gpg-agent stops working after OSX Upgrade to Yosemite

Florian Müller

20 Oct, 2014 03:43 PM

Situation: I'm using the gpg-tools on OSX for yubikey-ssh-authentication. After the upgrade to OSX 10.10 Yosemite, gpg-agent seems to stop working after some time.

Setup:
Installed latest gpg-tools from this website.
Added "enable-ssh-support" to .gnupg/gpg-agent.conf and restarted mac
export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh
Connect to an ssh-server.

Problem:
After some time (~1-2 Hours maybe, not sure), the agent isn't working anymore. It's still listed as active in the processlist, but everything related to my yubikey fails (no error, just nothing happens, no segfaults).
Connecting to an ssh-server results in nothing, as does gpg --card-status.

Temporary Fix:
On shell: Kill gpg-agent with signal 9 and execute gpg --card-status, to launch the gpg-agent again. This works for another 1-2 hours.

  1. 1 Posted by Stephen Oliver on 21 Oct, 2014 12:18 AM

    In the past I've had to do the same thing even on 10.9; right now killing gpg-agent is only helping periodically, and even removing the card doesn't change anything in those cases.

    I used to also kill pcscd as well as scdaemon too. Now pcscd is called com.apple.ctkpcscd in 10.10 (part of transition to CryptoToken framework), and there are frequently a few of those and a few scdaemon processes running (there should only be one scdaemon as far as I'm aware, I'm not sure about ctkpcscd), which may be the cause of the problem (at least on this machine) when killing gpg-agent alone doesn't help.

  2. Support Staff 2 Posted by Steve on 21 Oct, 2014 01:54 PM

    Hi Florian and mrsteveman1,

    thank you both for your input. I've created a ticket for this problem and hope we can come up with a solution soon:

    https://gpgtools.lighthouseapp.com/projects/66001/tickets/140

    If this discussion gets closed, it will be re-opened as soon as the ticket is closed so you'll receive a notification. Feel free to open a new discussion should you run into further problems or need assistance.

    All the best,
    steve

  3. 3 Posted by Florian Müller on 21 Oct, 2014 02:04 PM

    I tried to install the latest nightly build, it seems to fix the problem for me.

    A coworker has the same problem, but the nightly didn't solve that for him...

    Thanks for looking into that... some of us are restoring their osx backups with 10.9...

  4. Support Staff 4 Posted by Luke Le on 21 Oct, 2014 02:06 PM

    Hi Florian,

    if by any chance your coworker runs into that problem again, any chance they could contact us so we could debug it? GDB might help find out what's going on.

  5. 5 Posted by Florian Müller on 21 Oct, 2014 02:08 PM

    Hi Luke,

    I'll tell him. Is there a faster way to reach you?

    Best.

  6. Support Staff 6 Posted by Luke Le on 21 Oct, 2014 02:14 PM

    Yep, he can use our live chat: http://www.hipchat.com/gi8zHW4K3

    Thank you!

  7. Support Staff 7 Posted by Luke Le on 23 Oct, 2014 05:29 PM

    After some investigation we found out that this seems in fact to be directly related to the gnupg-pcsc-wrapper which is responsible for communicating with smart cards using the OS X PCSC framework.

  8. 8 Posted by adam on 24 Oct, 2014 03:26 PM

    How can we solve this problem?

  9. Support Staff 9 Posted by Luke Le on 24 Oct, 2014 03:28 PM

    Hi adam,

    we're still looking into it. It might be possible to use a build of pcsc-lite which doesn't rely on PCSC.framework

  10. 10 Posted by bartosz.malkows... on 30 Oct, 2014 10:39 AM

    Any news? When can we (more or less) expect a fix?
    I'm not pushing you. I just want to know :-)

  11. 11 Posted by Patrick on 03 Nov, 2014 05:17 AM

    I am having the same issue and haven't been able to use the program. I went back to Mavericks but lost things in the process, so I had to do a clean install of Yosemite and would really love, well need, to install GPG.

    Thanks

  12. 12 Posted by Sam on 27 Nov, 2014 11:03 AM

    Having the same issue here. It's absolutely a killer - the worst part is that Mail.app is so terrible, that it's easy to not notice that emails just go to Drafts and never get sent. I've had a few miscommunications in the last days caused by this. This bug should be considered critical IMO.

  13. 13 Posted by Yazz on 18 Dec, 2014 11:39 AM

    Still seems to be happening for me and I have the latest beta.

    "GPG Suite - 2014.11.Yosemite-b3.dmg"

  14. 14 Posted by Samuel Reed on 18 Dec, 2014 11:41 AM

    I ended up switching away from Mail.app for this reason, over to Thunderbird + Enigmail. Works fine.

    I was able to clear up some of my yubikey issues by downloading the latest Yubikey NEO Manager (1.0.0 at this time), and disabling and enabling CCID mode. This seems to have triggered something internally; previously I was seeing intermittent problems with OTP & HMAC access but that is now gone.

    Perhaps it could help.

  15. Support Staff 15 Posted by Steve on 30 Dec, 2014 10:50 PM

    Sadly this is not fixed yet in GPG Suite b4.

    It's a high priority and we hope to take a closer look soon.

  16. 16 Posted by An5n on 10 Jan, 2015 02:00 PM

    Is there any progress regarding this nasty bug?

  17. 17 Posted by William Ahern on 15 Jan, 2015 01:39 AM

    I've been informed by a credible source that PCSC fixes will be forthcoming with Yosemite 10.10.2. Perhaps somebody with BETA access could confirm?

    Those fixes might not yet have been written or committed, so a negative result wouldn't conflict with the information I've been given. Or the PCSC fixes scheduled for 10.10.2 might not be sufficient, which would suck.

    But there is hope!

  18. 18 Posted by Stephen Oliver on 15 Jan, 2015 03:44 AM

    I'm senior engineer at an iOS & OS X consulting company and have access to betas, however for the same reason unfortunately I can't comment here on whether or not they've fixed anything yet.

  19. 19 Posted by William Ahern on 16 Jan, 2015 02:26 AM

    I just upgraded to the latest 10.10.2 beta release and the issue appears to still exist. For a while after rebooting I thought all the headaches were history, but then it happened again: SSH authentication stalls out, gpg --card-status stalls out, and after reinserting the card simply gpg --card-status errors out.

    I have to kill -9 gpg-agent, then reinsert the card. And then I'm left with another scdaemon process hanging around (at this point in the process I dunno which one to kill).

    Oh well.

  20. 20 Posted by Stephen Oliver on 17 Jan, 2015 06:56 AM

    Has anyone tried forcing GPG (scdaemon) to use its internal CCID driver to talk to the card directly? I'm testing a bit of a crude hack to do this at the moment, seems to be working but we'll see, I'll post my findings soon :)

  21. Support Staff 21 Posted by Luke Le on 17 Jan, 2015 09:38 AM

    If your smart card is supported by the internal ccid driver that might as well be a working solution. As far as we know, only the non-internal, PCSC based driver shows these problems.

  22. 22 Posted by Samuel Reed on 17 Jan, 2015 09:39 AM

    @mrsteveman1 that sounds like a great workaround until Apple starts to care about PCSC (IMO unlikely to happen any time soon). Does your workaround work for a Yubikey NEO?

  23. Support Staff 23 Posted by Luke Le on 17 Jan, 2015 09:41 AM

    Hi Samuel,

    it's easy to try. Simply comment out the disable-ccid line in your scdaemon.conf, kill gpg-agent (which will in turn kill scdaemon and pcsc-wrapper) and run gpg --card-status.

    If you're not seeing any errors, you should be good to go.

  24. 24 Posted by Samuel Reed on 17 Jan, 2015 09:46 AM

    Great. That appears to have worked, I'll report back if I see the usual hangups.

    For reference I didn't have a ~/.gnupg/scdaemon.conf so I simply created one with the single line disable-ccid.

  25. Support Staff 25 Posted by Luke Le on 17 Jan, 2015 09:52 AM

    Hi Samuel,

    that's interesting, because the CCID driver is used by default. With the disable-ccid you just disabled it.
    If the internal CCID driver however can't be used, scdaemon falls back to the PCSC driver.
    In order to see what's going on now, you can add the following lines to your scdaemon.conf:

    debug-ccid-driver
    verbose
    log-file /var/log/scdaemon.log
    

    and remove the line

    disable-ccid
    

    again

    After that, kill gpg-agent again, run gpg --card-status and inspect the output in /var/log/scdaemon.log

  26. 26 Posted by Samuel Reed on 17 Jan, 2015 09:56 AM

    Ah, I see - I read your comment backwards.

    With what you posted above, I see this in the scdaemon.log:

    2015-01-17 10:55:42 scdaemon[7571] Ext-Lc-Le ......: no
    2015-01-17 10:55:42 scdaemon[7571] Status Indicator: 00
    2015-01-17 10:55:42 scdaemon[7571] GnuPG-No-Sync ..: no
    2015-01-17 10:55:42 scdaemon[7571] GnuPG-Def-PW2 ..: no
    2015-01-17 10:55:42 scdaemon[7571] Key-Attr-sign ..: RSA, n=2048, e=17, fmt=crt+n
    2015-01-17 10:55:42 scdaemon[7571] Key-Attr-encr ..: RSA, n=2048, e=17, fmt=crt+n
    2015-01-17 10:55:42 scdaemon[7571] Key-Attr-auth ..: RSA, n=2048, e=17, fmt=crt+n
    2015-01-17 10:55:43 scdaemon[7571] reading public key failed: Card error
    2015-01-17 10:55:43 scdaemon[7571] updating slot 0 status: 0x0000->0x0007 (0->1)
    2015-01-17 10:55:43 scdaemon[7571] sending signal 31 to client 7570
    
  27. 27 Posted by bartosz.malkows... on 17 Jan, 2015 10:37 AM

    I don't get a card error.

    card-status with "disable-ccid":

    2015-01-17 11:31:14 scdaemon[16522] listening on socket `/tmp/gpg-5XBbsy/S.scdaemon'
    2015-01-17 11:31:14 scdaemon[16522] handler for fd -1 started
    2015-01-17 11:31:14 scdaemon[16522] pcsc_control failed: invalid parameter (0x80100004)
    2015-01-17 11:31:14 scdaemon[16522] pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65538
    2015-01-17 11:31:14 scdaemon[16522] reader slot 0: not connected
    2015-01-17 11:31:14 scdaemon[16522] slot 0: ATR=3B FC 13 00 00 81 31 FE 45 59 75 62 69 6B 65 79 4E 45 4F 72 33 B1
    2015-01-17 11:31:14 scdaemon[16522] AID: D2 76 00 01 24 01 02 00 00 00 01 74 04 03 00 00
    2015-01-17 11:31:14 scdaemon[16522] Historical Bytes: 00 73 00 00 80 00 00 00 00 00 00 00 00 00 00
    2015-01-17 11:31:14 scdaemon[16522] Version-2 ......: yes
    2015-01-17 11:31:14 scdaemon[16522] Get-Challenge ..: yes (255 bytes max)
    2015-01-17 11:31:14 scdaemon[16522] Key-Import .....: yes
    2015-01-17 11:31:14 scdaemon[16522] Change-Force-PW1: yes
    2015-01-17 11:31:14 scdaemon[16522] Private-DOs ....: no
    2015-01-17 11:31:14 scdaemon[16522] Algo-Attr-Change: no
    2015-01-17 11:31:14 scdaemon[16522] SM-Support .....: yes (3DES)
    2015-01-17 11:31:14 scdaemon[16522] Max-Cert3-Len ..: 1216
    2015-01-17 11:31:14 scdaemon[16522] Max-Cmd-Data ...: 255
    2015-01-17 11:31:14 scdaemon[16522] Max-Rsp-Data ...: 255
    2015-01-17 11:31:14 scdaemon[16522] Cmd-Chaining ...: yes
    2015-01-17 11:31:14 scdaemon[16522] Ext-Lc-Le ......: no
    2015-01-17 11:31:14 scdaemon[16522] Status Indicator: 00
    2015-01-17 11:31:14 scdaemon[16522] GnuPG-No-Sync ..: no
    2015-01-17 11:31:14 scdaemon[16522] GnuPG-Def-PW2 ..: no
    2015-01-17 11:31:14 scdaemon[16522] Key-Attr-sign ..: RSA, n=2048, e=17, fmt=crt+n
    2015-01-17 11:31:14 scdaemon[16522] Key-Attr-encr ..: RSA, n=2048, e=17, fmt=crt+n
    2015-01-17 11:31:14 scdaemon[16522] Key-Attr-auth ..: RSA, n=2048, e=17, fmt=crt+n
    2015-01-17 11:31:15 scdaemon[16522] updating slot 0 status: 0x0000->0x0007 (0->1)
    2015-01-17 11:31:15 scdaemon[16522] sending signal 31 to client 16518
    

    card-status without disable-ccid:

    2015-01-17 11:30:15 scdaemon[16505] listening on socket `/tmp/gpg-TeoHxv/S.scdaemon'
    2015-01-17 11:30:15 scdaemon[16505] handler for fd -1 started
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver: using CCID reader 0 (ID=1050:0111:X:0)
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver: idVendor: 1050  idProduct: 0111  bcdDevice: 0303
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver: ChipCard Interface Descriptor:
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   bLength                54
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   bDescriptorType        33
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   bcdCCID              1.00
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   nMaxSlotIndex           0
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   bVoltageSupport         7  ?
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   dwProtocols             2  T=1
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   dwDefaultClock       4000
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   dwMaxiumumClock      4000
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   bNumClockSupported      0
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   dwDataRate           9600 bps
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   dwMaxDataRate      307200 bps
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   bNumDataRatesSupp.      0
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   dwMaxIFSD            1400
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   dwSyncProtocols  00000000 
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   dwMechanical     00000000 
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   dwFeatures       000400FE
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:     Auto configuration based on ATR (assumes auto voltage)
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:     Auto activation on insert
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:     Auto voltage selection
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:     Auto clock change
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:     Auto baud rate change
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:     Auto parameter negotiation made by CCID
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:     WARNING: conflicting negotiation features
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:     Short and extended APDU level exchange
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   dwMaxCCIDMsgLen      1400
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   bClassGetResponse    echo
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   bClassEnvelope       echo
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   wlcdLayout           none
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   bPINSupport             0 
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver:   bMaxCCIDBusySlots       1
    2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver: usb_claim_interface failed: -13
    2015-01-17 11:30:16 scdaemon[16505] pcsc_control failed: invalid parameter (0x80100004)
    2015-01-17 11:30:16 scdaemon[16505] pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65538
    2015-01-17 11:30:16 scdaemon[16505] reader slot 0: not connected
    2015-01-17 11:30:16 scdaemon[16505] slot 0: ATR=3B FC 13 00 00 81 31 FE 45 59 75 62 69 6B 65 79 4E 45 4F 72 33 B1
    2015-01-17 11:30:17 scdaemon[16505] AID: D2 76 00 01 24 01 02 00 00 00 01 74 04 03 00 00
    2015-01-17 11:30:17 scdaemon[16505] Historical Bytes: 00 73 00 00 80 00 00 00 00 00 00 00 00 00 00
    2015-01-17 11:30:17 scdaemon[16505] Version-2 ......: yes
    2015-01-17 11:30:17 scdaemon[16505] Get-Challenge ..: yes (255 bytes max)
    2015-01-17 11:30:17 scdaemon[16505] Key-Import .....: yes
    2015-01-17 11:30:17 scdaemon[16505] Change-Force-PW1: yes
    2015-01-17 11:30:17 scdaemon[16505] Private-DOs ....: no
    2015-01-17 11:30:17 scdaemon[16505] Algo-Attr-Change: no
    2015-01-17 11:30:17 scdaemon[16505] SM-Support .....: yes (3DES)
    2015-01-17 11:30:17 scdaemon[16505] Max-Cert3-Len ..: 1216
    2015-01-17 11:30:17 scdaemon[16505] Max-Cmd-Data ...: 255
    2015-01-17 11:30:17 scdaemon[16505] Max-Rsp-Data ...: 255
    2015-01-17 11:30:17 scdaemon[16505] Cmd-Chaining ...: yes
    2015-01-17 11:30:17 scdaemon[16505] Ext-Lc-Le ......: no
    2015-01-17 11:30:17 scdaemon[16505] Status Indicator: 00
    2015-01-17 11:30:17 scdaemon[16505] GnuPG-No-Sync ..: no
    2015-01-17 11:30:17 scdaemon[16505] GnuPG-Def-PW2 ..: no
    2015-01-17 11:30:17 scdaemon[16505] Key-Attr-sign ..: RSA, n=2048, e=17, fmt=crt+n
    2015-01-17 11:30:17 scdaemon[16505] Key-Attr-encr ..: RSA, n=2048, e=17, fmt=crt+n
    2015-01-17 11:30:17 scdaemon[16505] Key-Attr-auth ..: RSA, n=2048, e=17, fmt=crt+n
    2015-01-17 11:30:18 scdaemon[16505] updating slot 0 status: 0x0000->0x0007 (0->1)
    2015-01-17 11:30:18 scdaemon[16505] sending signal 31 to client 16500
    

    I'll try to use gpg with "disable-ccid" for some time.

  28. Support Staff 28 Posted by Luke Le on 17 Jan, 2015 10:58 AM

    @Samuel: What version of gnupg are you using? Do you have beta 4 of GPG Suite installed?

    @Bartosz: It looks like in your case the internal ccid driver fails to connect and falls back to using the PCSC driver. So it doesn't really matter whether you specify disable-ccid or not, it will use the PCSC driver regardless.

  29. Support Staff 29 Posted by Luke Le on 17 Jan, 2015 11:00 AM

    Also please make sure to remove the debug-* lines after testing, since they might leak confidential information into the scdaemon.log file when used in signing/encrypting/decrypting operations.
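
    The diagnostic procedure from post 25, the way post 28 reads Bartosz's log, and the cleanup caveat above, as an added example (not code from the thread or from GPGTools): a POSIX sh checker that classifies which driver a scdaemon.log shows in use and then strips the debug-ccid-driver, verbose and log-file lines from scdaemon.conf again. Function names and the sample files are assumptions constructed here from the log lines quoted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread or from GPGTools: checks which card
# driver scdaemon actually ended up using, from the scdaemon.log that the
# debug-ccid-driver / verbose / log-file settings above produce, and then
# strips those diagnostic settings from scdaemon.conf again (they can leak
# confidential data into the log). Sample lines are constructed from the
# messages quoted in this thread.

# Config lines added only for diagnosis; removed again by scd_strip_debug.
SCD_DEBUG_RE='^[[:space:]]*(debug(-[a-z-]+)?|verbose|log-file)([[:space:]]|$)'

# Classify a scdaemon log: internal-ccid, pcsc-fallback, pcsc or unknown.
scd_driver_from_log() {
  if grep -q 'ccid-driver: usb_claim_interface failed' "$1"; then
    echo pcsc-fallback   # internal driver saw the reader but could not claim it
  elif grep -q 'ccid-driver: using CCID reader' "$1"; then
    echo internal-ccid   # no claim failure logged: the internal driver is in use
  elif grep -q 'pcsc_' "$1"; then
    echo pcsc            # disable-ccid set, or the internal driver never ran
  else
    echo unknown
  fi
}

# Number of diagnostic lines still present in a scdaemon.conf.
scd_debug_line_count() {
  grep -c -E "$SCD_DEBUG_RE" "$1" || true   # grep -c prints 0 but exits 1 on no match
}

# Remove the diagnostic lines from scdaemon.conf, keeping everything else.
scd_strip_debug() {
  tmp="$1.tmp.$$"
  grep -v -E "$SCD_DEBUG_RE" "$1" > "$tmp" || true
  mv "$tmp" "$1"
}

# --- constructed samples in a scratch directory -------------------------------
SCD_TMP=$(mktemp -d)
SAMPLE_FALLBACK_LOG="$SCD_TMP/fallback.log"   # CCID tried, fell back to PCSC
SAMPLE_PCSC_LOG="$SCD_TMP/pcsc.log"           # run with disable-ccid
SAMPLE_CONF="$SCD_TMP/scdaemon.conf"

cat > "$SAMPLE_FALLBACK_LOG" <<'EOF'
2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver: using CCID reader 0 (ID=1050:0111:X:0)
2015-01-17 11:30:16 scdaemon[16505] DBG: ccid-driver: usb_claim_interface failed: -13
2015-01-17 11:30:16 scdaemon[16505] pcsc_control failed: invalid parameter (0x80100004)
2015-01-17 11:30:16 scdaemon[16505] reader slot 0: not connected
EOF
cat > "$SAMPLE_PCSC_LOG" <<'EOF'
2015-01-17 11:31:14 scdaemon[16522] pcsc_control failed: invalid parameter (0x80100004)
2015-01-17 11:31:14 scdaemon[16522] reader slot 0: not connected
EOF
# card-timeout is an unrelated scdaemon option that must survive the cleanup.
printf '%s\n' 'debug-ccid-driver' 'verbose' 'log-file /var/log/scdaemon.log' \
  'card-timeout 5' > "$SAMPLE_CONF"

echo "fallback.log -> $(scd_driver_from_log "$SAMPLE_FALLBACK_LOG")"   # pcsc-fallback
echo "pcsc.log     -> $(scd_driver_from_log "$SAMPLE_PCSC_LOG")"       # pcsc
```

    Run it against your real log and conf (scd_driver_from_log /var/log/scdaemon.log; scd_strip_debug ~/.gnupg/scdaemon.conf) once you have finished testing, then kill gpg-agent so scdaemon re-reads the configuration.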

  30. 30 Posted by Samuel Reed on 17 Jan, 2015 11:33 AM

    @Luke: I just updated and ran again:

    2015-01-17 12:31:49 scdaemon[9662] Ext-Lc-Le ......: no
    2015-01-17 12:31:49 scdaemon[9662] Status Indicator: 00
    2015-01-17 12:31:49 scdaemon[9662] GnuPG-No-Sync ..: no
    2015-01-17 12:31:49 scdaemon[9662] GnuPG-Def-PW2 ..: no
    2015-01-17 12:31:49 scdaemon[9662] Key-Attr-sign ..: RSA, n=2048, e=17, fmt=crt+n
    2015-01-17 12:31:49 scdaemon[9662] Key-Attr-encr ..: RSA, n=2048, e=17, fmt=crt+n
    2015-01-17 12:31:49 scdaemon[9662] Key-Attr-auth ..: RSA, n=2048, e=17, fmt=crt+n
    2015-01-17 12:31:50 scdaemon[9662] reading public key failed: Card error
    2015-01-17 12:31:50 scdaemon[9662] updating slot 0 status: 0x0000->0x0007 (0->1)
    2015-01-17 12:31:50 scdaemon[9662] sending signal 31 to client 9661
    

    Looks like identical output.

    However, gpg --card-status IS recognizing the card.

    It seems to me like this won't have the desired effect; previously on my machine, there was no ~/.gnupg/scdaemon.conf, which means the gpg ccid driver was being used, right? Yet I was still getting the intermittent freezes as described in this ticket.
