gpg-agent stops working after OSX Upgrade to Yosemite
Situation: I'm using the gpg-tools on OSX for yubikey-ssh-authentication. After Upgrade to OSX 10.10 Yosemite, gpg-agent seems to stop working after some time.
Setup:
Installed latest gpg-tools from this website.
Added "enable-ssh-support" to .gnupg/gpg-agent.conf and restarted mac
export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh
Connect to an ssh-server.
Problem:
After some time (~1-2 Hours maybe, not sure), the agent isn't working anymore. It's still listed as active in the processlist, but everything related to my yubikey fails (no error, just nothing happens, no segfaults).
Connecting to a ssh-server results in nothing, as well as gpg --card-status
Temporary Fix:
On shell: Kill gpg-agent with signal 9 and execute gpg --card-status, to launch the gpg-agent again. This works for another 1-2 hours.
1 Posted by Stephen Oliver on 21 Oct, 2014 12:18 AM
In the past I've had to do the same thing even on 10.9, right now killing gpg-agent is only helping periodically, even removing the card doesn't change anything in those cases.
I used to also kill pcscd as well as scdaemon too. Now pcscd is called com.apple.ctkpcscd in 10.10 (part of transition to CryptoToken framework), and there are frequently a few of those and a few scdaemon processes running (there should only be one scdaemon as far as I'm aware, I'm not sure about ctkpcscd), which may be the cause of the problem (at least on this machine) when killing gpg-agent alone doesn't help.
Support Staff 2 Posted by Steve on 21 Oct, 2014 01:54 PM
Hi Florian and mrsteveman1,
thank you both for your input. I've created a ticket for this problem and hope we can come up with a solution soon:
https://gpgtools.lighthouseapp.com/projects/66001/tickets/140
If this discussion gets closed, it will be re-opened as soon as the ticket is closed so you'll receive a notification. Feel free to open a new discussion should you run into further problems or need assistance.
All the best,
steve
3 Posted by Florian Müller on 21 Oct, 2014 02:04 PM
I tried to install the latest nightly build, it seems to fix the problem for me.
A coworker has the same problem, but the nightly didn't solve that for him...
Thanks for looking into that... some of us are restoring their osx backups with 10.9...
Support Staff 4 Posted by Luke Le on 21 Oct, 2014 02:06 PM
Hi Florian,
if by any chance your coworker runs into that problem again, any chance they could contact us so we could debug it? GDB might help finding out what's going on.
5 Posted by Florian Müller on 21 Oct, 2014 02:08 PM
Hi Luke,
I'll tell him. Is there a faster way to reach you?
Best.
Support Staff 6 Posted by Luke Le on 21 Oct, 2014 02:14 PM
Yep, he can use our live chat: http://www.hipchat.com/gi8zHW4K3
Thank you!
Support Staff 7 Posted by Luke Le on 23 Oct, 2014 05:29 PM
After some investigation we found out that this seems in fact to be directly related to the gnupg-pcsc-wrapper which is responsible for communicating with smart cards using the OS X PCSC framework.
8 Posted by adam on 24 Oct, 2014 03:26 PM
How can we solve this problem?
Support Staff 9 Posted by Luke Le on 24 Oct, 2014 03:28 PM
Hi adam,
we're still looking into it. It might be possible to use a build of pcsc-lite which doesn't rely on PCSC.framework
10 Posted by bartosz.malkows... on 30 Oct, 2014 10:39 AM
Any news? When (more or less) can we expect a fix?
I'm not pushing you. I just want to know :-)
11 Posted by Patrick on 03 Nov, 2014 05:17 AM
I am having the same issue and haven't been able to use the program. I went back to Mavericks but lost things in the process so I had to do a clean install of Yosemite and would really love, well need, to install GPG.
Thanks
12 Posted by Sam on 27 Nov, 2014 11:03 AM
Having the same issue here. It's absolutely a killer - the worst part is that Mail.app is so terrible, that it's easy to not notice that emails just go to Drafts and never get sent. I've had a few miscommunications in the last days caused by this. This bug should be considered critical IMO.
13 Posted by Yazz on 18 Dec, 2014 11:39 AM
Still seems to be happening for me and I have the latest beta.
"GPG Suite - 2014.11.Yosemite-b3.dmg"
14 Posted by Samuel Reed on 18 Dec, 2014 11:41 AM
I ended up switching away from Mail.app for this reason, over to Thunderbird + Enigmail. Works fine.
I was able to clear up some of my yubikey issues by downloading the latest Yubikey NEO Manager (1.0.0 at this time), and disabling and enabling CCID mode. This seems to have triggered something internally; previously I was seeing intermittent problems with OTP & HMAC access but that is now gone.
Perhaps it could help.
Support Staff 15 Posted by Steve on 30 Dec, 2014 10:50 PM
Sadly this is not fixed yet in GPG Suite b4.
It's a high priority and we hope to take a closer look soon.
16 Posted by An5n on 10 Jan, 2015 02:00 PM
Is there any progress regarding this nasty bug?
17 Posted by William Ahern on 15 Jan, 2015 01:39 AM
I've been informed by a credible source that PCSC fixes will be forthcoming with Yosemite 10.10.2. Perhaps somebody with BETA access could confirm?
Those fixes might not yet have been written or committed, so a negative result wouldn't conflict with the information I've been given. Or the PCSC fixes scheduled for 10.10.2 might not be sufficient, which would suck.
But there is hope!
18 Posted by Stephen Oliver on 15 Jan, 2015 03:44 AM
I'm a senior engineer at an iOS & OS X consulting company and have access to betas, however for the same reason unfortunately I can't comment here on whether or not they've fixed anything yet.
19 Posted by William Ahern on 16 Jan, 2015 02:26 AM
I just upgraded to the latest 10.10.2 beta release and the issue appears to still exist. For a while after rebooting I thought all the headaches were history, but then it happened again: SSH authentication stalls out, gpg --card-status stalls out, and after reinserting the card simply gpg --card-status errors out.
I have to kill -9 gpg-agent, then reinsert the card. And then I'm left with another scdaemon process hanging around (at this point in the process I dunno which one to kill).
Oh well.
20 Posted by Stephen Oliver on 17 Jan, 2015 06:56 AM
Has anyone tried forcing GPG (scdaemon) to use its internal CCID driver to talk to the card directly? I'm testing a bit of a crude hack to do this at the moment, seems to be working but we'll see, I'll post my findings soon :)
Support Staff 21 Posted by Luke Le on 17 Jan, 2015 09:38 AM
If your smart card is supported by the internal ccid driver that might as well be a working solution. As far as we know, only the non-internal, PCSC based driver shows these problems.
22 Posted by Samuel Reed on 17 Jan, 2015 09:39 AM
@mrsteveman1 that sounds like a great workaround until Apple starts to care about PCSC (IMO unlikely to happen any time soon). Does your workaround work for a Yubikey NEO?
Support Staff 23 Posted by Luke Le on 17 Jan, 2015 09:41 AM
Hi Samuel,
it's easy to try. Simply comment out the disable-ccid line in your scdaemon.conf, kill gpg-agent (which will in turn kill scdaemon and pcsc-wrapper) and run gpg --card-status
If you're not seeing any errors, you should be good to go.
24 Posted by Samuel Reed on 17 Jan, 2015 09:46 AM
Great. That appears to have worked, I'll report back if I see the usual hangups.
For reference I didn't have a ~/.gnupg/scdaemon.conf so I simply created one with the single line
disable-ccid
Support Staff 25 Posted by Luke Le on 17 Jan, 2015 09:52 AM
Hi Samuel,
that's interesting, because the CCID driver is used by default. With the disable-ccid you just disabled it.
If the internal CCID driver however can't be used, scdaemon falls back to the PCSC driver.
In order to see what's going on now, you can add the following lines to your scdaemon.conf:
and remove the line
again
After that, kill gpg-agent again, run gpg --card-status and inspect the output in /var/log/scdaemon.log
26 Posted by Samuel Reed on 17 Jan, 2015 09:56 AM
Ah, I see - I read your comment backwards.
With what you posted above, I see this in the scdaemon.log:
27 Posted by bartosz.malkows... on 17 Jan, 2015 10:37 AM
I haven't card error.
card-status with "disable-ccid":
card-status without disable-ccid:
I try to use gpg with "disable-ccid" for some time.
Support Staff 28 Posted by Luke Le on 17 Jan, 2015 10:58 AM
@Samuel: What version of gnupg are you using? Do you have beta 4 of GPG Suite installed?
@Bartosz: It looks like in your case the internal ccid driver fails to connect and falls back to using the PCSC driver. So it doesn't really matter whether you specify disable-ccid or not, it will regardless use the PCSC driver.
Support Staff 29 Posted by Luke Le on 17 Jan, 2015 11:00 AM
Also please make sure to remove the debug-* lines after testing, since they might leak confidential information into the scdaemon.log file when used in signing/encrypting/decrypting operations.
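One way to check a scdaemon.conf for leftover debug-* lines and for the disable-ccid setting discussed above, as an added example that is not part of the original thread or GPGTools' own code. The function name `audit_scdaemon_conf` is hypothetical and the sample config is constructed; `debug-level` and `log-file` are standard scdaemon options used here for illustration, not necessarily the lines posted in the thread.

```shell
#!/bin/sh
# Added example: report settings in a scdaemon.conf that matter for this thread.
# Prints one finding per line; returns 1 if any active debug option is present.
audit_scdaemon_conf() {
    conf=$1
    if [ ! -f "$conf" ]; then
        # No config file: scdaemon runs with its defaults.
        echo "no-config: defaults apply, internal CCID tried first"
        return 0
    fi
    # Trim whitespace, then drop comment and blank lines so a commented-out
    # option (e.g. "#disable-ccid") is not reported as active.
    active=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$conf" \
        | grep -v -e '^#' -e '^$' || true)
    status=0
    # Any active "debug" or "debug-*" option is a finding.
    debug=$(printf '%s\n' "$active" \
        | grep -E '^debug(-[a-z-]+)?([[:space:]]|$)' || true)
    if [ -n "$debug" ]; then
        printf '%s\n' "$debug" | sed 's/^/debug-active: /'
        status=1
    fi
    # Show where debug output is being written, if a log file is configured.
    logfile=$(printf '%s\n' "$active" | awk '$1 == "log-file" { print $2 }' | tail -n 1)
    if [ -n "$logfile" ]; then
        echo "log-file: $logfile"
    fi
    # disable-ccid turns the internal CCID driver off, leaving only PC/SC.
    if printf '%s\n' "$active" | grep -q '^disable-ccid$'; then
        echo "driver: disable-ccid set, PC/SC driver only"
    else
        echo "driver: internal CCID tried first, PC/SC as fallback"
    fi
    return $status
}

# Constructed sample config (not from the thread) to exercise the function.
sample=$(mktemp)
printf '%s\n' 'log-file /var/log/scdaemon.log' 'debug-level guru' '#disable-ccid' > "$sample"
audit_scdaemon_conf "$sample" || echo "remove the debug-* lines once testing is done"
rm -f "$sample"
```

Point it at `~/.gnupg/scdaemon.conf` after a debugging session; a non-zero exit status means debug options are still active.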
30 Posted by Samuel Reed on 17 Jan, 2015 11:33 AM
@Luke: I just updated and ran again:
Looks like identical output.
However, gpg --card-status IS recognizing the card.
It seems to me like this won't have the desired effect; previously on my machine, there was no ~/.gnupg/scdaemon.conf, which means the gpg ccid driver was being used, right? Yet I was still getting the intermittent freezes as described in this ticket.