tag:gpgtools.tenderapp.com,2011-11-04:/discussions/problems/50028-macgpg2-scdaemon-pcsc-open-failed-sharing-violation-0x8010000b
GPGTools: Discussion
2019-05-10T12:27:58Z
MacGPG2: scdaemon PC/SC OPEN failed: sharing violation (0x8010000b)
2016-09-07T11:32:24Z
<div><p>Hi,</p>
<p>we absolutely understand your troubles and don't like this
limitation either.<br>
It's best to bring this issue up with the gnupg developers at the
developer mailing list <a href="https://lists.gnupg.org/mailman/listinfo/gnupg-devel">https://lists.gnupg.org/mailman/listinfo/gnupg-devel</a>.
We've brought this issue up in the past, but if I remember
correctly there was no answer, and we didn't want to change this
without their go ahead.</p></div>Luke Le
2016-09-08T21:03:44Z (updated 2016-09-08T23:58:47Z)
<div><blockquote>
<p>We've brought this issue up in the past, but if I remember
correctly there was no answer, and we didn't want to change this
without their go ahead.</p>
</blockquote>
<p>I am not sure this is the right way forward, because in the past
GnuPG developers showed what I'd call a "religious attitude"
towards this and some other issues.</p>
<p>The choice is between greater security and better usability.
They opted to sacrifice usability for security. I think that the
security loss here would be minimal, while usability gains would be
significant. Neither side has performed a comprehensive security
and risk analysis, but the common sense seems to bear with my
assertions.</p>
<p>I again urge the GPGTools developers to add the ability to turn
the "non-sharing" off via config option or parameter.</p>
<p>P.S. I will bring this up with the GnuPG people, but despite the
fact that I've been on the original PGP Evaluation Team back in the
'90s I expect no progress from that end.</p></div>mouse008
2016-09-13T00:42:49Z (updated 2016-09-13T00:43:10Z)
<div><p>I've submitted a request to gnupg-devel at gnupg.org. If there
is a response - I'll post here. In the meanwhile - could you please
add a config option for scdaemon to not connect to the token in the
exclusive mode?</p>
<p>P.S. See Martin Paljak's <a href="https://lists.gnupg.org/pipermail/gnupg-devel/2011-August/026210.html">
good explanation</a> why it makes sense.</p></div>mouse008
2016-11-14T16:43:26Z
<div><p>Any response? Can you add a link to the web version of your
mailing list post?</p></div>Steve
2016-11-15T04:53:24Z
<div><p>See <a href="https://lists.gnupg.org/pipermail/gnupg-devel/2016-September/031588.html">
this thread</a> on the Gnupg-devel mailing list.</p>
<p>I think we all might be better off doing it here.</p>
<p>P.S. As I'm on Sierra now, I probably won't benefit from any
development until the Mail plugin works with the new Apple Mail
again.</p></div>mouse008
2016-11-18T19:41:42Z
<div><p>Hi mouse008,</p>
<p>we're making good progress on Sierra and hope to have a first
beta in the next few weeks, so that's something :)</p>
<p>There's been a branch on github which implemented very
experimental support for this shared access feature. I've tried it
once and it basically worked, so this could be taken as starting
point. We also do believe that this feature is crucial for properly
using a token with PGP on macOS. The workaround killing tokend and
others are simply painful.</p>
<p>Unfortunately I could only find this commit on github: <a href="https://github.com/lbschenkel/gnupg/commit/6d1728b9a0554edc948764dce079a3eaa833ee98">
https://github.com/lbschenkel/gnupg/commit/6d1728b9a0554edc948764dc...</a><br>
Hardly doubt that this is all that's necessary.</p></div>Luke Le
2016-11-23T23:54:38Z
<div><p>First - it's great to know that Sierra version is coming.</p>
<p>Second - I'm very glad that the team agrees with me that this
issue has to be resolved, and by means nicer than killing tokend.
;-)</p>
<p>The referred commit makes sense. As for whether it is sufficient
- it depends on whether the scdaemon (or gpg-agent - I keep mixing
the two, there are so many demons around :) code can check the
token status and adjust if necessary (e.g., re-login if the token's
security status was reset or another applet was selected).</p>
<p>I'd be happy to collaborate with the developers who work on this
issue.</p></div>mouse008
2016-12-01T16:19:42Z
<div><p>Unfortunately we currently don't have the resources to work on
this issue. Once GPGMail for Sierra is ready we might be able to
revisit it.</p>
<p>We have a ticket for this problem. I connected this discussion
with the existing ticket. That means, should this discussion get
closed, it will be re-opened as soon as the ticket is closed. That
way you'll stay in the loop and get notified as soon as we have
news. Feel free to open a new discussion should you run into
further problems or need assistance.</p>
<p>All the best,<br>
steve</p></div>Steve
2016-12-14T16:58:25Z
<div><blockquote>
<p>Unfortunately we currently don't have the resources to work on
this issue. Once GPGMail for Sierra is ready we might be able to
revisit it.</p>
</blockquote>
<p>Understand perfectly. I want GPGMail to run on Sierra as much!
;-)</p>
<p>Are there specific problems? If you could share them (here, or
privately) I might be able to do something about them.</p>
<blockquote>
<p>We have a ticket for this problem. I connected this discussion
with the existing ticket.</p>
</blockquote>
<p>Thank you!</p></div>mouse008
2016-12-30T21:08:30Z
<div><p>GPGMail beta 1 for 10.12 Sierra is out:</p>
<p><a href="https://gpgtools.tenderapp.com/discussions/problems/49449">https://gpgtools.tenderapp.com/discussions/problems/49449</a></p></div>Steve
2017-06-21T12:13:25Z
<div><p>Hey mouse008,</p>
<p>could you test the latest nightly from here: <a href="https://releases.gpgtools.org/nightlies/">https://releases.gpgtools.org/nightlies/</a> and let me know if that changes anything regarding the usage of S/MIME and OpenPGP with your smartcard?</p>
<p>The nightly now comes with gpg 2.1 so we'd be curious to learn if that has changed anything for the better or worse.</p>
<p>Kind regards,<br>
steve</p></div>Steve
2017-06-21T18:34:36Z
<div><p>First, I'm happy with the move to GPG-2.1. Having said that - everything else is worse now. I'm on MacOS Sierra 10.12.5. When I start Apple Mail and do S/MIME stuff with the nightly, there's no way to proceed to OpenPGP even by killing the tokend:</p>
<pre>
<code>$ gpg2 --version
gpg: keyserver option 'include-disabled' is unknown
gpg: keyserver option 'honor-http-proxy' is unknown
gpg (GnuPG/MacGPG2) 2.1.21
libgcrypt 1.7.6
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/ur20980/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
$ gpg2 --card-status
gpg: keyserver option 'include-disabled' is unknown
gpg: keyserver option 'honor-http-proxy' is unknown
gpg: selecting openpgp failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device
$</code>
</pre>
<p>When I switch to OpenPGP mode, even the checkboxes for encrypting and signing outgoing email disappear (see the attached screenshots).</p></div>mouse008
2017-06-21T18:41:00Z
<div><p>Hi,</p>
<p>for some (not necessarily obvious) reason, gpg refuses to work if unknown options are found.<br>
So you'll have to remove the following options:<br>
include-disabled<br>
honor-http-proxy</p>
<p>Once we completely switch to gnupg2.1 we'll hopefully be able to provide a smoother migration.</p></div>Luke Le
2017-06-21T18:56:43Z
<div><pre>
<code>$ gpg2 --card-status
gpg: selecting openpgp failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device
$</code>
</pre>
<p>The above is symptomatic of trying to fail on "exclusive open".</p></div>mouse008
2017-06-21T19:04:29Z (updated 2017-06-21T21:50:29Z)
<div><p>Also, with GPGTools (persistent and old bug) signed and encrypted messages (S/MIME) are shown only as Signed. When I uninstall GPGTools, Apple Mail depicts them correctly (as Signed, Encrypted, or Signed and Encrypted as appropriate). See the attached screenshots:</p></div>mouse008
2017-06-21T21:51:58Z
<div><p>Screenshots are attached here.</p></div>mouse008
2017-06-21T22:19:45Z (updated 2017-06-22T02:05:34Z)
<div><p>I re-installed 2017-b3-v2, but still unable to even access the card via GPG, let alone do OpenPGP email. It may be a Sierra thing. I'm running 10.12.5.</p>
<pre>
<code>$ cat ~/.gpg-agent-info
GPG_AGENT_INFO=/Users/ur20980/.gnupg/S.gpg-agent:4331:1
SSH_AUTH_SOCK=/Users/ur20980/.gnupg/S.gpg-agent.ssh
SSH_AGENT_PID=4331
$ . ~/.gpg-agent-info
$ gpg2 --card-status
gpg: selecting openpgp failed: Card not present
gpg: OpenPGP card not available: Card not present
$</code>
</pre>
<p><strong>Update</strong> I was too hasty. Getting home (another MacOS Sierra 10.12.5 machine), uninstalling GPGTools and installing plain gnupg-2.0 from Macports (<code>port install gnupg2 gpg-agent pinentry-mac</code>) I was able to work with the card using <code>gpg2</code> - after killing the tokend of course.</p>
<p>Problem: <code>scdaemon</code> still fails to work, as indicated by the screen output and the log messages. Screen output (look at the first line!):</p>
<pre>
<code>$ gpg2 --card-status
gpg: can't connect to the agent - trying fall back
Application ID ...: D2760001240102000006038241700000
Version ..........: 2.0
Manufacturer .....: Yubico
. . . . .
ssb> 2048R/0x43EEB185FD3F6BEE created: 2016-01-12 expires: 2019-06-11
card-no: 0006 03824170
$</code>
</pre>
<p>The log:<br></p>
<pre>
<code>. . . . .
2017-06-21 21:42:53 scdaemon[60520] pcsc_control failed: invalid parameter (0x80100004)
2017-06-21 21:42:53 scdaemon[60520] pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65538
2017-06-21 21:42:54 scdaemon[60520] updating slot 0 status: 0x0000->0x0007 (0->1)
2017-06-21 21:42:54 scdaemon[60520] sending signal 31 to client 60516
2017-06-21 21:43:11 scdaemon[60520] DBG: asking for PIN '||Please enter the PIN'
2017-06-21 21:43:16 scdaemon[60520] DBG: asking for PIN '|N|New PIN'
2017-06-21 21:44:35 scdaemon[60520] signatures created so far: 57
2017-06-21 21:44:35 scdaemon[60520] DBG: asking for PIN '||Please enter the PIN%0A[sigs done: 57]'
2017-06-21 21:46:56 scdaemon[60520] updating slot 0 status: 0x0007->0x0000 (1->2)
2017-06-21 21:46:56 scdaemon[60520] sending signal 31 to client 60516
2017-06-21 21:47:10 scdaemon[60592] PC/SC OPEN failed: sharing violation (0x8010000b)
2017-06-21 21:47:10 scdaemon[60592] PC/SC OPEN failed: sharing violation (0x8010000b)
2017-06-21 21:47:38 scdaemon[60592] PC/SC OPEN failed: sharing violation (0x8010000b)
2017-06-21 21:47:41 scdaemon[60592] PC/SC OPEN failed: sharing violation (0x8010000b)
2017-06-21 21:53:54 scdaemon[60592] pcsc_control failed: invalid parameter (0x80100004)
2017-06-21 21:53:54 scdaemon[60592] pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65538
2017-06-21 21:53:55 scdaemon[60592] updating slot 0 status: 0x0000->0x0007 (0->1)
2017-06-21 21:53:55 scdaemon[60592] sending signal 31 to client 60516</code>
</pre>
Process 60516 is <code>gpg-agent</code>:<br>
<pre>
<code>$ ifrun 60516
mouse 60516 0.0 0.0 2463360 1040 ?? Ss 9:42PM 0:00.09 gpg-agent --homedir /Users/uri/.gnupg --use-standard-socket --daemon
$</code>
</pre></div>mouse008
2017-07-10T13:23:25Z
<div><p>Hi mouse008,</p>
<p>unfortunately unless gnupg enables SHARED mode, you'll be continuing to run into issues.<br>
Following are some workarounds proposed by usb key vendor nitrokey:<br>
<a href="https://www.nitrokey.com/documentation/frequently-asked-questions#openpgp-card-not-available">https://www.nitrokey.com/documentation/frequently-asked-questions#o...</a></p>
<p>Unless tokend is moved, macOS will try to restart it, which probably causes the latest issue you're seeing.</p>
<p>Apparently they were quite successful patching gnupg itself, and according to them the single line change we've seen in one of my previous posts (git commit link) suffices.<br>
<a href="https://www.nitrokey.com/documentation/frequently-asked-questions#how-to-make-gnupg-release-exclusive-smartcard-access">https://www.nitrokey.com/documentation/frequently-asked-questions#h...</a></p>
<p>We've filed a ticket with gnupg and hope this will be addressed and this now lives in the GnuPG bug tracker as <a href="https://dev.gnupg.org/T3267">#3267</a>. Should you consider patching gnupg itself, it would be interesting if you could report back your experience with using gnupg in PCSC_SHARED mode.</p>
<p>All the best,<br>
steve</p></div>Steve
2017-07-11T14:11:21Z
<div><p>Hi mouse008,</p>
<p>this issue has been fixed. It would be helpful if you could test the fix. Please download our <a href="https://releases.gpgtools.org/nightlies/">latest nightly GPG Suite</a>. That page also has sig and SHA1 to verify the download. Build 1932n and later have the fix.</p>
<p>Then add the line "shared-access" to ~/.gnupg/scdaemon.conf</p>
<p>Looking forward to your feedback.</p>
<p>Best, steve</p>
<p>Disclaimer: This is a development version which has not been thoroughly tested yet, so bugs or crashes are to be expected. Thanks for helping us test this fix.</p></div>Steve
2017-07-11T19:27:11Z
<div><p>I've installed the 1932n. Inconclusive yet - but very promising.</p>
<p>I will do more tests when I'm back - and report. Again, so far it
looks far-far better than before.</p></div>mouse008
2017-07-12T09:31:02Z
<div><p>Great, just let us know when you get around to testing this a bit more.</p></div>Steve
2017-07-13T02:38:30Z
<div><p>Hmm... I've just installed the current (1934n) suite on my "main" Sierra 10.12.5 machine. And observe with surprise that it fails to work, in a weird way:</p>
<pre>
<code>$ gpg --version
gpg (GnuPG/MacGPG2) 2.1.21
libgcrypt 1.7.8
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/uri/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
$ gpg --card-status
gpg: error getting version from 'scdaemon': No SmartCard daemon
gpg: OpenPGP card not available: No SmartCard daemon
$</code>
</pre>
<p>Here's <code>gpg-agent.conf</code>:<br></p>
<pre>
<code>pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
#pinentry-program /opt/local/bin/pinentry-mac.app/Contents/MacOS/pinentry-mac
#pinentry-program /Applications/MacPorts/pinentry-mac.app/Contents/MacOS/pinentry-mac
scdaemon-program /usr/local/MacGPG2/libexec/scdaemon
#scdaemon-program /opt/local/libexec/scdaemon
default-cache-ttl 600
max-cache-ttl 7200
#use-standard-socket
enable-ssh-support
write-env-file</code>
</pre>
<p>Attaching <code>gpg-home-fixer.log</code>.</p></div>mouse008
2017-07-13T02:41:20Z (updated 2017-07-13T03:10:41Z)
<div><p>More in the same key:</p>
<pre>
<code>$ /usr/local/MacGPG2/libexec/scdaemon --daemon
SCDAEMON_INFO=/Users/uri/.gnupg/S.scdaemon:20560:1; export SCDAEMON_INFO;
$ ifrun scdaemon
uri 20560 0.0 0.0 2443612 460 ?? Ss 10:39PM 0:00.00 /usr/local/MacGPG2/libexec/scdaemon --daemon
$ gpg --card-status
gpg: error getting version from 'scdaemon': No SmartCard daemon
gpg: OpenPGP card not available: No SmartCard daemon
$ ifrun gpg-agent
uri 19543 0.0 0.0 2443632 1084 ?? S 10:24PM 0:00.01 /bin/bash /usr/local/MacGPG2/libexec/shutdown-gpg-agent
uri 19537 0.0 0.0 2471616 976 ?? Ss 10:24PM 0:00.11 /usr/local/MacGPG2/bin/gpg-agent --daemon
$</code>
</pre>
<p>Then I killed everything gpg-related, and tried again. Surprisingly, seemed to get success. The following is very encouraging:<br></p>
<pre>
<code>$ gpg --card-status

Reader ...........: Yubico Yubikey NEO OTP U2F CCID
Application ID ...: D2760001240102000006038241700000
Version ..........: 2.0
Manufacturer .....: Yubico
. . . . .
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: 7ACC 2166 010F CD10 AAB7 5465 6C34 A497 41E9 0902
created ....: 2016-01-04 00:58:53
Encryption key....: 2080 5D50 EC69 217C 2E7A B789 D3C7 9381 E5A4 FF45
created ....: 2010-07-29 23:37:37
Authentication key: FE2A C36E CFF7 4903 48DD 6F4E 43EE B185 FD3F 6BEE
created ....: 2016-01-12 00:23:14
General key info..: sub rsa2048/0x6C34A49741E90902 2016-01-04 Uri Blumenthal (MIT) <uri@mit.edu>
sec rsa2048/0x9BAD9629C89BF6E5 created: 2010-07-29 expires: 2019-06-10
ssb> rsa2048/0xD3C79381E5A4FF45 created: 2010-07-29 expires: 2019-06-11
card-no: 0006 03824170
ssb> rsa2048/0x6C34A49741E90902 created: 2016-01-04 expires: 2019-06-11
card-no: 0006 03824170
ssb> rsa2048/0x43EEB185FD3F6BEE created: 2016-01-12 expires: 2019-06-11
card-no: 0006 03824170
$ pkcs15-tool -r 01
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID
-----BEGIN CERTIFICATE-----
MIIDoDCCAgigAwIBAgIEV6nftjANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDDA9G
b3Jlc3QgQ0EgUlNBIDQwHhcNMTYwODA5MTM1MjA5WhcNMTkwODA5MTM1MjA5WjAY
MRYwFAYDVQQDDA1VcmkgdGhlIEdyZWF0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAnXiivwb9IBkbFPH2er4bAbGf5++CZNbhPX2U6YZXgvfcJNap40xR
. . . . .
FdIJBNU3dH0aC0TLoNi2JbQCICUFDUHTMDAsfbz9m+irN83YjxJar+qHelgNWT2S
9Y28jZ75DybSf4H2Og4iwAaj37I=
-----END CERTIFICATE-----</code>
</pre>
<p>Retry and Signature counters are displayed as zero - this looks rather bad. I suspect it has something to do with the GPG-2.0 vs GPG-2.1 incompatibility - but what can I do with keys on a hardware token? Help is welcome! ;-)</p>
<p>This is my <code>~/.gnupg/scd-event</code> file:<br></p>
<pre>
<code>#!/bin/sh
state=$8
if [ "$state" = "NOCARD" ]; then
pkill -9 scdaemon
fi</code>
</pre>
<p><strong>Update</strong> Trying to OpenPGP-sign outgoing email showed that this GPG cannot work with the keys currently on my token - see the attached screenshot in the next comment. Help...?</p></div>mouse008
2017-07-13T03:50:56Z
<div><p>After more experiments, the card now reacts differently to <code>gpg --card-status</code>:</p>
<pre>
<code>. . . . .
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 5 5 5
Signature counter : 58
. . . . .</code>
</pre>
<p>It seems to switch fairly smoothly from S/MIME to OpenPGP. I tested only signing outgoing email.</p>
<p>It does not switch smoothly from OpenPGP to S/MIME: you have to re-insert the token, often repeating this process two or more times.</p>
<p>It is still better than having to not only re-insert the token, but kill some running software.</p>
<p>The likely cause of this lack of smooth switch back to S/MIME is that (as Doug Engert thinks) the PIV applet on the token is not selected again. So when the time comes for a PIV operation - the token still has OpenPGP applet selected from the previous run...</p></div>mouse008
2017-07-14T06:09:47Z (updated 2017-07-14T12:12:06Z)
<div><p><strong>Update 2</strong></p>
<p>With Yubikey tokens I found a workaround for the appropriate applet selection:</p>
<ul>
<li>Switching from S/MIME emails to OpenPGP emails - usually one needs to do nothing, just use OpenPGP mode. But if automatic switch hasn't happened - typing in a Terminal window <code>gpg --card-status</code> should do the job.</li>
<li>Switching from OpenPGP back to S/MIME often (always so far?) does not happen automatically. To manually switch the Yubikey token from OpenPGP applet to PIV applet, just type in the terminal window <code>yubico-piv-tool -a status</code>. That's enough to bring the token back to PIV mode.</li>
</ul>
<p>I've tested the above with Yubikey NEO and Apple Mail. It allowed me to send an OpenPGP-signed email, then send an S/MIME-signed email. Without killing or restarting anything, without having to remove and re-insert the token. Very smooth.</p>
<p>Two problems with this workaround:<br>
1. It works only for Yubikey tokens - I don't know how (or using what tool) to force a multi-applet token to select its PIV applet. <em>On the other hand, I</em> <strong>don't know</strong> <em>of any multi-applet token other than Yubikey</em>.<br>
2. It's much-much better than whatever I had to use before - but it still requires "manual" intervention. Ideally, it all should happen transparently, so the user isn't even aware of the active applet selection on the token.</p>
<p>Still, what we have now is a very significant progress, and a reasonably good solution. Having to type a CLI command (aka manually selecting active applet on a multi-applet token) isn't too bad. As I said, it's incomparably better than what we had before - searching through the running processes, killing some of them, re-inserting the token, and doing it all in certain sequence (because doing these right steps in a wrong order won't work)...</p>
<p><strong>Update 3</strong> To make sure it's clear: we're talking about 1934n build. Hopefully the following builds would be even better! ;-)</p></div>mouse008
2017-07-17T10:12:51Z
<div><p>Hi mouse008,</p>
<p>thanks for taking the time to thoroughly test this. Good to hear that this is now somewhat usable. While this is not ideal, it probably is good enough for now. So you may probably not see further patches in this area for a while.</p>
<p>All the best,<br>
steve</p></div>Steve
2017-07-17T20:06:59Z (updated 2017-07-17T20:07:52Z)
<div><p>Thank you! Yes, it's certainly good enough for now - though I'd love to encourage you to keep improving it! ;-)</p>
<p>I'm using it now.</p>
<p>P.S. I'm not holding my breath - but might it be possible to convince the upstream folks to incorporate your patch?</p></div>mouse008
2017-07-17T20:29:04Z
<div><p>No, we filed a ticket, which was closed as wontfix: <a href="https://dev.gnupg.org/T3267">https://dev.gnupg.org/T3267</a></p></div>Steve
2017-07-17T20:48:42Z
<div><p>:-)</p>
<p>I requested them to re-consider. Let's see. But as long as GPGTools can do the right thing, I guess it's not too big a deal. ;-)</p></div>mouse008
2017-07-18T21:30:12Z (updated 2017-07-18T21:30:54Z)
<div><p>@steve, would you be able to provide the patch for scdaemon (I assume that's the only component that had to be changed)? One of my colleagues may want to use it with the gpg setup on Linux (they use Yubikeys for PIV-based SSH and VPN, but sign email using OpenPGP).</p>
<p>Thanks!</p>
<p>P.S. And of course, please feel free to close this discussion again, as your solution works.</p></div>mouse008
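<p>Added example, not part of the thread and not GPGTools code: a shell version of the two configuration changes described above, dropping the <code>include-disabled</code> and <code>honor-http-proxy</code> keyserver options that gpg 2.1.21 reports as unknown, and adding <code>shared-access</code> to <code>scdaemon.conf</code>. It assumes the legacy options sit on <code>keyserver-options</code> lines in <code>gpg.conf</code> and that the installed scdaemon is a GPGTools build that accepts <code>shared-access</code> (1932n or later per the thread); the function names are hypothetical.</p>

```sh
#!/bin/sh
# Added example (not GPGTools code). Function names are hypothetical.

# Remove the keyserver options the thread says gpg 2.1 no longer knows.
# Assumption: they appear on "keyserver-options" lines of gpg.conf,
# separated by spaces or commas. Other options on the line are kept.
gpg_strip_legacy_keyserver_opts() {
    conf=$1
    tmp="$conf.tmp.$$"
    awk '
    /^[ \t]*keyserver-options([ \t]|$)/ {
        rest = $0
        sub(/^[ \t]*keyserver-options[ \t]*/, "", rest)
        n = split(rest, tok, /[ \t,]+/)
        kept = ""
        for (i = 1; i <= n; i++) {
            if (tok[i] == "" || tok[i] == "include-disabled" ||
                tok[i] == "honor-http-proxy")
                continue
            sep = (kept == "") ? "" : " "
            kept = kept sep tok[i]
        }
        # A line left with no options is dropped entirely.
        if (kept != "") print "keyserver-options " kept
        next
    }
    { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Add "shared-access" to scdaemon.conf unless an active (uncommented)
# line already sets it. Safe to run repeatedly.
# Assumption: scdaemon is a GPGTools build that accepts this option.
scd_enable_shared_access() {
    conf=$1
    [ -e "$conf" ] || (umask 077; : > "$conf")
    if grep -Eq '^[[:space:]]*shared-access[[:space:]]*$' "$conf"; then
        return 0
    fi
    # Do not glue the option onto an unterminated last line.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        printf '\n' >> "$conf"
    fi
    printf 'shared-access\n' >> "$conf"
}

# Demo on constructed files in a scratch directory, not on ~/.gnupg.
demo_dir=$(mktemp -d)
cat > "$demo_dir/gpg.conf" <<'EOF'
keyserver hkps://keys.example.org
keyserver-options include-disabled,auto-key-retrieve honor-http-proxy
keyserver-options honor-http-proxy
EOF
printf '#shared-access' > "$demo_dir/scdaemon.conf"
gpg_strip_legacy_keyserver_opts "$demo_dir/gpg.conf"
scd_enable_shared_access "$demo_dir/scdaemon.conf"
cat "$demo_dir/gpg.conf" "$demo_dir/scdaemon.conf"
rm -rf "$demo_dir"
```

<p>Restart scdaemon and gpg-agent after the change so the new configuration is read.</p>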
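<p>Added example, not part of the thread: a shell function that summarises, per scdaemon process, how often <code>PC/SC OPEN failed: sharing violation (0x8010000b)</code> appears in an scdaemon log and whether that process later got the card. It assumes the log line layout shown in the thread; the sample lines are constructed after that log, and the function names are hypothetical.</p>

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print one line per scdaemon PID that hit the exclusive-open failure:
#   pid=<pid> violations=<n> first=<ts> last=<ts> acquired=<ts|never>
# "acquired" is the first later "updating slot N status: 0x0000->0x0007"
# line from the same PID, i.e. the point where it finally got the card.
# Assumed line layout: "YYYY-MM-DD HH:MM:SS scdaemon[PID] message".
pcsc_share_report() {
    awk '
    $3 !~ /^scdaemon\[[0-9]+\]$/ { next }
    {
        ts = $1 "T" $2
        pid = $3
        gsub(/[^0-9]/, "", pid)
    }
    /PC\/SC OPEN failed: sharing violation \(0x8010000b\)/ {
        if (!(pid in count)) { order[++npids] = pid; first[pid] = ts }
        count[pid]++
        last[pid] = ts
        next
    }
    /updating slot [0-9]+ status: 0x0000->0x0007/ {
        if ((pid in count) && !(pid in acquired)) acquired[pid] = ts
    }
    END {
        for (i = 1; i <= npids; i++) {
            p = order[i]
            got = (p in acquired) ? acquired[p] : "never"
            printf "pid=%s violations=%d first=%s last=%s acquired=%s\n",
                   p, count[p], first[p], last[p], got
        }
    }' "$1"
}

# Constructed sample, modelled on the log lines posted in the thread.
# The last line is made up to show a process that never got the card.
sample_scdaemon_log() {
    cat <<'EOF'
2017-06-21 21:46:56 scdaemon[60520] updating slot 0 status: 0x0007->0x0000 (1->2)
2017-06-21 21:47:10 scdaemon[60592] PC/SC OPEN failed: sharing violation (0x8010000b)
2017-06-21 21:47:10 scdaemon[60592] PC/SC OPEN failed: sharing violation (0x8010000b)
2017-06-21 21:47:38 scdaemon[60592] PC/SC OPEN failed: sharing violation (0x8010000b)
2017-06-21 21:47:41 scdaemon[60592] PC/SC OPEN failed: sharing violation (0x8010000b)
2017-06-21 21:53:54 scdaemon[60592] pcsc_control failed: invalid parameter (0x80100004)
2017-06-21 21:53:55 scdaemon[60592] updating slot 0 status: 0x0000->0x0007 (0->1)
2017-06-21 22:10:02 scdaemon[60700] PC/SC OPEN failed: sharing violation (0x8010000b)
EOF
}

demo_log=$(mktemp)
sample_scdaemon_log > "$demo_log"
pcsc_share_report "$demo_log"
rm -f "$demo_log"
```

<p>A wide gap between <code>first</code> and <code>acquired</code>, or <code>acquired=never</code>, marks the window in which another PC/SC client held the card while scdaemon asked for exclusive access.</p>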