Unable to use gnuk usb smartcard token on GuixSD

  • Done
Details
5 participants
  • Brice Waegeneire
  • Chris Marusich
  • Nils Gillmann
  • Ludovic Courtès
  • Vagrant Cascadian
Owner
unassigned
Submitted by
Vagrant Cascadian
Severity
normal
Vagrant Cascadian wrote on 2 May 2018 00:29
(address . bug-guix@gnu.org)
87r2mvui1b.fsf@aikidev.net
I've been unable to use my gnuk usb smartcard token with gnupg on
GuixSD, and it appears this is because scdaemon is built without libusb
support:

$ gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device

Attached is a patch that gets scdaemon working for me and a gnuk...

Unfortunately, enabling libusb causes one of the tests to hang
indefinitely:

PASS: tests/openpgp/decrypt-session-key.scm
Checking unwrapping the encryption.
> encsig-2-keys-3 encsig-2-keys-4 <
PASS: tests/openpgp/decrypt-unwrap-verify.scm
Checking signing with the default hash algorithm
>

So far, I've only been able to get it to work by disabling the
tests... so it's obviously not a good idea to enable without further
troubleshooting.

Another option might be to use pcsc-lite and ccid, but I had even less
luck getting that to work.


live well,
vagrant


diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index f397482ab..0e9e72784 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -39,6 +39,7 @@
#:use-module (gnu packages curl)
#:use-module (gnu packages crypto)
#:use-module (gnu packages emacs)
+ #:use-module (gnu packages libusb)
#:use-module (gnu packages openldap)
#:use-module (gnu packages perl)
#:use-module (gnu packages perl-check)
@@ -232,6 +233,7 @@ compatible to GNU Pth.")
("libgcrypt" ,libgcrypt)
("libgpg-error" ,libgpg-error)
("libksba" ,libksba)
+ ("libusb" ,libusb)
("npth" ,npth)
("openldap" ,openldap)
("pcsc-lite" ,pcsc-lite)
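Review bot: The new ("libusb" ,libusb) input sits next to the existing ("pcsc-lite" ,pcsc-lite) entry with nothing saying why both are wanted. A short comment here or in the commit message stating that libusb is what gives scdaemon its own USB reader support, per the report above, would make the larger dependency set of a key-handling package easier to review.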
@@ -246,12 +248,17 @@ compatible to GNU Pth.")
"--enable-all-tests")
#:phases
(modify-phases %standard-phases
+ ;; (delete 'check)
(add-before 'configure 'patch-paths
(lambda* (#:key inputs #:allow-other-keys)
(substitute* "scd/scdaemon.c"
(("\"(libpcsclite\\.so[^\"]*)\"" _ name)
(string-append "\"" (assoc-ref inputs "pcsc-lite")
"/lib/" name "\"")))
+ (substitute* "configure"
+ (("/usr/include/libusb-1.0")
+ (string-append (assoc-ref inputs "libusb")
+ "/include/libusb-1.0")))
#t))
(add-after 'build 'patch-scheme-tests
(lambda _
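Review bot: The commented-out ;; (delete 'check) at the top of modify-phases should not go in: drop the line, and once the hanging test is identified skip only that test so the rest of the suite keeps running with libusb enabled. The added substitute* on "configure" rewrites the literal /usr/include/libusb-1.0 in a generated script; a comment saying why is worth adding, since the rewrite stops applying if a later release changes that string.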

Nils Gillmann wrote on 2 May 2018 07:57
(name . Vagrant Cascadian)(address . vagrant@debian.org)(address . 31337@debbugs.gnu.org)
20180502055707.5c7cpbrnykso6h2h@abyayala
Vagrant Cascadian transcribed 3.3K bytes:
> I've been unable to use my gnuk usb smartcard token with gnupg on
> GuixSD, and it appears this is because scdaemon is built without libusb
> support:
>
> $ gpg --card-status
> gpg: selecting openpgp failed: No such device
> gpg: OpenPGP card not available: No such device
>
> Attached is a patch that gets scdaemon working for me and a gnuk...
>
> Unfortunately, enabling libusb causes one of the tests to hang
> indefinitely:
>
> PASS: tests/openpgp/decrypt-session-key.scm
> Checking unwrapping the encryption.
> > encsig-2-keys-3 encsig-2-keys-4 <
> PASS: tests/openpgp/decrypt-unwrap-verify.scm
> Checking signing with the default hash algorithm
> >

There should be a test-suite.log in some location in the build chroot,
have you checked that? You might need to build with -K.

> So far, I've only been able to get it to work by disabling the
> tests... so it's obviously not a good idea to enable without further
> troubleshooting.
>
> Another option might be to use pcsc-lite and ccid, but I had even less
> luck getting that to work.
>
>
> live well,
> vagrant
>
>
> diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
> index f397482ab..0e9e72784 100644
> --- a/gnu/packages/gnupg.scm
> +++ b/gnu/packages/gnupg.scm
> @@ -39,6 +39,7 @@
> #:use-module (gnu packages curl)
> #:use-module (gnu packages crypto)
> #:use-module (gnu packages emacs)
> + #:use-module (gnu packages libusb)
> #:use-module (gnu packages openldap)
> #:use-module (gnu packages perl)
> #:use-module (gnu packages perl-check)
> @@ -232,6 +233,7 @@ compatible to GNU Pth.")
> ("libgcrypt" ,libgcrypt)
> ("libgpg-error" ,libgpg-error)
> ("libksba" ,libksba)
> + ("libusb" ,libusb)
> ("npth" ,npth)
> ("openldap" ,openldap)
> ("pcsc-lite" ,pcsc-lite)
> @@ -246,12 +248,17 @@ compatible to GNU Pth.")
> "--enable-all-tests")
> #:phases
> (modify-phases %standard-phases
> + ;; (delete 'check)
> (add-before 'configure 'patch-paths
> (lambda* (#:key inputs #:allow-other-keys)
> (substitute* "scd/scdaemon.c"
> (("\"(libpcsclite\\.so[^\"]*)\"" _ name)
> (string-append "\"" (assoc-ref inputs "pcsc-lite")
> "/lib/" name "\"")))
> + (substitute* "configure"
> + (("/usr/include/libusb-1.0")
> + (string-append (assoc-ref inputs "libusb")
> + "/include/libusb-1.0")))
> #t))
> (add-after 'build 'patch-scheme-tests
> (lambda _
Ludovic Courtès wrote on 7 May 2018 12:04
(name . Vagrant Cascadian)(address . vagrant@debian.org)(address . 31337@debbugs.gnu.org)
87zi1b93y7.fsf@gnu.org
Hi Vagrant,

Vagrant Cascadian <vagrant@debian.org> skribis:

> I've been unable to use my gnuk usb smartcard token with gnupg on
> GuixSD, and it appears this is because scdaemon is built without libusb
> support:
>
> $ gpg --card-status
> gpg: selecting openpgp failed: No such device
> gpg: OpenPGP card not available: No such device
>
> Attached is a patch that gets scdaemon working for me and a gnuk...
>
> Unfortunately, enabling libusb causes one of the tests to hang
> indefinitely:
>
> PASS: tests/openpgp/decrypt-session-key.scm
> Checking unwrapping the encryption.
> > encsig-2-keys-3 encsig-2-keys-4 <
> PASS: tests/openpgp/decrypt-unwrap-verify.scm
> Checking signing with the default hash algorithm
> >
>
> So far, I've only been able to get it to work by disabling the
> tests... so it's obviously not a good idea to enable without further
> troubleshooting.

Did you try attaching strace or gdb to the faulty test to see what’s
going on?

It may be that this test depends on the availability of special hardware
or something like that, in which case we should arrange to skip just
this test.

Thanks for looking into it!

Ludo’.
Chris Marusich wrote on 8 May 2018 07:53
(name . Vagrant Cascadian)(address . vagrant@debian.org)(address . 31337@debbugs.gnu.org)
87efimpuam.fsf@gmail.com
Vagrant Cascadian <vagrant@debian.org> writes:

> Another option might be to use pcsc-lite and ccid, but I had even less
> luck getting that to work.

When you tried that, did you enable the USB drivers by creating a
symlink as described here?


--
Chris

Vagrant Cascadian wrote on 2 Jun 2018 23:33
(name . Chris Marusich)(address . cmmarusich@gmail.com)(address . 31337@debbugs.gnu.org)
877engrhzr.fsf@aikidev.net
On 2018-05-07, Chris Marusich wrote:
> Vagrant Cascadian <vagrant@debian.org> writes:
>
>> Another option might be to use pcsc-lite and ccid, but I had even less
>> luck getting that to work.
>
> When you tried that, did you enable the USB drivers by creating a
> symlink as described here?
>
> https://lists.gnu.org/archive/html/guix-devel/2016-10/msg01433.html

With the symlink:

lrwxrwxrwx 1 root root 41 Jun 2 06:31 /var/lib/pcsc/drivers -> /home/vagrant/.guix-profile/pcsc/drivers/

Then I tried to run:

pcscd --debug --foreground
00000000 pcscdaemon.c:347:main() pcscd set to foreground with debug send to stdout
00000077 pcscdaemon.c:623:main() cannot create /var/run/pcscd: Permission denied

Running as root appears to have worked:

sudo -E pcscd --debug --foreground

Then as a user, "gpg --card-status" works. Haven't tried any other
functionality yet, but that's a good start.


So this seems like a somewhat complicated workaround, and making a
proper pcscd service would reduce the complication significantly. It
would obviously be slightly preferable to me for gnupg to support
smartcards out of the box. :)


live well,
vagrant

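An added check for the workaround in the message above (not part of the thread and not Guix code): with that setup pcscd runs as root and takes its reader drivers from a directory reached through `~/.guix-profile`, a link the unprivileged user owns, so the script walks every symlink hop from the driver directory, reports each hop's owner, and confirms a driver bundle is present at the end. The function names, the trusted-UID parameter and the `*.bundle` test are choices of this example; the default path is the one shown in the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Defaults mirror the thread's setup and
# are assumptions about the local system; pass other values to override.

# link_owner PATH: numeric uid of PATH itself (the link, not its target).
link_owner() {
    ls -ldn -- "$1" | awk '{ print $3 }'
}

# audit_driver_dir [DIR] [TRUSTED_UID]; DIR must be an absolute path.
# Prints one line per symlink hop, then a verdict. Returns 0 only when every
# hop is owned by TRUSTED_UID and the final directory holds a *.bundle driver.
audit_driver_dir() {
    path=${1:-/var/lib/pcsc/drivers}
    trusted=${2:-0}
    hops=0
    while :; do
        # Find the first path prefix that is a symlink.
        prefix='' rest=${path#/} found=''
        while [ -n "$rest" ]; do
            comp=${rest%%/*}
            case $rest in */*) rest=${rest#*/} ;; *) rest='' ;; esac
            [ -n "$comp" ] || continue
            prefix=$prefix/$comp
            if [ -L "$prefix" ]; then found=1; break; fi
        done
        [ -n "$found" ] || break
        hops=$((hops + 1))
        [ "$hops" -le 40 ] || { echo "FAIL: symlink loop at $prefix"; return 2; }
        owner=$(link_owner "$prefix")
        target=$(readlink "$prefix")
        echo "hop $hops: $prefix -> $target (uid $owner)"
        if [ "$owner" != "$trusted" ]; then
            echo "FAIL: $prefix is owned by uid $owner, not $trusted"
            return 1
        fi
        # Substitute the link target and keep walking the remaining components.
        case $target in
            /*) path=$target${rest:+/$rest} ;;
            *)  path=${prefix%/*}/$target${rest:+/$rest} ;;
        esac
    done
    for bundle in "$path"/*.bundle; do
        [ -d "$bundle" ] && { echo "OK: $bundle"; return 0; }
    done
    echo "FAIL: no *.bundle driver under $path"
    return 1
}
```

Run `audit_driver_dir` with no arguments as root on the affected machine; a hop owned by a login user means that user chooses which drivers the root daemon loads.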
Brice Waegeneire wrote on 13 Jun 2021 10:04
(name . Vagrant Cascadian)(address . vagrant@debian.org)
874ke2fax4.fsf@waegenei.re
Hello Vagrant,

Vagrant Cascadian <vagrant@debian.org> writes:

> So this seems like a somewhat complicated workaround, and making a
> proper pcscd service would reduce the complication significantly. It
> would obviously be slightly preferable to me for gnupg to support
> smartcards out of the box. :)

There is a pcscd service in Guix now. Do you still have issues using
smartcards in Guix, or can we close this one?

Cheers,
- Brice
Brice Waegeneire wrote on 4 Jul 2021 13:01
(name . Vagrant Cascadian)(address . vagrant@debian.org)
87zgv2s5qp.fsf@waegenei.re
Brice Waegeneire <brice@waegenei.re> writes:

Closing this issue since it should be solved. Feel free to reopen it
if that's not the case.