indygreg
commented
1 year ago No worries about the GitHub issues... it happens.
Thanks for the bug report. I can easily see how 2 concurrent operations would fail.
At the end of the day, each client needs to have some form of exclusive access to the hardware to perform signing, as a signing operation consists of multiple packets sent to the hardware and the protocol is stateful.
I'm far from an expert on the PCSC interface and how yubikey.rs interfaces with it. This may require some cooperation with the yubikey.rs maintainers on best ways to proceed.
I wouldn't be surprised if we to implement our own locking using a file-based lock or something. From my perspective, ideally any locking would be implemented in yubikey.rs. But I can relate with them if they want to defer that complexity to downstream customers!
wrl
I am using
rcodesignin a on-premises CI server, with the smartcard functionality backed by a Yubikey 5 token.When two (or more) jobs attempt to sign executables simultaneously, at least one (sometimes all) of them will begin exiting unsuccessfully with the pcsc-rust error
Error::ResetCard, which has the description "The smart card has been reset, so any shared state information is invalid".It's unclear to me where this error is being raised (i.e. when first connecting to the token, or when the signing operation is attempted), but it seems like pcsc-rust resets the
Cardwhen dropped (https://github.com/bluetech/pcsc-rust/blob/master/pcsc/src/lib.rs#L1670-L1684) and yubikey-rs doesn't change this or attempt to reconnect to the card on reset, though it does specify that the card should reset on reconnect (https://github.com/iqlusioninc/yubikey.rs/blob/main/src/yubikey.rs#L220-L224) and it seems like the card should perhaps reconnect if there's an error when starting a transaction (https://github.com/iqlusioninc/yubikey.rs/blob/main/src/yubikey.rs#L241-L245).I am unfamiliar with PCSC and smartcards as a whole, so I'm not sure what the best practices for all of this are.