NixOS / nixpkgs

Nix Packages collection & NixOS

pcscd NOT authorized for action: access_pcsc #290926

Open YaroKasear opened 9 months ago

YaroKasear commented 9 months ago

Describe the bug

Since updating nixpkgs-unstable this morning my Yubikey stopped working again with gpg.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Try to use anything using a smartcard with gpg (In my case a Yubikey.)

Expected behavior

Being asked for my PIN and unlocking things using pcscd gpg-agent stuff.

Additional context

It keeps asking me to insert my Yubikey despite being present.

Running gpg --card-status returns the following:

gpg: selecting card failed: Service is not running
gpg: OpenPGP card not available: Service is not running

Checking the status for pcscd gives me:

○ pcscd.service - PC/SC Smart Card Daemon
     Loaded: loaded (/etc/systemd/system/pcscd.service; linked; preset: enabled)
    Drop-In: /nix/store/6npwg6586svdyf1p4fdz8as91859kp34-system-units/pcscd.service.d
             └─overrides.conf
     Active: inactive (dead) since Fri 2024-02-23 10:31:13 CST; 27s ago
   Duration: 1min 16.442s
TriggeredBy: ● pcscd.socket
       Docs: man:pcscd(8)
    Process: 6102 ExecStart=/nix/store/pkw8q8vf74c2mlj3ir51aafqjmz5q7ia-pcsclite-with-polkit-2.0.1/bin/pcscd -f -x -c /nix/store/38wcpbh4yss3vh35vrazm1wbns0vld61-reader.conf (code=exited, status=0/SUCCESS)
   Main PID: 6102 (code=exited, status=0/SUCCESS)
         IP: 0B in, 0B out
        CPU: 71ms

Feb 23 10:29:57 loki systemd[1]: Started PC/SC Smart Card Daemon.
Feb 23 10:29:57 loki pcscd[6102]: 00000000 auth.c:143:IsClientAuthorized() Process 4574 (user: 1000) is NOT authorized for action: access_pcsc
Feb 23 10:29:57 loki pcscd[6102]: 00000081 winscard_svc.c:355:ContextThread() Rejected unauthorized PC/SC client
Feb 23 10:30:09 loki pcscd[6102]: 12486287 ccid_usb.c:1663:InterruptStop() libusb_cancel_transfer failed: LIBUSB_ERROR_NO_DEVICE
Feb 23 10:30:12 loki pcscd[6102]: 02394614 auth.c:143:IsClientAuthorized() Process 4574 (user: 1000) is NOT authorized for action: access_pcsc
Feb 23 10:30:12 loki pcscd[6102]: 00000057 winscard_svc.c:355:ContextThread() Rejected unauthorized PC/SC client
Feb 23 10:31:13 loki systemd[1]: pcscd.service: Deactivated successfully.

Most telling here is the "NOT authorized for action" part. This looks like an issue that might have been resolved in nixpkgs previously.

https://github.com/NixOS/nixpkgs/issues/280826

I didn't see anything about PolicyKit, though, so not sure this is the same issue.

Notify maintainers

@anthonyroussel

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

 - system: `"x86_64-linux"`
 - host os: `Linux 6.6.17, NixOS, 24.05 (Uakari), 24.05.20240222.98b00b6`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.1`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`


montchr commented 7 months ago

I just ran into this issue for the first time today after updating nixos-unstable. The last time I updated was a couple weeks ago, which is strange considering this issue was reported in February.

@YaroKasear did you ever end up finding a resolution or workaround for this?

Edit: For context, I am running GNOME Desktop.

Edit 2: Here's what I get when I try to sign a commit with pinentry-gnome3:

May 05 18:49:02 tuvok gpg-agent[8519]: failed to read the secret key
May 05 18:49:02 tuvok gpg-agent[8519]: command 'PKSIGN' failed: Operation cancelled <Pinentry>
May 05 18:49:06 tuvok gpg-agent[8521]: scdaemon[8521]: pcsc_establish_context failed: internal error (0x80100001)
May 05 18:49:06 tuvok syncthing[2068]: [NZ7H6] INFO: Sent usage report (version 3)
May 05 18:49:07 tuvok gpg-agent[8521]: scdaemon[8521]: pcsc_establish_context failed: internal error (0x80100001)
May 05 18:49:08 tuvok gpg-agent[8521]: scdaemon[8521]: pcsc_establish_context failed: internal error (0x80100001)
May 05 18:49:10 tuvok gpg-agent[8521]: scdaemon[8521]: pcsc_establish_context failed: internal error (0x80100001)
May 05 18:49:11 tuvok gpg-agent[8519]: failed to read the secret key
May 05 18:49:11 tuvok gpg-agent[8519]: command 'PKSIGN' failed: Operation cancelled <Pinentry>

korrat commented 7 months ago

After upgrading yesterday, I had the same issue as @montchr. I believe this is a different issue than @YaroKasear's.

Some symptoms:

Rolling back my flake updates fixed the issue. After checking my lock file, it seems that the issue has been introduced some time after commit 63c3a29ca82437c87573e4c6919b09a24ea61b0f.

noxxious commented 7 months ago

This should be fixed by #308884

FlorianFranzen commented 6 months ago

The fix is still in staging next, so if you cannot wait that long and are willing to rebuild quite a few packages, this overlay should work:

final: prev: {
  pcsclite = prev.pcsclite.overrideAttrs (old: {
    postPatch = ''
      substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
        --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
    '';
  });
}

Izumemori commented 2 months ago

I was also running into the same problem with the latest unstable. It seems like there were no polkit rules for pcsc-lite at /run/current-system/sw/share/polkit-1/rules.d/. Adding these, albeit very liberal, rules resolved the issue for me.

security.polkit.extraConfig = ''
  polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card") {
      return polkit.Result.YES;
    }
  });

  polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc") {
      return polkit.Result.YES;
    }
  });
'';
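
A narrower variant of the rules in the comment above, as an added example that is not part of the thread or of nixpkgs: it answers YES for the two pcsc-lite actions only when the caller is in a dedicated group, and logs every other request. The group name `scard` and the account name `alice` are assumptions.

```nix
{ ... }:
{
  # Hypothetical group that gates smart-card access (name is an assumption).
  users.groups.scard = { };

  # "alice" is a placeholder; this merges with the account's existing definition.
  users.users.alice.extraGroups = [ "scard" ];

  security.polkit.extraConfig = ''
    polkit.addRule(function(action, subject) {
      // The two pcsc-lite action ids named in this thread.
      var pcscActions = [
        "org.debian.pcsc-lite.access_pcsc",
        "org.debian.pcsc-lite.access_card"
      ];
      if (pcscActions.indexOf(action.id) === -1) {
        return polkit.Result.NOT_HANDLED;
      }

      // Grant access only to members of the dedicated group.
      // Also requiring subject.local && subject.active would limit this to
      // the active local session and exclude remote logins.
      if (subject.isInGroup("scard")) {
        return polkit.Result.YES;
      }

      // Leave the decision to other rules and the action's defaults, but
      // record who asked so a rejection can be traced in the polkit log.
      polkit.log("pcsc-lite: no rule match for " + action.id +
                 " requested by user " + subject.user);
      return polkit.Result.NOT_HANDLED;
    });
  '';
}
```
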

fansari commented 3 days ago

I don't know whether this is related (I use Fedora) but today I wanted to use gpg with Yubikey and "gpg2 --card-status" did not find a smart card although the Yubikey was plugged and visible with "lsusb". A reboot of my PC did not fix it.

I found these lines with "systemctl status pcscd" and restarted the daemon. After this the card was found.

Nov 30 15:08:01 bat.localdomain systemd[1]: Started pcscd.service - PC/SC Smart Card Daemon.
Nov 30 15:08:01 bat.localdomain (pcscd)[2481]: pcscd.service: Referenced but unset environment variable evaluates to an empty string: PCSCD_ARGS
Nov 30 15:08:23 bat.localdomain pcscd[2481]: 00000000 ../src/auth.c:145:IsClientAuthorized() Process 2605 (user: 987) is NOT authorized for action: access_pcsc
Nov 30 15:08:23 bat.localdomain pcscd[2481]: 00000096 ../src/winscard_svc.c:357:ContextThread() Rejected unauthorized PC/SC client

This means I have to restart this daemon first before I can use gpg with Yubikey.

OS: Fedora 41 Silverblue version: pcsc-lite-2.3.0-1.fc41.x86_64