NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Yubikey not recognised by gpg #349249

Open itepastra opened 5 days ago

itepastra commented 5 days ago

Describe the bug

I keep getting the "insert smart-card with id ..." popup even though the smartcard is inserted when I try to sign a git commit.

Steps To Reproduce

Steps to reproduce the behavior:

  1. have a system on commit 4601c63145f2 or later with git signing enabled
  2. try to make a commit
  3. the popup keeps coming with "insert card with id"

Expected behavior

The inserted smartcard is recognised and can be used to sign the commit.

Additional context

I've bisected the error to start on commit 4601c63145f2. I don't know what changed in ccid, but it broke something.

Notify maintainers

@anthonyroussel

Metadata

> nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.11.3, NixOS, 24.11 (Vicuna), 24.11.20241016.4601c63`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.24.9`
 - channels(root): `"nixos-23.11"`
 - nixpkgs: `/nix/store/cz0kv05l66k9af2facij0gfk1zy3lnyy-source`


foolnotion commented 4 days ago

I had the same issue and the solution was to remove the disable-ccid configuration option for scdaemon.

NovaViper commented 4 days ago

@foolnotion Oddly enough, I had to completely delete the scdaemon.conf file off my system (managed via home-manager), and I had the following options set for it

  programs.gpg.scdaemonSettings = {
    reader-port = "Yubico Yubi";
    disable-ccid = true;
  };

foolnotion commented 4 days ago

> @foolnotion Oddly enough, I had to completely delete the scdaemon.conf file off my system (managed via home-manager), and I had the following options set for it
>
>   programs.gpg.scdaemonSettings = {
>     reader-port = "Yubico Yubi";
>     disable-ccid = true;
>   };

I also manage it via home-manager and scdaemon.conf is now just an empty file. But I think this solution breaks other things - for instance linux login.

xokdvium commented 2 days ago

I've run into the same issue. Removing the scdaemonSettings has worked around the issue and all seems well. Diff between system closures when I started seeing this:

   • The input derivation named `pcscd-plugins` differs
        - /nix/store/14j12xd7sdwrf9506q16gp1x74p6r5im-pcscd-plugins.drv:{out}
        + /nix/store/3fz2c9qj993326v4ix2cx6dy2jd1gxsb-pcscd-plugins.drv:{out}
        • The set of input derivation names do not match:
            - ccid-1.5.5
            + ccid-1.6.1
        • The environments do not match:
            pkgs=''
            [{"paths":["/nix/store/4ycv20fvy5gpd47fcm0gqscddln9iadd-ccid-1.5.5/pcsc/drivers"],"priority":5}][{"paths":["/nix/store/nnjwyzgf337zsb2gawqi8hdf0qpq1gxn-ccid-1.6.1/pcsc/drivers"],"priority":5}]

Looks like this update https://github.com/NixOS/nixpkgs/pull/347900 has something to do with this. I'm not sure if this is a regression even? IIRC setting disable-ccid was itself a workaround for some gpg update.

9p4 commented 2 days ago

Downgrading CCID to 1.5.5 fixes the issue.

oluceps commented 2 days ago

Yubikey PIV also seems affected. Works after downgrading.

colemickens commented 2 days ago

Well, this was sure disappointing after just having switched back to using pcscd + disable-ccid.

I opened an issue on CCID to try to get to the bottom of this, because, the workaround is easy, but I'd like to at least be able to pretend I understand what's going on: https://github.com/LudovicRousseau/CCID/issues/146

FliegendeWurst commented 1 day ago

Hey everyone, please check out PR #350153 for a potential fix.

YaroKasear commented 1 day ago

For gpg I was able to fix this by forcing gpg to use pcscd explicitly:

  scdaemonSettings = {
    # disable-ccid = true;
    log-file = "/tmp/scdaemon-yaro.log";
    pcsc-driver = "${pkgs.ccid}/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so";
  };

For ykman/Authenticator, oath is still broken. I was able to catch this by running pcscd directly in debug mode (emphasis added):

00000000 ../src/debuglog.c:392:DebugLogSetLevel() debug level=debug
00000026 ../src/utils.c:82:GetDaemonPid() Can't open /run/pcscd/pcscd.pid: No such file or directory
00000085 ../src/configfile.l:365:DBGetReaderList() Parsing conf file: /etc/reader.conf.d
00000007 ../src/pcscdaemon.c:669:main() pcsc-lite 2.2.3 daemon ready.
00000055 ../src/pcscdaemon.c:752:main() Using drivers directory: /var/lib/pcsc/drivers
00005775 ../src/hotplug_libudev.c:122:HPReadBundleValues() Cannot open PC/SC drivers directory: /var/lib/pcsc/drivers
00000008 ../src/hotplug_libudev.c:123:HPReadBundleValues() Disabling USB support for pcscd.
00000003 ../src/hotplug_libudev.c:725:HPRegisterForHotplugEvents() No bundle files in pcsc drivers directory: /var/lib/pcsc/drivers
00000004 ../src/hotplug_libudev.c:727:HPRegisterForHotplugEvents() Disabling USB support for pcscd
13973982 ../src/winscard_msg_srv.c:253:ProcessEventsServer() Common channel packet arrival
00000026 ../src/winscard_msg_srv.c:264:ProcessEventsServer() ProcessCommonChannelRequest detects: 6
00000004 ../src/pcscdaemon.c:130:SVCServiceRunLoop() A new context thread creation is requested: 6
00010433 ../src/winscard_svc.c:360:ContextThread() Authorized PC/SC client
00000007 ../src/winscard_svc.c:363:ContextThread() Thread is started: dwClientID=6, threadContext @0x1e734a70
00000008 ../src/winscard_svc.c:381:ContextThread() Received command: CMD_VERSION from client 6
00000005 ../src/winscard_svc.c:393:ContextThread() Client is protocol version 4:4
00000002 ../src/winscard_svc.c:416:ContextThread() CMD_VERSION for client 6, rv=SCARD_S_SUCCESS
00000044 ../src/winscard_svc.c:381:ContextThread() Received command: ESTABLISH_CONTEXT from client 6
00000009 ../src/winscard.c:210:SCardEstablishContext() Establishing Context: 0x51E04136
00000004 ../src/winscard_svc.c:485:ContextThread() ESTABLISH_CONTEXT for client 6, rv=SCARD_S_SUCCESS
00000086 ../src/winscard_svc.c:381:ContextThread() Received command: CMD_GET_READERS_STATE from client 6
00105021 ../src/winscard_svc.c:381:ContextThread() Received command: CMD_GET_READERS_STATE from client 6
00026818 ../src/winscard_svc.c:374:ContextThread() Client die: 6
00000028 ../src/winscard.c:224:SCardReleaseContext() Releasing Context: 0x51E04136
00000005 ../src/winscard_svc.c:1096:MSGCleanupClient() Thread is stopping: dwClientID=6, threadContext @0x1e734a70
00000003 ../src/winscard_svc.c:1104:MSGCleanupClient() Freeing SCONTEXT @0x1e734a70
99999999 ../src/pcscdaemon.c:190:signal_thread() Received signal: 2
00000013 ../src/pcscdaemon.c:224:signal_thread() Preparing for suicide
01001032 ../src/winscard_svc.c:157:ContextsDeinitialize() remaining threads: 0
00000010 ../src/readerfactory.c:1376:RFCleanupReaders() entering cleaning function
00000005 ../src/pcscdaemon.c:807:at_exit() cleaning /run/pcscd

It looks like it's looking for a driver in a path that doesn't exist, fails, then disables its USB support, which might be why it's stopped working properly. I hope this helps.

ShadowRZ commented 1 day ago

@YaroKasear pcscd in NixOS, when run properly, doesn't use the PC/SC drivers in /var/lib/pcsc/drivers; instead, the NixOS module specifies a Nix store path for pcscd to discover drivers:

https://github.com/NixOS/nixpkgs/blob/4a5e52829b6af98db554581170524095844daa35/nixos/modules/services/hardware/pcscd.nix#L61

This path can be found in the file /etc/systemd/system/pcscd.service.d/overrides.conf in NixOS (in the environment variable PCSCLITE_HP_DROPDIR). In my case, however, that path is empty. Normally it should contain the CCID driver for pcscd. That issue is #350129.

The reason that disable-ccid would be removed is that, per the manual, disable-ccid asks GnuPG to use the PC/SC driver instead of the builtin CCID driver. Due to the above issue (the CCID drivers directory for pcscd is lacking pkgs.ccid), it won't work currently.
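The two comments above describe one failure mode from two sides: the pcscd debug log shows it failing to open its drivers directory and disabling USB support, and the NixOS override file names the directory (PCSCLITE_HP_DROPDIR) that should hold the CCID bundle but is empty. The script below is an added diagnostic written for this thread; it is not code from nixpkgs, pcsc-lite or GnuPG. It assumes the override renders the variable as a line containing `PCSCLITE_HP_DROPDIR=<path>` (the thread names only the file, not its exact contents) and that a usable driver is a `<name>.bundle` directory with a `Contents/Info.plist` inside the drop directory (the thread shows the `ifd-ccid.bundle/Contents/Linux/libccid.so` layout). The fixtures it builds in a temp directory are constructed; the log lines are copied from YaroKasear's paste.

```shell
#!/bin/sh
# Added diagnostic for the pcscd drop-directory problem discussed in the thread.
# Not project code. Assumptions: the systemd override contains a line with
# PCSCLITE_HP_DROPDIR=<path>, and a driver bundle is <name>.bundle/Contents/Info.plist.

# Extract the drop directory pcscd was told to scan from an override file.
# Prints nothing when the variable is not set.
pcscd_dropdir() {
  sed -n 's/.*PCSCLITE_HP_DROPDIR=\([^"[:space:]]*\).*/\1/p' "$1" 2>/dev/null | head -n 1
}

# Succeed if at least one driver bundle with an Info.plist lives in "$1".
# An empty pcscd-plugins directory (the state in #350129) makes this fail.
dropdir_has_ccid() {
  for plist in "$1"/*.bundle/Contents/Info.plist; do
    [ -f "$plist" ] && return 0
  done
  return 1
}

# Classify a pcscd debug log: "usb-disabled" when pcscd could not open its
# drivers directory and turned USB hotplug off (the signature in the thread),
# "ok" otherwise.
classify_pcscd_log() {
  if grep -q 'Cannot open PC/SC drivers directory' "$1" &&
     grep -q 'Disabling USB support' "$1"; then
    echo usb-disabled
  else
    echo ok
  fi
}

# One verdict string for the override file "$1":
#   no-dropdir-configured | dropdir-missing-ccid:<dir> | dropdir-ok:<dir>
diagnose_dropdir() {
  dropdir=$(pcscd_dropdir "$1")
  if [ -z "$dropdir" ]; then
    echo no-dropdir-configured
  elif dropdir_has_ccid "$dropdir"; then
    echo "dropdir-ok:$dropdir"
  else
    echo "dropdir-missing-ccid:$dropdir"
  fi
}

# Offline demo on constructed fixtures: an override pointing at an empty
# drop directory, plus two of the pcscd debug lines posted in the thread.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/empty-drivers"
  printf '[Service]\nEnvironment="PCSCLITE_HP_DROPDIR=%s"\n' "$tmp/empty-drivers" > "$tmp/overrides.conf"
  cat > "$tmp/pcscd.log" <<'EOF'
00005775 ../src/hotplug_libudev.c:122:HPReadBundleValues() Cannot open PC/SC drivers directory: /var/lib/pcsc/drivers
00000008 ../src/hotplug_libudev.c:123:HPReadBundleValues() Disabling USB support for pcscd.
EOF
  echo "drop dir verdict: $(diagnose_dropdir "$tmp/overrides.conf")"
  echo "log verdict:      $(classify_pcscd_log "$tmp/pcscd.log")"
  rm -rf "$tmp"
}

# With an argument, diagnose that override file on the real system;
# without one, run the constructed demo.
if [ $# -ge 1 ]; then
  diagnose_dropdir "$1"
else
  demo
fi
```

On a NixOS host, run it as `sh pcscd-check.sh /etc/systemd/system/pcscd.service.d/overrides.conf`; a `dropdir-missing-ccid:` verdict means the store path pcscd scans contains no bundle, which matches the empty pcscd-plugins directory ShadowRZ describes, and a log captured from `pcscd --foreground --debug` can be fed to `classify_pcscd_log` to confirm the same state from pcscd's side.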