1. Forum
  2. Usenet
  3. LINUX.DEBIAN.DEVEL

  • Re: Unable to access to Yubikey after recent GPG changes

    From Chris Hofstaedtler@21:1/5 to All on Sat May 10 22:50:01 2025
    * Yadd <yadd@debian.org> [250510 22:39]:
    I can no more use my Yubikey with GPG aftre recent changes. I followed >https://wiki.debian.org/Smartcards/OpenPGP instructions but nothing >succeeded.
    I'm running a Debian testing.

    Did someone find a solution ?

    People on IRC said this yubikey support article helped them:

    https://support.yubico.com/hc/en-us/articles/4819584884124-Resolving-GPG-s-CCID-conflicts

    Chris

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Yadd@21:1/5 to All on Sat May 10 22:40:02 2025
    Hi,

    I can no more use my Yubikey with GPG aftre recent changes. I followed https://wiki.debian.org/Smartcards/OpenPGP instructions but nothing
    succeeded.
    I'm running a Debian testing.

    Did someone find a solution ?

    $ pcsc_scan
    PC/SC device scanner
    V 1.7.3 (c) 2001-2024, Ludovic Rousseau <ludovic.rousseau@free.fr>
    Using reader plug'n play mechanism
    Scanning present readers...
    0: Yubico YubiKey OTP+FIDO+CCID 00 00

    Sat May 10 22:33:51 2025
    Reader 0: Yubico YubiKey OTP+FIDO+CCID 00 00
    Event number: 0
    Card state: Card inserted, Shared Mode,
    ATR: 3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4

    ATR: 3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4
    + TS = 3B --> Direct Convention
    + T0 = F8, Y(1): 1111, K: 8 (historical bytes)
    TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU
    43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s
    TB(1) = 00 --> VPP is not electrically connected
    TC(1) = 00 --> Extra guard time: 0
    TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
    -----
    TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1
    -----
    TA(3) = FE --> IFSC: 254
    TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5
    + Historical bytes: 59 75 62 69 6B 65 79 34
    Category indicator byte: 59 (proprietary format)
    + TCK = D4 (correct checksum)

    Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
    3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4
    Yubico Yubikey 4 OTP+CCID

    [then process is blocked, waiting a long time]
    SCardGetStatusChange: RPC transport error.

    $ sudo killall scdaemon; sudo killall gnome-keyring-daemon
    $ gpg --card-edit

    gpg: selecting card failed: No such device
    gpg: OpenPGP card not available: No such device

    gpg/card>

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Yadd@21:1/5 to Yadd on Sat May 10 22:50:02 2025
    Found: echo 'disable-ccid' >> ~/.gnupg/scdaemon.conf

    An entry in /usr/share/doc/gnupg/README.Debian could help here

    On 5/10/25 22:39, Yadd wrote:
    Hi,

    I can no more use my Yubikey with GPG aftre recent changes. I followed https://wiki.debian.org/Smartcards/OpenPGP instructions but nothing succeeded.
    I'm running a Debian testing.

    Did someone find a solution ?

    $ pcsc_scan
    PC/SC device scanner
    V 1.7.3 (c) 2001-2024, Ludovic Rousseau <ludovic.rousseau@free.fr>
    Using reader plug'n play mechanism
    Scanning present readers...
    0: Yubico YubiKey OTP+FIDO+CCID 00 00

    Sat May 10 22:33:51 2025
     Reader 0: Yubico YubiKey OTP+FIDO+CCID 00 00
      Event number: 0
      Card state: Card inserted, Shared Mode,
      ATR: 3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4

    ATR: 3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4
    + TS = 3B --> Direct Convention
    + T0 = F8, Y(1): 1111, K: 8 (historical bytes)
      TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU
        43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s
      TB(1) = 00 --> VPP is not electrically connected
      TC(1) = 00 --> Extra guard time: 0
      TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
    -----
      TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1
    -----
      TA(3) = FE --> IFSC: 254
      TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5
    + Historical bytes: 59 75 62 69 6B 65 79 34
      Category indicator byte: 59 (proprietary format)
    + TCK = D4 (correct checksum)

    Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
    3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4
            Yubico Yubikey 4 OTP+CCID

    [then process is blocked, waiting a long time]
     SCardGetStatusChange: RPC transport error.

    $ sudo killall scdaemon; sudo killall gnome-keyring-daemon
    $ gpg --card-edit

    gpg: selecting card failed: No such device
    gpg: OpenPGP card not available: No such device

    gpg/card>


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrew Bower@21:1/5 to Yadd on Sat May 10 23:30:01 2025
    On Sat, May 10, 2025 at 10:47:51PM +0200, Yadd wrote:
    Found: echo 'disable-ccid' >> ~/.gnupg/scdaemon.conf

    An entry in /usr/share/doc/gnupg/README.Debian could help here

    There's an entry in /usr/share/doc/gnupg/NEWS.Debian.gz documenting
    this, which should show up on upgrades:

    gnupg2 (2.4.7-15) unstable; urgency=medium

    GnuPG 2.4 will not automatically fallback to the PC/SC driver for smartcard
    access if direct access fails. Users using pcscd for hardware access will
    need to explicitly disable the gnupg CCID driver. See --disable-ccid in
    scdaemon.1 and #1102717

    -- Andreas Metzler <ametzler@debian.org> Sun, 13 Apr 2025 13:50:29 +0200

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Philipp Huebner@21:1/5 to All on Mon Jun 23 12:30:01 2025
    Hi,

    Am Samstag, dem 10.05.2025 um 22:39 +0200 schrieb Yadd:
    Hi,

    I can no more use my Yubikey with GPG aftre recent changes. I
    followed
    https://wiki.debian.org/Smartcards/OpenPGP instructions but nothing succeeded.
    I'm running a Debian testing.

    Did someone find a solution ?

    Yes I did: sudo apt purge pcscd

    Turns out you do not need pcscd to use the Yubikey's PGP applet.
    On the contrary: I now have way less hassle/issues and it works like a
    charm all the time.

    Colleagues had to delete their ~/.gnupg/scdaemon.conf though for this
    to work (I did not have that file on my systems).

    Best wishes
    --
    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ Philipp Huebner <debalance@debian.org>
    ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: 671925C5B8CDE74A52253DF9E5CA8C4925E4205F
    ⠈⠳⣄

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Philipp Kern@21:1/5 to Philipp Huebner on Mon Jun 23 14:40:01 2025
    On 2025-06-23 12:20, Philipp Huebner wrote:
    Am Samstag, dem 10.05.2025 um 22:39 +0200 schrieb Yadd:
    Hi,

    I can no more use my Yubikey with GPG aftre recent changes. I
    followed
    https://wiki.debian.org/Smartcards/OpenPGP instructions but nothing
    succeeded.
    I'm running a Debian testing.

    Did someone find a solution ?

    Yes I did: sudo apt purge pcscd

    Turns out you do not need pcscd to use the Yubikey's PGP applet.
    On the contrary: I now have way less hassle/issues and it works like a
    charm all the time.

    Colleagues had to delete their ~/.gnupg/scdaemon.conf though for this
    to work (I did not have that file on my systems).

    Generally it's sufficient to temporarily stop pcscd. But also
    disable-ccid and pcsc-shared in scdaemon.conf should help.

    (Not that I'm claiming that this is good UX.)

    Kind regards
    Philipp Kern

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)