[pkg-gnupg-maint] Bug#814584: gnupg2: gpg2 --card-status fail on armel / Raspberry Pi - "Card error"
Petter Reinholdtsen
pere at hungry.com
Fri Aug 5 13:52:09 UTC 2016
Thank you for the quick response. I still had the test box ready, which
made it easier to test some more. :)
[NIIBE Yutaka]
> In 2.1.14, libusb has been changed, so, the error message is
> different, but it also means access error. It's highly likely an access
> permission problem.
Aha.
> Please try again with proper permission.
I assumed that since the first run was able to find the card, the
access was ok. Apparently not.
> I don't know about FreedomBox image.
It is using the Debian packages from testing.
> Apparently, udev rules don't work well. Please try to manually chmod
> or chgrp the device file under /dev/bus/usb/
I did this:
fbx@freedombox:~$ sudo chmod a+rw /dev/bus/usb/001/00*
fbx@freedombox:~$ gpg2 --card-status
Reader ...........: 08E6:3438:C4CC14F3:0
Application ID ...: D2760001240102010005000042020000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 00004202
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
fbx@freedombox:~$
Indeed, access was the problem!
Trying to figure out why it did not work out of the box, I noticed that
the scdaemon udev rule does not list my card reader, and tried to add my
card's USB ID like this:
--- /tmp/60-scdaemon.rules 2016-05-21 22:34:16.700000000 +0000
+++ /lib/udev/rules.d/60-scdaemon.rules 2016-05-22 02:26:28.070000000 +0000
@@ -20,6 +20,7 @@
ATTR{idVendor}=="076b", ATTR{idProduct}=="6622", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
## Gemalto
ATTR{idVendor}=="08e6", ATTR{idProduct}=="3437", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+ATTR{idVendor}=="08e6", ATTR{idProduct}=="3438", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
ATTR{idVendor}=="08e6", ATTR{idProduct}=="3478", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
ATTR{idVendor}=="08e6", ATTR{idProduct}=="34c2", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
ATTR{idVendor}=="08e6", ATTR{idProduct}=="34ec", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
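Review bot: the added 08e6:3438 line sets only ENV{ID_SMARTCARD_READER} and ENV{ID_SMARTCARD_READER_DRIVER}, with no MODE, GROUP or TAG of its own, so the commit message should say which later rule consumes these properties to grant access and to which sessions, because the line by itself does not change permissions on the device node. The +++ path is /lib/udev/rules.d/60-scdaemon.rules, the packaged copy, so for local testing the same line is better placed in a file under /etc/udev/rules.d/ where a package upgrade will not overwrite it, and udev has to reprocess the device (reload the rules and replug the reader) before the result is judged. The placement between 3437 and 3478 keeps the Gemalto block sorted by product ID, which is fine as is.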
This did not help.
Then I noticed the /dev/bus/usb/001/004 lacked the acl marker (+), and
suspected this to be caused by the fact that the 'acl' package is
missing on the FreedomBox. After installing 'acl' and rebooting
(because I did not sit next to the box and could not easily reconnect
the smart card reader) I still did not get it to work over ssh. Then it
occurred to me that local device access required console login, not ssh
login, and I walked over to the box to give it a go. There it worked
out of the box. After logging in, I saw the missing '+':
root@freedombox:~# ls -l /dev/bus/usb/001/*
crw-rw-r-- 1 root root 189, 0 mai 21 22:31 /dev/bus/usb/001/001
crw-rw-r-- 1 root root 189, 1 mai 21 22:31 /dev/bus/usb/001/002
crw-rw-r-- 1 root root 189, 2 mai 21 22:31 /dev/bus/usb/001/003
crw-rw-r--+ 1 root root 189, 3 mai 21 22:31 /dev/bus/usb/001/004
crw-rw-r-- 1 root root 189, 4 mai 21 22:31 /dev/bus/usb/001/005
root@freedombox:~#
Then I tried again after doing 'apt purge acl', and it still worked (the
'+' showed up as it should). Finally, I removed the line I added from
/lib/udev/rules.d/60-scdaemon.rules and tried again to verify that it
was really needed. This time it failed.
So I guess the key to getting this to work is simply to add the USB ID
of my card reader to the scdaemon udev setup. Daniel, do you want a
separate bug report for that, or can you apply the patch above to the
next upload?
Thank you very much for your help and patience. :)
--
Happy hacking
Petter Reinholdtsen
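
The two checks done by hand in the message above (is the reader's USB ID listed in the scdaemon rules, and which device node carries the ACL '+' marker), as an added example that is not part of the original message or of the gnupg2 package. The function names are hypothetical; the sample input is copied from the message, with the rules being the Gemalto lines before the patch.

```shell
#!/bin/sh
# Print "vvvv:pppp" (lowercase) from the "Reader" line of
# `gpg2 --card-status` output read on stdin.
reader_id_from_status() {
    sed -n 's/^Reader[ .]*: *\([0-9A-Fa-f]\{4\}\):\([0-9A-Fa-f]\{4\}\):.*/\1:\2/p' |
        head -n 1 | tr 'A-F' 'a-f'
}

# Succeed if an uncommented rule on stdin matches VID:PID ($1) and marks the
# device as a smart card reader.
rule_lists_reader() {
    awk -v vid="${1%%:*}" -v pid="${1##*:}" '
        /^[ \t]*#/ { next }
        {
            line = tolower($0)
            if (index(line, "attr{idvendor}==\"" vid "\"") &&
                index(line, "attr{idproduct}==\"" pid "\"") &&
                index(line, "env{id_smartcard_reader}=\"1\""))
                found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Print the device nodes from `ls -l` output on stdin whose mode field ends
# in "+", i.e. the nodes that carry an ACL.
nodes_with_acl() {
    awk '$1 ~ /\+$/ { print $NF }'
}

# Sample input copied from the message (rules as they were before the patch).
sample_status='Reader ...........: 08E6:3438:C4CC14F3:0'
sample_rules='## Gemalto
ATTR{idVendor}=="08e6", ATTR{idProduct}=="3437", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
ATTR{idVendor}=="08e6", ATTR{idProduct}=="3478", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"'

reader=$(printf '%s\n' "$sample_status" | reader_id_from_status)
if printf '%s\n' "$sample_rules" | rule_lists_reader "$reader"; then
    echo "$reader: listed in the rules"
else
    echo "$reader: not listed, the rules will not tag this reader"
fi
```

On a live system, feed it `gpg2 --card-status`, `/lib/udev/rules.d/60-scdaemon.rules` and `ls -l /dev/bus/usb/001/` instead of the embedded samples.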