[pkg-gnupg-maint] Bug#934237: Bug#934237: yubikey communication fails on startup

Antoine Beaupré anarcat at debian.org
Fri Aug 9 03:49:08 BST 2019


On 2019-08-09 09:08:35, NIIBE Yutaka wrote:
> Antoine Beaupre <anarcat at debian.org> wrote:
>> When I login in the morning, my Yubikey setup fails to let me connect
>> to remote SSH servers:
>
> How do you invoke gpg-agent?  If it is through your first SSH
> invocation, gpg-agent wouldn't know the place where to ask PIN (TTY and
> DISPLAY).
>
> You can check if you can use your token with SSH after your first
> invocation of:
>
>         $ gpg --card-status
>
> or
>
>         $ gpg-connect-agent UPDATESTARTUPTTY /bye
>
> Then, that's the case.

Okay, I can confirm the above (`UPDATESTARTUPTTY`) is a valid
workaround.

I also observed something strange. I sign all git commits automatically
here. I just did a commit, and git was able to make gpg-agent pop up the
pinentry dialog without problem for the commit OpenPGP signature, which
happens on the Yubikey. But the *push* part failed as described in this
bug report.

Then the above gpg-connect-agent hack worked around the issue.

It's strange that one function (signing) works while the other
(authentication) doesn't, no?

$ gpg --card-status
Reader ...........: Yubico Yubikey NEO OTP U2F CCID 00 00
Application ID ...: [REDACTED]
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: [REDACTED]
Name of cardholder: [non positionné]
Language prefs ...: [non positionné]
Sex ..............: non indiqué
URL of public key : [non positionné]
Login data .......: [non positionné]
Signature PIN ....: non forcé
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 12896
Signature key ....: 7B16 4204 D096 723B 0196  35AB 3EA1 DDDD B261 D97B
      created ....: 2017-08-23 23:10:50
Encryption key....: 7301 8B4C D3E4 82C6 E90F  B7C3 C665 A3C5 2513 53D0
      created ....: 2017-08-25 18:18:02
Authentication key: 5A23 7308 8863 DBDF 2E00  7607 604E 4B3E EE02 855A
      created ....: 2012-07-20 00:17:35
General key info..: sub  rsa2048/3EA1DDDDB261D97B 2017-08-23 Antoine Beaupré <anarcat at orangeseeds.org>
sec   rsa4096/792152527B75921E  créé : 2009-05-29  expire : 2020-06-05
ssb#  rsa2048/B7F648FED2DF2587  créé : 2012-07-18  expire : jamais    
ssb>  rsa2048/604E4B3EEE02855A  créé : 2012-07-20  expire : jamais    
                                nº de carte : 0006 03647189
ssb#  rsa2048/46DC033CAFD0FDF8  créé : 2012-07-24  expire : jamais    
ssb   rsa4096/A51D5B109C5A5581  créé : 2009-05-29  expire : jamais    
ssb>  rsa2048/3EA1DDDDB261D97B  créé : 2017-08-23  expire : jamais    
                                nº de carte : 0006 03647189

> gpg-agent should know the place where to ask PIN (TTY and DISPLAY), and
> it is told by gpg frontend or gpg-connect-agent.  But in the case of SSH
> (external/foreign program), there is no such mechanism telling the
> place.

But in this case, I ran 'git push' in a terminal I control,
interactively. gpg knows which terminal it's on, and it even knows which
DISPLAY it's on, and could definitely prompt me, either on the terminal
or the GUI.

I'll try again without the startup scripts next.

a.
-- 
Your injured body has become the burden of your digital soul.
                        - Yin Aiwen, 2013, The Massage is the Medium
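The mechanism discussed in this thread, as an added example that is not part of the bug report or of GnuPG itself: ssh cannot tell gpg-agent where to prompt for the Yubikey PIN, so an interactive shell has to do it with UPDATESTARTUPTTY before the first ssh or git push. The function names and the optional `connect` parameter are assumptions made for this example; `gpgconf --list-dirs agent-ssh-socket` is assumed to be available (GnuPG 2.1 and later).

```shell
#!/bin/sh
# Added example, not code from the bug report or from GnuPG.

# Return 0 when SSH authentication is routed through gpg-agent, i.e. when
# SSH_AUTH_SOCK (argument 1) is gpg-agent's own SSH socket (argument 2).
# Both values are passed in so the check runs without a live agent.
ssh_uses_gpg_agent() {
    auth_sock=$1
    agent_sock=$2
    [ -n "$auth_sock" ] && [ "$auth_sock" = "$agent_sock" ]
}

# Register the calling shell's terminal (argument 1) with gpg-agent.
# gpg-agent takes GPG_TTY and DISPLAY from the environment of the
# gpg-connect-agent process that sends UPDATESTARTUPTTY, which is why
# this must run in the interactive shell that will later run ssh, and
# not from a startup script that has no controlling terminal.
# Argument 2 (assumed parameter, defaults to gpg-connect-agent) exists so
# the function can be exercised without contacting an agent.
gpg_agent_refresh_tty() {
    tty_path=$1
    connect=${2:-gpg-connect-agent}
    if [ -z "$tty_path" ]; then
        return 1   # no terminal to register: the PIN prompt has nowhere to go
    fi
    GPG_TTY=$tty_path
    export GPG_TTY
    "$connect" updatestartuptty /bye >/dev/null
}

# Interactive-shell usage (for example in ~/.bashrc):
#   if ssh_uses_gpg_agent "$SSH_AUTH_SOCK" "$(gpgconf --list-dirs agent-ssh-socket)"; then
#       gpg_agent_refresh_tty "$(tty)"
#   fi
```

Running the refresh once per interactive shell is the same fix as the manual `gpg-connect-agent UPDATESTARTUPTTY /bye` workaround above, applied before SSH ever reaches the agent.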