[pkg-gnupg-maint] Bug#814584: gnupg2: gpg2 --card-status fail on armel / Raspberry Pi - "Card error"

Petter Reinholdtsen pere at hungry.com
Fri Aug 5 13:52:09 UTC 2016


Thank you for the quick response.  I still had the test box ready, which
made it easier to test some more. :)

[NIIBE Yutaka]
> In 2.1.14, libusb has been changed, so the error message is
> different, but it also means an access error.  It's highly likely an
> access permission problem.

Aha.

> Please try again with proper permission.

I assumed that since the first run was able to find the card, the
access was ok.  Apparently not.

> I don't know about FreedomBox image.

It is using the Debian packages from testing.

> Apparently, the udev rules don't work well.  Please try to manually chmod
> or chgrp the device file under /dev/bus/usb/

I did this:

fbx@freedombox:~$ sudo chmod a+rw /dev/bus/usb/001/00*
fbx@freedombox:~$ gpg2 --card-status
Reader ...........: 08E6:3438:C4CC14F3:0
Application ID ...: D2760001240102010005000042020000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 00004202
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
fbx@freedombox:~$

Indeed, access was the problem!

Trying to figure out why it did not work out of the box, I noticed that
the scdaemon udev rule does not list my card reader, and tried to add my
card's USB ID like this:

--- /tmp/60-scdaemon.rules      2016-05-21 22:34:16.700000000 +0000
+++ /lib/udev/rules.d/60-scdaemon.rules 2016-05-22 02:26:28.070000000 +0000
@@ -20,6 +20,7 @@
 ATTR{idVendor}=="076b", ATTR{idProduct}=="6622", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
 ## Gemalto
 ATTR{idVendor}=="08e6", ATTR{idProduct}=="3437", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+ATTR{idVendor}=="08e6", ATTR{idProduct}=="3438", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
 ATTR{idVendor}=="08e6", ATTR{idProduct}=="3478", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
 ATTR{idVendor}=="08e6", ATTR{idProduct}=="34c2", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
 ATTR{idVendor}=="08e6", ATTR{idProduct}=="34ec", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
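
Review bot: the `+++` header shows this was applied to the installed /lib/udev/rules.d/60-scdaemon.rules, so the added 08e6:3438 line will be lost when the package next replaces that file; for the upload the same line needs to go into the packaging source of 60-scdaemon.rules, and for local testing a copy of the file under /etc/udev/rules.d/ with the same name takes precedence and survives upgrades. The placement inside the "## Gemalto" block between 3437 and 3478 keeps the existing product-ID ordering and matches the neighbouring lines field for field. Note when testing that an edited rule is only applied on the device's next udev event, so re-plug the reader, re-trigger udev or reboot before judging the result.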

This did not help.

Then I noticed the /dev/bus/usb/001/004 lacked the acl marker (+), and
suspected this to be caused by the fact that the 'acl' package is
missing on the FreedomBox.  After installing 'acl' and rebooting
(because I did not sit next to the box and could not easily reconnect
the smart card reader) I still did not get it to work over ssh.  Then it
occurred to me that local device access required console login, not ssh
login, and I walked over to the box to give it a go.  There it worked
out of the box.  After logging in, I saw the missing '+':

root@freedombox:~# ls -l /dev/bus/usb/001/*
crw-rw-r--  1 root root 189, 0 mai   21 22:31 /dev/bus/usb/001/001
crw-rw-r--  1 root root 189, 1 mai   21 22:31 /dev/bus/usb/001/002
crw-rw-r--  1 root root 189, 2 mai   21 22:31 /dev/bus/usb/001/003
crw-rw-r--+ 1 root root 189, 3 mai   21 22:31 /dev/bus/usb/001/004
crw-rw-r--  1 root root 189, 4 mai   21 22:31 /dev/bus/usb/001/005
root@freedombox:~#

Then I tried again after doing 'apt purge acl', and it still worked (the
'+' showed up as it should).  Finally, I removed the line I added from
/lib/udev/rules.d/60-scdaemon.rules and tried again to verify that it
was really needed.  This time it failed.

So I guess the key to getting this to work is simply to add the USB ID
of my card reader to the scdaemon udev setup.  Daniel, do you want a
separate bug report for that, or can you apply the patch above to the
next upload?

Thank you very much for your help and patience. :)

-- 
Happy hacking
Petter Reinholdtsen
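
Added example, not part of the original message or of the gnupg2 package: a shell sketch of the two checks the message walks through, namely whether the reader ID printed by `gpg2 --card-status` is tagged in the scdaemon udev rules, and whether a device node's `ls -l` line carries the ACL marker. The function names are hypothetical, and the sample rules are the two Gemalto context lines from the patch above, written to a temporary file.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, sample data is constructed
# from lines quoted in the message above.

# Read `gpg2 --card-status` output on stdin, print the reader's
# vendor:product ID in lowercase (e.g. "08e6:3438").
reader_usb_id() {
    sed -n 's/^Reader[ .]*: *\([0-9A-Fa-f]\{4\}\):\([0-9A-Fa-f]\{4\}\):.*/\1:\2/p' |
        head -n 1 | tr 'A-F' 'a-f'
}

# Return 0 if rules file $1 tags vendor:product $2 as a smart card reader.
rule_lists_reader() {
    vid=${2%%:*}
    pid=${2##*:}
    grep -v '^[[:space:]]*#' "$1" |
        grep -F "ATTR{idVendor}==\"$vid\"" |
        grep -F "ATTR{idProduct}==\"$pid\"" |
        grep -F -q 'ENV{ID_SMARTCARD_READER}="1"'
}

# Return 0 if an `ls -l` line ($1) has '+' right after the ten mode characters.
has_acl_marker() {
    case $1 in
        ??????????+*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the unpatched Gemalto excerpt (context lines of the patch) to file $1.
write_sample_rules() {
    cat > "$1" <<'EOF'
## Gemalto
ATTR{idVendor}=="08e6", ATTR{idProduct}=="3437", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
ATTR{idVendor}=="08e6", ATTR{idProduct}=="3478", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
EOF
}

# Demo on the Reader line from the card status output quoted above.
rules=$(mktemp)
write_sample_rules "$rules"
id=$(printf '%s\n' 'Reader ...........: 08E6:3438:C4CC14F3:0' | reader_usb_id)
if rule_lists_reader "$rules" "$id"; then
    echo "$id is listed in the rules"
else
    echo "$id is NOT listed in the rules"
fi
rm -f "$rules"
```

On a live system the first function would be fed from `gpg2 --card-status` and the second pointed at /lib/udev/rules.d/60-scdaemon.rules.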