GPG, OpenPGP card, ACS ACR30U card reader
Further to my mails earlier this month, I've been trying to get GPG working with my card reader and PC/SC. pcscd recognises my card reader and the card that is inserted into it. GnuPG returns the expected output from the --card-status command. I have been able to set the language on the card, following the instructions on the HOWTO. However, whenever I try to set my name on the card, GnuPG exits with an error and pcscd segfaults.

$ gpg --disable-ccid --debug-all -vv --card-edit
Command> admin
Admin commands are allowed
Command> name
Cardholder's surname: Whitmore
Cardholder's given name: Antony
gpg: DBG: send apdu: c=00 i=CA p0=00 p1=C4 lc=-1 le=256
gpg: DBG: PCSC_data: 00 CA 00 C4 00
gpg: DBG: response: sw=9000 datalen=7
gpg: DBG: dump: 00 FE FE FE 03 03 03
gpg: 3 Admin PIN attempts remaining before card is permanently locked
Admin PIN
gpg: DBG: send apdu: c=00 i=20 p0=00 p1=83 lc=8 le=-1
gpg: DBG: PCSC_data: 00 20 00 83 08 31 32 33 34 35 36 37 38
gpg: DBG: response: sw=9000 datalen=0
gpg: DBG: dump:
gpg: DBG: send apdu: c=00 i=DA p0=00 p1=5B lc=16 le=-1
gpg: DBG: PCSC_data: 00 DA 00 5B 10 57 68 69 74 6D 6F 72 65 3C 3C 41 6E 74 6F 6E 79
gpg: pcsc_transmit failed: comm error (0x80100013)
gpg: apdu_send_simple(0) failed: card I/O error
gpg: failed to set `DISP-NAME': general error
gpg: error setting Name: general error

pcscd produces this (output from after enter is hit after entering the admin PIN):

APDU: 00 20 00 83 08 31 32 33 34 35 36 37 38
T=1 -> 0 20 0 83 8 31 32 33 34 35 36 37 38
T=1 <- 90 0
SW: 90 00
APDU: 00 DA 00 5B 10 57 68 69 74 6D 6F 72 65 3C 3C 41 6E 74 6F 6E 79
T=1 -> 0 da 0 5b 10 57 68 69 74 6d 6f 72 65 3c 3c 41 6e 74 6f 6e 79
Segmentation fault

I'd appreciate any advice as to where to look next. As I see it, this could either be a bug in GnuPG, a bug in pcscd or a bug in the driver for my card reader. But I'm not experienced enough to know where to look to find out more.

Thanks in advance,

Tony

P.S. As per Jonathan Rockway's e-mail, the output of pcsc_scan on my system (with pcscd running and the card inserted) is:

$ pcsc_scan
PC/SC device scanner
V 1.4.1 (c) 2001-2004, Ludovic Rousseau <[EMAIL PROTECTED]>
Compiled with PC/SC lite version: 1.2.9-beta7
Scanning present readers
0: ACS ACR 30u 00 00

Sun Jul 30 18:22:15 2006
 Reader 0 (ACS ACR 30u 00 00)
  Card state: Card inserted,
  ATR: 3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1

ATR: 3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1
+ TS = 3B --> Direct Convention
+ T0 = FA, Y(1): , K: 10 (historical bytes)
  TA(1) = 13 --> Fi=372, Di=4, 93.000 cycles/ETU
  TB(1) = 00 --> Programming Param P: 0 Volts, I: 0 milli-Ampres
  TC(1) = FF --> Extra guard time: 255
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1
-----
  TA(3) = 80 --> IFSC: 128
  TB(3) = 45 --> Block Waiting Integer: 4 - Character Waiting Integer: 5
+ Historical bytes: 00 31 C1 73 C0 01 00 00 90 00 B1

Possibly identified card (using /usr/lib/pcsc/smartcard_list.txt):
3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1
	OpenPGP

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
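The traces in the mail above can be decoded mechanically, which is the quickest way to check whether the failing command was malformed before suspecting the reader driver. The Python below is an added example for this page, not code from the original post, from GnuPG or from pcscd. It parses the ATR that pcsc_scan printed (the TA/TB/TC/TD interface-byte chain, the T=1 IFSC and waiting integers, and the TCK checksum, which the old pcsc_scan lumps into the "historical bytes" line) and the three APDUs from the gpg/pcscd logs (ISO 7816-4 case detection, the OpenPGP card VERIFY / GET DATA / PUT DATA instructions, and the DO C4 status bytes behind gpg's "3 Admin PIN attempts remaining"). The instruction and data-object tables are limited to what the quoted bytes need; that is a scope assumption, not a complete OpenPGP card implementation. Two things the decode makes visible: the VERIFY data 31..38 is the PIN 12345678 in ASCII, the card's factory-default Admin PIN, written in clear to the pcscd log; and the command that provoked the crash is a well-formed 16-byte case-3 PUT DATA of the Name DO ("Whitmore<<Antony"), while 0x80100013 is the PC/SC return code SCARD_E_COMM_DATA_LOST, which is what a client gets when the daemon it is talking to goes away mid-transaction, consistent with the "Segmentation fault" at the end of the pcscd log.

```python
"""Decode the PC/SC traces quoted in the mail above: the ATR printed by pcsc_scan
and the OpenPGP card APDUs in the gpg/pcscd logs. Added example for this page,
not code from the mail, GnuPG or pcscd; the tables cover only the bytes quoted."""
from dataclasses import dataclass, field
from functools import reduce
from typing import Dict, Optional, Set

# ISO 7816-3 Fi/Di tables indexed by the nibbles of TA(1); None = reserved code.
FI = [372, 372, 558, 744, 1116, 1488, 1860, None, None, 512, 768, 1024, 1536, 2048, None, None]
DI = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]

@dataclass
class ATR:
    protocols: Set[int] = field(default_factory=set)
    fi: Optional[int] = None
    di: Optional[int] = None
    ifsc: Optional[int] = None     # T=1 max information field size, TA(i>2)
    bwi: Optional[int] = None      # T=1 block / character waiting integers,
    cwi: Optional[int] = None      #   TB(i>2) high / low nibble
    historical: bytes = b""
    tck_ok: Optional[bool] = None  # None: only T=0 offered, so no TCK byte

def parse_atr(atr: bytes) -> ATR:
    """Follow the TA(i)..TD(i) chain through the Y nibbles, then verify TCK."""
    if atr[0] != 0x3B: raise ValueError("only direct convention (TS=3B) handled here")
    out, k, y, pos, i, prev_t = ATR(), atr[1] & 0x0F, atr[1] >> 4, 2, 1, None
    while True:
        ta = tb = tc = td = None
        if y & 1: ta, pos = atr[pos], pos + 1
        if y & 2: tb, pos = atr[pos], pos + 1
        if y & 4: tc, pos = atr[pos], pos + 1
        if y & 8: td, pos = atr[pos], pos + 1
        if i == 1 and ta is not None:
            out.fi, out.di = FI[ta >> 4], DI[ta & 0x0F]
        elif i >= 3 and prev_t == 1:        # TA/TB following a TD that said T=1
            if ta is not None: out.ifsc = ta
            if tb is not None: out.bwi, out.cwi = tb >> 4, tb & 0x0F
        if td is None:
            break
        y, prev_t, i = td >> 4, td & 0x0F, i + 1
        out.protocols.add(prev_t)
    out.protocols = out.protocols or {0}     # no TD(1) at all: T=0 implied
    out.historical = atr[pos:pos + k]
    has_tck = out.protocols != {0}           # TCK is omitted only for pure T=0
    if len(atr) != pos + k + int(has_tck): raise ValueError("ATR length does not match T0/Y/K")
    if has_tck:                              # T0 .. TCK must XOR to zero
        out.tck_ok = reduce(lambda a, b: a ^ b, atr[1:]) == 0
    return out

# OpenPGP card commands seen in the trace (ISO 7816-4 short-form APDUs).
INS_NAMES = {0x20: "VERIFY", 0xCA: "GET DATA", 0xDA: "PUT DATA"}
OPENPGP_DOS = {0x005B: "Name", 0x00C4: "PW status bytes", 0x5F2D: "Language"}
PW_REFS = {0x81: "PW1 (sign)", 0x82: "PW1 (other)", 0x83: "PW3 (admin)"}

@dataclass
class APDU:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""
    le: Optional[int] = None

def hexbytes(s: str) -> bytes:
    """Accept gpg's padded hex ('00 20 00 83') and pcscd's unpadded ('0 20 0 83')."""
    return bytes(int(tok, 16) for tok in s.split())

def parse_apdu(raw: bytes) -> APDU:
    """Classify the body as ISO 7816-4 case 1-4 and split Lc / data / Le."""
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if len(body) <= 1:                       # case 1, or case 2 (Le only; 00 = 256)
        return APDU(cla, ins, p1, p2, le=(body[0] or 256) if body else None)
    lc, data, tail = body[0], body[1:1 + body[0]], body[1 + body[0]:]
    if len(data) != lc or len(tail) > 1: raise ValueError("Lc/data/Le do not line up")
    return APDU(cla, ins, p1, p2, data, (tail[0] or 256) if tail else None)

def describe(a: APDU) -> str:
    """One-line meaning of an OpenPGP card command, for log triage."""
    name, tag = INS_NAMES.get(a.ins, "INS %02X" % a.ins), (a.p1 << 8) | a.p2
    if a.ins == 0x20:
        # The PIN travels in clear inside the APDU: whoever can read the pcscd
        # log quoted above can read the PIN as well.
        return "%s %s, PIN %r" % (name, PW_REFS.get(a.p2, "ref %02X" % a.p2),
                                  a.data.decode("ascii", "replace"))
    if a.ins == 0xDA and tag == 0x005B:
        # The Name DO is 'surname<<given names', as in ISO/IEC 7501-1.
        surname, _, given = a.data.decode("ascii").partition("<<")
        return "%s Name: surname=%s given=%s" % (name, surname, given)
    return "%s %s (%d data bytes, Le=%s)" % (
        name, OPENPGP_DOS.get(tag, "DO %04X" % tag), len(a.data), a.le)

def decode_pw_status(do_c4: bytes) -> Dict[str, object]:
    """DO C4: PW1 validity flag, three max PIN lengths, three retry counters."""
    if len(do_c4) != 7: raise ValueError("DO C4 is 7 bytes on OpenPGP card v1.x")
    return {"pw1_valid_for_several_sigs": do_c4[0] == 0x01,
            "max_len": dict(zip(("pw1", "rc", "pw3"), do_c4[1:4])),
            "retries": dict(zip(("pw1", "rc", "pw3"), do_c4[4:7]))}
```

Feed it the hex copied from the logs: parse_atr(hexbytes("3B FA 13 ... 90 00 B1")) reports protocols {1}, Fi/Di 372/4, IFSC 128, BWI 4, CWI 5 and a valid TCK, matching pcsc_scan; describe(parse_apdu(hexbytes("0 20 0 83 8 31 32 33 34 35 36 37 38"))) names the command as a VERIFY of PW3 with the PIN spelled out; and decode_pw_status(hexbytes("00 FE FE FE 03 03 03")) gives the three retry counters gpg summarised as "3 Admin PIN attempts remaining". hexbytes() accepts both the zero-padded form gpg prints and the unpadded form pcscd prints, so either log can be pasted in as-is.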
Re: Driving licence as identification and accepting signed keys without exchanging encrypted data
On Tue, Jul 25, 2006 at 02:29:23AM -0400, Atom Smasher wrote:
> no matter what anyone tells you is or isn't adequate, you have to decide
> for yourself. this may help you figure it out -
> http://www.linuxsecurity.com/content/view/121645/49/

Thanks Atom, that article was linked to from the thread suggested yesterday. It covers some interesting etiquette points, and certainly doesn't mention using an encrypted block of random data to further verify identity:

"If required, they may take this opportunity to present each other with formal identification. After enjoying each others' company, they each return home, verify each others' key information to be correct (between the papers they exchanged and the keys they are about to sign), and sign each others' keys. They may then exchange signed keys."

Yet it's already been suggested in this thread that this represents insufficient verification. As I mentioned yesterday, I understand that it's my decision whether to trust any particular piece of identification. I thought it would be worth finding out whether there are any actual arguments for or against accepting such ID which would help inform my decision.

Cheers,

Tony
Re: Driving licence as identification and accepting signed keys without exchanging encrypted data
David Shaw wrote:
> On Mon, Jul 24, 2006 at 09:50:22PM +0100, Tony Whitmore wrote:
>> First: Is a photo driving licence considered adequate identification?
>> I'm in the UK so we have UK / EU photo driving licences. I have
>> previously only used passports as ID, but some people were presenting
>> driving licences instead.
>
> It depends on what *you* think. Some people do accept driver licences
> as adequate identification. Some don't. I do, for what it's worth.

I understand there is a personal decision to be made here, and that I have responsibility to be satisfied with the ID, but I don't know whether there are good arguments for/against accepting photo driving licences.

>> Second: I've already had back some e-mails, encrypted with my public
>> key, with signatures attached ready for me to upload to a keyserver. I
>> usually use the procedure described at [1], which requires the
>> additional verification of the encryption, exchange and decryption of a
>> random amount of text before signatures are sent. Obviously I have to be
>> able to decrypt the e-mail successfully to access the signature they
>> have sent me, but is this considered a safe and appropriate way to sign
>> keys?
>
> No, it's not. Some people do it, though. :(

I suppose I have the option of not uploading their signature to a public keyserver, but presumably these people are damaging the web of trust in signing keys in this way?

> Note that there is a difference between what page at
> http://www.hantslug.org.uk/cgi-bin/wiki.pl?LinuxHints/KeySigning says
> and what you say above. The page (correctly) notes that all that is
> necessary is that the person *sign* the challenge before sending it
> back to you. The page makes clear ("encrypted, if you like") that
> encryption is optional here, and adds little to what you are trying to
> prove. It doesn't matter if other people can read the signed
> challenge or not. Of course, it doesn't hurt to encrypt, so long as
> it is understood that it doesn't really help either.

Yes, I realise I didn't phrase my explanation very well. The procedure I use is as described on the referenced web page. What should have been a separate comment was in regard to the encrypted e-mails *I* have been sent with signatures attached. In order to access the attached signature file, I have to be able to decrypt the e-mail, meaning I have to have access to my private key. If I don't have the private key, I can't decrypt the e-mail and can't access the signature to upload it. This seems to provide some sort of checking that the e-mail address ties up with the public and private keys, but again I'd like to hear what other people think.

> Take a look at the thread starting at
> http://lists.gnupg.org/pipermail/gnupg-users/2006-July/028949.html

Thank you, I will do so.

Tony
Driving licence as identification and accepting signed keys without exchanging encrypted data
I'm still working on getting my card reader to work, but in the meantime, I have a couple of questions regarding key-signing etiquette following a session at LUG Radio Live last weekend. I hope the questions are not OT, I've checked the HOWTOs & FAQs, but there's some ambiguity in them.

First: Is a photo driving licence considered adequate identification? I'm in the UK so we have UK / EU photo driving licences. I have previously only used passports as ID, but some people were presenting driving licences instead.

Second: I've already had back some e-mails, encrypted with my public key, with signatures attached ready for me to upload to a keyserver. I usually use the procedure described at [1], which requires the additional verification of the encryption, exchange and decryption of a random amount of text before signatures are sent. Obviously I have to be able to decrypt the e-mail successfully to access the signature they have sent me, but is this considered a safe and appropriate way to sign keys?

The e-mails I received were identical apart from the sender's name, so I suspect they are using a script. I wasn't able to find anything definitive on Google so can't be sure which script they are using, but the text ran like:

---quote---
Hi,

please find attached the user id
Antony Paul Whitmore <[EMAIL PROTECTED]>
of your key 7920DB2171B98B64 signed by me.

If you have multiple user ids, I sent the signature for each user id separately to that user id's associated email address. You can import the signatures by running each through `gpg --import`.

Note that I did not upload your key to any keyservers. If you want this new signature to be available to others, please upload it yourself. With GnuPG this can be done using
gpg --keyserver subkeys.pgp.net --send-key 7920DB2171B98B64

If you have any questions, don't hesitate to ask.
---end quote---

I'd value the opinions of the list, as I want to ensure correct procedure is followed to ensure the integrity of the web of trust.

Tony

[1] http://www.hantslug.org.uk/cgi-bin/wiki.pl?LinuxHints/KeySigning
Re: Card readers supported by GPG's internal drivers
On Wed, Jul 12, 2006 at 05:15:34AM -0500, Jonathan Rockway wrote:
>> Two possible options:
>> First, if you're using CCID, does your user have proper write permission
>> to the /dev/usb node? (Maybe try sudo gpg --card-status?)

Yes, I've been manually changing the permissions on the device nodes to give the scard group (of which my user account is a member) read-write access. But this hasn't changed anything. (Running using sudo has the same output with the addition of a line warning about ownership of ~/.gnupg/gpg.conf.)

>> Secondly, have you tried pcscd? Install that, start the daemon, then
>> run a tool like pcsc_scan (comes with debian's pcscd package, IIRC).
>> Between pcsc_scan's output and pcscd's logfile, you might have much
>> better luck debugging. For my card reader (built-in to my Dell laptop),
>> I had to configure pcscd to "use buggy drivers" since apparently my card
>> reader was untested. It works fine, and now I use my OpenPGP card for
>> signing mail and logging into machines via ssh.

Yes, I've tried pcscd. Sadly the licence of the driver for my smartcard reader is unclear (the LICENCE file is missing from the download .zip file). The card was certainly detected by pcscd but I had problems completing very basic steps - pcscd segfaulted when I tried to set my name on the card. So I wanted to see if I could get the gpg internal system working as (potentially) the easiest route!

Thanks,

Tony
Re: Card readers supported by GPG's internal drivers
On Wed, Jul 12, 2006 at 12:02:12PM +0100, Mark Brown wrote:
> On Tue, Jul 11, 2006 at 10:03:20PM +0100, Tony Whitmore wrote:
>
> > I'm running Ubuntu Dapper. Am I right in thinking the entries in
> > /proc/bus/usb/XXX/XXX should be modified to match the rules (i.e. group
> > scard, mode 644)? Because they don't seem to be:
>
> Current systems with udev should use somewhere obviously named in /dev
> by default, with libusb preferring them. It's those that get their
> permissions changed. There are unresolvable races with using /proc.

Thanks for confirming this Mark. It's what I had suspected from the strace output [1]. gpg is certainly looking at entries in /dev/bus/usb when it runs, and doesn't seem to reference /proc at all. Having changed the permissions on the relevant device node, it hasn't changed the situation.

Thanks,

Tony

[1] http://lists.gnupg.org/pipermail/gnupg-users/2006-July/028983.html
Re: Card readers supported by GPG's internal drivers
On Wed, Jul 12, 2006 at 09:05:58AM +0200, Werner Koch wrote:
> On Tue, 11 Jul 2006 20:16, Tony Whitmore said:
>
> > Is there a compatibility list of drivers supported by GPG's internal
> > card reader driver, other than the relevant part of the HOWTO? Do
>
> No there is no such list. This is because the driver implements the
> CCID specification with a few limitations (only T-1, auto-negotiations
> required). It's only a matter of the reader.

Ah OK. It's not entirely clear from the spec of my reader whether it supports the CCID specification, although it does say it supports the T=1 protocol.

> > $ gpg --card-status
> > gpg: pcsc_establish_context failed: no service (0x8010001d)
> > gpg: card reader not available
> > gpg: OpenPGP card not available: general error
>
> Using --debug-ccid-driver will give more information.

Not all that much more, I'm afraid. :)

$ gpg --debug-ccid-driver --card-status
gpg: DBG: ccid-driver: no CCID reader with number 0
gpg: pcsc_establish_context failed: no service (0x8010001d)
gpg: card reader not available
gpg: OpenPGP card not available: general error

Running the command through an strace shows gpg trying to access device nodes directly (e.g. /dev/bus/usb/002/022) rather than entries in /proc/bus/usb as the HOWTO talks about. The device nodes are, by default, writeable only by root. But even with tweaked permissions and group ownership on the device node, the same error occurs. The difference is that instead of reporting "Permission denied" on the device node, strace shows:

open("/dev/bus/usb/002/022", O_RDWR)= 3
ioctl(3, USBDEVFS_IOCTL, 0xbfe8ad20)= -1 ENOTTY (Inappropriate ioctl for device)

If there are any more suggestions of what I can try, I'm all ears. :)

Thanks,

Tony
Re: Card readers supported by GPG's internal drivers
Matthias Kirschner wrote:
> * Tony Whitmore <[EMAIL PROTECTED]> [2006-07-11 19:16:02 +0100]:
>
>> $ gpg --card-status
>> gpg: pcsc_establish_context failed: no service (0x8010001d)
>> gpg: card reader not available
>> gpg: OpenPGP card not available: general error
>
> Sorry, wrong link in my last e-mail. Please try this:
> http://lists.gnupg.org/pipermail/gnupg-devel/2006-July/023000.html

Thanks Matze. I've removed the udev rules/script I had previously set up as per the HOWTO and substituted the rules you gave. I've symlinked them into /etc/udev/rules.d too and restarted udev, but get the same result.

I'm running Ubuntu Dapper. Am I right in thinking the entries in /proc/bus/usb/XXX/XXX should be modified to match the rules (i.e. group scard, mode 644)? Because they don't seem to be:

# ls -l /proc/bus/usb/002/021
-rw-r--r-- 1 root root 43 2006-07-11 21:58 /proc/bus/usb/002/021

I get the same failure as reported before even if I manually change the group and permissions on the device node. And yes, my user is in the scard group. :)

FWIW, lsusb for the device reports:

Bus 002 Device 021: ID 072f:0001 Advanced Card Systems, Ltd AC1030-based SmartCard Reader

What can I try next?

Thanks,

Tony
Card readers supported by GPG's internal drivers
Hi all,

I've been playing around with an OpenPGP smartcard and card reader for the last few days, and have a few questions.

Is there a compatibility list of drivers supported by GPG's internal card reader driver, other than the relevant part of the HOWTO? Do readers have to support a certain standard to be supported by GPG directly, or is support for each reader implemented individually?

I have an ACS ACR30U reader[1] and have followed the HOWTO's instructions on setting up with udev. However, it doesn't seem to work with GPG directly:

$ gpg --card-status
gpg: pcsc_establish_context failed: no service (0x8010001d)
gpg: card reader not available
gpg: OpenPGP card not available: general error

The reader does support PC/SC though, so I plan to try using PC/SC to access the card.

BTW, the link to the gnupg-ccid file (NOT gnupg-ccid.rules) on the HOWTO links back to the HOWTO, not the file:
http://www.gnupg.org/(en)/howtos/card-howto/en/smartcard-howto-single.html#id2501406

Thanks in advance for any help,

Tony Whitmore

[1] http://www.acs.com.hk/Product_Readers.asp?productID=53&PCate=Products_PC_Linked_SmartCard_Readers