MacGPG: Inability to use smart card reader pinpad.

Anonymous Coward

12 Feb, 2018 06:11 PM

Which of our tools is giving you problems? I have an issue with pinentry-mac. I have a smartcard and a smartcard reader with a keypad. When I try to perform an operation on the card, the PIN entered on the computer keyboard works, but the PIN entered on the smartcard reader gets ignored.

I am having an issue similar to the one at https://gpgtools.tenderapp.com/discussions/beta/1015-cannot-use-key..., except that I cannot use the reader keypad at all (whether I run gpg from the terminal or not). I have the Gemalto PC pinpad reader, which has a physical keyboard for PIN entry.

Could you consider adding support for this on GPGTools? Gemalto provides some sample PIN entry code which may be useful: http://support.gemalto.com/fileadmin/user_upload/drivers/GemPC_Pinp...

  1. 1 Posted by Anonymous Cowar... on 23 Feb, 2018 10:42 PM

    Hello,

    I have managed to resolve this issue, but fixing it globally requires some changes to GPG Tools.

    The first thing I noticed is that whilst scdaemon was using the PCSC driver for my reader on macOS, scdaemon on Linux and Windows was using the internal CCID driver. My reader pinpad works with the CCID driver, but not quite with the PCSC driver in my tests (well, certainly not in macOS Sierra). Unfortunately, it seems like the scdaemon distributed with GPG Tools doesn't have CCID support (which in turn needs libusb). Then, the other issue is that the CCID driver won't work if com.apple.ifdreader is running, which runs by default on my system.

    So, the fix was:
    1. Compile my own version of scdaemon with CCID support. This requires libusb.
    2. Ensure that com.apple.ifdreader is not running. This service can be disabled, or it can be manually stopped / killed. If the latter, reconnecting the reader restarts the service.

    Would it be possible to include CCID support in a future GPG Tools release?

  2. Support Staff 2 Posted by Steve on 22 Mar, 2018 03:23 PM

    Hi Anonymous Coward,

    welcome to the GPGTools support platform. Sorry you are having problems using GPG Suite.

    Unfortunately smart card support on macOS is pretty buggy at the moment, since gnupg doesn't use the macOS system API (which is also buggy) but its own. We have recently added ccid support to our build of GnuPG, which wasn't present in the last official release.

    Could you please download and install our latest hotfix GPG Suite and see if that solves your problem?

    All the best,
    steve

    Disclaimer: This is a development version which has not been thoroughly tested yet - bugs or crashes are to be expected. Thanks for helping us test.

  3. 3 Posted by Anonymous Cowar... on 08 May, 2018 07:24 PM

    The nightly build did indeed resolve the issue, for so long as com.apple.ifdreader remains disabled. I suppose this is the best that can be done without having GPG use the macOS API.

    Thanks!

  4. 4 Posted by Alex on 04 Jun, 2018 01:01 PM

    After uninstalling 2018.1, rebooting, and installing nightly 2189n, the device's pinpad is still unusable and pinentry-mac still allows only keyboard input.

  5. 5 Posted by Anonymous Cowar... on 04 Jun, 2018 01:10 PM

    I'm the original anonymous coward. Have you tried killing com.apple.ifdreader? You need to kill com.apple.ifdreader (after connecting your reader) and then restart gpg-agent. com.apple.ifdreader seems to prevent GPG agent from using the internal CCID driver, which in my experience is the only way to get the pinpad working.

    I disabled com.apple.ifdreader from launching at all, which solves the manual killing issue.

    A downside of disabling or killing com.apple.ifdreader is that you won't be able to use macOS native smartcard support (such as Keychain integration), so a long term solution would be to get GPG working without this step (possibly fixing GPG to support pinpad entry using the PCSC driver on macOS.)

  6. 6 Posted by Alex on 04 Jun, 2018 01:23 PM

    Killing com.apple.ifdreader works, yes. OpenSC works fine with the native drivers in macOS High Sierra, so why is GPGTools not using them on that OS version? :/

  7. Support Staff 7 Posted by Luke Le on 07 Jul, 2018 02:15 PM

    Hi Alex,

    while of course using the OpenSC or Apple's token framework might be the better option to use smart cards with OpenPGP on macOS, unfortunately that's not what GnuPG does. And it is currently out of the scope of GPG Suite to add such an implementation to GnuPG.
