Yubico / yubikey-manager-qt

Cross-platform application for configuring any YubiKey over all USB interfaces.
https://developers.yubico.com/yubikey-manager-qt/
BSD 2-Clause "Simplified" License
237 stars 29 forks source link

YubiKey Manager doesn't recognise YubiKey(s) #320

Open apburgess opened 2 years ago

apburgess commented 2 years ago

Steps to reproduce

Launch the app.

Expected result

Being able to interact with software to configure the keys.

Actual results

After launching the app, it just displays the "Insert your YubiKey" screen and doesn't recognise either of the keys.

Other info

ykman (CLI) 4.0.8 installed from MacPorts can see the keys and work with them. I can see this in the console app (but don't know if it's relevant): default 15:15:46.456978+0100 kernel AMFI: constraint violation /private/var/folders/tr/jlgtdj9x2x5_72n5dlfx1h_r0000gn/T/AppTranslocation/6A5D5AC5-D643-4178-918D-933D108CEDD2/d/YubiKey Manager.app/Contents/Frameworks/Python.framework/Versions/3.9/lib/python3.9/lib-dynload/_blake2.cpython-39-darwin.so has entitlements but is not a main binary

fdennis commented 2 years ago

Hey, Could you launch through the terminal with the --log-level DEBUG flag at the end? It should give more information.

apburgess commented 2 years ago

Launched with /Applications/YubiKey\ Manager.app/Contents/MacOS/ykman-gui --log-level DEBUG and got

qt.qpa.fonts: Populating font family aliases took 91 ms. Replace uses of missing font family "Roboto" with one that exists to avoid this cost.
qml: Cannot import module: yubikey (Traceback (most recent call last):

  File "qrc:///py/yubikey.py", line 17, in <module>
    import ykman.logging_setup

  File "/Applications/YubiKey Manager.app/Contents/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/ykman/logging_setup.py", line 29, in <module>
    from ykman.util import get_windows_version

  File "/Applications/YubiKey Manager.app/Contents/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/ykman/util.py", line 29, in <module>
    from cryptography.hazmat.primitives import serialization

  File "/Users/adrian/Library/Python/3.9/lib/python/site-packages/cryptography/hazmat/primitives/serialization/__init__.py", line 15, in <module>
    from cryptography.hazmat.primitives.serialization.base import (

  File "/Users/adrian/Library/Python/3.9/lib/python/site-packages/cryptography/hazmat/primitives/serialization/base.py", line 9, in <module>
    from cryptography.hazmat.primitives.asymmetric.types import (

  File "/Users/adrian/Library/Python/3.9/lib/python/site-packages/cryptography/hazmat/primitives/asymmetric/types.py", line 7, in <module>
    from cryptography.hazmat.primitives.asymmetric import (

  File "/Users/adrian/Library/Python/3.9/lib/python/site-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 10, in <module>
    from cryptography.hazmat.primitives.asymmetric import (

  File "/Users/adrian/Library/Python/3.9/lib/python/site-packages/cryptography/hazmat/primitives/asymmetric/utils.py", line 6, in <module>
    from cryptography.hazmat.bindings._rust import asn1

ImportError: dlopen(/Users/adrian/Library/Python/3.9/lib/python/site-packages/cryptography/hazmat/bindings/_rust.abi3.so, 0x0002): tried: '/Users/adrian/Library/Python/3.9/lib/python/site-packages/cryptography/hazmat/bindings/_rust.abi3.so' (mach-o file, but is an incompatible architecture (have 'arm64', need 'x86_64'))
)
qml: Function not found: 'yubikey.init_with_logging' (Traceback (most recent call last):

  File "<string>", line 1, in <module>

NameError: name 'yubikey' is not defined

It continues after that, but looked like repetition.

fdennis commented 2 years ago

I see. I tried on a Mac with Apple Silicon and it works. In your case it looks like YubiKey Manager is using your local installation of Python when looking up the cryptography package, for example: File "/Users/adrian/Library/Python/3.9/lib/python/site-packages/cryptography/(...)" seems to do just that. Perhaps you can try updating your local cryptography package. Another solution might be to set the PYTHONHOME or PYTHONPATH variables, to make sure the correct Python is used. You want the Python in the YubiKey Manager.app

apburgess commented 2 years ago

I'm not sure updating the local cryptography package will work as it will remain the same arch (I think that's the problem it's having with the cryptography package it's picking up?). I'll try though.

I've noticed another issue where it seemed it was picking up the wrong python installation -- is it worth having the software warn about this?

(Also, would having an Apple Silicon native version of the software help? Albeit it would still presumably be picking up external python packages.)

apburgess commented 2 years ago

Ok, I've tried the path thing, I'm not sure if I set the variables correctly but it keeps reaching out to the system installation for cryptography -- is it possible this is because there isn't a copy included in the app bundle (that I can see -- not a python expert).

Screenshot 2022-04-29 at 11 49 28

I was trying

PYTHONHOME=/Applications/YubiKey\ Manager.app/Contents/Frameworks/Python.framework/Versions/3.9

fdennis commented 2 years ago

You need to check under site-packages, which is in the directory you took that screenshot.

fdennis commented 2 years ago

Could you try setting PYTHONPATH? Try pointing it to site-packages. Most likely it will be something like this /Applications/YubiKey\ Manager.app/Contents/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages. If that does not work, try playing around a bit with that path. Maybe it should be shorter.

apburgess commented 2 years ago

Thanks, that seems to have fixed it. Could the app be updated so it doesn't let the system installation interfere?

fdennis commented 2 years ago

It should be possible. We can look into it for the next release(s). Thanks for the suggestion!

PriceHiller commented 2 years ago

Just ran into this as well, would be awesome to see this fixed, maybe utilizing a virtual environment going forward or just exporting the variables as needed for that invocation?

Until then, I'll share a little helper function I use to extract the correct python variables and run YubiKey Manager:

#######################################
# Launch yubikey with the current python environment variables set for the
# application.
#######################################
yubikey-manage() {
    local yubikey_mngr_base_path=/Applications/YubiKey\ Manager.app/Contents
    local python_base_path="${yubikey_mngr_base_path}"/Frameworks/Python.framework/Versions

    local python_version
    # Find where the current symlink points to for yubikey's env
    python_version="$(readlink -f "${python_base_path}"/Current)"
    # Get the version number off the end of the path for python
    python_version="${python_version##*/}"

    PYTHONHOME="${python_base_path}/Current" \
        PYTHONPATH="${python_base_path}/Current/lib/python${python_version}/site-packages" \
        "${yubikey_mngr_base_path}/MacOS/ykman-gui" --log-level DEBUG
}

Expects bash or zsh.

IPlayZed commented 2 years ago

Same as #328 , I have added my logs there.

nckroy commented 1 year ago

This just happened to me with a brand new YubiKey 5Ci on MacOS 13.1, MacBook Pro M1 Max. I ended up "fixing" it with the PYTHONPATH trick. Would be good to get this resolved in the app.

nckroy commented 1 year ago

FYI I created a tiny wrapper script to automate launching the YubiKey manager on MacOS with the correct environment: https://github.com/nckroy/yubiman-wrapper

psxx commented 1 year ago

@treatybreaker solution works, huge thumbs up him for that, but.

8 months later and bug is still there. Is it time to fix it, Yubico folks? It's payed security product btw.

fdennis commented 1 year ago

Hey! 1.2.5 has just been released, and contains some fixes related to this. Please test it out and see if it resolves your issue.

DonutHands commented 1 year ago

1.2.5 macOS 13.3.1 (intel)

Same issue.

csacelaris commented 1 year ago

I have the same issue with 1.25 on Windows 10 and with the app image version on Kubuntu 22.10. Will try to fix it via the suggestions in this post.

manualdidact commented 7 months ago

Experiencing the same thing, app built from source on Fedora 39 according to instructions in doc/development.adoc. (minor detail -- it calls for a prereq package qt5-devel which does not exist.) The program builds successfully and I can run it from the source tree (ykman-gui/ykman-gui), but it just sits there waiting for me to insert my key. It doesn't detect either one I've tried.

According to all other indications, keys are detected and functioning normally -- I can log in to websites via webauthn, I can use the Yubico demo pages, playground site, etc. I can see the key in lsusb and I can see insertions and removals in the syslog. As far as I can tell, it's only the Manager application that can't see my keys.

JohnAZoidberg commented 7 months ago

It's not showing my key either on Fedora 40Beta. Installed with sudo dnf install yubikey-manager-qt. It's version 1.2.5 The CLI is working:

> ykman list
YubiKey FIPS (4.4.5) [OTP+FIDO+CCID] Serial: 12864557
[I] [11:24:54] zoid  ~ 0 
> ykman-gui --log-level DEBUG
kf.i18n: KLocalizedString: Using an empty domain, fix the code. msgid: "&Yes" msgid_plural: "" msgctxt: "@action:button"
kf.i18n: KLocalizedString: Using an empty domain, fix the code. msgid: "&No" msgid_plural: "" msgctxt: "@action:button"
qrc:/qml/main.qml:96:5: QML Shortcut: Shortcut: Only binding to one of multiple key bindings associated with 4. Use 'sequences: [ <key> ]' to bind to all of them.
Fenrihr commented 7 months ago

I have the same issue that @manualdidact and @JohnAZoidberg in Fedora (installed from the Fedora repos)

Same issue reported in #357

orjawell commented 6 months ago

Same error here with arch :

orjawell@archX13 ~> ykman-gui --log-level DEBUG
Warning: Ignoring XDG_SESSION_TYPE=wayland on Gnome. Use QT_QPA_PLATFORM=wayland to run on Wayland anyway.
"PyOtherSide error: No module named 'yubikey'"
qml: Cannot import module: yubikey (No module named 'yubikey')
"PyOtherSide error: Traceback (most recent call last):\n\n  File \"<string>\", line 1, in <module>\n\nNameError: name 'yubikey' is not defined\n"
qml: Function not found: 'yubikey.init_with_logging' (Traceback (most recent call last):

  File "<string>", line 1, in <module>

NameError: name 'yubikey' is not defined
)
"PyOtherSide error: Traceback (most recent call last):\n\n  File \"<string>\", line 1, in <module>\n\nNameError: name 'yubikey' is not defined\n"
qml: Function not found: 'yubikey.controller.refresh' (Traceback (most recent call last):

  File "<string>", line 1, in <module>

NameError: name 'yubikey' is not defined
)
h-2 commented 5 months ago

After upgrading from Ubuntu 23.10 to 24.04, I have the same problem. THIS IS REALLY BAD as I need the authenticator app to access crucial services.

How can this be fixed?

dainnilsson commented 5 months ago

@h-2 Are you commenting in the correct repo? YubiKey Manager GUI is not an authenticator app, maybe you want https://github.com/Yubico/yubioath-flutter instead?

h-2 commented 5 months ago

It affects ykman-gui, as well, but I just saw that it is also being tracked downstream: https://bugs.launchpad.net/ubuntu/+source/yubioath-desktop/+bug/2067197

dainnilsson commented 5 months ago

Unfortunately the package for yubioath-desktop is VERY outdated (5.x). The latest version of Yubico Authenticator is 7.0, and we recommend you download it directly from here: https://github.com/Yubico/yubioath-flutter/releases

As for YubiKey Manager GUI, we also recommend that you instead use Yubico Authenticator 7 which is a much newer and more capable tool.

h-2 commented 5 months ago

Thanks for pointing this out. The new version works. I guess Ubuntu is just outdated :(

rmdes commented 5 months ago

Unfortunately the package for yubioath-desktop is VERY outdated (5.x). The latest version of Yubico Authenticator is 7.0, and we recommend you download it directly from here: https://github.com/Yubico/yubioath-flutter/releases

As for YubiKey Manager GUI, we also recommend that you instead use Yubico Authenticator 7 which is a much newer and more capable tool.

Thanks for this information, I was trying to get yubikey-manager-qt working on fedora 40 and hitting the same bug