba we were now able to do some testing with YubiKey4 and GnuPG 2.2<br>
The good news is, I was able to setup a test key without problems, could use it to sign data and decrypt data. I have not configured any 2FA services yet or done anything else (not sure if that matters)<br>
The card was immediately recognized, plugged it in and out a few times, and didn't have any issues using it.<br>
The bad news is, that this doesn't really make it easier to figure out the problems you all are seeing. The only thing I could figure out so far is, that it looks like gpg doesn't seem to „see“ that the YubiKey is plugged in at all. I'm getting the same error message if it's not plugged in.</p>
<p>Could someone of you enable debug logging of scdaemon and send us the log file after running some basic tests:</p>
<ol>
<li>Plug in<br></li>
<li>Plug out<br></li>
<li>Plug back in<br></li>
<li>Run <code>gpg --card-status</code><br></li>
<li>Run <code>gpg --card-edit</code></li>
</ol>
<p>To enable debug logging, add the following lines to your scdaemon.conf file:</p>
<pre>
<code>debug-level guru
log-file /tmp/scdaemon.log</code>
</pre>
<p>and kill scdaemon afterwards to have it load the new config. (HUP might suffice)</p>
<p>Also there seems to be such a thing as "CCID enabled" for the YubiKey 4. Has anyone verified what the current status in regards to CCID of their YubiKey is?</p>
<p>Before attaching the logfile, please make sure that no sensitive data is included.</p>
<p>I have performed my tests on macOS 10.11.6</p></div>Luke Le

2017-10-01T22:53:34Z / 2017-10-01T22:53:34Z
<div><p>I don't see anything logged on plugin or plugout. Attached are what is output for card-status & card-edit with and without disable-ccid being set.</p></div>gpg_dude

2017-10-02T12:48:07Z / 2017-10-02T12:48:08Z
<div><p>I've tried with debugging level guru enabled to no successful end<br>
following configuration is active<br></p>
<pre>
<code>hostname:.gnupg username$ cat gpg-agent.conf
pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
default-cache-ttl 600
max-cache-ttl 7200
scdaemon-program /usr/local/MacGPG2/libexec/scdaemon

hostname:.gnupg username$ cat scdaemon.conf
#disable-ccid
card-timeout 15
debug-level guru
log-file /tmp/scdaemon.log</code>
</pre>
<p>but whether i commented out disable-ccid or not was not helping to get gpg --card-status to work</p>
<p>But after using google with the message (from OSX System Log)</p>
<pre>
<code>02.10.17 14:32:59,632 com.apple.SecurityServer[82]: Token reader Yubico Yubikey 4 OTP+U2F+CCID inserted into system
02.10.17 14:32:59,632 com.apple.SecurityServer[82]: reader Yubico Yubikey 4 OTP+U2F+CCID: state changed 0 -> 34
02.10.17 14:32:59,639 com.apple.SecurityServer[82]: token in reader Yubico Yubikey 4 OTP+U2F+CCID cannot be used (error 229)
02.10.17 14:33:31,394 com.apple.SecurityServer[82]: reader Yubico Yubikey 4 OTP+U2F+CCID: state changed 32 -> 162
02.10.17 14:33:31,394 com.apple.SecurityServer[82]: token in reader Yubico Yubikey 4 OTP+U2F+CCID cannot be used (error 229)</code>
</pre>
<p>which led me to a vague (slightly off topic) hint in the yubico forum at <a href="https://forum.yubico.com/viewtopic.php?f=26&t=1574">https://forum.yubico.com/viewtopic.php?f=26&t=1574</a><br>
, that i should download the application "YubiKey NEO Manager" at <a href="https://www.yubico.com/support/knowledge-base/categories/articles/yubikey-neo-manager/">https://www.yubico.com/support/knowledge-base/categories/articles/y...</a> which i've done and <strong>disabled</strong> and <strong>reenabled</strong> the <strong>CCID</strong>* with that application (see screenshot).</p>
<p>it magically works to get access to my yubikey openpgp card applet and my secret keys.</p>
<p>It even works after a reboot :-)<br>
the error stated above in the system log on osx persists - after some reading at <a href="https://ludovicrousseau.blogspot.co.at/2014/11/os-x-yosemite-and-smart-cards-status.html">https://ludovicrousseau.blogspot.co.at/2014/11/os-x-yosemite-and-sm...</a> it seems that smart card support on osx 10.10 is not very 'premium' :-o</p></div>MartinBa

2017-10-02T13:46:18Z / 2017-10-02T13:46:18Z
<div><p>Hi,</p>
<p>that is what I was referring to with my comments in regards to CCID and YubiKeys. I believe that since mine was a completely fresh YubiKey the CCID setting was still enabled.<br>
It would be great if someone else of you could try Martinba's steps to see if it works for them as well.</p>
<p>Thanks!</p></div>Luke Le

2017-10-02T14:56:09Z / 2017-10-03T10:15:52Z
<div><p>Hi, I just tried MartinBa's steps: downloaded NEO manager, disabled then re-enabled CCID but it didn't solve the issue with my keys not being found by Mail.</p>
<p>I tried re-starting mail, removing and reinserting the key and a restart was part of the process too...</p></div>teoclaid

2017-10-02T15:37:48Z / 2017-10-02T15:37:48Z
<div><p>Hi Teoclaid,</p>
<p>did you run <code>gpg --card-status</code> at least once after the upgrade? That is necessary for GnuPG to re-create the card stubs after the upgrade.</p></div>Luke Le

2017-10-02T15:50:41Z / 2017-10-03T10:15:52Z
<div><p>Uh-oh... Following your message I ran gpg --card-status and I can see my key is there.</p>
<p>But now Mail wants me to enter the PIN to unlock the card, but it is not accepting my key PIN and I only have one attempt left!</p></div>teoclaid

2017-10-02T15:57:53Z / 2017-10-02T15:58:18Z
<div><p>I eventually got things working. Here's what I did:</p>
<p>1) Installed Yubikey NEO Manager<br>
2) Rebooted as the installer insisted<br>
3) Installed GPGTools 2017.1<br>
4) Ran Yubikey NEO Manager & followed the steps to disable CCID (requires a removal & reinsertion of the card) & then re-enable CCID (requires a removal & reinsertion of the card) **Note that I checked and at no time did I find the ~/.gnupg/scdaemon.conf file existed<br>
4) Ran gpg --card-status & confirmed my card details were shown<br>
5) Attempted to open encrypted messages in Mail.app, but they would just hang on "getting message" in the activity monitor (window -> activity)<br>
6) Quit/force-quit Mail.app<br>
7) Ran gpgconf --kill gpg-agent<br>
8) I was now prompted in Yubikey NEO Manager to remove/reinsert my card. When I did, I was first prompted to identify my Keyboard like OSX thought the card was an input device. I cancelled that & proceeded<br>
9) I went into Mail.app and upon trying to open an encrypted message I was finally prompted to unlock my Yubikey with the PIN<br>
10) Success</p></div>gpg_dude

2017-10-02T16:03:41Z / 2017-10-06T08:20:22Z
<div><p>Didn't work for me. I had already installed GPGTools 2017.1 (the problem?) but have now run gpgconf --kill gpg-agent. NEO Manager is still happily recognising my key though and Mail still just wants the pin to unlock the card.</p></div>teoclaid

2017-10-02T16:28:38Z / 2017-10-03T10:15:53Z
<div><p>Can anyone advise me what to do re my PIN? If I fail the third attempt will I simply have to re-import my GPG key onto the Yubikey or will I lose everything on it?</p>
<p>I know I am typing the correct PIN for my yubikey (on the second attempt I clicked 'show typing'), and I even tried re-setting the PIN in the PIV Manager to the same thing which confirmed I had the right one.</p>
<p>It is my yubikey PIN it wants me to enter to unlock the card, isn't it? Not my GPG passphrase?...</p></div>teoclaid

2017-10-02T16:40:39Z / 2017-10-02T16:40:39Z
<div><p>Do you have a PUK set?</p>
<p>From <a href="https://developers.yubico.com/yubikey-piv-manager/PIN_and_Management_Key.html">https://developers.yubico.com/yubikey-piv-manager/PIN_and_Managemen...</a></p>
<blockquote>
<p>PUK</p>
<p>The PUK can be used to reset the PIN if it is ever lost or becomes blocked after the maximum number of incorrect attempts. Setting a PUK is optional. If you use your PIN as the Management Key, the PUK is disabled for technical reasons, explained in a later section. The requirements and restrictions of the PUK are the same as for the PIN (see above). If PIN complexity is enforced, the same rules are applied to the PUK. If the PUK ever becomes blocked, either by deliberately choosing to block it or by giving the wrong PUK value 3 times, it can only be unblocked by performing a complete reset (explained below).</p>
<p>Resetting a device</p>
<p>If an incorrect PIN is given 3 times consecutively, the PIN will become disabled. If you’ve set a PUK, then you can use that PUK to reset the PIN to a new value, and it will become enabled and usable again. If an incorrect PUK is given 3 times consecutively, it will become blocked as well. When both the PIN and the PUK are blocked, the device can be reset. This returns the PIV functionality of the YubiKey to a factory setting, setting the default PIN, PUK and Management Key values, as well as removing any stored keys and certificates. Once reset, the device is ready to be re-initialized.</p>
</blockquote></div>gpg_dude

2017-10-02T18:45:32Z / 2017-10-03T10:15:53Z
<div><p>Thanks gpg_dude. I have now set a separate Management PIN, but it still says 'PUK is blocked' in the PIN management window. (Prior to this I was using the PIN as a management key so never set up a PUK) Any ideas?</p></div>teoclaid

2017-10-02T19:01:42Z / 2017-10-02T19:01:42Z
<div><p>Sorry Teoclaid - I've never come across that issue before. You might want to try the Yubikey forums and see if anyone there can help.</p></div>gpg_dude

2017-10-02T19:04:58Z / 2017-10-02T19:04:58Z
<div><p>Also - my gpg+yubikey has been acting strangely post-update. Specifically, when I try to login and my .bash_profile tries to run "ssh-add -l" it would hang. I would then try and open an encrypted message and Mail.app would also hang trying to "download" the message - even for a message that was already downloaded. I tried running "gpgconf --kill gpg-agent" but the issue persisted. Removing & reinserting the Yubikey after that seems to do the trick. I'm going to try and remove the ~/.gnupg/scdaemon.conf file which only contained one directive I added as part of this debugging:<br>
card-timeout 15</p>
<p>and see if it goes back to behaving "normally" (i.e. like it did under GPG 2016.10_v2)</p></div>gpg_dude

2017-10-02T19:17:50Z / 2017-10-03T10:15:53Z
<div><p>Thanks for your help anyway gpg_dude. I'll keep an eye on this thread too in case anyone finally cracks it!</p></div>teoclaid

2017-10-02T19:28:41Z / 2017-10-02T19:28:41Z
<div><p>No worries Teoclaid, let us know if you figure it out</p></div>gpg_dude

2017-10-02T19:37:00Z / 2017-10-02T19:37:00Z
<div><p>Also, the hanging issue described by me in #24 is still occurring. I'm going to try a reboot to see if that fixes it.</p></div>gpg_dude

2017-10-03T09:58:38Z / 2017-10-03T10:21:21Z
<div><p>Hi everyone,<br>
No bites at all on the Yubico forum. There was a suggestion above to downgrade back to the 2016 version of GPGTools in the meantime - how do I do that?</p>
<p>(Frustratingly the link in this thread which apparently worked(!) just takes me to the main FAQ: <a href="https://gpgtools.tenderapp.com/discussions/beta/2486-gpg-tools-ask-for-password-with-newest-beta-but-password-does-not-work">https://gpgtools.tenderapp.com/discussions/beta/2486-gpg-tools-ask-...</a> And the official advice on how to downgrade to GnuPG 2.0 doesn't work <a href="https://gpgtools.tenderapp.com/kb/faq/gpg-suite-20171-gnupg-20-gnupg-22-migration-help">https://gpgtools.tenderapp.com/kb/faq/gpg-suite-20171-gnupg-20-gnup...</a>)</p>
<p>Btw, when I exceeded my 3 tries of the PIN in Mail it wiped my key from the Yubikey. About to reinstall the key and see if that solves everything...</p></div>teoclaid

2017-10-03T14:41:10Z / 2017-10-03T14:41:10Z
<div><p>So it may be that those steps above did actually work - today I realised I was entering my secure PIN, not the Admin PIN when mail prompted me (hangs head sheepishly).</p>
<p>I tried reinstalling my keys onto the yubikey but ran into more problems (<a href="https://forum.yubico.com/viewtopic.php?f=35&t=2740">https://forum.yubico.com/viewtopic.php?f=35&t=2740</a>)... :(</p></div>teoclaid

2017-10-03T15:04:48Z / 2017-10-03T15:04:48Z
<div><p>So on my issue a reboot did not appear to fix the strange behavior where after a period of time Mail hangs when trying to decrypt a message and "ssh-add -l" hangs when issued as well. I have to remove and reinsert the card to get things back on track. If there is other data I can collect to help troubleshoot what is happening here let me know. Otherwise, I am contemplating downgrading back to 2016.10_v2 to get back to smoother operation.</p>
<p>Teoclaid: as for your issue, downgrading to a previous version of GPGTools just requires you to run the previous installer. I've also made backups of my ~/.gnupg directory prior to each upgrade and have been restoring that as part of the downgrade process too, though I'm not sure that's strictly necessary. I've been doing so because I recall reading somewhere the GPG upgrade modifies the keys somehow.</p></div>gpg_dude

2017-10-03T15:21:58Z / 2017-10-03T15:21:59Z
<div><p>I'm back up and running! I think what I thought was a backup of my full keys must just have been a stub(?). I realised I had a copy of my GPG keys on my iPhone so imported that copy to my GPG Keychain.</p>
<p>After that I followed the instructions in <a href="https://developers.yubico.com/PGP/Importing_keys.html">https://developers.yubico.com/PGP/Importing_keys.html</a> (having first reset the applet), and now my Yubikey is happy with decrypting in mail and anywhere else. phew!</p></div>teoclaid

2017-10-03T15:41:34Z / 2017-10-03T15:41:35Z
<div><p>@teoclaid: congratulations - it's always good to have a second (offline) place to have the secret key available. Maybe your backup of the secret key was made/overwritten after you moved the secret keys to the yubikey - therefore only the stubs were in it. please check filedate of the "backup" and try to remember when you originally put your secret keys to the yubikey with keytocard :-)</p>
<p>i've also learned that my original setup before updating (osx 10.10.5 yosemite) under gpgtools 2016.2 (GnuPG/MacGPG2 Version 2.0.30) accessed the yubikey with the (gnupg-builtin) ccid driver and the new gpgtools 2017.1 is using the pc/sc interface driver (which was the source of my problem as it doesn't work correctly until i installed the yubikey neo manager application). I am not sure if ccid (fallback) works correctly with 2017.1</p></div>MartinBa

2017-10-09T17:01:19Z / 2017-10-09T17:01:19Z
<div><p>@Luke - after a week of banging my head against the wall and constantly removing and reinserting my yubikey multiple times per hour (along with killing gpg-agent which I already did with previous releases) I've had to downgrade back to 2016_10.v2. Let me know if I should start a new thread about the usability issues since technically the problem(s) that spawned this thread were resolved.</p></div>gpg_dude

2017-10-10T14:08:34Z / 2017-10-10T14:08:35Z
<div><p>@gpg_dude - did you try resetting the applet and reinstalling your keys onto the Yubikey? That completely solved the problem for me...</p></div>teoclaid

2017-12-06T11:57:42Z / 2017-12-06T11:57:43Z
<div><p>So I was also getting "bad pin" when using my Yubikey (2017.1 on High Sierra). It turns out that the "problem", was that I was using one passphrase for the regular pin and a different passphrase for admin, reset and unblock. Apparently the regular pin is not used for signing mails and such anymore, but the admin pin is. 
So I've solved my problem by just having the same passphrase for all the pins on my Yubikey. It would however be nice if anyone knows how to use the regular pin and not the admin pin for signing.</p></div>jbr

2017-12-06T17:35:09Z / 2017-12-06T17:35:09Z
<div><p>@jbr I'm not on High Sierra, but that doesn't sound right. Are you sure you didn't get the admin & regular PINs transposed?</p></div>gpg_dude

2017-12-07T08:24:01Z / 2017-12-07T08:28:59Z
<div><p>@gpg_dude, yes I initialised the key multiple times, with different pin combinations to track the problem down. I just inserted an older Yubikey, which was initialised with gpg 2.0 and not 2.2, and there the pins are functioning correctly.</p></div>jbr

2018-03-13T11:14:13Z / 2018-03-13T11:14:13Z
<div><p>Since this is an old discussion we are closing it. Re-open is an option but let's file new discussions for any remaining issues to have a clean start and focus on one problem per discussion.</p>
<p>Best,<br>
steve</p></div>Steve
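
Added example (not part of the thread and not GPGTools code): the thread asks for an scdaemon log captured with `debug-level guru` and for sensitive data to be removed before attaching it, and this sketch shows one way to do that scrub. It assumes the log carries raw APDU hex dumps; the function name `redact_log`, the sample lines and their layout are constructed for illustration.

```python
import re

# ISO 7816-4 instructions whose data field carries a PIN or reset code:
# VERIFY (0x20), CHANGE REFERENCE DATA (0x24), RESET RETRY COUNTER (0x2C).
PIN_INS = {0x20, 0x24, 0x2C}

# Five or more hex bytes on one line, spaced ("00 20 00 81 06 31") or packed
# ("002000810631"). Assumed dump styles; adapt to what your log contains.
HEX_RUN = re.compile(r"\b[0-9A-Fa-f]{2}(?: ?[0-9A-Fa-f]{2}){4,}\b")

# macOS home directory paths reveal the account name.
HOME_DIR = re.compile(r"/Users/[^/\s'\"]+")


def redact_log(text):
    """Return (clean_text, stats) with PIN-bearing APDU data and user names masked."""
    stats = {"apdu": 0, "paths": 0}

    def mask_apdu(match):
        run = match.group(0)
        raw = bytes.fromhex(run.replace(" ", ""))
        ins, lc = raw[1], raw[4]  # layout: CLA INS P1 P2 Lc data...
        # Leave runs alone unless they look like a PIN command with a data field.
        # A non-APDU dump whose second byte matches is masked too; over-masking
        # is the safe direction for a log that is about to be published.
        if ins not in PIN_INS or lc == 0 or len(raw) == 5:
            return run
        sep = " " if " " in run else ""
        n = min(lc, len(raw) - 5)  # a truncated dump may hold fewer than Lc bytes
        parts = [sep.join(f"{b:02X}" for b in raw[:5]), f"[REDACTED {n} bytes]"]
        if raw[5 + n:]:  # keep anything after the data field (e.g. Le)
            parts.append(sep.join(f"{b:02X}" for b in raw[5 + n:]))
        stats["apdu"] += 1
        return sep.join(parts)

    clean = HEX_RUN.sub(mask_apdu, text)
    clean, stats["paths"] = HOME_DIR.subn("/Users/REDACTED", clean)
    return clean, stats


# Constructed sample lines (layout assumed, values made up): two PIN commands
# carrying ASCII digits, one harmless GET DATA, and one home directory path.
SAMPLE_LOG = """\
2017-10-01 22:40:01 scdaemon[58692] DBG: send apdu: c=00 i=20 p1=00 p2=81 lc=6 em=0
2017-10-01 22:40:01 scdaemon[58692] DBG:  PCSC_data: 00 20 00 81 06 31 32 33 34 35 36
2017-10-01 22:40:01 scdaemon[58692] DBG:  raw apdu: 00200083083132333435363738
2017-10-01 22:40:02 scdaemon[58692] DBG:  PCSC_data: 00 CA 00 4F 00
2017-10-01 22:40:02 scdaemon[58692] reading options from '/Users/alice/.gnupg/scdaemon.conf'
"""

if __name__ == "__main__":
    cleaned, counts = redact_log(SAMPLE_LOG)
    print(cleaned)
    print(counts)
```

Review the cleaned file by eye before posting it; the script only covers the two patterns it knows about.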