support OpenPGP smartcards
Originally created by Tails on #5931 (Redmine)
done in 0.17.
- Get recent ccid / pcscd into Tails (it helps supporting some devices, see bellow) — this is feature/OpenPGP-SmartCard: done (merged into devel, pending for Tails 0.15)
- Publish a test ISO — this should be 0.15~rc1 done
- test with supposedly-fixed hardware
I tested an OpenPGP smart card reader and card. It turned out that it worked for me on Tails 0.13~rc1 without any additional package installed but only when executing gnupg as root. It seems there is a permission issue, as discussed on tails-dev (see below).
This is despite the fact that the
amnesia user actually has proper
access (despite the ACL set thanks to
/lib/udev/rules.d/60-gnupg.rules, that is shipped by
gnupg to the USB device:
$ lsusb | grep SCM Bus 002 Device 004: ID 04e6:5115 SCM Microsystems, Inc. SCR335 SmartCard Reader $ getfacl -a /dev/bus/usb/002/004 # file: dev/bus/usb/002/004 # owner: root # group: root user::rw- user:amnesia:rw-
It looks like the problem is related to Seahorse: commenting
~/gnupg/gpg.conf will enable GnuPG to use the card without extra
permissions. One can also call the following:
GPG_AGENT_INFO= gpg --card-status
This is tracked as https://bugzilla.gnome.org/show_bug.cgi?id=530439, no progress since 2008.
Hardware: USB 04e6:5115 SCM Microsystems, Inc. SCR335 SmartCard Reader
$ lsusb | grep GemPC Bus 005 Device 003: ID 08e6:3438 Gemplus GemPC Key SmartCard Reader $ getfacl -a /dev/bus/usb/005/003 getfacl: Removing leading '/' from absolute path names # file: dev/bus/usb/005/003 # owner: root # group: root user::rw- group::rw- other::r-- gpg --card-status: gpg: detected reader `Gemalto GemPC Key 00 00' Application ID ...: D2760001240102000005000014DA0000 Version ..........: 2.0 Manufacturer .....: ZeitControl
That reader does not get any ACL set by either the GnuPG ruleset, nor by the libccid one.
All needed software is now shipped in Tails 0.15-rc1.
Testers: Patrick Bx firstname.lastname@example.org
The user credentials issues are discussed on tails-dev: CALSDXiB1VWcEQ-BxJzXF95_mPg_UyHL6b83wXCGQz-a2hMvAYA@mail.gmail.com
with pcscd installed
- can’t use the card as a non-root user
- can use the card as a non-root user who is a member of the
- can use the card as root
without pcscd, without gnupg-pkcs11-scd
can’t use the card as a non-root user
can’t use the card as a non-root user who is a member of the
pcscdgroup; this hangs and must be killed by hand:
$ gpg —card-status gpg: detected reader `Gemalto USB Shell Token V2 00 00’
can’t use the card as root
$ gpg2 —card-status gpg: OpenPGP card not available: No SmartCard daemon
$ sudo gpg2 —card-status [sudo] password for amnesia: can’t connect to
/root/.gnupg/S.gpg-agent': No such file or directory gpg-agent: can't connect server:ERR 67109133 can’t exec `/usr/bin/scdaemon’: No such file or directory’ gpg-agent: can’t connect to the SCdaemon: IPC connect call failed gpg: OpenPGP card not available: No SmartCard daemon
without pcscd, with gnupg-pkcs11-scd
adding a line containing:
scdaemon-program /usr/bin/gnupg-pkcs11-scd to
=> does not help, but perhaps it was not setup correctly.
Testers: Patrick Bx email@example.com
On Debian Wheezy, using
systemd, same hardware as Patrick Bx’s
(Gemalto USB shell token v2).
# apt-get install pcscd scdaemon $ GPG_AGENT_INFO= gpg --card-status
pcscd is automatically started thanks to socket-based
and exits after a bit of idle time.
On Tails 0.15, same hardware as Patrick Bx’s (Gemalto USB shell token v2).
$ GPG_AGENT_INFO= gpg --card-status
Does not work:
$ gpg --card-status gpg: selecting openpgp failed: unknown command gpg: OpenPGP card not available: general error
So, apparently the only blocking issue is the Seahorse bug.
- OpenPGP card
- corsac’s howto for the OpenPGP smartcard v2 plugged into a Gemalto PC ExpressCard reader, on Debian, with gnupg2, pcscd and scdaemon
- Liberte Linux’ implementation: ccid, pcsc-lite, GnuPG built without
libusb support, and
gnupg-pkcs11-scdused as a
scdaemon-program(available, commented-out in the default
gpg-agent.conf); see commit f29ce64272 in their Git. Their reason for disabling CCID over libusb ("supporting direct CCID interface via libusb makes no sense, since the devices are accessible only to "pcscd" daemon") may not apply in the Debian and Tails case, since the packages take care to give access to devices to the
amnesiauser, using an ACL.
- pcscd auto start on Ludovic Rousseau blog
- Installation of Card Reader in GnuPG’s documentation