Feature #5931

support OpenPGP smartcards

Added by Tails 2013-07-18 07:48:17 . Updated 2013-07-19 01:43:39 .

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Target version:
Start date:
Due date:
% Done:

0%

Feature Branch:
Type of work:
Code
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description

{{toc}}

Plans

Fixed by using the regular GnuPG agent to workaround a Seahorse bug: (GNOME bug #530439.

done in 0.17.

Done

  1. Get recent ccid / pcscd into Tails (it helps supporting some devices, see bellow) — this is feature/OpenPGP-SmartCard: done (merged into devel, pending for Tails 0.15)
  2. Publish a test ISO — this should be 0.15~rc1 done
  3. test with supposedly-fixed hardware

Tests

Test 0

I tested an OpenPGP smart card reader and card. It turned out that it worked for me on Tails 0.13~rc1 without any additional package installed but only when executing gnupg as root. It seems there is a permission issue, as discussed on tails-dev (see below).

This is despite the fact that the amnesia user actually has proper access (despite the ACL set thanks to /lib/udev/rules.d/60-gnupg.rules, that is shipped by gnupg to the USB device:

$ lsusb | grep SCM
Bus 002 Device 004: ID 04e6:5115 SCM Microsystems, Inc. SCR335 SmartCard Reader
$ getfacl -a /dev/bus/usb/002/004
# file: dev/bus/usb/002/004
# owner: root
# group: root
user::rw-
user:amnesia:rw-

It looks like the problem is related to Seahorse: commenting use-agent in ~/gnupg/gpg.conf will enable GnuPG to use the card without extra permissions. One can also call the following:

GPG_AGENT_INFO= gpg --card-status

This is tracked as https://bugzilla.gnome.org/show_bug.cgi?id=530439, no progress since 2008.

Tester: alan@boum.org

Hardware: USB 04e6:5115 SCM Microsystems, Inc. SCR335 SmartCard Reader

Test 1

hardware

gemalto USB shell token v2

$ lsusb | grep GemPC
Bus 005 Device 003: ID 08e6:3438 Gemplus GemPC Key SmartCard Reader

$ getfacl -a /dev/bus/usb/005/003
getfacl: Removing leading '/' from absolute path names
# file: dev/bus/usb/005/003
# owner: root
# group: root
user::rw-
group::rw-
other::r--

gpg --card-status:
  gpg: detected reader `Gemalto GemPC Key 00 00'
  Application ID ...: D2760001240102000005000014DA0000
  Version ..........: 2.0
  Manufacturer .....: ZeitControl

That reader does not get any ACL set by either the GnuPG ruleset, nor by the libccid one.

All needed software is now shipped in Tails 0.15-rc1.

Testers: Patrick Bx patrickbx@gmail.com

tests

The user credentials issues are discussed on tails-dev: CALSDXiB1VWcEQ-BxJzXF95_mPg_UyHL6b83wXCGQz-a2hMvAYA@mail.gmail.com

with pcscd installed

  • can’t use the card as a non-root user
  • can use the card as a non-root user who is a member of the pcscd group
  • can use the card as root

without pcscd, without gnupg-pkcs11-scd

  • can’t use the card as a non-root user

  • can’t use the card as a non-root user who is a member of the pcscd group; this hangs and must be killed by hand:

    $ gpg —card-status gpg: detected reader `Gemalto USB Shell Token V2 00 00’

  • can’t use the card as root

gpg2

  • non-root user:

    $ gpg2 —card-status gpg: OpenPGP card not available: No SmartCard daemon

  • root user:

    $ sudo gpg2 —card-status [sudo] password for amnesia: can’t connect to /root/.gnupg/S.gpg-agent': No such file or directory gpg-agent[8175]: can't connect server:ERR 67109133 can’t exec `/usr/bin/scdaemon’: No such file or directory’ gpg-agent[8175]: can’t connect to the SCdaemon: IPC connect call failed gpg: OpenPGP card not available: No SmartCard daemon

without pcscd, with gnupg-pkcs11-scd

adding a line containing:

scdaemon-program /usr/bin/gnupg-pkcs11-scd to ~/.gnupg/gpg-agent.conf

=> does not help, but perhaps it was not setup correctly.

Testers: Patrick Bx patrickbx@gmail.com

Test 3

On Debian Wheezy, using systemd, same hardware as Patrick Bx’s (Gemalto USB shell token v2).

Works:

# apt-get install pcscd scdaemon
$ GPG_AGENT_INFO= gpg --card-status

pcscd is automatically started thanks to socket-based activation, and exits after a bit of idle time.

Test 4

On Tails 0.15, same hardware as Patrick Bx’s (Gemalto USB shell token v2).

Works:

$ GPG_AGENT_INFO= gpg --card-status

Does not work:

$ gpg --card-status
gpg: selecting openpgp failed: unknown command
gpg: OpenPGP card not available: general error

So, apparently the only blocking issue is the Seahorse bug.

Resources

  • OpenPGP card
  • Smartcards/OpenPGP
  • corsac’s howto for the OpenPGP smartcard v2 plugged into a Gemalto PC ExpressCard reader, on Debian, with gnupg2, pcscd and scdaemon
  • Liberte Linux’ implementation: ccid, pcsc-lite, GnuPG built without libusb support, and gnupg-pkcs11-scd used as a scdaemon-program (available, commented-out in the default gpg-agent.conf); see commit f29ce64272 in their Git. Their reason for disabling CCID over libusb ("supporting direct CCID interface via libusb makes no sense, since the devices are accessible only to "pcscd" daemon") may not apply in the Debian and Tails case, since the packages take care to give access to devices to the amnesia user, using an ACL.
  • pcscd auto start on Ludovic Rousseau blog
  • Installation of Card Reader in GnuPG’s documentation

Subtasks

History

#1 Updated by intrigeri 2013-07-19 01:43:39

  • Type of work set to Code

Type of work: Code