support OpenPGP smartcards
Fixed by "using the regular GnuPG agent":./regular_GnuPG_agent.html to workaround a Seahorse bug: (GNOME bug #530439).
done in 0.17.
- Get recent ccid / pcscd into Tails (it helps supporting some devices, see bellow) -- this is feature/OpenPGP-SmartCard: done (merged into devel, pending for Tails 0.15)
- Publish a test ISO -- this should be 0.15~rc1 done
- test with supposedly-fixed hardware
I tested an OpenPGP smart card reader and card. It turned out that it worked for me on Tails 0.13~rc1 without any additional package installed but only when executing gnupg as root. It seems there is a permission issue, as discussed on tails-dev (see below).
This is despite the fact that the
amnesia user actually has proper access (despite the ACL set thanks to
/lib/udev/rules.d/60-gnupg.rules, that is shipped by gnupg) to the USB device:
Bus 002 Device 004: ID 04e6:5115 SCM Microsystems, Inc. SCR335 SmartCard Reader
$ getfacl -a /dev/bus/usb/002/004
- file: dev/bus/usb/002/004
- owner: root
- group: root
It looks like the problem is related to Seahorse: commenting
~/gnupg/gpg.conf will enable GnuPG to use the card without extra permissions. One can also call the following:
bc. GPG_AGENT_INFO= gpg --card-status
This is tracked as https://bugzilla.gnome.org/show_bug.cgi?id=530439, no progress since 2008.
Hardware: USB 04e6:5115 SCM Microsystems, Inc. SCR335 SmartCard Reader
$ lsusb | grep GemPC Bus 005 Device 003: ID 08e6:3438 Gemplus GemPC Key SmartCard Reader $ getfacl -a /dev/bus/usb/005/003 getfacl: Removing leading '/' from absolute path names # file: dev/bus/usb/005/003 # owner: root # group: root user::rw- group::rw- other::r-- gpg --card-status: gpg: detected reader `Gemalto GemPC Key 00 00' Application ID ...: D2760001240102000005000014DA0000 Version ..........: 2.0 Manufacturer .....: ZeitControl
That reader does not get any ACL set by either the GnuPG ruleset, nor by the libccid one.
All needed software is now shipped in Tails 0.15-rc1.
Testers: Patrick Bx email@example.com
The user credentials issues are discussed on tails-dev: CALSDXiB1VWcEQ-BxJzXF95_mPg_UyHL6b83wXCGQz-a2hMvAYA@mail.gmail.com
with pcscd installed¶
- can't use the card as a non-root user
- can use the card as a non-root user who is a member of the
- can use the card as root
without pcscd, without gnupg-pkcs11-scd¶
<li>can't use the card as a non-root user</li>
<li><p>can't use the card as a non-root user who is a member of the
pcscd group; this hangs and must be killed by hand:</p>
<p>$ gpg --card-status gpg: detected reader `Gemalto USB Shell Token V2 00 00'</p></li>
<li><p>can't use the card as root</p></li>
<p>$ gpg2 --card-status gpg: OpenPGP card not available: No SmartCard daemon</p></li>
<p>$ sudo gpg2 --card-status [sudo] password for amnesia: can't connect to @/root/.gnupg/S.gpg-agent': No such file or directory gpg-agent8175: can't connect server:@ERR 67109133 can't exec `/usr/bin/scdaemon': No such file or directory' gpg-agent8175: can't connect to the SCdaemon: IPC connect call failed gpg: OpenPGP card not available: No SmartCard daemon</p></li>
without pcscd, with gnupg-pkcs11-scd¶
adding a line containing:
scdaemon-program /usr/bin/gnupg-pkcs11-scd to
=> does not help, but perhaps it was not setup correctly.
Testers: Patrick Bx firstname.lastname@example.org
On Debian Wheezy, using
systemd, same hardware as Patrick Bx's (Gemalto USB shell token v2).
bc. # apt-get install pcscd scdaemon
$ GPG_AGENT_INFO= gpg --card-status
pcscd is automatically started thanks to socket-based activation, and exits after a bit of idle time.
On Tails 0.15, same hardware as Patrick Bx's (Gemalto USB shell token v2).
bc. $ GPG_AGENT_INFO= gpg --card-status
Does not work:
bc. $ gpg --card-status
gpg: selecting openpgp failed: unknown command
gpg: OpenPGP card not available: general error
So, apparently the only blocking issue is the Seahorse bug.
- OpenPGP card
- corsac's howto for the OpenPGP smartcard v2 plugged into a Gemalto PC ExpressCard reader, on Debian, with gnupg2, pcscd and scdaemon
- Liberte Linux' implementation: ccid, pcsc-lite, GnuPG built without libusb support, and
gnupg-pkcs11-scdused as a
scdaemon-program(available, commented-out in the default
gpg-agent.conf); see commit f29ce64272 in their Git. Their reason for disabling CCID over libusb ("supporting direct CCID interface via libusb makes no sense, since the devices are accessible only to "pcscd" daemon") may not apply in the Debian and Tails case, since the packages take care to give access to devices to the
amnesiauser, using an ACL.
- pcscd auto start on Ludovic Rousseau blog
- Installation of Card Reader in GnuPG's documentation