support OpenPGP smartcards
{{toc}}
Plans
Fixed by using the regular GnuPG agent to workaround a Seahorse bug: (GNOME bug #530439.
done in 0.17.
Done
- Get recent ccid / pcscd into Tails (it helps supporting some devices, see bellow) — this is feature/OpenPGP-SmartCard: done (merged into devel, pending for Tails 0.15)
- Publish a test ISO — this should be 0.15~rc1 done
- test with supposedly-fixed hardware
Tests
Test 0
I tested an OpenPGP smart card reader and card. It turned out that it worked for me on Tails 0.13~rc1 without any additional package installed but only when executing gnupg as root. It seems there is a permission issue, as discussed on tails-dev (see below).
This is despite the fact that the amnesia
user actually has proper
access (despite the ACL set thanks to
/lib/udev/rules.d/60-gnupg.rules
, that is shipped by
gnupg to the USB device:
$ lsusb | grep SCM
Bus 002 Device 004: ID 04e6:5115 SCM Microsystems, Inc. SCR335 SmartCard Reader
$ getfacl -a /dev/bus/usb/002/004
# file: dev/bus/usb/002/004
# owner: root
# group: root
user::rw-
user:amnesia:rw-
It looks like the problem is related to Seahorse: commenting use-agent
in ~/gnupg/gpg.conf
will enable GnuPG to use the card without extra
permissions. One can also call the following:
GPG_AGENT_INFO= gpg --card-status
This is tracked as https://bugzilla.gnome.org/show_bug.cgi?id=530439, no progress since 2008.
Tester: alan@boum.org
Hardware: USB 04e6:5115 SCM Microsystems, Inc. SCR335 SmartCard Reader
Test 1
hardware
$ lsusb | grep GemPC
Bus 005 Device 003: ID 08e6:3438 Gemplus GemPC Key SmartCard Reader
$ getfacl -a /dev/bus/usb/005/003
getfacl: Removing leading '/' from absolute path names
# file: dev/bus/usb/005/003
# owner: root
# group: root
user::rw-
group::rw-
other::r--
gpg --card-status:
gpg: detected reader `Gemalto GemPC Key 00 00'
Application ID ...: D2760001240102000005000014DA0000
Version ..........: 2.0
Manufacturer .....: ZeitControl
That reader does not get any ACL set by either the GnuPG ruleset, nor by the libccid one.
All needed software is now shipped in Tails 0.15-rc1.
Testers: Patrick Bx patrickbx@gmail.com
tests
The user credentials issues are discussed on tails-dev: CALSDXiB1VWcEQ-BxJzXF95_mPg_UyHL6b83wXCGQz-a2hMvAYA@mail.gmail.com
with pcscd installed
- can’t use the card as a non-root user
- can use the card as a non-root user who is a member of the
pcscd
group - can use the card as root
without pcscd, without gnupg-pkcs11-scd
-
can’t use the card as a non-root user
-
can’t use the card as a non-root user who is a member of the
pcscd
group; this hangs and must be killed by hand:$ gpg —card-status gpg: detected reader `Gemalto USB Shell Token V2 00 00’
-
can’t use the card as root
gpg2
-
non-root user:
$ gpg2 —card-status gpg: OpenPGP card not available: No SmartCard daemon
-
root user:
$ sudo gpg2 —card-status [sudo] password for amnesia: can’t connect to
/root/.gnupg/S.gpg-agent': No such file or directory gpg-agent[8175]: can't connect server:
ERR 67109133 can’t exec `/usr/bin/scdaemon’: No such file or directory’ gpg-agent[8175]: can’t connect to the SCdaemon: IPC connect call failed gpg: OpenPGP card not available: No SmartCard daemon
without pcscd, with gnupg-pkcs11-scd
adding a line containing:
scdaemon-program /usr/bin/gnupg-pkcs11-scd
to
~/.gnupg/gpg-agent.conf
=> does not help, but perhaps it was not setup correctly.
Testers: Patrick Bx patrickbx@gmail.com
Test 3
On Debian Wheezy, using systemd
, same hardware as Patrick Bx’s
(Gemalto USB shell token v2).
Works:
# apt-get install pcscd scdaemon
$ GPG_AGENT_INFO= gpg --card-status
pcscd
is automatically started thanks to socket-based
activation,
and exits after a bit of idle time.
Test 4
On Tails 0.15, same hardware as Patrick Bx’s (Gemalto USB shell token v2).
Works:
$ GPG_AGENT_INFO= gpg --card-status
Does not work:
$ gpg --card-status
gpg: selecting openpgp failed: unknown command
gpg: OpenPGP card not available: general error
So, apparently the only blocking issue is the Seahorse bug.
Resources
- OpenPGP card
- Smartcards/OpenPGP
- corsac’s howto for the OpenPGP smartcard v2 plugged into a Gemalto PC ExpressCard reader, on Debian, with gnupg2, pcscd and scdaemon
- Liberte Linux’ implementation: ccid, pcsc-lite, GnuPG built without
libusb support, and
gnupg-pkcs11-scd
used as ascdaemon-program
(available, commented-out in the defaultgpg-agent.conf
); see commit f29ce64272 in their Git. Their reason for disabling CCID over libusb ("supporting direct CCID interface via libusb makes no sense, since the devices are accessible only to "pcscd" daemon") may not apply in the Debian and Tails case, since the packages take care to give access to devices to theamnesia
user, using an ACL. - pcscd auto start on Ludovic Rousseau blog
- Installation of Card Reader in GnuPG’s documentation
Original created by @tails on 5931 (Redmine)