Cannot read OpenPGP card as non-root

Asked by AlexGenaud on 2011-10-02

I have recently acquired an OpenPGP card and reader and cannot properly read the card as a normal user. In the debug section of the udev instructions it says "If the card is found as 'sudo', then you need to tweak the udev rules so that your normal user also has access", but I do not know how to 'tweak the udev rules'.

Card is v2.0 g10code, BasicCard, ZeitControl
Reader v2.0 SCR3310 SCM Microsystems

I've followed udev directions here: http://wiki.fsfe.org/Card_howtos/Card_reader_setup_%28udev%29 and when that didn't work, hotplug directions: http://wiki.fsfe.org/Card_howtos/Card_reader_setup_%28hotplug%29 and then various links.

I've installed gnupg2 gnupg-agent pcscd libpcsclite1 gpgsm libccid opensc and perhaps a few other things in my attempt to read the card.

NO $ gpg --card-status
OK $ sudo gpg --card-status
OK $ opensc-tool -lv
OK $ pcsc_scan

$ gpg --card-status

gpg: selecting openpgp failed: unknown command
gpg: OpenPGP card not available: general error

$ sudo gpg --card-status

gpg: WARNING: unsafe ownership on configuration file `/home/alex/.gnupg/gpg.conf'
gpg: detected reader `SCM SCR 3310 [CCID Interface] 00 00'
Application ID ...: D276000124010200000500000D1F0000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 00000D1F
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

$ opensc-tool -lv

Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
...etc...
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Readers known about:
Nr. Driver Name
0 openct OpenCT reader (detached)
1 openct OpenCT reader (detached)
2 pcsc SCM SCR 3310 [CCID Interface] 00 00

$ pcsc_scan

PC/SC device scanner
V 1.4.17 (c) 2001-2009, Ludovic Rousseau <email address hidden>
Compiled with PC/SC lite version: 1.5.5
Scanning present readers...
0: SCM SCR 3310 [CCID Interface] 00 00

Sat Oct 1 22:54:33 2011
 Reader 0: SCM SCR 3310 [CCID Interface] 00 00
  Card state: Card inserted,
  ATR: 3B DA 18 ...etc... 90 00 0C

ATR: 3B DA 18 ...etc... 90 00 0C
+ TS = 3B --> Direct Convention
+ T0 = DA, Y(1): 1101, K: 10 (historical bytes)
  TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
    129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
  TC(1) = FF --> Extra guard time: 255 (special value)
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
-----
  TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 75 --> Block Waiting Integer: 7 - Character Waiting Integer: 5
  TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following
-----
  TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V
+ Historical bytes: 00 31 C5 ...etc... 00 90 00
  Category indicator byte: 00 (compact TLV data object)
    Tag: 3, len: 1 (card service data byte)
      Card service data byte: C5
        - Application selection: by full DF name
        - Application selection: by partial DF name
        - EF.DIR and EF.ATR access services: by GET DATA command
        - Card without MF
    Tag: 7, len: 3 (card capabilities)
      Selection methods: C0
        - DF selection by full DF name
        - DF selection by partial DF name
      Data coding byte: 01
        - Behaviour of write functions: one-time write
        - Value 'FF' for the first byte of BER-TLV tag fields: invalid
        - Data unit in quartets: 2
      Command chaining, length fields and logical channels: 40
        - Extended Lc and Le fields
        - Logical channel number assignment: No logical channel
        - Maximum number of logical channels: 1
    Mandatory status indicator (3 last bytes)
      LCS (life card cycle): 00 (No information given)
      SW: 9000 (Normal processing.)
+ TCK = 0C (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B DA ...etc... 00 0C
 GnuPG card V2
^C

$

Question information

Language: English
Status: Expired
For: Ubuntu pcsc-lite
Assignee: No assignee
Last query: 2011-10-02
Last reply: 2011-10-17
Seth (sysfu) said : #1

Can confirm the same issue on fresh install of 11.10 x64.

user@ubu:~$ gpg --card-status
gpg: selecting openpgp failed: unknown command
gpg: OpenPGP card not available: general error

user@ubu:~$ sudo gpg --card-status
gpg: WARNING: unsafe ownership on configuration file `/home/user/.gnupg/gpg.conf'
Application ID ...: D000000000000000000000000000000000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 00000000
Name of cardholder: user name
Language prefs ...: en
Sex ..............: male
URL of public key :
Login data .......: user
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 1024R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
etc...............

Launchpad Janitor (janitor) said : #2

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Benedikt (trefzer) said : #3

Had exactly the same issue.

If I use "gpg --no-use-agent --card-status" then it works as non root user.

Giacomo (poderi1980) said : #4

Had the same issue.

I edited .gnupg/gpg.conf and changed the option use-agent into no-use-agent:

no-use-agent
#use-agent

Now gpg --card-status seems to work.

cheers

Seth (sysfu) said : #5

Commenting out use-agent from gpg.conf and inserting no-use-agent allows me to run gpg --card-status successfully as a non-root user. SSH key authentication using the smartcard key now appears to be disabled as a result.

ssh-add -L yields "The agent has no identities."

a.kratzer (a-kratzer) said : #6

Exactly the same issue.

If I use the agent, normal user operations throw an error.

$ gpg --card-status

gpg: selecting openpgp failed: unknown command
gpg: OpenPGP card not available: general error

Without the agent it works, but SSH key authentication is broken.

Tested with Ubuntu 12.04 and Debian 7.0.

a.kratzer (a-kratzer) said : #7

I found one thing with strace:

socket(PF_FILE, SOCK_STREAM, 0) = 3
connect(3, {sa_family=AF_FILE, path="/home/alex/.cache/keyring-VqDAgY/gpg"}, 38) = 0
...
write(3, "SCD SERIALNO openpgp", 20) = 20
write(3, "\n", 1) = 1
read(3, "ERR 103 unknown command\n", 1002) = 24
write(2, "gpg: ", 5gpg: ) = 5
write(2, "selecting openpgp failed: unknow"..., 42selecting openpgp failed: unknown command
....

a.kratzer (a-kratzer) said : #8

I found one solution:
rm /etc/xdg/autostart/gnome-keyring-gpg.desktop
and all works fine ;o)
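Comments #7 and #8 trace the failure to the agent socket that gpg connects to answering "SCD SERIALNO openpgp" with "ERR 103 unknown command", i.e. something other than a real gpg-agent with scdaemon behind it. The following shell functions are an added example, not part of the thread: they reproduce that check without strace by pulling the socket path out of GPG_AGENT_INFO (GnuPG 2.0 format, path:pid:protocol), sending the same Assuan command gpg sends via gpg-connect-agent, and classifying the first reply line. The classification labels are my own; the "ERR 103" line is the one quoted in #7, and the "S SERIALNO ..." status line is what a real gpg-agent returns when scdaemon can see a card.

```shell
#!/bin/sh
# Added diagnostic (not from the Launchpad thread): find out which agent gpg
# will talk to and whether it actually implements the smartcard (SCD) commands.
# Assumes a GnuPG 2.0-era setup where GPG_AGENT_INFO="<socket>:<pid>:<proto>".

# Return the socket path from a GPG_AGENT_INFO value ($1).
# Everything before the first ':' is the path; the rest is pid and protocol.
agent_socket_from_info() {
    printf '%s\n' "${1%%:*}"
}

# Classify the first Assuan reply line ($1) to "SCD SERIALNO openpgp".
#   "S SERIALNO <hex> <stamp>" or "OK" -> gpg-agent with scdaemon reachable
#   "ERR 103 unknown command"          -> an agent that does not implement SCD
#                                         (the gnome-keyring gpg proxy found in #7)
#   any other "ERR ..."                -> scdaemon reached, but card/reader error
#   anything else (e.g. empty)         -> no usable reply, agent not running?
classify_scd_reply() {
    case "$1" in
        "S SERIALNO "*|OK*) echo "gpg-agent" ;;
        "ERR 103 "*)        echo "no-scd-proxy" ;;
        ERR*)               echo "scd-error" ;;
        *)                  echo "unknown" ;;
    esac
}

# Send the exact command gpg sends (see the strace in #7) through
# gpg-connect-agent and classify the reply. Needs GnuPG 2.x and a running
# agent reachable from this shell; stderr is discarded so a missing agent
# simply yields "unknown".
probe_agent() {
    reply=$(gpg-connect-agent 'SCD SERIALNO openpgp' /bye 2>/dev/null | head -n 1)
    classify_scd_reply "$reply"
}

# Stand-alone usage: print the socket gpg will use and the verdict.
if [ -n "$GPG_AGENT_INFO" ]; then
    echo "agent socket: $(agent_socket_from_info "$GPG_AGENT_INFO")"
fi
echo "verdict: $(probe_agent)"
```

If the verdict is "no-scd-proxy" while `sudo gpg --card-status` works, the problem is the agent in the user's session, not device permissions, which matches the thread: root has no GPG_AGENT_INFO pointing at the desktop keyring, so it starts its own gpg-agent. A "scd-error" verdict, by contrast, means scdaemon was reached and the udev/pcscd side is the thing to look at.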