git commit signing: Asked for smartcard as it's plugged in

gaugendre

13 Feb, 2018 10:08 PM

Hello there,

I'm trying to use GPGTools for git commit signing or email signing/encrypting/decrypting/verifying.

I used this tutorial https://www.yubico.com/support/knowledge-base/categories/articles/u... (I guess, it was a while ago) to generate a key pair and add subkeys to my yubikey.

Whenever I need to sign/encrypt/decrypt a message or a git commit, I need to plug my Yubikey in and type the pin code. That works perfectly just after logging into my session, but if the computer goes to sleep (that's my guess, not sure about that) and I wake it up and try to sign/encrypt/decrypt another message, GPGTools pinentry keeps asking to plug the yubikey in even though it's already there.

As a workaround, I'm forced to go to the terminal, killall gpg-agent and then retry the operation, then it works. Do you know why that happens?

Best regards,
Gabriel

  1. Support Staff 1 Posted by Steve on 27 Mar, 2018 08:36 AM

    Hi Gabriel,

    welcome to the GPGTools support platform. Sorry you are having problems using GPG Suite.

    Could you take this question to the gnupg users mailing list? Feel free to keep us posted on where this case is going and what may have been causing this.

    All the best,
    steve

  2. Support Staff 2 Posted by Luke Le on 30 Mar, 2018 09:44 PM

    Hi Gabriel,

    I saw your message to the gnupg mailing list. Until the fix is available, there's one thing you could try, which is to add the following option to your ~/.gnupg/scdaemon.conf file:

    shared-access
    

    This is only available with our version of GnuPG and allows shared access to the smart card instead of exclusive access which is sometimes cumbersome. It's not heavily tested, so we would appreciate any feedback.

  3. Support Staff 3 Posted by Steve on 30 Mar, 2018 09:52 PM

    For reference Niibe Yutaka writes:
    I fixed a problem of GnuPG scdaemon and implemented work around for
    device problem. It will be in 2.2.6. With the fix and the work around,
    scdaemon tries to reset device after such a failure. So, you won't need
    to manually re-plug your device, but PIN input will be required, since
    the device will be reset.

    https://lists.gnupg.org/pipermail/gnupg-users/2018-March/060179.html

  4. 4 Posted by gaugendre on 31 Mar, 2018 09:39 AM

    Thanks for the workaround proposal, I'll try it.
    When is 2.2.6 expected to be released in GPGTools?

  5. Support Staff 5 Posted by Steve on 31 Mar, 2018 10:52 AM

    Currently 2.2.6 has not been released by gnupg. Once they release it we will integrate it in our hotfix build and then chances are it will be included in the next stable release after that.

  6. 6 Posted by gaugendre on 31 Mar, 2018 03:24 PM

    Tested the shared-access approach, didn't work.

  7. Support Staff 7 Posted by Luke Le on 02 Apr, 2018 06:40 PM

    Attached to this discussion you will find a custom MacGPG2 version which includes the latest smart card fixes from GnuPG.

    If you are interested in testing this version, please let us know if it solves your problem.

  8. 8 Posted by gaugendre on 02 Apr, 2018 08:30 PM

    Thanks @Luke, the first tests tend to show that the issue is solved. I'll get back to you on this ticket if it's actually not.

  9. 9 Posted by gaugendre on 03 Apr, 2018 09:35 AM

    I just had the same problem again, using the version of MacGPG included in the previous post.

  10. Support Staff 10 Posted by Luke Le on 04 Apr, 2018 04:34 PM

    Hmmm... that's bad. Is this always reproducible after your computer goes to sleep, or only sometimes?

  11. 11 Posted by gaugendre on 04 Apr, 2018 05:02 PM

    It's always reproducible after a significant amount of time (couple of minutes).

  12. Support Staff 12 Posted by Luke Le on 04 Apr, 2018 05:07 PM

    Even if not in sleep mode, or if in sleep mode for a couple of minutes?
    Could we ask you to write down the "workflow" in detailed steps? That would be a great help to learn more.

  13. 13 Posted by gaugendre on 04 Apr, 2018 05:10 PM

    It's as I wrote in the first post:

    • Sign a commit -> success
    • Go to sleep for a couple of minutes
    • Try to sign a commit -> fail

    I would be glad to provide more details but I don't know what you need to know :)

  14. Support Staff 14 Posted by Luke Le on 04 Apr, 2018 05:14 PM

    What might help is if you could turn on debug log for scdaemon and then try to re-produce the error and send us the scdaemon.log file.

    1.) Enable debug log for scdaemon

    log-file /tmp/scdaemon.log
    debug-level expert
    debug-all
    

    2.) Kill scdaemon

    killall scdaemon
    

    Thanks!
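
Steps 1 and 2 from the post above as a reversible script, so that debug logging can be switched off again once the log is captured. This is an added example, not part of the original post or GPGTools' own tooling; the function names and marker comments are assumptions, while the three options, the log path and `killall scdaemon` are the ones given in the post.

```shell
#!/bin/sh
# Added example (not from the thread). The marker comments are an assumption
# of this sketch; they let the debug block be removed again cleanly.
BEGIN_MARK='# BEGIN temporary scdaemon debug'
END_MARK='# END temporary scdaemon debug'

# scd_debug_on CONF [LOGFILE]: append the three options from the post, once.
scd_debug_on() {
    conf=$1
    log=${2:-/tmp/scdaemon.log}
    mkdir -p "$(dirname "$conf")" || return 1
    touch "$conf" || return 1
    # Idempotent: a second call must not duplicate the options.
    if grep -qxF "$BEGIN_MARK" "$conf"; then
        return 0
    fi
    cp -p "$conf" "$conf.bak" || return 1
    # A last line without a newline would otherwise swallow the marker.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        printf '\n' >> "$conf"
    fi
    {
        printf '%s\n' "$BEGIN_MARK"
        printf 'log-file %s\n' "$log"
        printf 'debug-level expert\n'
        printf 'debug-all\n'
        printf '%s\n' "$END_MARK"
    } >> "$conf"
}

# scd_debug_off CONF: delete only the marked block, keep all other options.
scd_debug_off() {
    conf=$1
    [ -f "$conf" ] || return 0
    tmp=$(mktemp) || return 1
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Usage, restarting scdaemon after each change as in step 2 of the post:
#   scd_debug_on  "$HOME/.gnupg/scdaemon.conf" && killall scdaemon
#   ...reproduce the failure and collect /tmp/scdaemon.log...
#   scd_debug_off "$HOME/.gnupg/scdaemon.conf" && killall scdaemon
```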

  15. 15 Posted by gaugendre on 05 Apr, 2018 05:15 AM

    Here is the logfile (your system prevents me from attaching the raw .log file so I zipped it).

    The steps I tried are:

    • Enable debug log info + kill scdaemon
    • killall gpg-agent
    • Try to sign commit -> success
    • Close lid, wait for half a minute
    • Try to sign a commit -> success
    • Close lid, wait for couple of minutes
    • Try to sign commit -> fail

    It's important to note that this time the fail was different. Usually, the pinentry program pops up and prompts me to insert key with given ID. When I plug the key and press OK, the same popup appears again, and again, ...
    This time, it didn't even bother to pop up, I had this error right up front:

    error: gpg failed to sign the data
    fatal: failed to write commit object
    

    I usually have this same error after pressing Cancel when I'm in the "insert yubikey" loop.

  16. Support Staff 16 Posted by Luke Le on 06 Apr, 2018 12:16 PM

    Thank you very much for the detailed steps and log file. We will try to re-produce the problem with the steps outlined and will get back to you once we find something.
