NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

PGP is broken for yubikey #233638

Closed makuru-dd closed 2 days ago

makuru-dd commented 1 year ago

Describe the bug

I use my yubikey and `gpg --card-status` can't read it, because pkgs.iccs is broken and can't be read, see error log.

Steps To Reproduce

Steps to reproduce the behavior:

```nix
programs.gnupg.agent = {
  enable = true;
  enableSSHSupport = true;
};
```

  1. rebuild ....
  2. Profit

Expected behavior

```
# gpg --card-status
Reader ...........:  [REDACTED]
Application ID ...: [REDACTED]
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....:  [REDACTED]
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
```

Additional context

```
May 23 17:19:05 nixos systemd[3299]: Started GnuPG cryptographic agent and passphrase cache.
May 23 17:19:05 nixos gpg-agent[5080]: gpg-agent[5080]: WARNING: "--supervised" is a deprecated option
May 23 17:19:05 nixos gpg-agent[5080]: gpg-agent (GnuPG) 2.3.7 starting in supervised mode.
May 23 17:19:05 nixos gpg-agent[5080]: using fd 3 for std socket (/run/user/1000/gnupg/S.gpg-agent)
May 23 17:19:05 nixos gpg-agent[5080]: listening on: std=3 extra=-1 browser=-1 ssh=-1
May 23 17:19:05 nixos gpg-agent[5082]: scdaemon[5082]: ccid open error: skip
May 23 17:19:14 nixos gpg-agent[5082]: scdaemon[5082]: ccid open error: skip
```

Metadata

 - system: `"x86_64-linux"`
 - host os: `Linux 5.15.112, NixOS, 22.11 (Raccoon), 22.11.4303.b0671cbf1e5`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.11.1`
 - channels(root): `"nixos-22.11"`
 - channels(testuser): `""`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

colemickens commented 1 year ago

My current gpg setup uses pcscd and I have disableCcid set for programs.gpg.scdaemonSettings. This, I think, became necessary in gpg 2.3.

makuru-dd commented 1 year ago

What solved it for me is changing the ccid driver to yubikey neo with the `services.pcscd.plugins = [ pkgs.libykneomgr ];` setting.
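The two workarounds in this thread combined into one NixOS configuration, as an added example that is not from the issue or from nixpkgs: the reporter's gpg-agent setup stays, pcscd is started with the Yubikey NEO plugin, and scdaemon is told not to open the card through its built-in CCID driver (the `ccid open error: skip` lines in the journal), so it uses pcscd instead. The scdaemon part assumes home-manager's `programs.gpg.scdaemonSettings` option (the comment above calls it `disableCcid`; the underlying scdaemon.conf keyword is `disable-ccid`) and a placeholder user name `alice`.

```nix
# NixOS module fragment (added example, not from the issue). Assumes the
# NixOS options shown in the thread and, for the per-user scdaemon.conf,
# home-manager's NixOS module with its programs.gpg.scdaemonSettings option.
{ config, pkgs, ... }:

{
  # Original setup from the report: gpg-agent with SSH support.
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };

  # Workaround from makuru-dd: run pcscd with the Yubikey NEO plugin so the
  # card is reached through PC/SC rather than gpg's internal CCID driver.
  services.pcscd = {
    enable = true;
    plugins = [ pkgs.libykneomgr ];
  };

  # Workaround from colemickens: scdaemon must not try to claim the USB
  # device itself while pcscd owns it; disable-ccid makes it go straight to
  # pcscd. scdaemon.conf is per user, hence home-manager.
  home-manager.users.alice = {  # "alice" is a placeholder user name
    programs.gpg = {
      enable = true;
      scdaemonSettings = {
        disable-ccid = true;
      };
    };
  };
}
```

After `nixos-rebuild switch`, the `scdaemon: ccid open error: skip` lines should no longer appear in the user journal and `gpg --card-status` should print the Reader and Application ID fields shown in the expected output above.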

SuperSandro2000 commented 1 year ago

see #238474

Frontear commented 6 days ago

Is this still reproducible? gpg w/ yubikey works ootb for me