support_OpenPGP_smartcards.mdwn 4.89 KB
[[!toc levels=2]]

Plans
=====

1. Get recent ccid / pcscd into Tails (it helps support some
   devices, see below) -- this is feature/OpenPGP-SmartCard:
   **done** (merged into devel, pending for Tails 0.15)
1. Publish a test ISO -- this should be 0.15~rc1
1. Ask for feedback from owners of supposedly-fixed hardware
   [[!tag todo/test]]
1. [[!taglink todo/research]] how to support hardware despite the
   Seahorse bug

Tests
=====

## Test 0

I tested an OpenPGP smart card reader and card.
It turned out that it worked for me on Tails 0.13~rc1
without any additional package installed *but* only when executing gnupg as
root. It seems there is a permission issue, as discussed on tails-dev (see
below).

This is despite the fact that the `amnesia` user actually has proper
access to the USB device, thanks to the ACL set by
`/lib/udev/rules.d/60-gnupg.rules`, which is shipped by
[[!debpkg gnupg]]:

    $ lsusb | grep SCM
    Bus 002 Device 004: ID 04e6:5115 SCM Microsystems, Inc. SCR335 SmartCard Reader
    $ getfacl -a /dev/bus/usb/002/004
    # file: dev/bus/usb/002/004
    # owner: root
    # group: root
    user::rw-
    user:amnesia:rw-

It looks like the problem is related to Seahorse: commenting out `use-agent` in
`~/.gnupg/gpg.conf` enables GnuPG to use the card without extra permissions.
One can also bypass the agent for a single call:

    GPG_AGENT_INFO= gpg --card-status

This is tracked as <https://bugzilla.gnome.org/show_bug.cgi?id=530439>, with no
progress since 2008.
Tester: <alan@boum.org>

Hardware: USB 04e6:5115 SCM Microsystems, Inc. SCR335 SmartCard Reader

## Test 1

### hardware

[gemalto USB shell token v2](http://shop.kernelconcepts.de/product_info.php?products_id=119)

	$ lsusb | grep GemPC
	Bus 005 Device 003: ID 08e6:3438 Gemplus GemPC Key SmartCard Reader

	$ getfacl -a /dev/bus/usb/005/003
	getfacl: Removing leading '/' from absolute path names
	# file: dev/bus/usb/005/003
	# owner: root
	# group: root
	user::rw-
	group::rw-
	other::r--

	gpg --card-status:
	  gpg: detected reader `Gemalto GemPC Key 00 00'
	  Application ID ...: D2760001240102000005000014DA0000
	  Version ..........: 2.0
	  Manufacturer .....: ZeitControl

That reader does not get any ACL set by either the GnuPG udev ruleset or
the libccid one.
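The access checks done by hand in Test 0 and Test 1 (find the reader's device node from `lsusb`, then read its ACL with `getfacl`) can be scripted. The following is an added example, not code from the Tails wiki or the Tails project; it only evaluates the owner, named-user and `other` entries of the ACL, and ignores group entries and the ACL mask.

```sh
#!/bin/sh
# Added example (not from the Tails wiki page): script the manual check done
# in the tests above. Assumption: group entries and the ACL mask are ignored.

# usb_devnode "<lsusb line>": print the /dev/bus/usb/BBB/DDD node path.
usb_devnode() {
    set -- $1   # Bus 002 Device 004: ID 04e6:5115 ...
    printf '/dev/bus/usb/%s/%s\n' "$2" "${4%:}"
}

# acl_has_rw USER "<getfacl output>": succeed if USER has rw on the node.
acl_has_rw() {
    user=$1 acl=$2
    owner=$(printf '%s\n' "$acl" | sed -n 's/^# owner: //p')
    if [ "$owner" = "$user" ]; then
        perms=$(printf '%s\n' "$acl" | sed -n 's/^user::\(.*\)$/\1/p')   # owner entry
    else
        # Named-user entry such as user:amnesia:rw- set by 60-gnupg.rules.
        perms=$(printf '%s\n' "$acl" | sed -n "s/^user:$user:\(.*\)\$/\1/p")
    fi
    if [ -z "$perms" ]; then   # no matching entry: other:: applies
        perms=$(printf '%s\n' "$acl" | sed -n 's/^other::\(.*\)$/\1/p')
    fi
    case $perms in rw*) return 0 ;; *) return 1 ;; esac
}

# Constructed samples mirroring the two readers reported on this page.
SCM_LSUSB='Bus 002 Device 004: ID 04e6:5115 SCM Microsystems, Inc. SCR335 SmartCard Reader'
SCM_ACL='# file: dev/bus/usb/002/004
# owner: root
# group: root
user::rw-
user:amnesia:rw-'
GEMALTO_ACL='# file: dev/bus/usb/005/003
# owner: root
# group: root
user::rw-
group::rw-
other::r--'

echo "SCR335 node: $(usb_devnode "$SCM_LSUSB")"
for acl in "$SCM_ACL" "$GEMALTO_ACL"; do
    node=$(printf '%s\n' "$acl" | sed -n 's/^# file: /\//p')
    if acl_has_rw amnesia "$acl"; then echo "amnesia: rw on $node"; else echo "amnesia: no rw on $node"; fi
done
```

On a live system, replace the constructed samples with the real `lsusb` line and `getfacl -a` output of the node that `usb_devnode` prints.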

All needed software is now shipped in Tails 0.15-rc1.

Testers: Patrick Bx <patrickbx@gmail.com>

### tests

> The user credentials issues are discussed on tails-dev:
> <CALSDXiB1VWcEQ-BxJzXF95_mPg_UyHL6b83wXCGQz-a2hMvAYA@mail.gmail.com>

#### with pcscd installed

* can't use the card as a non-root user
* can use the card as a non-root user who is a member of the `pcscd` group
* can use the card as root

#### without pcscd, without gnupg-pkcs11-scd

* can't use the card as a non-root user
* can't use the card as a non-root user who is a member of the
  `pcscd` group; this hangs and must be killed by hand:

	$ gpg --card-status
	gpg: detected reader `Gemalto USB Shell Token V2 00 00'

* can't use the card as root

#### gpg2

* non-root user:

	$ gpg2 --card-status
	gpg: OpenPGP card not available: No SmartCard daemon

* root user:

	$ sudo gpg2 --card-status
	[sudo] password for amnesia:
	can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
	gpg-agent[8175]: can't connect server: `ERR 67109133 can't exec
	`/usr/bin/scdaemon': No such file or directory'
	gpg-agent[8175]: can't connect to the SCdaemon: IPC connect call failed
	gpg: OpenPGP card not available: No SmartCard daemon

#### without pcscd, with gnupg-pkcs11-scd

Adding a line containing `scdaemon-program /usr/bin/gnupg-pkcs11-scd` to
`~/.gnupg/gpg-agent.conf` does not help, but perhaps it was not set up
correctly.

Testers: Patrick Bx <patrickbx@gmail.com>

## Test 3

[[!taglink todo/wait]] for results from Patrick Bx:

  * with gnupg2, pcscd and scdaemon (as per Corsac's howto)

Resources
=========

* [[!wikipedia OpenPGP_card]]
* [[!debwiki Smartcards/OpenPGP]]
* [corsac's howto](http://www.corsac.net/?rub=blog&post=1548) for the
  [OpenPGP smartcard v2](http://g10code.com/p-card.html) plugged into
  a [Gemalto PC ExpressCard
  reader](http://shop.kernelconcepts.de/product_info.php?products_id=121),
  on Debian, with gnupg2, pcscd and scdaemon
* Liberté Linux' implementation: ccid, pcsc-lite, GnuPG built without
  libusb support, and `gnupg-pkcs11-scd` used as a `scdaemon-program`
  (available, commented-out in the default `gpg-agent.conf`); see
  commit f29ce64272 in their Git. Their reason for disabling CCID over
  libusb ("supporting direct CCID interface via libusb makes no sense,
  since the devices are accessible only to "pcscd" daemon") may not
  apply in the Debian and Tails case, since the packages take care to
  give access to devices to the `amnesia` user, using an ACL.
* [pcscd auto
  start](http://ludovicrousseau.blogspot.com/2010/09/pcscd-auto-start.html)
  on Ludovic Rousseau's blog
* [Installation of Card
  Reader](http://gnupg.org/howtos/card-howto/en/ch02s03.html)
  in GnuPG's documentation