Bugzilla – Full Text Bug Listing
| Summary: | default enabled pcscd.service prevents gnupg from detecting GPG cards | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Cosmin Tanczel <cosmin.tanczel> |
| Component: | Other | Assignee: | Wolfgang Rosenauer <wolfgang> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | Andreas.Stieger, cosmin.tanczel, pmonrealgonzalez |
| Version: | Current | ||
| Target Milestone: | Current | ||
| Hardware: | x86-64 | ||
| OS: | openSUSE Tumbleweed | ||
| Whiteboard: | |||
| Found By: | Community User | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |

Attachments:
zypper package updates on 2022-03-28
zypper package updates on 2022-03-29
strace gpg not detecting keys
strace gpg detecting keys

Description
Cosmin Tanczel
2022-03-30 13:07:55 UTC
(In reply to Cosmin Tanczel from comment #0)
> After the last update

Which update?

Hi Andreas,
There was an update on 28th of March. If needed I can later check the zypper logs.

On 28th of March I did the usual zypper dup and since then gpg doesn't detect any of the cards I have.

Created attachment 857548 [details]
zypper package updates on 2022-03-28
Not a permission issue since I got the same error when running as root.
Yubikey manager shows that there is a slot configured for openpgp

Created attachment 857550 [details]
zypper package updates on 2022-03-29
Adding the install log from the 29th, since I'm not sure which day it was that affected gpg.

Is there any workaround?? Since I am using ssh agent (with HW keys) it's quite urgent. Is there any other info needed?

I think we need you to cut down the list of packages - there is no obvious candidate. Can you please selectively upgrade some of them until you find a set or single package that causes this?

That's kind of hard to do in a short time. I'm traveling this weekend so the earliest I can do this is tomorrow night, but I am forced to temporarily use another distro just because of this :(

After the update:

    #echo scd getinfo reader_list | gpg-connect-agent --decode
    D 1050:0407:X:0
    OK
    #ykman list --serials
    *******
    #ykman --device ******* info
    Device type: YubiKey 5 Nano
    Serial number: *******
    Firmware version: 5.2.7
    Form factor: Nano (USB-A)
    Enabled USB interfaces: OTP, FIDO, CCID
    Applications
    FIDO2 Enabled
    OTP Enabled
    FIDO U2F Enabled
    OATH Enabled
    YubiHSM Auth Not available
    OpenPGP Enabled
    PIV Enabled
    #gpg --card-status
    gpg: selecting card failed: No such device
    gpg: OpenPGP card not available: No such device

Well, none of gpg2 or its dependencies were touched in your update logs. Hence me asking. Please also provide an strace of the gpg execution.

Created attachment 857725 [details]
strace gpg not detecting keys
strace gpg not detecting keys
Created attachment 857726 [details]
strace gpg detecting keys
I am also adding a strace of the gpg --card-status from another computer that was not yet updated, where it works.
Sorry but I really don't have time to debug further, but the problem seems to be related to pcscd. The workaround is to stop pcscd socket and the cards are detected:

    systemctl stop pcscd.socket

Can you please check further?

Ok, found some spare time:
It seems after the last update we enable pcscd.service by default at boot time. On the computer that was not updated and gpg works (detects the cards), the pcscd service is NOT enabled by default at boot time. So this is what was changed.

Anyways... it should also work with pcscd service enabled, but I think the service is starting with 'disable-ccid' instead of 'pcsc-shared'. And ... to be honest, I am not sure how secure it is to start with pcsc-shared, because if we start it with pcsc-shared, scdaemon gets exclusive access to the card and for it can cache some information from the card. But again... I am just a user, so I am not sure if what I said above makes any sense for you :)

Bottom line, after the last update we enable pcscd.service by default and this makes gpg not able to detect the card, so the solution was to disable this service. I think it's just a workaround since pcscd service might be used for something else, so it's not really a solution for those who really need it. But again... I am just a user, so I am not sure if what I said above makes any sense for you :)

Please let me know if I can provide any other information to get this solved. Thank you!

Can someone please check if the pcscd.service is enabled by default with the latest update? Just trying to make sure it was not a manual action that I did. Thanks,

We auto-start pcscd.socket since bug 1063983 but not pcscd.socket. Wolfgang?

Don't really understand. I just installed the OS again and this is how it is for me:

    systemctl status pcscd.service
    * pcscd.service - PC/SC Smart Card Daemon
      Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled)
      Active: inactive (dead)
      TriggeredBy: * pcscd.socket
      Docs: man:pcscd(8)

    systemctl status pcscd.socket
    * pcscd.socket - PC/SC Smart Card Daemon Activation Socket
      Loaded: loaded (/usr/lib/systemd/system/pcscd.socket; enabled; vendor preset: enabled)
      Active: active (listening) since Mon 2022-04-04 19:23:21 EEST; 14min ago
      Until: Mon 2022-04-04 19:23:21 EEST; 14min ago
      Triggers: * pcscd.service
      Listen: /run/pcscd/pcscd.comm (Stream)
      CGroup: /system.slice/pcscd.socket

So pcscd.service enabled but not active and pcscd.socket enabled AND started !
I guess you meant to say:
We auto-start pcscd.socket since bug 1063983 but not pcscd.service.
??
Thanks

That is how it was and is intended, yes. There is also nothing new about it. That is how pcsc is "enabled" in openSUSE since quite a while. If something changed it might be some application which is accessing the pcscd socket and then starts up the service for you. The behavior seems to be the best approach to run pcscd for those with corresponding card readers.

I'm also using a cyberjack reader via pcscd and at the same time an OpenPGP enabled yubikey. To make those work in parallel I had to configure ~/.gnupg/scdaemon.conf:

    disable-ccid
    pcsc-driver /usr/lib64/libpcsclite.so
    reader-port "Yubico YubiKey OTP+FIDO+CCID 00 00"

Not sure what has been fixed but it works out of the box now.
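
The thread reports one failing combination (pcscd.socket listening, no `disable-ccid` in scdaemon.conf) and two working ones (pcscd.socket stopped, or `disable-ccid` set with pcscd in use). The script below is an added example, not part of the bug report or of GnuPG, that classifies a host against those states; the function names and result labels are hypothetical.

```shell
#!/bin/sh
# Added example: classify a host against the states reported in this thread.
# Function names and result labels are hypothetical.

# conf_has_option FILE OPTION: succeeds if OPTION is set on an active line.
# A commented-out "#disable-ccid" or "# disable-ccid" does not match,
# because its first field is not the bare option name.
conf_has_option() {
    [ -f "$1" ] || return 1
    awk -v opt="$2" '$1 == opt { found = 1 } END { exit !found }' "$1"
}

# classify SOCKET_STATE CONF_FILE
# SOCKET_STATE is what `systemctl is-active pcscd.socket` prints.
classify() {
    sock=$1
    conf=$2
    if conf_has_option "$conf" disable-ccid; then
        if [ "$sock" = active ]; then
            echo "pcsc-via-pcscd"       # setup from the last comment
        else
            echo "pcsc-without-socket"  # PC/SC forced, socket not listening
        fi
    elif [ "$sock" = active ]; then
        echo "reported-failing-state"   # socket listening, no disable-ccid
    else
        echo "reported-workaround"      # pcscd.socket stopped
    fi
}

# triage_live: run the check against the current user and host.
triage_live() {
    sock=$(systemctl is-active pcscd.socket 2>/dev/null) || true
    classify "${sock:-unknown}" "${GNUPGHOME:-$HOME/.gnupg}/scdaemon.conf"
}

if [ "${1:-}" = "--live" ]; then
    triage_live
fi
```

Run with `--live` on the affected machine; `reported-failing-state` is the combination the reporter hit, for which the thread gives `systemctl stop pcscd.socket` or the `disable-ccid` configuration as ways out.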