after updating to GPGtools 2017.1 Yubikey no longer functions properly (both in Mail & gpg2 --card-edit)

gpg_dude

25 Sep, 2017 05:54 PM

Which of our tools is giving you problems?

gpg2

Attach a screenshot of the version info for all installed components (how to: https://gpgtools.tenderapp.com/kb/faq/where-can-i-find-version-info...):

Attached

Describe your problem. Add as much detail as possible.

After installing GPGTools 2017.1 I am no longer able to access my private key using my Yubikey 4 Nano. I am not prompted for my PIN to unlock the Yubikey and Mail displays a message saying "Secret key to decrypt the message is missing".

Attempts to use gpg2 on the command line to edit/inspect the Yubikey also failed:
gpg2 --card-edit

gpg: selecting openpgp failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device

What did you expect instead

I expect to be prompted for my PIN to unlock the Yubikey.

I also expect to be able to issue gpg2 --card-edit to inspect/edit the GPG key on my Yubikey.

Describe steps leading to the problem.

Described above

Are you using any other Mail.app plugins?

No

EDIT: I also tried following the steps listed @ https://gpgtools.tenderapp.com/discussions/problems/58454-after-upd...

but when I got to the end and tried to run the final command it failed with:
gpg --card-status
gpg: selecting openpgp failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device

EDIT2: might be related to https://gpgtools.tenderapp.com/discussions/problems/50900-unable-to...

  1. Posted by silverskullpsu on 26 Sep, 2017 01:39 PM

    I'm experiencing the same issue - FWIW, it seems to work for a while after rebooting my machine, but the issue recurs a few hours later. Not sure what the trigger is.

  2. Posted by MartinBa on 26 Sep, 2017 06:30 PM

    Same situation here under osx 10.10.5 after the update to 2007.1 (coming from GPGTools 2016.08_v2)

    It seems the communication of scdaemon with the key/card (yubikey 4) is not possible with the new gpgtools.

    Crosscheck of the key/card: when I plug the yubikey4 into my debian linux box and check it with gpg --card-status all is well and readable.

    Even the serial number is not readable under the 2007.1:

    macname:~ username$ gpg-connect-agent --hex
    scd serialno
    ERR 100696144 Operation not supported by device

  3. Posted by Luke Le (Support Staff) on 26 Sep, 2017 10:17 PM

    Hi all,

    we are very sorry you are experiencing issues with our latest release of GPG Suite.
    It turns out this issue is GnuPG > 2.0 related.

    You should be able to solve it by adding the following option to your scdaemon configuration file (~/.gnupg/scdaemon.conf)
    If it doesn't exist, you will have to create it.

    The line to add reads:
    disable-ccid

    After that you have to restart gpg-agent by running gpgconf --kill gpg-agent

    Please let us know if these steps help. Unfortunately we still have to get YubiKeys in order to be able to better test smart card/USB token support in the future.

    Hope that helps.

  4. Posted by gpg_dude on 26 Sep, 2017 10:30 PM

    Hi Luke,
    Thanks for the suggestion. Unfortunately, I had tried this before as previous threads about this same error message led me to think that would solve things. I just tried it again along with the "gpgconf --kill gpg-agent" after updating to 2017.1 and still have the same behavior:

    hostname:~ username$ gpgconf --kill gpg-agent
    hostname:~ username$ gpg --card-status
    gpg: selecting openpgp failed: Operation not supported by device
    gpg: OpenPGP card not available: Operation not supported by device
    hostname:~ username$ gpg --card-edit

    gpg: selecting openpgp failed: Operation not supported by device
    gpg: OpenPGP card not available: Operation not supported by device

    gpg/card>

    And here you can see the file was in place before gpg-agent was re-started:
    hostname:~ username$ cat ~/.gnupg/scdaemon.conf
    disable-ccid
    hostname:~ username$ ls -l !$
    ls -l ~/.gnupg/scdaemon.conf
    -rw------- 1 username staff 13 Sep 26 15:23 /Users/username/.gnupg/scdaemon.conf
    hostname:~ username$ ps axuw |grep gpg-ag
    username 58701 0.0 0.0 2432772 652 s014 S+ 3:28PM 0:00.00 grep gpg-ag
    username 58692 0.0 0.0 2453644 780 ?? Ss 3:25PM 0:00.01 gpg-agent --homedir /Users/username/.gnupg --use-standard-socket --daemon
    username 58618 0.0 0.0 2444632 968 ?? S 3:24PM 0:00.01 /bin/bash /usr/local/MacGPG2/libexec/shutdown-gpg-agent

    The above shows the file was

  5. Posted by Luke Le (Support Staff) on 26 Sep, 2017 10:36 PM

    As stupid as it sounds, did anyone of you try to restart their mac?
    The way that smart card support is implemented currently in GnuPG doesn't play well with macOS at all, since macOS uses its own service for smart cards, but GnuPG doesn't leverage that.

  6. Posted by gpg_dude on 26 Sep, 2017 10:45 PM

    Not stupid at all, but yeah I've definitely rebooted (just tried again to be sure). FWIW - after downgrading to 2016.10_v2 and removing the ~/.gnupg/scdaemon.conf file & running killall gpg-agent everything is back to normal without a reboot.

  7. Posted by Luke Le (Support Staff) on 26 Sep, 2017 10:53 PM

    Yes, a downgrade to either 2016.10_v2 or 2017.01b3 solves the issue, since it downgrades GnuPG to 2.0.X as well.
    What you can do is install GPG Suite 2017.1 on top now, but when installing choose "Customize" and deselect MacGPG2.

  8. Posted by gpg_dude on 27 Sep, 2017 12:38 AM

    Yup, just letting you know it doesn't require a reboot to take effect.

    As for the "customize" option during install, I'll probably just stick with 2016.10_v2 until the issue is solved and released to the stable branch since I'm not having any issues with that version. Also, I advise a sizable user base on things like this and can't be asking them all to do "customized" installs. Let me know if there is any way I can help you sort this bug out. You mention needing to get yubikeys to be able to test smartcards ... they're pretty readily available ($40 on amazon with prime delivery options @ https://smile.amazon.com/Yubico-Y-158-YubiKey-4/dp/B018Y1Q71M)

  9. Posted by bogdrakonov on 28 Sep, 2017 01:04 AM

    I find that killing this process /bin/bash /usr/local/MacGPG2/libexec/shutdown-gpg-agent makes the Yubikey work with the latest GPGTools. I can confirm this process existed on the previous beta version of GPGTools as well. I'm not sure what it is for though.

  10. Posted by Luke Le (Support Staff) on 28 Sep, 2017 01:07 AM

    Hi,

    it's a bash script which basically sleeps the whole time and intercepts a kill (which is triggered by macOS logout) in order to kill gpg-agent, so the internal passphrase cache is emptied on logout.
    If that helps, it basically means that in order to use your yubikey you have to kill gpg-agent before using it.

    You'll find the source code here:
    https://raw.githubusercontent.com/GPGTools/MacGPG2/dev/Payload/libe...

    Since gpg-agent is started by GnuPG itself if it's not yet running, this might be a bug in GnuPG 2.2

  11. Posted by gpg_dude on 28 Sep, 2017 01:39 PM

    @bogdrakonov: can you provide details on your OS & which yubikey you have? I definitely killed that process on mine (and rebooted which also obviously killed it) and my Yubikey 4 nano remained unusable with the new GPG version

  12. Posted by Luke Le (Support Staff) on 30 Sep, 2017 11:44 PM

    Quick Update: thanks to martinba we were now able to do some testing with YubiKey4 and GnuPG 2.2
    The good news is, I was able to set up a test key without problems, and could use it to sign data and decrypt data. I have not configured any 2FA services yet or done anything else (not sure if that matters)
    The card was immediately recognized, I plugged it in and out a few times, and didn't have any issues using it.
    The bad news is that this doesn't really make it easier to figure out the problems you all are seeing. The only thing I could figure out so far is that it looks like gpg doesn't seem to "see" that the YubiKey is plugged in at all. I'm getting the same error message if it's not plugged in.

    Could someone of you enable debug logging of scdaemon and send us the log file after running some basic tests:

    1. Plug in
    2. Plug out
    3. Plug back in
    4. Run gpg --card-status
    5. Run gpg --card-edit

    To enable debug logging, add the following lines to your scdaemon.conf file:

    debug-level guru
    log-file /tmp/scdaemon.log
    

    and kill scdaemon afterwards to have it load the new config. (HUP might suffice)

    Also there seems to be such a thing as "CCID enabled" for the YubiKey 4. Has anyone verified what the current status in regards to CCID of their YubiKey is?

    Before attaching the logfile, please make sure that no sensitive data is included.

    I have performed my tests on macOS 10.11.6
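An added example, not from this thread or from GPGTools, that applies the two scdaemon.conf changes discussed here (the disable-ccid line from post 3 and the guru logging from this post) without duplicating lines, treats a commented-out copy such as #disable-ccid as inactive, and restarts the daemons so the file is re-read. It assumes POSIX sh and GnuPG 2.1 or later with gpgconf --kill (also for scdaemon, which the thread does not show); GNUPGHOME can be pointed at a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread or GPGTools: manage the scdaemon.conf
# options named in this discussion (disable-ccid, debug-level, log-file)
# without duplicating lines, then restart the daemons so they are re-read.
# Assumes POSIX sh and GnuPG 2.1+ (gpgconf --kill); GNUPGHOME may be
# pointed at a scratch directory.

# Resolve the path at call time so GNUPGHOME can be overridden later.
scd_conf() { printf '%s/scdaemon.conf\n' "${GNUPGHOME:-$HOME/.gnupg}"; }

# Create the file if missing, with owner-only permissions like GnuPG's own
# (the thread shows -rw------- on the file that was tried).
scd_conf_init() {
    home="${GNUPGHOME:-$HOME/.gnupg}"
    mkdir -p "$home" && chmod 700 "$home"
    [ -f "$(scd_conf)" ] || : > "$(scd_conf)"
    chmod 600 "$(scd_conf)"
}

# Regex for an active (not commented-out) line for option $1.
# "#disable-ccid", as in MartinBa's config, does not match.
scd_pattern() { printf '^[[:space:]]*%s([[:space:]]|$)' "$1"; }

# scd_set OPTION [VALUE]: add the option, replacing any active copy.
scd_set() {
    scd_conf_init
    conf="$(scd_conf)"; tmp="$conf.tmp.$$"
    grep -E -v "$(scd_pattern "$1")" "$conf" > "$tmp" || true
    if [ -n "$2" ]; then printf '%s %s\n' "$1" "$2" >> "$tmp"
    else printf '%s\n' "$1" >> "$tmp"; fi
    mv "$tmp" "$conf" && chmod 600 "$conf"
}

# scd_unset OPTION: remove the active line; commented copies stay.
scd_unset() {
    scd_conf_init
    conf="$(scd_conf)"; tmp="$conf.tmp.$$"
    grep -E -v "$(scd_pattern "$1")" "$conf" > "$tmp" || true
    mv "$tmp" "$conf" && chmod 600 "$conf"
}

# scd_active OPTION: exit 0 only if the option is set and not commented.
scd_active() { grep -E -q "$(scd_pattern "$1")" "$(scd_conf)" 2>/dev/null; }

# Kill scdaemon and gpg-agent so the next gpg call restarts them with the
# new config (run gpg --card-status afterwards to re-create the card stubs).
scd_restart() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill scdaemon
        gpgconf --kill gpg-agent
    fi
}

# Usage for the two fixes in the thread (uncomment to apply):
# scd_set disable-ccid && scd_restart
# scd_set debug-level guru && scd_set log-file /tmp/scdaemon.log && scd_restart
```

Run with GNUPGHOME set to a throwaway directory first to see the resulting file before touching the real ~/.gnupg.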

  13. Posted by gpg_dude on 01 Oct, 2017 10:53 PM

    I don't see anything logged on plugin or plugout. Attached are what is output for card-status & card-edit with and without disable-ccid being set.

  14. Posted by MartinBa on 02 Oct, 2017 12:48 PM

    I've tried with debugging level guru enabled to no successful end
    following configuration is active

    hostname:.gnupg username$ cat gpg-agent.conf
    pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
    default-cache-ttl 600
    max-cache-ttl 7200
    scdaemon-program /usr/local/MacGPG2/libexec/scdaemon


    hostname:.gnupg username$ cat scdaemon.conf
    #disable-ccid
    card-timeout 15
    debug-level guru
    log-file /tmp/scdaemon.log

    but whether I commented out disable-ccid or not was not helping to get gpg --card-status to work

    But after using google with the message (from OSX System Log)

    02.10.17 14:32:59,632 com.apple.SecurityServer[82]: Token reader Yubico Yubikey 4 OTP+U2F+CCID inserted into system
    02.10.17 14:32:59,632 com.apple.SecurityServer[82]: reader Yubico Yubikey 4 OTP+U2F+CCID: state changed 0 -> 34
    02.10.17 14:32:59,639 com.apple.SecurityServer[82]: token in reader Yubico Yubikey 4 OTP+U2F+CCID cannot be used (error 229)
    02.10.17 14:33:31,394 com.apple.SecurityServer[82]: reader Yubico Yubikey 4 OTP+U2F+CCID: state changed 32 -> 162
    02.10.17 14:33:31,394 com.apple.SecurityServer[82]: token in reader Yubico Yubikey 4 OTP+U2F+CCID cannot be used (error 229)
    

    which led me to a vague (slightly off topic) hint in the yubico forum at https://forum.yubico.com/viewtopic.php?f=26&t=1574
    that I should download the application "YubiKey NEO Manager" at https://www.yubico.com/support/knowledge-base/categories/articles/y... which I've done, and disabled and re-enabled the CCID* with that application (see screenshot).

    It magically works to get access to my yubikey openpgp card applet and my secret keys.

    It even works after a reboot :-)
    The error stated above in the system log on osx persists - after some reading at https://ludovicrousseau.blogspot.co.at/2014/11/os-x-yosemite-and-sm... it seems that smart card support on osx 10.10 is not very 'premium' :-o

  15. Posted by Luke Le (Support Staff) on 02 Oct, 2017 01:46 PM

    Hi,

    that is what I was referring to with my comments in regards to CCID and YubiKeys. I believe that since mine was a completely fresh YubiKey the CCID setting was still enabled.
    It would be great if someone else of you could try Martinba's steps to see if it works for them as well.

    Thanks!

  16. Posted by teoclaid on 02 Oct, 2017 02:56 PM

    Hi, I just tried MartinBa's steps: downloaded NEO manager, disabled then re-enabled CCID but it didn't solve the issue with my keys not being found by Mail.

    I tried re-starting mail, removing and reinserting the key and a restart was part of the process too...

  17. Posted by Luke Le (Support Staff) on 02 Oct, 2017 03:37 PM

    Hi Teoclaid,

    did you run gpg --card-status at least once after the upgrade? That is necessary for GnuPG to re-create the card stubs after the upgrade.

  18. Posted by teoclaid on 02 Oct, 2017 03:50 PM

    Uh-oh... Following your message I ran gpg --card-status and I can see my key is there.

    But now Mail wants me to enter the PIN to unlock the card, but it is not accepting my key PIN and I only have one attempt left!

  19. Posted by gpg_dude on 02 Oct, 2017 03:57 PM

    I eventually got things working. Here's what I did:

    1) Installed Yubikey NEO Manager
    2) Rebooted as the installer insisted
    3) Installed GPGTools 2017.1
    4) Ran Yubikey NEO Manager & followed the steps to disable CCID (requires a removal & reinsertion of the card) & then re-enable CCID (requires a removal & reinsertion of the card) **Note that I checked and at no time did I find the ~/.gnupg/scdaemon.conf file existed
    5) Ran gpg --card-status & confirmed my card details were shown
    6) Attempted to open encrypted messages in Mail.app, but they would just hang on "getting message" in the activity monitor (window -> activity)
    7) Quit/force-quit Mail.app
    8) Ran gpgconf --kill gpg-agent
    9) I was now prompted in Yubikey NEO Manager to remove/reinsert my card. When I did, I was first prompted to identify my Keyboard like OSX thought the card was an input device. I cancelled that & proceeded
    10) I went into Mail.app and upon trying to open an encrypted message I was finally prompted to unlock my Yubikey with the PIN
    11) Success

  20. Posted by teoclaid on 02 Oct, 2017 04:03 PM

    Didn't work for me. I had already installed GPGTools 2017.1 (the problem?) but have now run gpgconf --kill gpg-agent. NEO Manager is still happily recognising my key though and Mail still just wants the pin to unlock the card.

  21. Posted by teoclaid on 02 Oct, 2017 04:28 PM

    Can anyone advise me what to do re my PIN? If I fail the third attempt will I simply have to re-import my GPG key onto the Yubikey or will I lose everything on it?

    I know I am typing the correct PIN for my yubikey (on the second attempt I clicked 'show typing'), and I even tried re-setting the PIN in the PIV Manager to the same thing which confirmed I had the right one.

    It is my yubikey PIN it wants me to enter to unlock the card, isn't it? Not my GPG passphrase?...

  22. Posted by gpg_dude on 02 Oct, 2017 04:40 PM

    Do you have a PUK set?

    From https://developers.yubico.com/yubikey-piv-manager/PIN_and_Managemen...

    PUK

    The PUK can be used to reset the PIN if it is ever lost or becomes blocked after the maximum number of incorrect attempts. Setting a PUK is optional. If you use your PIN as the Management Key, the PUK is disabled for technical reasons, explained in a later section. The requirements and restrictions of the PUK are the same as for the PIN (see above). If PIN complexity is enforced, the same rules are applied to the PUK. If the PUK ever becomes blocked, either by deliberately choosing to block it or by giving the wrong PUK value 3 times, it can only be unblocked by performing a complete reset (explained below).

    Resetting a device

    If an incorrect PIN is given 3 times consecutively, the PIN will become disabled. If you’ve set a PUK, then you can use that PUK to reset the PIN to a new value, and it will become enabled and usable again. If an incorrect PUK is given 3 times consecutively, it will become blocked as well. When both the PIN and the PUK are blocked, the device can be reset. This returns the PIV functionality of the YubiKey to a factory setting, setting the default PIN, PUK and Management Key values, as well as removing any stored keys and certificates. Once reset, the device is ready to be re-initialized.

  23. Posted by teoclaid on 02 Oct, 2017 06:45 PM

    Thanks gpg_dude. I have now set a separate Management PIN, but it still says 'PUK is blocked' in the PIN management window. (Prior to this I was using the PIN as a management key so never set up a PUK) Any ideas?

  24. Posted by gpg_dude on 02 Oct, 2017 07:01 PM

    Sorry Teoclaid - I've never come across that issue before. You might want to try the Yubikey forums and see if anyone there can help.

  25. Posted by gpg_dude on 02 Oct, 2017 07:04 PM

    Also - my gpg+yubikey has been acting strangely post-update. Specifically, when I try to login and my .bash_profile tries to run "ssh-add -l" it would hang. I would then try and open an encrypted message and Mail.app would also hang trying to "download" the message - even for a message that was already downloaded. I tried running "gpgconf --kill gpg-agent" but the issue persisted. Removing & reinserting the Yubikey after that seems to do the trick. I'm going to try and remove the ~/.gnupg/scdaemon.conf file which only contained one directive I added as part of this debugging:
    card-timeout 15

    and see if it goes back to behaving "normally" (i.e. like it did under GPG 2016.10_v2)

  26. Posted by teoclaid on 02 Oct, 2017 07:17 PM

    Thanks for your help anyway gpg_dude. I'll keep an eye on this thread too in case anyone finally cracks it!

  27. Posted by gpg_dude on 02 Oct, 2017 07:28 PM

    No worries Teoclaid, let us know if you figure it out

  28. Posted by gpg_dude on 02 Oct, 2017 07:37 PM

    Also, the hanging issue described by me in #24 is still occurring. I'm going to try a reboot to see if that fixes it.

  29. Posted by teoclaid on 03 Oct, 2017 09:58 AM

    Hi everyone,
    No bites at all on the Yubico forum. There was a suggestion above to downgrade back to the 2016 version of GPGTools in the meantime - how do I do that?

    (Frustratingly the link in this thread which apparently worked(!) just takes me to the main FAQ: https://gpgtools.tenderapp.com/discussions/beta/2486-gpg-tools-ask-... And the official advice on how to downgrade to GnuPG 2.0 doesn't work https://gpgtools.tenderapp.com/kb/faq/gpg-suite-20171-gnupg-20-gnup...)

    Btw, when I exceeded my 3 tries of the PIN in Mail it wiped my key from the Yubikey. About to reinstall the key and see if that solves everything...

  30. Posted by teoclaid on 03 Oct, 2017 02:41 PM

    So it may be that those steps above did actually work - today I realised I was entering my secure PIN, not the Admin PIN when mail prompted me (hangs head sheepishly).

    I tried reinstalling my keys onto the yubikey but ran into more problems (https://forum.yubico.com/viewtopic.php?f=35&t=2740)... :(
