LedgerHQ / app-openpgp

OpenPGP Card Application
Apache License 2.0

Ledger Nano S not detected by GnuPG #59

Closed rejsmont closed 8 months ago

rejsmont commented 4 years ago

Hi,

I tried to set up my Ledger Nano S for GnuPG, but I cannot detect the Ledger as a smartcard reader on MacOS Catalina (10.15.7):

# gpg --card-edit

gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device

similarly:

# opensc-tool -l
No smart card readers found.

Ledger seems to be already present in libccid bundle:

cat /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist | grep Ledger
        <string>Ledger Nano S</string>
        <string>Ledger Nano X</string>
cat /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist | grep '0x2C97'
        <string>0x2C97</string>
        <string>0x2C97</string>

I have the OpenPGP.XL app installed on my Ledger (installed via Ledger Manager).

Any ideas?

afh commented 3 years ago

Bumping this issue as I'm running into it too. My setup is as follows (click on the ► to toggle details):

macOS Big Sur

```
% sw_vers
ProductName:    macOS
ProductVersion: 11.2
BuildVersion:   20D64
```

GnuPG 2.2.26 (have also tried 2.2.27 with libgcrypt 1.9.1)

```
gpg (GnuPG) 2.2.26
libgcrypt 1.8.6
Copyright (C) 2020 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
```

CCID version 1.4.32, which includes support for the Ledger Nano S and Nano X

```
% /usr/libexec/PlistBuddy -c 'Print CFBundleShortVersionString' /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/version.plist
1.4.32
% /usr/libexec/PlistBuddy -c 'Print ifdVendorID' /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist | nl | grep 0x2C97
   308  0x2C97
   309  0x2C97
% /usr/libexec/PlistBuddy -c 'Print ifdProductID' /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist | nl | grep '0x000[14]'
    82  0x0001
   121  0x0001
   307  0x0001
   308  0x0001
   309  0x0004
   369  0x0001
   386  0x0001
   408  0x0004
   415  0x0001
   420  0x0001
   423  0x0001
   424  0x0001
   437  0x0004
   472  0x0001
% /usr/libexec/PlistBuddy -c 'Print ifdFriendlyName' /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle | nl | grep -i ledger
   308  Ledger Nano S
   309  Ledger Nano X
```

System Information ( ► About this Mac then click System Report…) identifies the Ledger Nano S as follows:

(screenshot: USB section of the System Report)

I've installed the OpenPGP.XL application version 1.4.3 via Ledger Live version 2.19.0 (with Experimental features enabled) on a Ledger Nano S with firmware version 1.6.1.

The scdaemon is configured according to the documentation as follows:

% cat ~/.gnupg/scdaemon.conf
reader-port "Ledger Token [Nano S] (0001) 01 00"
allow-admin
enable-pinpad-varlen
log-file /tmp/scd.log
debug-level guru
debug-all

and it seems the Ledger Nano S is available as a CCID reader (command-line taken from scdaemon(1)):

% echo scd getinfo reader_list | gpg-connect-agent --decode | awk '/^D/ {print $2}'
2C97:0001:0001:0

I've also tried to use 2C97:0001:0001:0 as a reader-port in the scdaemon.conf, yet with the OpenPGP.XL application open on the Ledger Nano S, when running gpg --card-status or gpg --card-edit the scd.log shows the following error: 2021-02-04 08:31:50 scdaemon[62863] pcsc_connect failed: unknown reader (0x80100009)

% gpg --card-status
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device
% cat /tmp/scd.log
2021-02-04 08:31:50 scdaemon[62863] DBG: chan_7 <- GETINFO version
2021-02-04 08:31:50 scdaemon[62863] DBG: chan_7 -> D 2.2.26
2021-02-04 08:31:50 scdaemon[62863] DBG: chan_7 -> OK
2021-02-04 08:31:50 scdaemon[62863] DBG: chan_7 <- SERIALNO
2021-02-04 08:31:50 scdaemon[62863] DBG: apdu_open_reader: BAI=140901
2021-02-04 08:31:50 scdaemon[62863] DBG: apdu_open_reader: new device=140901
2021-02-04 08:31:50 scdaemon[62863] ccid open error: skip
2021-02-04 08:31:50 scdaemon[62863] DBG: enter: apdu_open_reader: portstr=Ledger Token [Nano S] (0001) 01 00
2021-02-04 08:31:50 scdaemon[62863] reader slot 0: not connected
2021-02-04 08:31:50 scdaemon[62863] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
2021-02-04 08:31:50 scdaemon[62863] DBG: enter: apdu_connect: slot=0
2021-02-04 08:31:50 scdaemon[62863] pcsc_connect failed: unknown reader (0x80100009)
2021-02-04 08:31:50 scdaemon[62863] reader slot 0: not connected
2021-02-04 08:31:50 scdaemon[62863] DBG: leave: apdu_connect => sw=0x1000c
2021-02-04 08:31:50 scdaemon[62863] DBG: enter: apdu_close_reader: slot=0
2021-02-04 08:31:50 scdaemon[62863] DBG: enter: apdu_disconnect: slot=0
2021-02-04 08:31:50 scdaemon[62863] DBG: leave: apdu_disconnect => sw=0x0
2021-02-04 08:31:50 scdaemon[62863] DBG: leave: apdu_close_reader => 0x0 (close_reader)
2021-02-04 08:31:50 scdaemon[62863] DBG: chan_7 -> ERR 100696144 Operation not supported by device <SCD>
2021-02-04 08:31:50 scdaemon[62863] DBG: chan_7 <- RESTART
2021-02-04 08:31:50 scdaemon[62863] DBG: chan_7 -> OK

Any help would be very much appreciated as this is a great and versatile app for the Ledger Nano!

afh commented 3 years ago

Quick update, that the Ledger Nano S is recognised correctly using OpenBSD 6.9. I do not seem to be able to verify the PIN, and hence change the PIN mode; trying to change the name results in Bad PIN when using the default PIN, yet this seems a different issue. I'll investigate more and file a new issue as needed.

afh commented 3 years ago

By adding the lines below to ~/.gnupg/scdaemon.conf I was able to verify and change the PIN on OpenBSD:

allow-admin
enable-pinpad-varlen

afh commented 3 years ago

I've enabled logging for macOS' smart-card subsystem

% sudo defaults write /Library/Preferences/com.apple.security.smartcard Logging -bool yes
% sudo log stream --debug --info --source  --style syslog --predicate '((subsystem == "com.apple.CryptoTokenKit") || (process == "com.apple.ifdreader"))'

(see certgate)

and see the following messages when connecting the Ledger Nano S and opening the OpenPGP.XL app:

2021-02-09 20:16:35.771848+0100  localhost com.apple.ctkpcscd[92930]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] received new request 12 for peer REDACTED_PEER_1
2021-02-09 20:16:35.771957+0100  localhost com.apple.ctkpcscd[92930]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] answering operation 12, result 0
2021-02-09 20:16:35.772320+0100  localhost com.apple.ctkpcscd[92930]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] received new request 12 for peer REDACTED_PEER_1
2021-02-09 20:16:35.772496+0100  localhost com.apple.ctkpcscd[92930]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] answering operation 12, result 0
2021-02-09 20:16:35.981290+0100  localhost com.apple.ifdreader[222]: <com.apple.ifdreader> [com.apple.CryptoTokenKit:smartcard] deviceRemovalHandler invoked (entryId=REDACTED_ENTRY_ID_1)
2021-02-09 20:16:35.981532+0100  localhost com.apple.ifdreader[222]: <com.apple.ifdreader> [com.apple.CryptoTokenKit:smartcard] installed device removal notification
2021-02-09 20:16:35.981908+0100  localhost com.apple.ifdreader[222]: <com.apple.ifdreader> [com.apple.CryptoTokenKit:smartcard] new device arrival: 2c97:1011 14400000 (entryId=REDACTED_ENTRY_ID_1)
2021-02-09 20:16:35.982021+0100  localhost com.apple.ifdreader[222]: <com.apple.ifdreader> [com.apple.CryptoTokenKit:smartcard] unable to find bundle for device, aborting
2021-02-09 20:16:37.847766+0100  localhost com.apple.ctkpcscd[92930]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] received new request 12 for peer REDACTED_PEER_1
2021-02-09 20:16:37.847876+0100  localhost com.apple.ctkpcscd[92930]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] answering operation 12, result 0
2021-02-09 20:16:37.848170+0100  localhost com.apple.ctkpcscd[92930]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] received new request 12 for peer REDACTED_PEER_1
2021-02-09 20:16:37.848268+0100  localhost com.apple.ctkpcscd[92930]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] answering operation 12, result 0
2021-02-09 20:16:37.926937+0100  localhost com.apple.ifdreader[222]: <com.apple.ifdreader> [com.apple.CryptoTokenKit:smartcard] deviceRemovalHandler invoked (entryId=REDACTED_ENTRY_ID_2)
2021-02-09 20:16:37.927008+0100  localhost com.apple.ifdreader[222]: <com.apple.ifdreader> [com.apple.CryptoTokenKit:smartcard] installed device removal notification
2021-02-09 20:16:37.927563+0100  localhost com.apple.ifdreader[222]: <com.apple.ifdreader> [com.apple.CryptoTokenKit:smartcard] new device arrival: 2c97:0001 14400000 (entryId=REDACTED_ENTRY_ID_2)
2021-02-09 20:16:37.935487+0100  localhost com.apple.ifdbundle[7254]: <com.apple.ifdbundle> [com.apple.CryptoTokenKit:smartcard] bundle loaded: /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle
2021-02-09 20:16:37.939057+0100  localhost com.apple.ifdreader[222]: <com.apple.ifdreader> [com.apple.CryptoTokenKit:smartcard] found bundle for device, resolved entryId=REDACTED_ENTRY_ID_2 to deviceName='Ledger Nano S'
2021-02-09 20:16:37.940006+0100  localhost com.apple.ifdbundle[7254]: <com.apple.ifdbundle> [com.apple.CryptoTokenKit:smartcard] Ledger Nano S: allocate lun: 0
2021-02-09 20:16:37.940305+0100  localhost com.apple.ifdbundle[7254]: <com.apple.ifdbundle> [com.apple.CryptoTokenKit:smartcard] -> IFDHCreateChannelByName(00000000, 'Ledger Nano S')

2021-02-09 20:17:29.055325+0100  localhost scdaemon[94462]: (PCSC) <PCSC`SCardConnect.cold.7> [com.apple.CryptoTokenKit:pcscapi] -> SCardConnect()
2021-02-09 20:17:29.056679+0100  localhost com.apple.ctkpcscd[94463]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] received new request 3 for peer REDACTED_PEER_2
2021-02-09 20:17:29.056747+0100  localhost com.apple.ctkpcscd[94463]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] answering operation 3, result -2146435063
2021-02-09 20:17:29.056797+0100  localhost scdaemon[94462]: (PCSC) <PCSC`SCardConnect.cold.4> [com.apple.CryptoTokenKit:pcscapi] <- (80100009) SCardConnect()
2021-02-09 20:17:29.057362+0100  localhost com.apple.ctkpcscd[94463]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] terminating peer REDACTED_PEER_2 because of connection error

wigy-opensource-developer commented 3 years ago
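The same PC/SC failure shows up in three spellings in the logs above: scdaemon's `(0x80100009)`, the CryptoTokenKit `result -2146435063` (the identical value printed as a signed 32-bit integer) and the pcscapi `<- (80100009) SCardConnect()`. As an added triage helper (my own example, not code from app-openpgp or GnuPG), the script below normalises all three to one unsigned code and names it; the SCARD_* names and values are assumed from pcsc-lite's pcsclite.h, and the log lines embedded in it are constructed from the ones quoted in this thread.

```python
"""Triage helper for scdaemon / macOS CryptoTokenKit smart-card logs.

Added example, not part of app-openpgp or GnuPG. Note that scdaemon's own
"sw=0x1000c" style values are GnuPG host status codes (SW_HOST_*), a different
namespace from the PC/SC return codes handled here.
"""
import re

# Subset of PC/SC return codes, values as in pcsc-lite's pcsclite.h.
PCSC_ERRORS = {
    0x00000000: "SCARD_S_SUCCESS",
    0x80100009: "SCARD_E_UNKNOWN_READER",
    0x8010000C: "SCARD_E_NO_SMARTCARD",
    0x80100016: "SCARD_E_NOT_TRANSACTED",
    0x80100069: "SCARD_W_REMOVED_CARD",
}


def to_u32(value: int) -> int:
    """Fold a signed 32-bit result (as printed by ctkpcscd) into its unsigned form."""
    return value & 0xFFFFFFFF


def pcsc_name(code: int) -> str:
    code = to_u32(code)
    return PCSC_ERRORS.get(code, f"unknown PC/SC code 0x{code:08X}")


# The three spellings of a PC/SC return code seen in this thread.
_SCD_RE = re.compile(r"scdaemon\[(\d+)\] (pcsc_\w+) failed: (.*?) \(0x([0-9A-Fa-f]{8})\)")
_CTK_RE = re.compile(r"ctkpcscd\[(\d+)\].*answering operation (\d+), result (-?\d+)")
_API_RE = re.compile(r"scdaemon\[(\d+)\].*<- \(([0-9A-Fa-f]{8})\) (SCard\w+)\(\)")


def triage(line: str):
    """Return (source, pid, what, code, name) for a line carrying a PC/SC result, else None."""
    m = _SCD_RE.search(line)
    if m:
        code = int(m.group(4), 16)
        return ("scdaemon", int(m.group(1)), m.group(2), code, pcsc_name(code))
    m = _CTK_RE.search(line)
    if m:
        code = to_u32(int(m.group(3)))  # signed decimal -> unsigned hex
        return ("ctkpcscd", int(m.group(1)), f"operation {m.group(2)}", code, pcsc_name(code))
    m = _API_RE.search(line)
    if m:
        code = int(m.group(2), 16)
        return ("pcscapi", int(m.group(1)), m.group(3), code, pcsc_name(code))
    return None


def triage_log(lines):
    return [r for r in (triage(line) for line in lines) if r]


def failures(lines):
    """Distinct (source, name) pairs with a non-success code, in order of first appearance."""
    seen = []
    for src, _pid, _what, code, name in triage_log(lines):
        if code != 0 and (src, name) not in seen:
            seen.append((src, name))
    return seen


# Constructed sample, assembled from lines quoted in this GitHub issue.
SAMPLE_LOG = """\
2021-02-04 08:31:50 scdaemon[62863] ccid open error: skip
2021-02-04 08:31:50 scdaemon[62863] pcsc_connect failed: unknown reader (0x80100009)
2021-02-09 20:17:29.056747+0100  localhost com.apple.ctkpcscd[94463]: <com.apple.ctkpcscd> [com.apple.CryptoTokenKit:pcsc] answering operation 3, result -2146435063
2021-02-09 20:17:29.056797+0100  localhost scdaemon[94462]: (PCSC) <PCSC`SCardConnect.cold.4> [com.apple.CryptoTokenKit:pcscapi] <- (80100009) SCardConnect()
2021-10-26 17:27:40 scdaemon[41206] pcsc_control failed: not transacted (0x80100016)
""".splitlines()

if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LOG):
        print(entry)
    print(failures(SAMPLE_LOG))
```

Seeing SCARD_E_UNKNOWN_READER from ctkpcscd itself, before scdaemon gets a slot, points at the macOS reader layer rather than at the scdaemon configuration.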

Probably you have not bought your Ledger Nano S in the official Apple store. Nah, just kidding. Kind of. I have seen some USB devices that work perfectly on most platforms, but work with a degraded performance or functionality with MacOS. Which is completely understandable with a closed-source OS supported only by hardware sales.

Does that "answering operation 3" result FFEF_FFF7 ring any bells for you, Cédric? @cslashm

afh commented 3 years ago

Friendly nudge on this one @cslashm.

cslashm commented 3 years ago

Hi all, MacOS and smartcards are a pain! It is often a question of MacOS security fire-walling the HW. Unfortunately I'm not a MacOS expert (I was born in an ordinary hospital, not in an Apple store :) ).

BTW, before playing with gnupg or any other high-level tool, the MacOS equivalents of lsusb and pcsc_scan must correctly report the presence of the reader (see below).

Note: All the code regarding the USB CCID handling is open source, either in the SDK or in the app.

NanoX sample:

      $ lsusb -v

      Bus 001 Device 076: ID 2c97:0004 Ledger Nano X
      Device Descriptor:
        bLength                18
        bDescriptorType         1
        bcdUSB               2.00
        bDeviceClass            0
        bDeviceSubClass         0
        bDeviceProtocol         0
        bMaxPacketSize0        64
        idVendor           0x2c97
        idProduct          0x0004
        bcdDevice            2.01
        iManufacturer           1 Ledger
        iProduct                2 Nano X
        iSerial                 3 0001
        bNumConfigurations      1
        Configuration Descriptor:
          bLength                 9
          bDescriptorType         2
          wTotalLength       0x0076
          bNumInterfaces          2
          bConfigurationValue     1
          iConfiguration          2 Nano X
          bmAttributes         0xc0
            Self Powered
          MaxPower              100mA
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        0
            bAlternateSetting       0
            bNumEndpoints           2
            bInterfaceClass         3 Human Interface Device
            bInterfaceSubClass      0
            bInterfaceProtocol      0
            iInterface              2 Nano X
              HID Device Descriptor:
                bLength                 9
                bDescriptorType        33
                bcdHID               1.11
                bCountryCode            0 Not supported
                bNumDescriptors         1
                bDescriptorType        34 Report
                wDescriptorLength      34
               Report Descriptors:
                 ** UNAVAILABLE **
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x82  EP 2 IN
              bmAttributes            3
                Transfer Type            Interrupt
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0040  1x 64 bytes
              bInterval               1
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x02  EP 2 OUT
              bmAttributes            3
                Transfer Type            Interrupt
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0040  1x 64 bytes
              bInterval               1
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        2
            bAlternateSetting       0
            bNumEndpoints           2
            bInterfaceClass        11 Chip/SmartCard
            bInterfaceSubClass      0
            bInterfaceProtocol      0
            iInterface              5 Nano X
            ChipCard Interface Descriptor:
              bLength                54
              bDescriptorType        33
              bcdCCID              1.10  (Warning: Only accurate for version 1.0)
              nMaxSlotIndex           0
              bVoltageSupport         3  5.0V 3.0V
              dwProtocols             1  T=0
              dwDefaultClock       3600
              dwMaxiumumClock      3600
              bNumClockSupported      0
              dwDataRate           9677 bps
              dwMaxDataRate        9677 bps
              bNumDataRatesSupp.      0
              dwMaxIFSD               0
              dwSyncProtocols  00000000
              dwMechanical     00000000
              dwFeatures       000206BA
                Auto configuration based on ATR
                Auto voltage selection
                Auto clock change
                Auto baud rate change
                Auto PPS made by CCID
                NAD value other than 0x00 accepted
                Auto IFSD exchange
                Short APDU level exchange
              dwMaxCCIDMsgLen       271
              bClassGetResponse      00
              bClassEnvelope         00
              wlcdLayout           none
              bPINSupport             3  verification modification
              bMaxCCIDBusySlots       1
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x83  EP 3 IN
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0040  1x 64 bytes
              bInterval               0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x03  EP 3 OUT
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0040  1x 64 bytes
              bInterval               0
      Device Status:     0x0003
        Self Powered
        Remote Wakeup Enabled

and

        $ pcsc_scan
        Using reader plug'n play mechanism
        Scanning present readers...
        0: Ledger Nano X [Nano X] (0001) 00 00

        Wed Feb 24 12:52:23 2021
         Reader 0: Ledger Nano X [Nano X] (0001) 00 00
          Event number: 0
          Card state: Card inserted,
          ATR: 3B 00

        ATR: 3B 00
        + TS = 3B --> Direct Convention
        + T0 = 00, Y(1): 0000, K: 0 (historical bytes)

afh commented 3 years ago

Thank you for your response, @cslashm. If one were to engulf in the endeavour of looking into the USB CCID code—which is beyond my expertise currently—where would one start?

Running pcsctest on macOS with the Ledger Nano S attached and the OpenPGP.XL application open just hangs:

% pcsctest

MUSCLE PC/SC Lite Test Program

Testing SCardEstablishContext    : Command successful.
Testing SCardGetStatusChange
Please insert a working reader   :

Whereas the device is shown in Apple's equivalent of lsusb:

```
% system_profiler SPUSBDataType
2021-03-03 20:59:35.349 system_profiler[46551:765647] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
USB:

    USB 3.1 Bus:

      Host Controller Driver: AppleUSBXHCIAR
      PCI Device ID: 0x15d4
      PCI Revision ID: 0x0002
      PCI Vendor ID: 0x8086
      Bus Number: 0x01

    USB 3.1 Bus:

      Host Controller Driver: AppleUSBXHCIAR
      PCI Device ID: 0x15d4
      PCI Revision ID: 0x0002
      PCI Vendor ID: 0x8086
      Bus Number: 0x00

    USB 3.0 Bus:

      Host Controller Driver: AppleUSBXHCISPT
      PCI Device ID: 0xa12f
      PCI Revision ID: 0x0031
      PCI Vendor ID: 0x8086

        Nano S:

          Product ID: 0x0001
          Vendor ID: 0x2c97
          Version: 2.01
          Serial Number: 0001
          Speed: Up to 12 Mb/s
          Manufacturer: Ledger
          Location ID: 0x14400000 / 34
          Current Available (mA): 500
          Current Required (mA): 100
          Extra Operating Current (mA): 0

        Apple T1 Controller:

          Product ID: 0x8600
          Vendor ID: 0x05ac (Apple Inc.)
          Version: 1.01
          Manufacturer: Apple Inc.
          Location ID: 0x14200000
```

Inspecting the IO registry the Nano S is listed on various planes/classes:

```
% ioreg -C IOUSBHostInterface
* | | | | +-o Nano S@14400000
  | | | | | {
  | | | | |   "kUSBSerialNumberString" = "0001"
  | | | | |   "bDeviceClass" = 0
  | | | | |   "bDeviceSubClass" = 0
  | | | | |   "iSerialNumber" = 3
  | | | | |   "Built-In" = No
  | | | | |   "IOServiceDEXTEntitlements" = (("com.apple.developer.driverkit.transport.usb"))
  | | | | |   "iProduct" = 2
  | | | | |   "USB Serial Number" = "0001"
  | | | | |   "USB Vendor Name" = "Ledger"
  | | | | |   "USBSpeed" = 1
  | | | | |   "IOPowerManagement" = {"PowerOverrideOn"=Yes,"CapabilityFlags"=32768,"MaxPowerState"=2,"DevicePowerState"=2,"DriverPowerState"=0,"ChildrenPowerState"=1,"CurrentPowerState"=2}
  | | | | |   "bNumConfigurations" = 1
* | | | | |   "kUSBProductString" = "Nano S"
  | | | | |   "IOServiceLegacyMatchingRegistryID" = 4294989508
  | | | | |   "kUSBVendorString" = "Ledger"
* | | | | |   "USB Product Name" = "Nano S"
  | | | | |   "iManufacturer" = 1
  | | | | |   "idVendor" = 11415
  | | | | |   "Device Speed" = 1
  | | | | |   "kUSBCurrentConfiguration" = 1
  | | | | |   "idProduct" = 1
  | | | | |   "bcdDevice" = 513
  | | | | |   "sessionID" = 118934697078674
  | | | | |   "USB Address" = 34
  | | | | |   "non-removable" = "no"
  | | | | |   "IOCFPlugInTypes" = {"9dc7b780-9ec0-11d4-a54f-000a27052861"="IOUSBHostFamily.kext/Contents/PlugIns/IOUSBLib.bundle"}
  | | | | |   "IOClassNameOverride" = "IOUSBDevice"
  | | | | |   "USBPortType" = 0
  | | | | |   "bDeviceProtocol" = 0
  | | | | |   "locationID" = 339738624
  | | | | |   "bcdUSB" = 512
  | | | | |   "kUSBAddress" = 34
  | | | | |   "IOGeneralInterest" = "IOCommand is not serializable"
  | | | | |   "bMaxPacketSize0" = 64
  | | | | | }
  | | | | |
  | | | | | +-o AppleUSBHostLegacyClient
  | | | | | +-o AppleUSBHostCompositeDevice
* | | | | | +-o Nano S@0
  | | | | |   +-o AppleUserUSBHostHIDDevice
  | | | | |     +-o IOHIDInterface
* | | | | | +-o Nano S@2
```

```
% ioreg -C AppleUSBInterface
* | | +-o Nano S@14400000
* | | +-o Nano S@0
  | | | {
  | | |   "IOCFPlugInTypes" = {"2d9786c6-9ef3-11d4-ad51-000a27052861"="IOUSBHostFamily.kext/Contents/PlugIns/IOUSBLib.bundle"}
  | | |   "bcdDevice" = 513
  | | |   "idProduct" = 1
  | | |   "bInterfaceSubClass" = 0
  | | |   "bConfigurationValue" = 1
  | | |   "locationID" = 339738624
* | | |   "USB Interface Name" = "Nano S"
  | | |   "AppleUSBAlternateServiceRegistryID" = 4294989518
  | | |   "IOClassNameOverride" = "IOUSBInterface"
  | | |   "bInterfaceProtocol" = 0
  | | |   "iInterface" = 2
  | | |   "bAlternateSetting" = 0
  | | |   "idVendor" = 11415
  | | |   "bInterfaceNumber" = 0
  | | |   "bInterfaceClass" = 3
  | | |   "bNumEndpoints" = 2
  | | | }
  | | |
* | | +-o Nano S@2
  | |   {
  | |     "IOCFPlugInTypes" = {"2d9786c6-9ef3-11d4-ad51-000a27052861"="IOUSBHostFamily.kext/Contents/PlugIns/IOUSBLib.bundle"}
  | |     "bcdDevice" = 513
  | |     "idProduct" = 1
  | |     "bInterfaceSubClass" = 0
  | |     "bConfigurationValue" = 1
  | |     "locationID" = 339738624
* | |     "USB Interface Name" = "Nano S"
  | |     "AppleUSBAlternateServiceRegistryID" = 4294989519
  | |     "IOClassNameOverride" = "IOUSBInterface"
  | |     "bInterfaceProtocol" = 0
  | |     "iInterface" = 5
  | |     "bAlternateSetting" = 0
  | |     "idVendor" = 11415
  | |     "bInterfaceNumber" = 2
  | |     "bInterfaceClass" = 11
  | |     "bNumEndpoints" = 2
  | |   }
```

```
% ioreg -c AppleUSBDevice
* | | +-o Nano S@14400000
  | | | {
  | | |   "sessionID" = 118934697078674
  | | |   "idProduct" = 1
  | | |   "iManufacturer" = 1
  | | |   "bDeviceClass" = 0
  | | |   "bMaxPacketSize0" = 64
  | | |   "bcdDevice" = 513
  | | |   "iProduct" = 2
  | | |   "iSerialNumber" = 3
  | | |   "bNumConfigurations" = 1
  | | |   "Bus Power Available" = 250
  | | |   "USB Address" = 34
  | | |   "Built-In" = No
  | | |   "locationID" = 339738624
  | | |   "bDeviceSubClass" = 0
  | | |   "bcdUSB" = 512
* | | |   "USB Product Name" = "Nano S"
  | | |   "PortNum" = 4
  | | |   "non-removable" = "no"
  | | |   "kUSBSerialNumberString" = "0001"
  | | |   "bDeviceProtocol" = 0
  | | |   "AppleUSBAlternateServiceRegistryID" = 4294989506
  | | |   "IOCFPlugInTypes" = {"9dc7b780-9ec0-11d4-a54f-000a27052861"="IOUSBHostFamily.kext/Contents/PlugIns/IOUSBLib.bundle"}
  | | |   "IOPowerManagement" = {"DevicePowerState"=0,"CurrentPowerState"=3,"CapabilityFlags"=65536,"MaxPowerState"=4,"DriverPowerState"=3}
  | | |   "Device Speed" = 1
  | | |   "USB Vendor Name" = "Ledger"
  | | |   "idVendor" = 11415
  | | |   "kUSBCurrentConfiguration" = 1
  | | |   "IOGeneralInterest" = "IOCommand is not serializable"
* | | |   "kUSBProductString" = "Nano S"
  | | |   "USB Serial Number" = "0001"
  | | |   "kUSBVendorString" = "Ledger"
  | | |   "IOClassNameOverride" = "IOUSBDevice"
  | | | }
  | | |
* | | +-o Nano S@0
* | | +-o Nano S@2
```

Is there anything that strikes you as odd or that would be a good starting point for further investigation?

afh commented 3 years ago

Friendly ping on ☝️ for @cslashm :)

Lohann commented 3 years ago

Same issue here, my YubiKey works fine on MacOs Catalina, but it can't recognize Ledger Nano X as a smart-card.

gpg --card-status
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device

robbiet480 commented 3 years ago

Same issue here as well for both of my Ledger Nano X.

juan-sebastian commented 3 years ago

Hello, I updated my Nano S and Nano X to the latest firmware version 2.0.0. The GPG app stopped working on the Nano X, but on the Nano S it still works fine; below are the scdaemon logs.

Ledger Nano S GPG App 1.4.4

$ pcsctest

MUSCLE PC/SC Lite Test Program

Testing SCardEstablishContext    : Command successful.
Testing SCardGetStatusChange
Please insert a working reader   : Command successful.
Testing SCardListReaders         : Command successful.
Reader 01: Ledger Nano S
Enter the reader number          : 1
Waiting for card insertion
                                 : Command successful.
Testing SCardConnect             : Command successful.
Testing SCardStatus              : Command successful.
Current Reader Name              : Ledger Nano S
Current Reader State             : 0x54
Current Reader Protocol          : 0x0
Current Reader ATR Size          : 2 (0x2)
Current Reader ATR Value         : 3B 00
Testing SCardDisconnect          : Command successful.
Testing SCardReleaseContext      : Command successful.
Testing SCardEstablishContext    : Command successful.
Testing SCardGetStatusChange
Please insert a working reader   : Command successful.
Testing SCardListReaders         : Command successful.
Reader 01: Ledger Nano S
Enter the reader number          : ^C

Ledger Nano X GPG App 1.4.4

$ pcsctest

MUSCLE PC/SC Lite Test Program

Testing SCardEstablishContext    : Command successful.
Testing SCardGetStatusChange
Please insert a working reader   : Command successful.
Testing SCardListReaders         : Command successful.
Reader 01: Ledger Nano X
Enter the reader number          : 1
Waiting for card insertion
^C

Ledger Nano S GPG App 1.4.4

2021-10-26 17:27:40 scdaemon[41206] listening on socket '/Users/juan/.gnupg/S.scdaemon'
2021-10-26 17:27:40 scdaemon[41206] handler for fd -1 started
2021-10-26 17:27:40 scdaemon[41206] DBG: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
2021-10-26 17:27:40 scdaemon[41206] DBG: chan_7 <- GETINFO socket_name
2021-10-26 17:27:40 scdaemon[41206] DBG: chan_7 -> D /Users/juan/.gnupg/S.scdaemon
2021-10-26 17:27:40 scdaemon[41206] DBG: chan_7 -> OK
2021-10-26 17:27:40 scdaemon[41206] DBG: chan_7 <- OPTION event-signal=31
2021-10-26 17:27:40 scdaemon[41206] DBG: chan_7 -> OK
2021-10-26 17:27:40 scdaemon[41206] DBG: chan_7 <- GETINFO version
2021-10-26 17:27:40 scdaemon[41206] DBG: chan_7 -> D 2.2.27
2021-10-26 17:27:40 scdaemon[41206] DBG: chan_7 -> OK
2021-10-26 17:27:40 scdaemon[41206] DBG: chan_7 <- SERIALNO
2021-10-26 17:27:40 scdaemon[41206] DBG: enter: apdu_open_reader: portstr=(null)
2021-10-26 17:27:40 scdaemon[41206] detected reader 'Ledger Nano S'
2021-10-26 17:27:40 scdaemon[41206] detected reader ''
2021-10-26 17:27:40 scdaemon[41206] reader slot 0: not connected
2021-10-26 17:27:40 scdaemon[41206] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
2021-10-26 17:27:40 scdaemon[41206] DBG: enter: apdu_connect: slot=0
2021-10-26 17:27:40 scdaemon[41206] pcsc_control failed: not transacted (0x80100016)
2021-10-26 17:27:40 scdaemon[41206] pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65547
2021-10-26 17:27:40 scdaemon[41206] reader slot 0: active protocol: T0
2021-10-26 17:27:40 scdaemon[41206] slot 0: ATR=3B 00
2021-10-26 17:27:40 scdaemon[41206] DBG: pcsc_get_status_change:  changed present excl
2021-10-26 17:27:40 scdaemon[41206] DBG: leave: apdu_connect => sw=0x0
2021-10-26 17:27:40 scdaemon[41206] DBG: send apdu: c=00 i=A4 p1=00 p2=0C lc=2 le=-1 em=0
2021-10-26 17:27:40 scdaemon[41206] DBG:   PCSC_data: 00 A4 00 0C 02 3F 00
2021-10-26 17:27:40 scdaemon[41206] DBG:  response: sw=9000  datalen=0
...

Ledger Nano X GPG App 1.4.4

2021-10-26 17:26:09 scdaemon[38976] listening on socket '/Users/juan/.gnupg/S.scdaemon'
2021-10-26 17:26:09 scdaemon[38976] handler for fd -1 started
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 <- GETINFO socket_name
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 -> D /Users/juan/.gnupg/S.scdaemon
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 -> OK
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 <- OPTION event-signal=31
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 -> OK
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 <- GETINFO version
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 -> D 2.2.27
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 -> OK
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 <- SERIALNO
2021-10-26 17:26:09 scdaemon[38976] DBG: enter: apdu_open_reader: portstr=(null)
2021-10-26 17:26:09 scdaemon[38976] detected reader 'Ledger Nano X'
2021-10-26 17:26:09 scdaemon[38976] detected reader ''
2021-10-26 17:26:09 scdaemon[38976] reader slot 0: not connected
2021-10-26 17:26:09 scdaemon[38976] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
2021-10-26 17:26:09 scdaemon[38976] DBG: enter: apdu_connect: slot=0
2021-10-26 17:26:09 scdaemon[38976] reader slot 0: not connected
2021-10-26 17:26:09 scdaemon[38976] DBG: leave: apdu_connect => sw=0x10008
2021-10-26 17:26:09 scdaemon[38976] DBG: enter: apdu_close_reader: slot=0
2021-10-26 17:26:09 scdaemon[38976] DBG: enter: apdu_disconnect: slot=0
2021-10-26 17:26:09 scdaemon[38976] DBG: leave: apdu_disconnect => sw=0x0
2021-10-26 17:26:09 scdaemon[38976] DBG: leave: apdu_close_reader => 0x0 (close_reader)
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 -> ERR 100696144 Operation not supported by device <SCD>
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 <- RESTART
2021-10-26 17:26:09 scdaemon[38976] DBG: chan_7 -> OK
2021-10-26 17:26:51 scdaemon[38976] DBG: chan_7 <- killscd
2021-10-26 17:26:51 scdaemon[38976] DBG: chan_7 -> OK closing connection

This is my scdaemon.conf

$ cat scdaemon.conf
allow-admin
disable-ccid
log-file /Users/juan/tmp/scdeamon.log
debug-level guru
debug-all

I don't think the problem comes from Mac OS, because it was working fine this morning; it is just after the firmware upgrade that it stopped working.

Any ideas? CC @cslashm

bereska commented 3 years ago

my Nano X App 1.4.4 stopped working on Ubuntu 20.04 after firmware 2.0.2 upgrade

afh commented 2 years ago

Quick update that the Ledger Nano S (Firmware Version 2.1.0) with openpgp-card-app (OpenPGP.XL 1.4.40) is now detected by GnuPG using macOS Monterey (12.2.1 21D62), GnuPG 2.3.4 (libgcrypt 1.9.4) and CCID 1.4.3. 🎉

bereska commented 2 years ago

@afh same here with Nano X. Are you able to encrypt/decrypt with your Nano S?

afh commented 2 years ago

Thanks for asking @bereska and making sure I double check the functionality; I assumed "it just works"™ and it seems there are more obstacles to overcome.

TL;DR: Moving the encryption subkey to the card does not create a shadowed private key, i.e. key is on the card, but also still available on disk. Any help in keeping the key on the card, but "removing" it, that is making it a shadowed private key, is greatly appreciated!

⚠️ NOTA BENE: I'm currently using a dedicated Ledger Nano S and the OpenPGP.XL application on it ONLY for testing purposes. In case you follow any of my steps or commands you are at risk of irreversibly losing your private key and access to any data that may have been encrypted with it!

Here is what I've done:

NOTA BENE how the subkey listing on the last line is missing the > after the ssb tag that would indicate that the key is stored on a smartcard. This does not seem right. Surely encrypting and decrypting data works, but regardless of whether the Ledger Nano S is connected or not.

@cslashm any ideas of what might be going wrong and how to possibly fix this?

bereska commented 2 years ago

@afh I wish I could help but I am just not as knowledgeable as you are with GnuPG. But I hope you can help me with my problem. The card is detected and I can edit the card and the keys but I can't encrypt/decrypt:

```
MacBook-Air-DG-4007:~ bereska$ gpg --card-status
Reader ...........: Ledger Nano X
Application ID ...: D2760001240103032C97A0CC32160000
Application type .: OpenPGP
Version ..........: 3.3
Manufacturer .....: unknown
Serial number ....: A0CC3216
Name of cardholder: Dmitry Gudkov
Language prefs ...: [not set]
Salutation .......: Mr.
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 12 12 12
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: 1E86 6FB2 8C4D 9016 F779  4905 9498 E11F 82E6 5E2B
      created ....: 2020-08-11 22:15:59
Encryption key....: 643B 4EAF 8ED7 9899 8593  DA73 4EA4 0FF7 1348 31D0
      created ....: 2020-08-11 22:15:59
Authentication key: 0279 99A2 0605 DBFD AF15  5063 3D38 98D1 D1D2 0F38
      created ....: 2020-08-11 22:15:59
General key info..: pub  ed25519/9498E11F82E65E2B 2020-08-11 Dmitry Gudkov <admin@parustrans.ru>
sec#  ed25519/9498E11F82E65E2B  created: 2020-08-11  expires: never
ssb#  ed25519/3D3898D1D1D20F38  created: 2020-08-11  expires: never
ssb#  cv25519/4EA40FF7134831D0  created: 2020-08-11  expires: never
MacBook-Air-DG-4007:~ bereska$ gpg --list-secret-keys admin@parustrans
gpg: error reading key: No secret key
```

afh commented 2 years ago

@bereska It seems that the secret keys on the smartcard are not in your GnuPG keyring. The `#` after the key tags (`sec`, `ssb`) indicates that the keys are "offline", which means "that secret key or subkey is currently not usable" (gpg(1)).

This can happen when the smartcard is used on a different computer or with a different user account that hasn't been set up with the secret keys from the smartcard.

In order to use keys on a smartcard on a different computer or with another user account, use the original computer or user account that was used to create the secret keys or move them to the smartcard. From there run `gpg --export-secret-subkeys --output exported-subkeys`, or if you also need / want to include the primary key use `gpg --export-keys --output exported-keys`. Then, on the computer or the user account where you also want to use the keys on the smart card, do `gpg --import exported-subkeys` or `gpg --import exported-keys`, then check if `gpg -K` lists the secret (sub)keys and you are able to decrypt your data. For good measure be sure to remove the exported keys (`rm -f exported-subkeys exported-keys`) when you're done.

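To make the three key states discussed in this thread checkable (no marker after `sec`/`ssb`, `>` followed by a `card-no` line, or `#`), here is an added example that is not code from the thread or from the app-openpgp project: a small Python parser over `gpg -K` style listings that flags subkeys whose private material is still on disk or that have no usable card stub. The key ids in the constructed sample are taken from the listings above; the `check_shadowed` helper and its messages are my own.

```python
import re
from dataclasses import dataclass

# Suffix GnuPG prints after sec/ssb: '' material on disk, '>' stub for a
# smartcard (a card-no line follows), '#' secret key not usable/offline.
KEY_LINE = re.compile(r"^\s*(sec|ssb)([>#]?)\s+(\S+)/([0-9A-F]{16})\b")
CARD_LINE = re.compile(r"^\s*card-no:\s*([0-9A-F]{4})\s+([0-9A-F]+)")
STATUS = {"": "on_disk", ">": "on_card", "#": "offline"}

@dataclass
class SecretKey:
    tag: str       # 'sec' or 'ssb'
    algo: str
    keyid: str
    status: str    # 'on_disk', 'on_card' or 'offline'
    card_no: str = ""  # 'VVVV SERIAL' once a card-no line is seen

def parse_listing(text):
    """Extract secret (sub)keys and their storage status from a gpg listing."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            tag, mark, algo, keyid = m.groups()
            keys.append(SecretKey(tag, algo, keyid, STATUS[mark]))
            continue
        m = CARD_LINE.match(line)
        if m and keys and keys[-1].status == "on_card":
            keys[-1].card_no = f"{m.group(1)} {m.group(2)}"
    return keys

def check_shadowed(keys, serial):
    """Map key id -> problem for each key not properly shadowed onto card `serial`."""
    problems = {}
    for k in keys:
        if k.status == "on_disk":
            problems[k.keyid] = "private key material still on disk"
        elif k.status == "offline":
            problems[k.keyid] = "no card stub; import the exported (sub)keys"
        elif not k.card_no.endswith(serial):
            problems[k.keyid] = f"stub points at {k.card_no!r}, expected {serial}"
    return problems

# Constructed sample (key ids from the thread): primary key is a proper card
# stub, cv25519 subkey was left on disk (the missing '>'), ed25519 is offline.
LISTING_BAD = """\
sec>  ed25519/9498E11F82E65E2B created: 2020-08-11 expires: never
      card-no: 2C97 A0CC3216
ssb   cv25519/4EA40FF7134831D0 created: 2020-08-11 expires: never
ssb#  ed25519/3D3898D1D1D20F38 created: 2020-08-11 expires: never
"""
```

Run `check_shadowed(parse_listing(open("listing.txt").read()), "A0CC3216")` on saved `gpg -K` output; an empty result means every secret key is a stub pointing at that card serial.
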
bereska commented 2 years ago

@afh thank you very much. I tried to import exported-secret-keys but no dice. Strangely I noticed that decryption also fails on the original machine:

```
bereska@ubuntuVM:~$ gpg -esa -r admin@parustrans test_nanox
File 'test_nanox.asc' exists. Overwrite? (y/N) y
bereska@ubuntuVM:~$ gpg -d test_nanox.asc
gpg: encrypted with 256-bit ECDH key, ID 4EA40FF7134831D0, created 2020-08-11
      "Dmitry Gudkov <admin@parustrans.ru>"
gpg: public key decryption failed: Card error
gpg: decryption failed: No secret key
bereska@ubuntuVM:~$ gpg --card-status
Reader ...........: Ledger Token [Nano X] (0001) 00 00
Application ID ...: D2760001240103032C97A0CC32160000
Application type .: OpenPGP
Version ..........: 3.3
Manufacturer .....: unknown
Serial number ....: A0CC3216
Name of cardholder: Dmitry Gudkov
Language prefs ...: [not set]
Salutation .......: Mr.
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 12 12 12
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: 1E86 6FB2 8C4D 9016 F779 4905 9498 E11F 82E6 5E2B
      created ....: 2020-08-11 22:15:59
Encryption key....: 643B 4EAF 8ED7 9899 8593 DA73 4EA4 0FF7 1348 31D0
      created ....: 2020-08-11 22:15:59
Authentication key: 0279 99A2 0605 DBFD AF15 5063 3D38 98D1 D1D2 0F38
      created ....: 2020-08-11 22:15:59
General key info..: pub  ed25519/9498E11F82E65E2B 2020-08-11 Dmitry Gudkov <admin@parustrans.ru>
sec>  ed25519/9498E11F82E65E2B  created: 2020-08-11  expires: never
                                card-no: 2C97 A0CC3216
ssb>  ed25519/3D3898D1D1D20F38  created: 2020-08-11  expires: never
                                card-no: 2C97 A0CC3216
ssb>  cv25519/4EA40FF7134831D0  created: 2020-08-11  expires: never
                                card-no: 2C97 A0CC3216
```

juan-sebastian commented 2 years ago

Following up on this issue, which I have also written about in #71.

I just updated the CCID driver to the latest version, 1.5.0. Sadly the results are the same. I am pretty confident to say that the problem is no longer in the ledger firmware or the OpenPGP.XL app but in the python tool, whose last commit by the way is from 2 years ago (15 January 2020). Here below you will find the steps I took:

First I took my ledger nano S with firmware 1.6.1 and OpenPGP.XL app 1.4.3 and performed a backup of my keys:

```
$ python3 -m gpgcard.gpgcli --backup --pinpad --backup-keys --file gpg-key.pickle

GPG Ledger Admin Tool v0.1.
Copyright 2018 Cedric Mesnil <cslashm@gmail.com>, Ledger SAS

Connect to card pcsc:Ledger...OK
Verfify PINs...OK
Select slot 1...OK
Get card info...OK
Backup application...OK
```

Then I took my ledger nano X with firmware 2.0.2 and OpenPGP.XL app 1.4.4 and tried to restore the keys there:

```
$ python3 -m gpgcard.gpgcli --restore --pinpad --file gpg-key.pickle

GPG Ledger Admin Tool v0.1.
Copyright 2018 Cedric Mesnil <cslashm@gmail.com>, Ledger SAS

Connect to card pcsc:Ledger...OK
Verfify PINs...OK
Select slot 1...OK
Get card info...OK
Restore application...Error:
  (b'0000ff88', '6f42')
```

I think there is not much to be done to make it work. Sadly I don't have any knowledge of GPG protocols to take this into my own hands, and also because cslashm is not working with Ledger anymore, I have no idea to whom we should address this issue.

PS: my keys are ed25519 cv25519 ed25519

monperrus commented 1 year ago

FTR, cannot connect to Ledger Nano SP on Debian/Linux:

```
Bus 001 Device 036: ID 2c97:0005 Ledger Nano SP
  idVendor           0x2c97 Ledger
  iManufacturer           1 Ledger
```

Tried hard with pcscd and pcsc_scan but failed.

```
$ pcscd --version
pcsc-lite version 1.9.5.
```

Seems related to low-level CCID issues.

cedelavergne-ledger commented 8 months ago

Hi, the app has been refactored and updated to v2, still in the develop branch. Please note also a change in the USB IDs (meaning the IDs used by CCID need to be changed). Please check the App and the documentation. No issue on my side detecting the Ledger devices.