Gemalto smart card problem El Capitan 10.11.2 "OpenPGP card not available: Card error"
Good smart folks,
GPG is essential for my work and I use GPGTools daily. Updating to El Capitan has broken use of my smart card. Help if you can, please.
~BG
Which of our tools is giving you problems?
GPGServices
Paste version info of your installed software:
Mac OS X 10.11.2 (15C50)
Libmacgpg 0.6.1 752
GPGMail 2.5.2 1060 <=== I don't use Mail but in fact I installed 2.6B2
GPG Keychain 1.2.1 1147
GPGServices 1.10.1 871
MacGPG2 2.0.28 855
GPGPreferences 1.5 846
Note: I use MailMate, not the native Mail client, but that's not material to this problem. GPG doesn't see my smart card on the command line either.
Note2: I am running GPGTools inside a VMWare Fusion 8 virtual machine with OSX guest. I explain below why this does not seem pertinent either.
Describe your problem. Add as much detail as possible.
With Mavericks and Yosemite, GPGTools worked smoothly with my OpenPGP 2 smart card in a Gemalto shell token v2. I updated to OSX 10.11.2, and now GPG can't find my smart card.
> gpg2 --card-status
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error
I tried:
> gpg2 --card-edit
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error
gpg/card>
I can of course encrypt something to my public key (OpenPGP: Encrypt Selection in the context menu) without the private key. But when I try to decrypt the same way (OpenPGP: Decrypt Selection in the context menu), I get:
Decrypt failed! (Card error)
Code = 108
Of course I've tried removing and re-inserting the smart card. I also confirmed the same card still works on OSX Yosemite 10.10.5.
I mentioned above that I am running GPGTools inside a virtual machine. I would not get hung up on that as it seems unlikely to me to be the problem. Still, here's the setup: VMWare Fusion 8.1.0 running on a Macbook Pro (2015, retina, 13") host. I use multiple OSX guest VMs on this machine. VMWare lets you specify which VM controls the Gemalto shell token. The Gemalto token has always worked fine inside a VMWare VM for me. In fact, the same card still does work when I tell VMWare Fusion to mount it in a VM running OSX Yosemite 10.10.5. The problem is present only in the El Capitan VM. But that's the one I use for email, and where I need my smartcard key.
I'm really in a pickle. Hope you can help.
What did you expect instead
Smart card would work.
Describe steps leading to the problem.
- Updated the Mac (the VMWare OSX VM) from Yosemite to El Capitan.
If your problem concerns GPGMail, are other plugins installed in Mail.app?
As noted, I don't use Mail.app. I use MailMate, which integrates GPG just fine when GPGTools are installed.
1 Posted by n0trab on 11 Dec, 2015 12:35 AM
This is pretty urgent for me. I use GPG every day. Thanks again.
Support Staff 2 Posted by Luke Le on 15 Dec, 2015 10:43 PM
Hi,
sorry for not responding earlier.
Could you please enable debug mode in your gpg-agent.conf by adding the following line to your gpg-agent.conf file:
After that run the following command:
Please attach the gpg-agent.log file to this discussion, or send it to team @ gpgtools.org
Support Staff 3 Posted by Luke Le on 15 Dec, 2015 11:36 PM
Hmmm... as I expected, gnupg believes the card is not present.
Could you please check Console.app for log messages related to "Gemalto" and send them to us as well?
Also, please post the exact Gemalto model you have. Smart Card support is very particular and Apple is known to include bugs in their framework accessing the smart cards.
4 Posted by n0trab on 16 Dec, 2015 07:52 PM
The Gemalto model is the IDBridge K30, previously known as the USB Shell Token v2 - GemPC key. According to the driver support page, it is natively supported "since OS X 10.10" and needs no driver. It certainly works for me under 10.10, and as I recall it worked fine under 10.9 as well.
The smart card inside the shell token is the OpenPGP Card, version 2, sold by Kernel Concepts in Germany.
Here's what I get from Console after I try
12/16/15 2:45:16.159 PM com.apple.SecurityServer[81]: Token reader Gemalto USB Shell Token V2 inserted into system
12/16/15 2:45:16.159 PM com.apple.SecurityServer[81]: reader Gemalto USB Shell Token V2: state changed 0 -> 18
12/16/15 2:45:16.227 PM com.apple.SecurityServer[81]: reader Gemalto USB Shell Token V2: state changed 16 -> 34
12/16/15 2:45:16.233 PM com.apple.SecurityServer[81]: token in reader Gemalto USB Shell Token V2 cannot be used (error 229)
12/16/15 2:45:42.628 PM com.apple.SecurityServer[81]: reader Gemalto USB Shell Token V2: state changed 32 -> 162
12/16/15 2:45:42.628 PM com.apple.SecurityServer[81]: token in reader Gemalto USB Shell Token V2 cannot be used (error 229)
12/16/15 2:45:45.703 PM com.apple.SecurityServer[81]: reader Gemalto USB Shell Token V2: state changed 160 -> 34
12/16/15 2:45:45.704 PM com.apple.SecurityServer[81]: token in reader Gemalto USB Shell Token V2 cannot be used (error 229)
12/16/15 2:45:45.991 PM com.apple.SecurityServer[81]: reader Gemalto USB Shell Token V2: state changed 32 -> 162
12/16/15 2:45:45.992 PM com.apple.SecurityServer[81]: token in reader Gemalto USB Shell Token V2 cannot be used (error 229)
12/16/15 2:45:48.994 PM com.apple.SecurityServer[81]: reader Gemalto USB Shell Token V2: state changed 160 -> 34
12/16/15 2:45:48.994 PM com.apple.SecurityServer[81]: token in reader Gemalto USB Shell Token V2 cannot be used (error 229)
12/16/15 2:45:49.003 PM com.apple.SecurityServer[81]: reader Gemalto USB Shell Token V2: state changed 32 -> 18
12/16/15 2:45:49.363 PM com.apple.SecurityServer[81]: reader Gemalto USB Shell Token V2: state changed 16 -> 34
12/16/15 2:45:49.364 PM com.apple.SecurityServer[81]: token in reader Gemalto USB Shell Token V2 cannot be used (error 229)
5 Posted by n0trab on 16 Dec, 2015 08:13 PM
Wait, this is very strange. I used it in an OS X 10.10 Virtual Machine just now and it worked fine. Yet Console still threw errors. See below.
It gives a normal status message, beginning with:
Application ID ...: [redacted by n0trab]
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....:[redacted by n0trab]
Here's the full Terminal message, which I'm encrypting to the team at GPG Tools to protect my privacy.
The same smart card also decrypted a file successfully, a moment before.
AND YET, here's from Console.app:
12/16/15 3:07:22.544 PM com.apple.SecurityServer[79]: Token reader Gemalto USB Shell Token V2 inserted into system
12/16/15 3:07:22.544 PM com.apple.SecurityServer[79]: reader Gemalto USB Shell Token V2: state changed 0 -> 34
12/16/15 3:07:22.553 PM com.apple.SecurityServer[79]: token in reader Gemalto USB Shell Token V2 cannot be used (error 229)
12/16/15 3:07:31.366 PM com.apple.SecurityServer[79]: reader Gemalto USB Shell Token V2: state changed 32 -> 162
How can it be throwing an error for a card that works just fine? I can even use gpg --card-edit.
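An added example, not part of the original thread and not GPGTools code: the Console.app lines quoted in posts 4 and 5 are easier to read when the "state changed" numbers are decoded as PC/SC SCARD_STATE_* flags. The flag values are the standard PC/SC ones; that com.apple.SecurityServer logs this bitmask is an assumption, and error 229 is left undecoded.

```python
import re

# PC/SC reader-state flags (SCARD_STATE_* in winscard.h / pcsclite.h).
SCARD_STATE = {
    0x001: "IGNORE", 0x002: "CHANGED", 0x004: "UNKNOWN", 0x008: "UNAVAILABLE",
    0x010: "EMPTY", 0x020: "PRESENT", 0x040: "ATRMATCH", 0x080: "EXCLUSIVE",
    0x100: "INUSE", 0x200: "MUTE", 0x400: "UNPOWERED",
}

# Console.app lines copied from the thread above (El Capitan guest).
SAMPLE = """\
12/16/15 2:45:16.159 PM com.apple.SecurityServer[81]: reader Gemalto USB Shell Token V2: state changed 0 -> 18
12/16/15 2:45:16.227 PM com.apple.SecurityServer[81]: reader Gemalto USB Shell Token V2: state changed 16 -> 34
12/16/15 2:45:16.233 PM com.apple.SecurityServer[81]: token in reader Gemalto USB Shell Token V2 cannot be used (error 229)
12/16/15 2:45:42.628 PM com.apple.SecurityServer[81]: reader Gemalto USB Shell Token V2: state changed 32 -> 162
12/16/15 2:45:42.628 PM com.apple.SecurityServer[81]: token in reader Gemalto USB Shell Token V2 cannot be used (error 229)
"""

STATE_RE = re.compile(r"reader (?P<reader>.+?): state changed (?P<old>\d+) -> (?P<new>\d+)")
ERROR_RE = re.compile(r"token in reader (?P<reader>.+?) cannot be used \(error (?P<code>\d+)\)")


def decode_state(value):
    """Return the flag names set in a reader-state bitmask."""
    names = [name for bit, name in sorted(SCARD_STATE.items()) if value & bit]
    return names or ["UNAWARE"]  # 0 means the state is not yet known


def annotate(log_text):
    """Pair each 'cannot be used' error with the reader state that preceded it."""
    last_state, events = {}, []
    for line in log_text.splitlines():
        if m := STATE_RE.search(line):
            last_state[m["reader"]] = decode_state(int(m["new"]))
            events.append(("state", m["reader"], last_state[m["reader"]]))
        elif m := ERROR_RE.search(line):
            events.append(("error", int(m["code"]), last_state.get(m["reader"], [])))
    return events


if __name__ == "__main__":
    for event in annotate(SAMPLE):
        print(event)
```

Under that assumption, both errors in the sample follow a state with PRESENT set, and the second follows one that also has EXCLUSIVE set.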
Support Staff 6 Posted by Luke Le on 17 Dec, 2015 08:37 PM
Hi,
the errors, as strange as it sounds, don't have to mean that something's not working in this scenario.
Unfortunately all the messages are also not telling much.
Could you try one thing that might help?
Add the following line to scdaemon.conf (in ~/.gnupg):
You might have to create the file if it doesn't exist.
Afterwards run the following commands:
killall gpg2
killall gpg-agent
killall scdaemon
(Best stop any apps accessing gnupg before doing that)
After that try to sign or decrypt some content.
7 Posted by n0trab on 17 Dec, 2015 09:51 PM
OK. No joy but slightly different error message the first time I tried gpg2 --card-status. If that helps.
Then:
Then
Then
Here I get a new error message:
Repeating the command produced the error I've been getting previously:
I tried, with the card in that unavailable state, to encrypt and sign using the private key on the card. Instead of throwing an error, it appeared to sort-of encrypt the selection.
Specifically, I selected some text in TextWrangler, then Services ... OpenPGP: Encrypt Selection. I chose the private key on the smart card for encryption and signing, and no other recipient. There was no error message and no request for my smart card PIN. The output was as follows. Note there's no "END PGP MESSAGE" at the end.
(that's where it ended)
Support Staff 8 Posted by Luke Le on 17 Dec, 2015 10:19 PM
That's curious that it fails to connect to gpg-agent at first.
Would you mind contacting Gemalto and asking them if they know of some incompatibility with El Capitan?
We know of different users using a smart card or usb token with El Capitan and haven't heard of any problems yet, so I'm starting to think this might be related to the driver.
9 Posted by n0trab on 18 Dec, 2015 04:41 AM
Would it be a bad idea to install or update something with Homebrew?
Right now my setup looks like this:
In case it's relevant:
Is there any chance I should brew install or uninstall or upgrade anything? Or ...?
Support Staff 10 Posted by Luke Le on 18 Dec, 2015 10:05 AM
Hi,
that's something you could try.
Best uninstall GPG Suite using the uninstaller provided in the installer dmg.
After that, run:
brew install gpg2 gpg-agent
And then check if you can now use your smart card.
If you can, there's probably something wrong with our changes to gnupg for os x.
Our changes are pretty minor, but it's certainly worth giving it a shot.
11 Posted by n0trab on 18 Dec, 2015 04:01 PM
Uninstalled GPG Suite.
Ran brew update and brew doctor.
Ran
$ brew install gpg2 gpg-agent
No joy.
I don't understand any of the scdaemon lines. Do I have or need an scdaemon to go with the .conf file? In any case, I removed from the gpg-agent.conf file the debug line you asked me to try earlier (debug-level expert log-file ~/.gnupg/gpg-agent.log) and I also removed the scdaemon.conf file I had added earlier in this thread. It had nothing in it but the 'disable-ccid' line you gave me.
After that I'm back to:
I'm grateful you are staying with me on this. It's driving me nuts. So...Thanks again.
12 Posted by n0trab on 18 Dec, 2015 04:01 PM
Ah, just saw I could make it public, and did so.
13 Posted by n0trab on 18 Dec, 2015 05:11 PM
I have found a couple of threads around the net that look as though they might be relevant, but they are over my head technically.
Does this one on SmartCard Services have any relevance?
Based on a thread I found here, I tried pcsctest. (I still have only the brew versions of GPG2 and gpg-agent installed.)
I don't know how to interpret that, other than that OS X 10.11x sees the Gemalto token, sees that a card is inserted but can't talk to the card. Again, I know for sure the card is good because it works on OS X 10.10.
Grrrr.
14 Posted by n0trab on 18 Dec, 2015 06:11 PM
Sorry for flooding this thread but I have one more bit for comparison. Uninstalled Brew versions of gpg2 and gpg-agent, reinstalled the latest GPG Tools, and put in a Yubikey 4. I don't actually want to use that at the moment but here's what happened -- I got further with pcsctest, but then gpg said the card was "not supported." The Yubikey, too, works on OS X 10.10.
Then:
And
Support Staff 15 Posted by Luke Le on 18 Dec, 2015 06:23 PM
There's one other approach that might shed more light on the problem.
Could you please kill all gpg processes again:
After that, run the following command:
In a different Terminal window, try to run gpg --card-status again.
Send us the output of the terminal running scdaemon.
16 Posted by n0trab on 18 Dec, 2015 07:49 PM
Here you go.
Then, after I run gpg --card-status in another window (which returns the "card not present" error):
Note that this is all with the Gemalto/OpenPGP Smartcard combination.
17 Posted by n0trab on 18 Dec, 2015 09:07 PM
One more bit to throw at the wall:
Support Staff 18 Posted by Luke Le on 18 Dec, 2015 09:28 PM
Do you have any chance to test in a non-VMWare environment?
That would be great to at least eliminate one point of error.
19 Posted by n0trab on 20 Dec, 2015 10:05 PM
Not immediately but I guess I'll upgrade the host. I don't use the smartcard there anyway.
20 Posted by Rambler on 16 Feb, 2016 08:17 AM
I am apparently having the same problem:
gpg --card-status (works)
gpg2 --card-status (fails)
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error
Trying to use gpg2 so that I can transfer my 4096 keys.
I stopped Gnome from interfering with the gpg-agent.
Support Staff 21 Posted by Steve on 17 Feb, 2016 12:23 PM
Rambler, could you try using gpg2 from homebrew and see if that works?
Support Staff 22 Posted by Steve on 30 Mar, 2016 11:05 AM
Closing, since no further user feedback was received. Should your problem persist, feel free to re-open this discussion any time.
All the best, steve
Steve closed this discussion on 30 Mar, 2016 11:05 AM.