Dear all,
I'd appreciate some advice. I recently returned back from a year abroad to my trusted hardware, and it seems an upgrade of gpg in the meantime broke things.

Setup:
* OpenPGP card with S, E, A subkeys; using both gnupg and ssh with the card
* SPR532 USB card reader with pinpad

~/.bashrc (after consultation of the list archives):

  GPG_TTY=$(tty)
  gpg-connect-agent updatestartuptty /bye >/dev/null
  unset SSH_AGENT_PID
  unset SSH_ASKPASS
  export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"

Symptoms:
1) first, sign something (e.g. detached file signature): works as expected (pinentry window pops up, pin entered on keypad)
2) then, use ssh with pubkey authentication: pinentry window pops up, pin is not accepted ("wrong beep")

alternatively (after removing card, unpowering reader, plugging reader and card back in)
1) gpg --card-status finds the card and starts the agent
2) use ssh with pubkey authentication: pinentry window pops up, pin is accepted, works
3) then, sign something: pinentry window pops up, pin is not accepted ("wrong beep")

Here's an excerpt from the debug log:

  2021-03-15 19:41:01 gpg-agent[12004] starting a new PIN Entry
  2021-03-15 19:41:01 gpg-agent[12004] DBG: connection to PIN entry established
  2021-03-15 19:41:01 gpg-agent[12004] DBG: chan_11 -> END
  2021-03-15 19:41:05 gpg-agent[12004] DBG: agent_cache_housekeeping
  2021-03-15 19:41:06 gpg-agent[12004] DBG: chan_11 <- INQUIRE DISMISSPINPADPROMPT
  2021-03-15 19:41:06 gpg-agent[12004] DBG: chan_11 -> END
  2021-03-15 19:41:06 gpg-agent[12004] DBG: chan_11 <- ERR 100663351 Invalid value <SCD>
  2021-03-15 19:41:06 gpg-agent[12004] smartcard signing failed: Invalid value

Any clue what's happening?

TIA,
Andreas

-- 
Andreas K. Hüttel
[hidden email]
Gentoo Linux developer
(council, toolchain, base-system, perl, libreoffice)

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
On Tue, 16 Mar 2021 23:25, Andreas K. Huettel said:
> 3) then, sign something: pinentry window pops up, pin is not accepted ("wrong
> beep")

We need a log from the scdaemon. Put

--8<---------------cut here---------------start------------->8---
log-file /somewhere/scd.log
verbose
debug ipc,reader
--8<---------------cut here---------------end--------------->8---

into scdaemon.conf. You may also want to add

  debug-pinentry

to gpg-agent.conf. Then

  gpgconf --kill scdaemon

or

  gpgconf --kill all

Which gnupg version are you running?

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by federal law.
On Wednesday, 17 March 2021, 09:48:58 CET, Werner Koch wrote:
> On Tue, 16 Mar 2021 23:25, Andreas K. Huettel said:
> > 3) then, sign something: pinentry window pops up, pin is not accepted
> > ("wrong beep")
>
> We need a log from the scdaemon.

Here's the critical part from the scdaemon log, when signing fails in step 3:

  2021-03-17 16:15:37 scdaemon[4932] DBG: dismiss pinpad entry prompt
  2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> INQUIRE DISMISSPINPADPROMPT
  2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- END
  2021-03-17 16:15:37 scdaemon[4932] Prüfung des CHV1 fehlgeschlagen: Ungültiger Wert
  2021-03-17 16:15:37 scdaemon[4932] operation sign result: Ungültiger Wert
  2021-03-17 16:15:37 scdaemon[4932] app_sign failed: Ungültiger Wert
  2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> ERR 100663351 Ungültiger Wert <SCD>
  2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- RESTART
  2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> OK

[Not being familiar with the details, I don't know if I can post the full log here or if it contains sensitive data.]

> Which gnupg version are you running?

  huettel@kailua ~ $ gpg --version
  gpg (GnuPG) 2.2.25
  libgcrypt 1.8.6
  Copyright (C) 2020 Free Software Foundation, Inc.
  License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.

  Home: /home/huettel/.gnupg
  Unterstützte Verfahren:
  Öff. Schlüssel: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
  Verschlü.: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
             CAMELLIA128, CAMELLIA192, CAMELLIA256
  Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
  Komprimierung: nicht komprimiert, ZIP, ZLIB, BZIP2

If I do gpg signing a file first and ssh later, this is the detail when after successful signing the ssh command fails:

  2021-03-17 16:28:49 scdaemon[26257] DBG: dismiss pinpad entry prompt
  2021-03-17 16:28:49 scdaemon[26257] DBG: chan_7 -> INQUIRE DISMISSPINPADPROMPT
  2021-03-17 16:28:49 scdaemon[26257] DBG: chan_7 <- END
  2021-03-17 16:28:49 scdaemon[26257] Prüfung des CHV2 fehlgeschlagen: Ungültiger Wert
  2021-03-17 16:28:49 scdaemon[26257] operation auth result: Ungültiger Wert
  2021-03-17 16:28:49 scdaemon[26257] app_auth failed: Ungültiger Wert
  2021-03-17 16:28:49 scdaemon[26257] DBG: chan_7 -> ERR 100663351 Ungültiger Wert <SCD>
  2021-03-17 16:28:49 scdaemon[26257] DBG: chan_7 <- RESTART
  2021-03-17 16:28:49 scdaemon[26257] DBG: chan_7 -> OK

-- 
PD Dr. Andreas K. Huettel
Institute for Experimental and Applied Physics
University of Regensburg
93040 Regensburg
Germany
tel. +49 151 241 67748 (mobile)
tel. +49 941 943 1618 (office)
e-mail [hidden email]
http://www.akhuettel.de/
http://www.physik.uni-r.de/forschung/huettel/
Hi Andreas,
On Wed, 17 Mar 2021 at 16:31, Andreas K. Huettel wrote:
> On Wednesday, 17 March 2021, 09:48:58 CET, Werner Koch wrote:
> > On Tue, 16 Mar 2021 23:25, Andreas K. Huettel said:
> > > 3) then, sign something: pinentry window pops up, pin is not accepted
> > > ("wrong beep")
> >
> > We need a log from the scdaemon.
>
> Here's the critical part from the scdaemon log, when signing fails in step 3:
>
> 2021-03-17 16:15:37 scdaemon[4932] DBG: dismiss pinpad entry prompt
> 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> INQUIRE DISMISSPINPADPROMPT
> 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- END
> 2021-03-17 16:15:37 scdaemon[4932] Prüfung des CHV1 fehlgeschlagen: Ungültiger
> Wert
> 2021-03-17 16:15:37 scdaemon[4932] operation sign result: Ungültiger Wert
> 2021-03-17 16:15:37 scdaemon[4932] app_sign failed: Ungültiger Wert
> 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> ERR 100663351 Ungültiger
> Wert <SCD>
> 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- RESTART
> 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> OK

Could it be that the agent and GnuPG have grossly different versions?

  gpg-agent --version
  /usr/lib/gnupg/scdaemon --version

Regards,
   Klaus

-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen <[hidden email]>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
On Wednesday, 17 March 2021, 20:52:26 CET, Klaus Ethgen wrote:
> Hi Andreas,
>
> On Wed, 17 Mar 2021 at 16:31, Andreas K. Huettel wrote:
> > On Wednesday, 17 March 2021, 09:48:58 CET, Werner Koch wrote:
> > > On Tue, 16 Mar 2021 23:25, Andreas K. Huettel said:
> > > > 3) then, sign something: pinentry window pops up, pin is not accepted
> > > > ("wrong beep")
> > >
> > > We need a log from the scdaemon.
> >
> > Here's the critical part from the scdaemon log, when signing fails in step
> > 3:
> >
> > 2021-03-17 16:15:37 scdaemon[4932] DBG: dismiss pinpad entry prompt
> > 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> INQUIRE DISMISSPINPADPROMPT
> > 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- END
> > 2021-03-17 16:15:37 scdaemon[4932] Prüfung des CHV1 fehlgeschlagen:
> > Ungültiger Wert
> > 2021-03-17 16:15:37 scdaemon[4932] operation sign result: Ungültiger Wert
> > 2021-03-17 16:15:37 scdaemon[4932] app_sign failed: Ungültiger Wert
> > 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> ERR 100663351 Ungültiger
> > Wert <SCD>
> > 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- RESTART
> > 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> OK
>
> Could it be that the agent and GnuPG have grossly different versions?
>
> gpg-agent --version
> /usr/lib/gnupg/scdaemon --version

I'm pretty sure they didn't have different versions, sorry.
(I rebooted the machine a few minutes earlier because of a kernel update.)

  huettel@kailua ~ $ /usr/libexec/scdaemon --version
  scdaemon (GnuPG) 2.2.25
  libgcrypt 1.8.6
  libksba 1.3.5
  Copyright (C) 2020 Free Software Foundation, Inc.
  License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.

  huettel@kailua ~ $ gpg-agent --version
  gpg-agent (GnuPG) 2.2.25
  libgcrypt 1.8.6
  Copyright (C) 2020 Free Software Foundation, Inc.
  License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.

-- 
PD Dr. Andreas K. Huettel
On Wednesday, 17 March 2021, 21:07:16 CET, Andreas K. Huettel wrote:
> I'm pretty sure they didn't have different versions, sorry.
> (I rebooted the machine a few minutes earlier because of a kernel update.)

OK now it's getting very strange.

On a second PC with the same reader hardware model, the same gpg version, and the same chipcard, things work perfectly fine.

Could this be a hardware defect (i.e., reader was too long in the sun)?

-- 
PD Dr. Andreas K. Huettel
Andreas K. Huettel wrote:
> On Wednesday, 17 March 2021, 21:07:16 CET, Andreas K. Huettel wrote:
>> I'm pretty sure they didn't have different versions, sorry.
>> (I rebooted the machine a few minutes earlier because of a kernel update.)
>
> OK now it's getting very strange.
>
> On a second PC with the same reader hardware model, the same gpg version, and
> the same chipcard, things work perfectly fine.
>
> Could this be a hardware defect (i.e., reader was too long in the sun)?

Can you swap the readers between the two computers and see if the problem follows the suspected-bad reader?

-- Jacob
In reply to this post by Andreas K. Huettel-2
On 2021-03-17 at 21:16 +0100, Andreas K. Huettel wrote:
> OK now it's getting very strange.
>
> On a second PC with the same reader hardware model, the same gpg
> version, and the same chipcard, things work perfectly fine.
>
> Could this be a hardware defect (i.e., reader was too long in the
> sun)?

I don't think so. You report that the first program which uses the card (either gpg or ssh) "keeps" it, and the other is unable to (btw, would e.g. a second sign work?). This looks like the first one locks use of the card.

May gpg and ssh be launching separate scdaemon instances?

Does it help if you use --card-timeout on scdaemon config?
In reply to this post by GnuPG - User mailing list
> Can you swap the readers between the two computers and see if the
> problem follows the suspected-bad reader?

Possible as last resort, I'd rather figure this out some other way though.

-- 
PD Dr. Andreas K. Huettel
In reply to this post by Andreas K. Huettel-2
On Wed, 17 Mar 2021 16:31, Andreas K. Huettel said:
> 2021-03-17 16:15:37 scdaemon[4932] Prüfung des CHV1 fehlgeschlagen: Ungültiger

> [Not being familiar with the details, I don't know if I can post the full log
> here or if it contains sensitive data.]

At that debug level it is okay. However with a higher debug level (debug cardio) the log would show your PIN if you have used disable-pinpad. With a pinpad it won't show it, of course.

> gpg (GnuPG) 2.2.25

We fixed a reader bug in 2.2.26 which also changed how the SPR532 is accessed. See https://dev.gnupg.org/T5167 - Thus you better update to the latest version first.

If you want to debug things, put

  debug cardio
  debug-ccid-driver

into scdaemon.conf, kill and retry. You may send the log to me by PM; I would then only share it with my colleague Gniibe.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by federal law.
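An added example (not code from this thread or from GnuPG) that helps read scdaemon logs like the ones posted above: it decodes the numeric "ERR 100663351 ... <SCD>" value into its libgpg-error source and code, summarises which PIN check and operation failed and whether a pinpad prompt preceded it, and flags the scdaemon.conf combination Werner warns about (debug cardio together with disable-pinpad). The source/code names are a small subset of libgpg-error's tables as assumed here, the English "failed" wording is assumed for non-German logs, and the sample log is constructed from the thread's step-3 excerpt.

```python
import re

# libgpg-error packs the error source in the high bits and the error code in
# the low 16 bits of the number scdaemon prints after "ERR" (e.g. 100663351).
SOURCES = {2: "GPG", 4: "GPGAGENT", 5: "PINENTRY", 6: "SCD"}
CODES = {55: "INV_VALUE", 87: "BAD_PIN", 99: "OPERATION_CANCELED",
         110: "CARD_REMOVED", 112: "CARD_NOT_PRESENT", 130: "PIN_BLOCKED"}

def decode_gpg_error(err):
    """Split a gpg-error number into (source name, code name)."""
    source, code = (err >> 24) & 0x7F, err & 0xFFFF
    return SOURCES.get(source, f"SOURCE_{source}"), CODES.get(code, f"CODE_{code}")

ERR_RE = re.compile(r"\bERR (\d+)")
OP_RE = re.compile(r"operation (sign|auth|decipher) result:")
CHV_RE = re.compile(r"CHV([123])")

def triage_scd_log(text):
    """Which PIN was rejected (CHV1 guards signing, CHV2 auth/decrypt), which
    operation, the decoded error, and whether a pinpad prompt came just before."""
    out = {"chv": None, "operation": None, "error": None, "pinpad_prompt": False}
    for line in text.splitlines():
        chv = CHV_RE.search(line)
        if "DISMISSPINPADPROMPT" in line:
            out["pinpad_prompt"] = True
        elif chv and ("failed" in line or "fehlgeschlagen" in line):
            out["chv"] = "CHV" + chv.group(1)   # English or German message text
        elif (m := OP_RE.search(line)):
            out["operation"] = m.group(1)
        elif (m := ERR_RE.search(line)):
            out["error"] = decode_gpg_error(int(m.group(1)))
    return out

def pin_leak_risk(scdaemon_conf):
    """True when 'debug cardio' is combined with 'disable-pinpad': the PIN is
    then typed on the keyboard and that debug level writes it to the log."""
    opts = {}
    for raw in scdaemon_conf.splitlines():
        parts = raw.strip().split()
        if parts and not parts[0].startswith("#"):
            opts.setdefault(parts[0], []).extend(parts[1:])
    flags = {f for v in opts.get("debug", []) for f in v.split(",")}
    return "disable-pinpad" in opts and "cardio" in flags
# Constructed sample: the key lines of the thread's step-3 scdaemon excerpt.
SAMPLE_LOG = """\
2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> INQUIRE DISMISSPINPADPROMPT
2021-03-17 16:15:37 scdaemon[4932] Prüfung des CHV1 fehlgeschlagen: Ungültiger Wert
2021-03-17 16:15:37 scdaemon[4932] operation sign result: Ungültiger Wert
2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> ERR 100663351 Ungültiger Wert <SCD>
"""
```

Running triage_scd_log(SAMPLE_LOG) reports CHV1, operation sign, error ("SCD", "INV_VALUE") and a preceding pinpad prompt, matching the "Invalid value <SCD>" that gpg-agent showed in the first post.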