Yubikey stopped working after noble upgrade

Bug #2061708 reported by Mario Limonciello
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Arch Linux on Launchpad | Fix Released | Unknown | |
gnupg2 (Ubuntu) | Triaged | Undecided | Unassigned |
pcsc-lite (Ubuntu) | Invalid | Undecided | Unassigned |

Bug Description

In Ubuntu 22.04 I used my GPG key stored on a Yubikey smart card, but since upgrading to Noble I get the following when trying to access it.

$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

If I run this as root it works:

$ sudo gpg --card-status
Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240100000006090826160000
Application type .: OpenPGP
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: XXXXXXXX
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 10 0 10
Signature counter : 1172
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: <redacted>
      created ....: <redacted>
Encryption key....: <redacted>
      created ....: <redacted>
Authentication key: [none]
General key info..: [none]

If I manually run pcscd.service then it stops working both as root and a user.

$ sudo pkill -9 scdaemon
$ sudo systemctl start pcscd.service
$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
$ sudo gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

It might be worth mentioning I'm accessing the machine over SSH, so I also did experiment with a polkit rule like this:

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        subject.isInGroup("sudo")) {
        return polkit.Result.YES;
    }
});
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.isInGroup("sudo")) {
        return polkit.Result.YES;
    }
});

I added this into /etc/polkit-1/rules.d/99-pcscd.rules and then reloaded polkit.service in case this was a polkit issue, but this didn't do anything.

Versions in noble:
pcscd: 2.0.3-1build1
libpcsclite1: 2.0.3-1build1
gnupg: 2.4.4-2ubuntu17
scdaemon: 2.4.4-2ubuntu17

affects: gnupg (Ubuntu) → gnupg2 (Ubuntu)
Mario Limonciello (superm1) wrote :

I managed to get it working as a user by manually starting pcscd.service and with the following to force scdaemon to use it.

# cat ~/.gnupg/scdaemon.conf
card-timeout 5
disable-ccid

To me this seems to be a regression in behavior from 2.2.27-3ubuntu2.1 to 2.4.4-2ubuntu17.
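
The combinations seen in this report (pcscd running, with and without disable-ccid in scdaemon.conf), as an added example that is not part of the original comments: a small POSIX shell check that reports which reader path scdaemon will take. The function names and verdict strings are hypothetical, and it assumes scdaemon 2.4.x with its internal CCID driver enabled, as in the report.

```sh
#!/bin/sh
# Added example (not from the bug report). Assumption: scdaemon 2.4.x with
# its internal CCID driver, which does not fall back to pcscd on its own.

# Succeeds if the conf file has the option on an uncommented line.
# $1 = path to scdaemon.conf, $2 = option name
conf_has_option() {
    [ -r "$1" ] && grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Prints one verdict for a (scdaemon.conf, pcscd state) pair.
# $1 = path to scdaemon.conf
# $2 = pcscd state; on a live system: "$(systemctl is-active pcscd.service)"
classify_reader_access() {
    if conf_has_option "$1" disable-ccid; then
        if [ "$2" = active ]; then
            echo pcsc-ok            # the workaround: scdaemon talks to pcscd
        else
            echo pcsc-needs-pcscd   # disable-ccid set, but pcscd is not running
        fi
    else
        if [ "$2" = active ]; then
            echo ccid-conflict      # pcscd holds the reader, scdaemon wants it directly
        else
            echo ccid-direct        # direct USB access; in the report this worked only as root
        fi
    fi
}

# Constructed sample input: the scdaemon.conf from the workaround comment.
demo_conf=$(mktemp)
printf 'card-timeout 5\ndisable-ccid\n' > "$demo_conf"
echo "workaround conf, pcscd active: $(classify_reader_access "$demo_conf" active)"
echo "no conf file,    pcscd active: $(classify_reader_access /nonexistent/scdaemon.conf active)"
rm -f "$demo_conf"
```

On a real machine, call `classify_reader_access ~/.gnupg/scdaemon.conf "$(systemctl is-active pcscd.service)"` and restart scdaemon after changing the configuration.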

Mario Limonciello (superm1) wrote :

According to the upstream bug, this appears to be a new intended behavior with newer gnupg2:

https://dev.gnupg.org/T6871

Changed in pcsc-lite (Ubuntu):
status: New → Invalid
Changed in archlinux-lp:
status: Unknown → Fix Released
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gnupg2 (Ubuntu):
status: New → Confirmed
Julian Andres Klode (juliank) wrote :

I don't recommend running with pcscd, it's much more stable to run with direct access, but I do not know why it doesn't seem to work for you, it certainly does for me.

It failing with pcscd is nice, it not telling us why and how to fix it is bad UX though.

Changed in gnupg2 (Ubuntu):
status: Confirmed → Triaged
Ludovic Rousseau (ludovic-rousseau-gmail) wrote :

https://blog.apdu.fr/posts/2024/04/gnupg-and-pcsc-conflicts-episode-2/

I do not use GnuPG with a smartcard. So I don't know which configuration is more stable.
