Re: Card only available to root user

2011-12-03 Thread Crypto Stick
Hi Olav!

On 30.11.2011 05:06, Olav Seyfarth wrote:
> Hi anonymous "Crypto Stick" and OpenPGP card users on Linux,
> 
>> You need an appropriate UDEV rule. On Debian you can install...
> 
> Thanks for that link!
> Will the package find its way to the official debian repositories?

I hope so. I submitted a bug report and am waiting for the package
maintainer to integrate it. See:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648332

Regards,
Jan

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Card only available to root user

2011-12-01 Thread Werner Koch
On Wed, 30 Nov 2011 22:27, o...@enigmail.net said:

> And: I can access --card-status as root, just not as user ...

Set up your udev rules or whatever is used on your system to setup
correct permissions for the USB device.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.




Re: Card only available to root user

2011-11-30 Thread Olav Seyfarth

Hi Werner,

> Omnikey based devices don't work with the v2 card on non-Unix platforms.

that should be mentioned in the SmartCard HowTo then.

And: I can access --card-status as root, just not as user ...

Olav
-- 
The Enigmail Project - OpenPGP Email Security For Mozilla Applications



Re: Card only available to root user

2011-11-30 Thread Werner Koch
On Tue, 29 Nov 2011 22:06, o...@enigmail.net said:

> events. However, my PCMCIA based reader Omnikey CardMan 4040 (linked as
> supported device on http://www.gnupg.org/howtos/card-howto/en/ch02s02.html)

Omnikey based devices don't work with the v2 card on non-Unix platforms.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.




Re: Card only available to root user

2011-11-29 Thread Michel Messerschmidt
On Tue, Nov 29, 2011 at 10:06:45PM +0100, Olav Seyfarth wrote:
> It seems the above files don't solve my problem since they all trigger on USB
> events. However, my PCMCIA based reader Omnikey CardMan 4040 (linked as
> supported device on http://www.gnupg.org/howtos/card-howto/en/ch02s02.html)
> seems to be PCI based:
> 
> lsusb doesn't list it, lspci lists
> | 02:04.0 CardBus bridge: Ricoh Co Ltd RL5c476 II (rev b6)
> and lspcmcia yields
> | Socket 0 Bridge:   [yenta_cardbus] (bus ID: 0000:02:04.0)
> | Socket 0 Device 0:  [cm4040_cs] (bus ID: 0.0)
> 
> And I don't know where to look how to compile my own rules for cm4040_cs.
> Any help appreciated.

I haven't used this reader for years. But back then this udev rule worked for 
me:
ACTION=="add", SUBSYSTEM=="cardman_4040", GROUP="scard", MODE="0660"

IIRC the cs4040 created its own device entry /dev/cmx (or something similar)


Michel




Re: Card only available to root user

2011-11-29 Thread Olav Seyfarth

Hi anonymous "Crypto Stick" and OpenPGP card users on Linux,

> You need an appropriate UDEV rule. On Debian you can install...

Thanks for that link!
Will the package find its way to the official debian repositories?

// Historical side note: Once Linux was famous for auto-detecting all necessary
// drivers automatically while DOS/Windows did not. Today, it seems, the
// situation has switched.

> Alternatively / on other systems you might copy the following UDEV rule...

Oh, I did not know about that either, thanks. I also have a CryptoStick but prefer
to use my Card since it may remain while transporting the laptop. (No, I am not
concerned that anyone could steal it since I'd know it immediately and revoke.)

After using debian (and sometimes Ubuntu) I thought I'd give Fedora 16 a try.
I was thrilled to see that the fingerprint sensor was supported automatically
but still using OpenPGP SmartCard requires quite some manual tweaking :-(

I looked on the GnuPG homepage first but the HowTo at
http://www.gnupg.org/howtos/card-howto/en/ch02s03.html#id2519429
has broken/missing links for the two files gnupg-ccid.rules and gnupg-ccid.

I finally found the FSFE HowTo and tried the files from there
https://wiki.fsfe.org/Card_howtos/Card_reader_setup_(udev)

My user is member of the scard group.
Yet I still have the same issue as Luis - access as root OK but not as user:

| $ gpg --card-status
| gpg: pcsc_establish_context failed: no service (0x8010001d)
| gpg: card reader not available
| gpg: OpenPGP card not available: General error
|
| # gpg --card-status
| Application ID ...: D2760001240102050222
| Version ..: 2.0
| Manufacturer .: ZeitControl
| [...]

It seems the above files don't solve my problem since they all trigger on USB
events. However, my PCMCIA based reader Omnikey CardMan 4040 (linked as
supported device on http://www.gnupg.org/howtos/card-howto/en/ch02s02.html)
seems to be PCI based:

lsusb doesn't list it, lspci lists
| 02:04.0 CardBus bridge: Ricoh Co Ltd RL5c476 II (rev b6)
and lspcmcia yields
| Socket 0 Bridge:   [yenta_cardbus] (bus ID: 0000:02:04.0)
| Socket 0 Device 0:[cm4040_cs] (bus ID: 0.0)

And I don't know where to look how to compile my own rules for cm4040_cs.
Any help appreciated.

Olav
-- 
The Enigmail Project - OpenPGP Email Security For Mozilla Applications




Re: Card only available to root user

2011-11-29 Thread Crypto Stick
Hi Luis, sorry for the late reply.

You need an appropriate UDEV rule. On Debian you can install the
following package:
https://www.assembla.com/spaces/cryptostick/documents/ds_EMCisGr4k7QeJe5cbCb/download/ds_EMCisGr4k7QeJe5cbCb

Alternatively and on other systems you might copy the following UDEV
rule to the directory /etc/udev/rules.d

https://www.privacyfoundation.de/wiki/CryptoStickSoftware?action=AttachFile&do=view&target=40-cryptostick.rules

On 05.08.2011 05:49, Luis de Bethencourt wrote:
> On Thu, Aug 04, 2011 at 11:25:36PM +0200, Luis de Bethencourt wrote:
>> Hi everybody and thanks for the help.
>>
>> I recently upgraded my GnuPG setup with a Smart Card (GnuPG Card v2).
>>
>> I can get/set the information of the card through the root user, but this is
>> not good for everyday use. I think I have pinpointed the problem, scdaemon
>> in my machine doesn't like anybody but root.
>>
>> Here is a paste of a few commands to show the problem:
>>
>> luisbg@atlas ~ $ gpg --card-status
>> gpg: selecting openpgp failed: Unsupported certificate
>> gpg: OpenPGP card not available: Unsupported certificate
>>
>> luisbg@atlas ~ $ sudo gpg --card-status
>> scdaemon[31077]: reading public key failed: Missing item in object
>> scdaemon[31077]: reading public key failed: Missing item in object
>> Application ID ...: D2760001240102050CC9
>> Version ..: 2.0
>> Manufacturer .: ZeitControl
>> Serial number : 0CC9
>> Name of cardholder: Luis de Bethencourt
>> Language prefs ...: en
>> Sex ..: male
>> URL of public key : http://people.collabora.com/~luisbg/gpg_pub_key_873B518D
>> Login data ...: luisbg
>> Signature PIN : not forced
>> Key attributes ...: 2048R 2048R 2048R
>> Max. PIN lengths .: 32 32 32
>> PIN retry counter : 3 0 3
>> Signature counter : 2
>> Signature key : 3F4A 28A6 568A CD30 480A  F9EB 6BBF 9F19 873B 518D
>>   created : 2011-07-26 12:22:00
>> Encryption key: [none]
>> Authentication key: [none]
>> General key info..: [none]
>> scdaemon[31077]: updating slot 0 status: 0x0000->0x0007 (0->1)
>>
>> luisbg@atlas ~ $ gpg-agent --server gpg-connect-agent
>> OK Pleased to meet you
>> SCD LEARN
>> S SERIALNO D2760001240102050CC9 0
>> INQUIRE KNOWNCARDP D2760001240102050CC9 0
>> scdaemon[31088]: updating slot 0 status: 0x0000->0x0007 (0->1)
>>
>>
>> Notice how I can check the status as root, and do SCD Learn as my user. But not
>> check the status as my user (or sign my mails, which is the main problem). Also
>> pcsc_scan works with my user, it shows the Serial number of the card.
>>
>> If it helps, I'm running gentoo with:
>> gpg (GnuPG) 2.0.17
>> scdaemon (GnuPG) 2.0.17
>> pcsc-lite version 1.7.2
>> gpg-agent (GnuPG) 2.0.17
>>
>> luisbg@atlas ~ $ gpgconf 
>> gpg:GPG for OpenPGP:/usr/bin/gpg2
>> gpg-agent:GPG Agent:/usr/bin/gpg-agent
>> scdaemon:Smartcard Daemon:/usr/bin/scdaemon
>> gpgsm:GPG for S/MIME:/usr/bin/gpgsm
>> dirmngr:Directory Manager:/usr/bin/dirmngr
>>
>>
>> Thanks a million for the help,
>> Luis
> 
> 
> By the way, I should mention I have replicated this issue in my two gentoo-based
> machines.
> 
> But then got the card and reader working very easily in another machine which
> runs debian. So the hardware is OK. Unfortunately for this case, my laptop is
> one of the gentoo machines, and that is the machine I will make more use of the
> card.
> 
> Thanks,
> Luis
> 
> 
> 



Re: Problems with gnome-keyring et al. (was: Card only available to root user)

2011-08-10 Thread Luis de Bethencourt
On Wed, Aug 10, 2011 at 01:29:04PM +0200, Luis de Bethencourt wrote:
> So I found a solution \o/
> 
> If I do:
> unset GPG_AGENT_INFO
> 
> then the card works for my user, unfortunately it only does work in terminals.
> It does launch pinentry-gtk-2 when I sign an email with mutt, and so that
> covers my usecase :)
> 
> Thanks to all!
> Luis

So the way of having this fixed system wide is:

for just all terminals, include the unset GPG_AGENT_INFO in ~/.bashrc

If running GNOME, launch gnome-session-properties, look for "GPG Password Agent"
(which uses GNOME Keyring) and deactivate it.

Thanks,
Luis




Re: Problems with gnome-keyring et al. (was: Card only available to root user)

2011-08-10 Thread Luis de Bethencourt
So I found a solution \o/

If I do:
unset GPG_AGENT_INFO

then the card works for my user, unfortunately it only does work in terminals.
It does launch pinentry-gtk-2 when I sign an email with mutt, and so that
covers my usecase :)

Thanks to all!
Luis




Problems with gnome-keyring et al. (was: Card only available to root user)

2011-08-09 Thread Werner Koch
On Tue,  9 Aug 2011 02:44, l...@debethencourt.com said:

> So it looks like GNOME's ssh-agent is interfering. How can I avoid this?

Tell them that they should not interfere with GnuPG.  

If you put a line 

  use-standard-socket

into ~/.gnupg/gpg-agent.conf and stop starting gpg-agent in the xsession
etc., all tools requiring gpg-agent will start gpg-agent on the fly.
There is even no more need for the GPG_AGENT_INFO envvar; I even
explicitly unset this variable in my profile.  Thus the only envvar you
need is GPG_TTY.

If you want to use gpg-agent as ssh-agent you should also put a line

  enable-ssh-support

into ~/.gnupg/gpg-agent.conf and put into your profile 

  unset SSH_AGENT_PID
  SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
  export SSH_AUTH_SOCK

Now you only need to make sure that gpg-agent is started before you use
ssh.  This is because ssh has no way to start gpg-agent on the fly; I do
this with a simple

  gpg-connect-agent /bye

If you want to check whether gpg-agent is _configured_ to use the
standard socket, you may call

 gpg-agent --use-standard-socket-p

This is actually what all GnuPG tools do to see whether they may start
gpg-agent on the fly.

The standard socket makes things easier and hopefully harder for
gnome-keyring to interfere with it.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.




Re: Card only available to root user

2011-08-08 Thread Luis de Bethencourt
On Mon, Aug 08, 2011 at 07:57:44PM +0200, Werner Koch wrote:
> On Mon,  8 Aug 2011 18:05, l...@debethencourt.com said:
> 
> > this is very strange, that shows it as 2.0.17, but it still says that
> > 'getinfo version' is not implemented.
> 
> One of these GNOME tools is intercepting the connection and acts as a
> MITM between gpg-connect-agent and gpg-agent.
> 
> Check the owner of the socket described by $GPG_AGENT_INFO and if used
> the socket ~/.gnupg/S.gpg-agent .
>

So it looks like GNOME's ssh-agent is interfering. How can I avoid this?

Thanks,
Luis
 
> 
> Shalom-Salam,
> 
>Werner
> 
> -- 
> Thoughts are free.  Exceptions are governed by a federal law.
> 




Re: Card only available to root user

2011-08-08 Thread Werner Koch
On Mon,  8 Aug 2011 18:05, l...@debethencourt.com said:

> this is very strange, that shows it as 2.0.17, but it still says that
> 'getinfo version' is not implemented.

One of these GNOME tools is intercepting the connection and acts as a
MITM between gpg-connect-agent and gpg-agent.

Check the owner of the socket described by $GPG_AGENT_INFO and if used
the socket ~/.gnupg/S.gpg-agent .


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.




Re: Card only available to root user

2011-08-08 Thread Luis de Bethencourt
On Mon, Aug 08, 2011 at 09:38:49AM +0200, Werner Koch wrote:
> On Sat,  6 Aug 2011 19:46, l...@debethencourt.com said:
> 
> > gpg-connect-agent 'getinfo version' /bye
> > ERR 100 not implemented
> 
> You are running a *very* old version of gpg-agent (< 2.0.5) - or
> something hijacked the connection to gpg-agent (seahorse?
> gnome-keyring?)
> 
> 
> Shalom-Salam,
> 
>Werner
> 
> -- 
> Thoughts are free.  Exceptions are governed by a federal law.
> 

luisbg@atlas ~ $ gpg-connect-agent --version
gpg-connect-agent (GnuPG) 2.0.17

this is very strange, that shows it as 2.0.17, but it still says that
'getinfo version' is not implemented.

:S

Luis




Re: Card only available to root user

2011-08-08 Thread Werner Koch
On Sat,  6 Aug 2011 19:46, l...@debethencourt.com said:

> gpg-connect-agent 'getinfo version' /bye
> ERR 100 not implemented

You are running a *very* old version of gpg-agent (< 2.0.5) - or
something hijacked the connection to gpg-agent (seahorse?
gnome-keyring?)


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.




Re: Card only available to root user

2011-08-06 Thread Peter Lebbing
On 06/08/11 19:50, Luis de Bethencourt wrote:
> Thanks for that information! I agree with you that if I could also have a similar
> ACL in my gentoo machine it would work. Where is this set?

Unfortunately, I don't know much, hardly anything, about ConsoleKit and friends.
I suppose it is related to the following snippets out of the following files:

/lib/udev/rules.d/60-gnupg.rules:

ATTR{idVendor}=="04e6", ATTR{idProduct}=="5115", ENV{ID_SMARTCARD_READER}="1",\
ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"

/lib/udev/rules.d/70-acl.rules:

# smart-card readers
ENV{ID_SMARTCARD_READER}=="*?", TAG+="udev-acl"

[...]

# apply ACL for all locally logged in users
TAG=="udev-acl", TEST=="/var/run/ConsoleKit/database", \
  RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"


Here I picked a somewhat random vendor/product-id that is matched in the first
file. You might need a lot more configuration to get it working, I don't know.

By the way, I added the \ in the snippet from the first file, but not in the
second; that one was already there.

Good luck,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt


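The udev snippets in Peter's reply above and Michel's cardman_4040 rule further up the page, worked through as an added example that is not part of the original thread and not udev's own code: a toy matcher that understands only the keys those rules use, applies them to a constructed USB reader and a constructed PCMCIA reader, and reports the resulting group, mode, tags and RUN commands, then checks whether a given user gets read/write on the node by the classic owner/group/other bits. The 04e6:5115 vendor/product pair is copied from Peter's snippet (he calls it a random pick); the group-based fallback rule, the "scard" group, the user names and the device node paths are my assumptions, and the PCMCIA node name is a placeholder since Michel could not recall it.

```python
"""Toy udev-rule matcher for smart card reader permissions.  Added example, not
code from the thread or from udev: it understands only the syntax the posted
rules use (==, !=, =, += on ACTION, SUBSYSTEM, ATTR{}, ENV{}, TAG, TEST, GROUP,
MODE, RUN) and shows which rule ends up deciding a device node's group/mode."""
import fnmatch
import re

TOKEN = re.compile(r'\s*([A-Z_]+)(?:\{([^}]*)\})?\s*(==|!=|\+=|=)\s*"([^"]*)"\s*,?')

# Peter's 60-gnupg/70-acl snippets and Michel's CardMan 4040 rule as posted,
# plus one constructed group-based rule of the kind Werner means by "set up
# your udev rules".  04e6:5115 comes from Peter's snippet, not from a lookup.
RULES = r'''
ATTR{idVendor}=="04e6", ATTR{idProduct}=="5115", ENV{ID_SMARTCARD_READER}="1",\
ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
# apply ACL for all locally logged in users
ENV{ID_SMARTCARD_READER}=="*?", TAG+="udev-acl"
TAG=="udev-acl", TEST=="/var/run/ConsoleKit/database", \
  RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"
# constructed fallback without ConsoleKit: plain group access
SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5115", GROUP="scard", MODE="0660"
ACTION=="add", SUBSYSTEM=="cardman_4040", GROUP="scard", MODE="0660"
'''


def read_rules(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    rules, buf = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        line, buf = (buf + raw).strip(), ""
        if line and not line.startswith("#"):
            rules.append(line)
    return rules


def parse_rule(line):
    """Split one rule into match conditions and assignments."""
    conds, assigns, pos = [], [], 0
    while pos < len(line):
        m = TOKEN.match(line, pos)
        if not m:
            raise ValueError("cannot parse rule at %r" % line[pos:])
        key, sub, op, val = m.groups()
        (conds if op in ("==", "!=") else assigns).append((key, sub, op, val))
        pos = m.end()
    return conds, assigns


def condition_holds(dev, key, sub, op, pattern):
    """Match keys use shell globs; TEST checks a path (simulated here)."""
    if key == "TEST":
        hit = pattern in dev["paths"]
    elif key == "TAG":
        hit = any(fnmatch.fnmatchcase(t, pattern) for t in dev["tags"])
    elif key in ("ATTR", "ENV"):
        hit = fnmatch.fnmatchcase(dev[key.lower()].get(sub, ""), pattern)
    else:  # ACTION, SUBSYSTEM
        hit = fnmatch.fnmatchcase(dev[key.lower()], pattern)
    return hit if op == "==" else not hit


def apply_rules(dev, rules):
    """Run every rule whose conditions all hold; later assignments win."""
    for line in rules:
        conds, assigns = parse_rule(line)
        if not all(condition_holds(dev, *c) for c in conds):
            continue
        for key, sub, op, val in assigns:
            val = re.sub(r"\$env\{(\w+)\}", lambda m: dev["env"].get(m.group(1), ""), val)
            if key == "ENV":
                dev["env"][sub] = val
            elif key == "TAG":
                dev["tags"] = (dev["tags"] | {val}) if op == "+=" else {val}
            elif key == "RUN":
                dev["run"].append(val)
            else:  # OWNER, GROUP, MODE
                dev[key.lower()] = val
    return dev


def user_can_access(dev, user, groups):
    """Plain owner/group/other check on the resulting node (ACLs aside)."""
    mode = int(dev["mode"], 8)
    bits = mode >> 6 if dev["owner"] == user else mode >> 3 if dev["group"] in groups else mode
    return (bits & 6) == 6


def device(subsystem, attr, devname, consolekit=False, mode="0664"):
    """Constructed device state before any rule runs (0664 = crw-rw-r--)."""
    return {"action": "add", "subsystem": subsystem, "attr": attr,
            "env": {"ACTION": "add", "DEVNAME": devname}, "tags": set(), "run": [],
            "owner": "root", "group": "root", "mode": mode,
            "paths": {"/var/run/ConsoleKit/database"} if consolekit else set()}


USB_READER = dict(subsystem="usb", attr={"idVendor": "04e6", "idProduct": "5115"},
                  devname="/dev/bus/usb/005/005")
PCMCIA_READER = dict(subsystem="cardman_4040", attr={}, devname="/dev/cmx-placeholder", mode="0600")

if __name__ == "__main__":
    for spec, ck in ((USB_READER, True), (USB_READER, False), (PCMCIA_READER, False)):
        dev = apply_rules(device(consolekit=ck, **spec), read_rules(RULES))
        print(dev["subsystem"], dev["group"], dev["mode"], sorted(dev["tags"]), dev["run"],
              "scard member rw:", user_can_access(dev, "luisbg", {"luisbg", "scard"}))
```

The two USB runs differ only in whether the ConsoleKit database exists: with it, the udev-acl RUN fires and the logged-in user gets an ACL on top of the group bits; without it (the Gentoo case in the thread) only the GROUP/MODE assignment remains, so the user has to be in that group.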

Re: Card only available to root user

2011-08-06 Thread Luis de Bethencourt
On Fri, Aug 05, 2011 at 10:59:28AM +0200, Peter Lebbing wrote:
> On 05/08/11 03:02, Luis de Bethencourt wrote:
> > device in debian:
> > crw-rw-r--+ 1 root root 189, 516 2011-08-05 00:46 /dev/bus/usb/005/005
> > 
> > device in gentoo:
> > crw-rw-r-- 1 root pcscd 189, 395 Aug  5 02:56 /dev/bus/usb/004/012
> > 
> > my user is part of the pcscd group. I just checked.
> 
> Look closely at the permissions for Debian. It has a plus-sign. This means there
> is an ACL. Probably ConsoleKit is adding you to the ACL when you log in.
> 
> You can get the ACL with getfacl. Here is the output from my box:
> 
> peter@tweek:~$ getfacl /dev/bus/usb/008/004
> getfacl: Removing leading '/' from absolute path names
> # file: dev/bus/usb/008/004
> # owner: root
> # group: pcscd
> user::rw-
> user:peter:rw-
> group::rw-
> mask::rw-
> other::r--
> 
> Note how user peter has read/write as well.
> 
> However, I've been fighting with access rights to the cardreader as well, so
> please don't take this as correct. In fact, the whole pcscd group business
> stopped working for me at some point, oddly enough. Some Debian update
> conflicted with my own tinkering in udev.
> 
> Peter.
> 
> -- 
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

Thanks for that information! I agree with you that if I could also have a similar
ACL in my gentoo machine it would work. Where is this set?

Unfortunately I don't have access to the debian machine until next week, I'm at
the Desktop Summit in Berlin. Ohh... if anyone is around I would be happy to
meet them and sign their key :)

Thanks,
Luis




Re: Card only available to root user

2011-08-06 Thread Luis de Bethencourt
On Fri, Aug 05, 2011 at 11:00:26AM +0200, Werner Koch wrote:
> On Fri,  5 Aug 2011 10:31, l...@debethencourt.com said:
> 
> > Missed this question the first time around...
> > It is a SCM Microsystems SCR 335
> 
> Well that one works.  It even works fine with the scdaemon internal
> driver, thus try after stopping pcscd.
> 
> >> When I do it as you say I get:
> >> gpg-connect-agent 'scd learn --force' /bye
> >> ERR 103 unknown command
> >> 
> >> I always get that 'unknown command' error in all the variations you explained.
> 
> Please run
> 
>   gpg-connect-agent 'getinfo version' /bye
> 

gpg-connect-agent 'getinfo version' /bye
ERR 100 not implemented

> and 
> 
>   gpg-connect-agent 'scd getinfo version' /bye
> 

gpg-connect-agent 'scd getinfo version' /bye
ERR 103 unknown command

:S

> > I've created this conf file both in my home and root's.
> 
> Well under ~/.gnupg/ of course.
> 
> > When I run gpg --card-status as my user, there is no file created.
> 
> Is this really gpg2 (check using gpg --version).
> 

gpg --version
gpg (GnuPG) 2.0.17

> > But when I run it in root it does create this file.
> 
> That smells like a file permission problem.
> 

Both the user and root have access to where the log file should be dropped.

By the way, since I'm not using a ccid script in /dev/ for the reader, where
are the permissions of the device set? I see that the device is owned by
root and group pcscd. Where could I change this?

Thanks,
Luis

> > Is this confirmation that when running as root scdaemon is being spawned
> > but when running as user it can't use scdaemon?
> 
> No. 
> 
> > I can paste the content of that log file if you want it. Asking before doing
> > so since it's a bit lengthy.
> 
> Please send by private mail.  Note that this may reveal PINs if you
> entered one.
> 
> 
> Shalom-Salam,
> 
>Werner
> 
> -- 
> Thoughts are free.  Exceptions are governed by a federal law.
> 




Card only available to root user

2011-08-05 Thread Luis de Bethencourt
Hi everybody and thanks for the help.

I recently upgraded my GnuPG setup with a Smart Card (GnuPG Card v2).

I can get/set the information of the card through the root user, but this is
not good for everyday use. I think I have pinpointed the problem, scdaemon
in my machine doesn't like anybody but root.

Here is a paste of a few commands to show the problem:

luisbg@atlas ~ $ gpg --card-status
gpg: selecting openpgp failed: Unsupported certificate
gpg: OpenPGP card not available: Unsupported certificate

luisbg@atlas ~ $ sudo gpg --card-status
scdaemon[31077]: reading public key failed: Missing item in object
scdaemon[31077]: reading public key failed: Missing item in object
Application ID ...: D2760001240102050CC9
Version ..: 2.0
Manufacturer .: ZeitControl
Serial number : 0CC9
Name of cardholder: Luis de Bethencourt
Language prefs ...: en
Sex ..: male
URL of public key : http://people.collabora.com/~luisbg/gpg_pub_key_873B518D
Login data ...: luisbg
Signature PIN : not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 2
Signature key : 3F4A 28A6 568A CD30 480A  F9EB 6BBF 9F19 873B 518D
  created : 2011-07-26 12:22:00
Encryption key: [none]
Authentication key: [none]
General key info..: [none]
scdaemon[31077]: updating slot 0 status: 0x0000->0x0007 (0->1)

luisbg@atlas ~ $ gpg-agent --server gpg-connect-agent
OK Pleased to meet you
SCD LEARN
S SERIALNO D2760001240102050CC9 0
INQUIRE KNOWNCARDP D2760001240102050CC9 0
scdaemon[31088]: updating slot 0 status: 0x0000->0x0007 (0->1)


Notice how I can check the status as root, and do SCD Learn as my user. But not
check the status as my user (or sign my mails, which is the main problem). Also
pcsc_scan works with my user, it shows the Serial number of the card.

If it helps, I'm running gentoo with:
gpg (GnuPG) 2.0.17
scdaemon (GnuPG) 2.0.17
pcsc-lite version 1.7.2
gpg-agent (GnuPG) 2.0.17

luisbg@atlas ~ $ gpgconf 
gpg:GPG for OpenPGP:/usr/bin/gpg2
gpg-agent:GPG Agent:/usr/bin/gpg-agent
scdaemon:Smartcard Daemon:/usr/bin/scdaemon
gpgsm:GPG for S/MIME:/usr/bin/gpgsm
dirmngr:Directory Manager:/usr/bin/dirmngr


Thanks a million for the help,
Luis




Re: Card only available to root user

2011-08-05 Thread Luis de Bethencourt
On Thu, Aug 04, 2011 at 11:25:36PM +0200, Luis de Bethencourt wrote:
> Hi everybody and thanks for the help.
> 
> I recently upgraded my GnuPG setup with a Smart Card (GnuPG Card v2).
> 
> I can get/set the information of the card through the root user, but this is
> not good for everyday use. I think I have pinpointed the problem, scdaemon
> in my machine doesn't like anybody but root.
> 
> Here is a paste of a few commands to show the problem:
> 
> luisbg@atlas ~ $ gpg --card-status
> gpg: selecting openpgp failed: Unsupported certificate
> gpg: OpenPGP card not available: Unsupported certificate
> 
> luisbg@atlas ~ $ sudo gpg --card-status
> scdaemon[31077]: reading public key failed: Missing item in object
> scdaemon[31077]: reading public key failed: Missing item in object
> Application ID ...: D2760001240102050CC9
> Version ..: 2.0
> Manufacturer .: ZeitControl
> Serial number : 0CC9
> Name of cardholder: Luis de Bethencourt
> Language prefs ...: en
> Sex ..: male
> URL of public key : http://people.collabora.com/~luisbg/gpg_pub_key_873B518D
> Login data ...: luisbg
> Signature PIN : not forced
> Key attributes ...: 2048R 2048R 2048R
> Max. PIN lengths .: 32 32 32
> PIN retry counter : 3 0 3
> Signature counter : 2
> Signature key : 3F4A 28A6 568A CD30 480A  F9EB 6BBF 9F19 873B 518D
>   created : 2011-07-26 12:22:00
> Encryption key: [none]
> Authentication key: [none]
> General key info..: [none]
> scdaemon[31077]: updating slot 0 status: 0x0000->0x0007 (0->1)
> 
> luisbg@atlas ~ $ gpg-agent --server gpg-connect-agent
> OK Pleased to meet you
> SCD LEARN
> S SERIALNO D2760001240102050CC9 0
> INQUIRE KNOWNCARDP D2760001240102050CC9 0
> scdaemon[31088]: updating slot 0 status: 0x0000->0x0007 (0->1)
> 
> 
> Notice how I can check the status as root, and do SCD Learn as my user. But not
> check the status as my user (or sign my mails, which is the main problem). Also
> pcsc_scan works with my user, it shows the Serial number of the card.
> 
> If it helps, I'm running gentoo with:
> gpg (GnuPG) 2.0.17
> scdaemon (GnuPG) 2.0.17
> pcsc-lite version 1.7.2
> gpg-agent (GnuPG) 2.0.17
> 
> luisbg@atlas ~ $ gpgconf 
> gpg:GPG for OpenPGP:/usr/bin/gpg2
> gpg-agent:GPG Agent:/usr/bin/gpg-agent
> scdaemon:Smartcard Daemon:/usr/bin/scdaemon
> gpgsm:GPG for S/MIME:/usr/bin/gpgsm
> dirmngr:Directory Manager:/usr/bin/dirmngr
> 
> 
> Thanks a million for the help,
> Luis


By the way, I should mention I have replicated this issue in my two gentoo-based
machines.

But then got the card and reader working very easily in another machine which
runs debian. So the hardware is OK. Unfortunately for this case, my laptop is
one of the gentoo machines, and that is the machine I will make more use of the
card.

Thanks,
Luis




Re: Card only available to root user

2011-08-05 Thread Werner Koch
On Fri,  5 Aug 2011 10:31, l...@debethencourt.com said:

> Missed this question the first time around...
> It is a SCM Microsystems SCR 335

Well that one works.  It even works fine with the scdaemon internal
driver, thus try after stopping pcscd.

>> When I do it as you say I get:
>> gpg-connect-agent 'scd learn --force' /bye
>> ERR 103 unknown command
>> 
>> I always get that 'unknown command' error in all the variations you explained.

Please run

  gpg-connect-agent 'getinfo version' /bye

and 

  gpg-connect-agent 'scd getinfo version' /bye

> I've created this conf file both in my home and root's.

Well under ~/.gnupg/ of course.

> When I run gpg --card-status as my user, there is no file created.

Is this really gpg2 (check using gpg --version).

> But when I run it in root it does create this file.

That smells like a file permission problem.

> Is this confirmation that when running as root scdaemon is being spawned
> but when running as user it can't use scdaemon?

No. 

> I can paste the content of that log file if you want it. Asking before doing
> so since it's a bit lengthy.

Please send by private mail.  Note that this may reveal PINs if you
entered one.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.




Re: Card only available to root user

2011-08-05 Thread Peter Lebbing
On 05/08/11 03:02, Luis de Bethencourt wrote:
> device in debian:
> crw-rw-r--+ 1 root root 189, 516 2011-08-05 00:46 /dev/bus/usb/005/005
> 
> device in gentoo:
> crw-rw-r-- 1 root pcscd 189, 395 Aug  5 02:56 /dev/bus/usb/004/012
> 
> my user is part of the pcscd group. I just checked.

Look closely at the permissions for Debian. It has a plus-sign. This means there
is an ACL. Probably ConsoleKit is adding you to the ACL when you log in.

You can get the ACL with getfacl. Here is the output from my box:

peter@tweek:~$ getfacl /dev/bus/usb/008/004
getfacl: Removing leading '/' from absolute path names
# file: dev/bus/usb/008/004
# owner: root
# group: pcscd
user::rw-
user:peter:rw-
group::rw-
mask::rw-
other::r--

Note how user peter has read/write as well.

However, I've been fighting with access rights to the cardreader as well, so
please don't take this as correct. In fact, the whole pcscd group business
stopped working for me at some point, oddly enough. Some Debian update
conflicted with my own tinkering in udev.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt


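Peter's getfacl output, evaluated as an added example that is not part of the original thread and not the acl package's code: parse_getfacl reads the getfacl text, and check_access applies the POSIX.1e access algorithm (owner entry unmasked, named user entry masked, matching group entries masked, otherwise the other entry), so you can see why peter gets rw- on that node while a user who is neither named in the ACL nor in pcscd gets only r--. The second sample with a restrictive mask is constructed to show the mask doing its job; user and group names other than Peter's are placeholders.

```python
"""Evaluate a POSIX ACL from `getfacl` output the way the kernel evaluates it.
Added example, not code from the thread or from the acl tools: it shows what
the '+' in `ls -l` announces and which ACL entry (owner, named user, group,
mask, other) decides whether a user may open the reader's device node."""


def has_extended_acl(ls_mode):
    """`ls -l` appends '+' to the mode string when an ACL beyond the rwx bits exists."""
    return ls_mode.endswith("+")


def parse_getfacl(text):
    """Return {'file','owner','group','entries'}; entries are (tag, qualifier, perms)."""
    acl = {"file": None, "owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()   # getfacl annotates masked entries
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            if key.strip() in acl:
                acl[key.strip()] = value.strip()
            continue
        tag, qualifier, perms = line.split(":")
        acl["entries"].append((tag, qualifier, set(perms) & set("rwx")))
    return acl


def check_access(acl, user, groups, wanted):
    """POSIX.1e access check: does `user` (member of `groups`) get all of `wanted`?"""
    wanted = set(wanted) & set("rwx")
    table = {(tag, qual): perms for tag, qual, perms in acl["entries"]}
    mask = table.get(("mask", ""), set("rwx"))        # no mask entry: nothing masked
    if user == acl["owner"]:                          # owner entry is never masked
        return wanted <= table[("user", "")]
    if ("user", user) in table:                       # named user entry, masked
        return wanted <= (table[("user", user)] & mask)
    candidates = [table[("group", "")]] if acl["group"] in groups else []
    candidates += [p for (t, q), p in table.items() if t == "group" and q and q in groups]
    if candidates:                                    # any one matching group entry suffices
        return any(wanted <= (p & mask) for p in candidates)
    return wanted <= table[("other", "")]


def effective_perms(acl, user, groups):
    """Render the per-bit outcome as an rwx string, e.g. 'rw-'."""
    return "".join(c if check_access(acl, user, groups, c) else "-" for c in "rwx")


# Peter's getfacl output, copied from his post
PETER_GETFACL = """\
# file: dev/bus/usb/008/004
# owner: root
# group: pcscd
user::rw-
user:peter:rw-
group::rw-
mask::rw-
other::r--
"""

# Constructed variant: same entries but a restrictive mask; getfacl prints the
# '#effective:' annotation itself in this situation.
MASKED_GETFACL = """\
# file: dev/bus/usb/008/004
# owner: root
# group: pcscd
user::rw-
user:peter:rw-                  #effective:r--
group::rw-                      #effective:r--
mask::r--
other::r--
"""

if __name__ == "__main__":
    print("ls shows an ACL:", has_extended_acl("crw-rw-r--+"))
    for name, text in (("peter's node", PETER_GETFACL), ("masked", MASKED_GETFACL)):
        acl = parse_getfacl(text)
        for user, groups in (("peter", {"peter"}), ("luisbg", {"luisbg"}),
                             ("luisbg", {"luisbg", "pcscd"}), ("root", {"root"})):
            print(name, user, sorted(groups), effective_perms(acl, user, groups))
```

On a real machine, feed it `getfacl /dev/bus/usb/BBB/DDD` for the reader's node and your own user and group list; if the node has no '+' in `ls -l`, the only entries are the three classic ones and group membership is all that can help.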

Re: Card only available to root user

2011-08-05 Thread Luis de Bethencourt
On Fri, Aug 05, 2011 at 10:25:33AM +0200, Luis de Bethencourt wrote:
> On Fri, Aug 05, 2011 at 09:32:35AM +0200, Werner Koch wrote:
> > On Fri,  5 Aug 2011 01:49, l...@debethencourt.com said:
> > >
> > > luisbg@atlas ~ $ gpg --card-status
> > > gpg: selecting openpgp failed: Unsupported certificate
> > 
> > What kind of reader are you using?

Missed this question the first time around...
It is a SCM Microsystems SCR 335

> > 
> > > luisbg@atlas ~ $ gpg-agent --server gpg-connect-agent
> > 
> > Now that is a strange command.  The "gpg-connect-agent" argument is
> > simply ignored.  What you do is to start a new gpg-agent in --server
> > mode, that is without it listening on a socket but connected to the tty.
> > 
> > You should first start gpg-agent after checking that no other one is
> > running.  For testing I do it this way
> > 
> >   $ gpg-agent --daemon sh
> > 
> > This creates a new shell and if you terminate this shell (exit) the
> > gpg-agent will terminate as well after a few seconds.  Then use
> > 
> >   $ gpg-connect-agent
> >   SCD SERIALNO
> >   BYE
> > 
> > or 
> > 
> >   $ gpg-connect-agent 'SCD SERIALNO' /bye
> > 
> > or to get all info from the card
> > 
> >   $ gpg-connect-agent 'scd learn --force' /bye
> >
> 
> When I do it as you say I get:
> gpg-connect-agent 'scd learn --force' /bye
> ERR 103 unknown command
> 
> I always get that 'unknown command' error in all the variations you explained.
> 
> But it works when I do it through gpg-agent --server.
>  
> > 
> > My guess at your problem is that there is another gpg-agent running
> > which has the scdaemon open.  The one you started under root?
> > 
> 
> It looks like every time I do gpg --card-status it spawns a new scdaemon. After
> the card information you can see the following line:
> 
> scdaemon[7684]: scdaemon (GnuPG) 2.0.17 stopped
> 
> and ps doesn't show any scdaemon running after that.
> 
> > To debug this you should put these lines into scdaemon.conf
> > 
> > log-file /foo/bar/scd.log
> > debug 2049
> > debug-ccid-driver
> > verbose
> > 

I've created this conf file both in my home and root's.
When I run gpg --card-status as my user, there is no file created.
But when I run it in root it does create this file.

Is this confirmation that when running as root scdaemon is being spawned
but when running as user it can't use scdaemon?

I can paste the content of that log file if you want it. Asking before doing
so since it's a bit lengthy.

Thanks for all the help,
Luis

> > 
> > Salam-Shalom,
> > 
> >Werner
> > 
> > 
> > -- 
> > Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
> > 
> 
> Thanks for the help,
> Luis




___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Card only available to root user

2011-08-05 Thread Luis de Bethencourt
On Fri, Aug 05, 2011 at 09:32:35AM +0200, Werner Koch wrote:
> On Fri,  5 Aug 2011 01:49, l...@debethencourt.com said:
> >
> > luisbg@atlas ~ $ gpg --card-status
> > gpg: selecting openpgp failed: Unsupported certificate
> 
> What kind of reader are you using?
> 
> > luisbg@atlas ~ $ gpg-agent --server gpg-connect-agent
> 
> Now that is a strange command.  The "gpg-connect-agent" argument is
> simply ignored.  What you do is to start a new gpg-agent in --server
> mode, that is without it listening on a socket but connected to the tty.
> 
> You should first start gpg-agent after checking that no other one is
> running.  For testing I do it this way
> 
>   $ gpg-agent --daemon sh
> 
> This creates a new shell and if you terminate this shell (exit) the
> gpg-agent will terminate as well after a few seconds.  Then use
> 
>   $ gpg-connect-agent
>   SCD SERIALNO
>   BYE
> 
> or 
> 
>   $ gpg-connect-agent 'SCD SERIALNO' /bye
> 
> or to get all info from the card
> 
>   $ gpg-connect-agent 'scd learn --force' /bye
>

When I do it as you say I get:
gpg-connect-agent 'scd learn --force' /bye
ERR 103 unknown command

I always get that 'unknown command' error in all the variations you explained.

But it works when I do it through gpg-agent --server.
 
> 
> My guess at your problem is that there is another gpg-agent running
> which has the scdaemon open.  The one you started under root?
> 

It looks like every time I do gpg --card-status it spawns a new scdaemon. After
the card information you can see the following line:

scdaemon[7684]: scdaemon (GnuPG) 2.0.17 stopped

and ps doesn't show any scdaemon running after that.

> To debug this you should put these lines into scdaemon.conf
> 
> log-file /foo/bar/scd.log
> debug 2049
> debug-ccid-driver
> verbose
> 
> 
> Salam-Shalom,
> 
>Werner
> 
> 
> -- 
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
> 

Thanks for the help,
Luis




Re: Card only available to root user

2011-08-05 Thread Werner Koch
On Fri,  5 Aug 2011 01:49, l...@debethencourt.com said:
>
> luisbg@atlas ~ $ gpg --card-status
> gpg: selecting openpgp failed: Unsupported certificate

What kind of reader are you using?

> luisbg@atlas ~ $ gpg-agent --server gpg-connect-agent

Now that is a strange command.  The "gpg-connect-agent" argument is
simply ignored.  What you do is to start a new gpg-agent in --server
mode, that is without it listening on a socket but connected to the tty.

You should first start gpg-agent after checking that no other one is
running.  For testing I do it this way

  $ gpg-agent --daemon sh

This creates a new shell and if you terminate this shell (exit) the
gpg-agent will terminate as well after a few seconds.  Then use

  $ gpg-connect-agent
  SCD SERIALNO
  BYE

or 

  $ gpg-connect-agent 'SCD SERIALNO' /bye

or to get all info from the card

  $ gpg-connect-agent 'scd learn --force' /bye


My guess at your problem is that there is another gpg-agent running
which has the scdaemon open.  The one you started under root?

To debug this you should put these lines into scdaemon.conf

log-file /foo/bar/scd.log
debug 2049
debug-ccid-driver
verbose


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Card only available to root user

2011-08-04 Thread Luis de Bethencourt
On Fri, Aug 05, 2011 at 01:07:19AM +0200, Hauke Laging wrote:
> Am Freitag, 5. August 2011, 03:02:07 schrieb Luis de Bethencourt:
> > device in debian:
> > crw-rw-r--+ 1 root root 189, 516 2011-08-05 00:46 /dev/bus/usb/005/005
> > 
> > device in gentoo:
> > crw-rw-r-- 1 root pcscd 189, 395 Aug  5 02:56 /dev/bus/usb/004/012
> > 
> > my user is part of the pcscd group. I just checked.
> 
> I have no certain problem in mind. My general advice is to check with strace 
> what's going on. Often the problem can easily be seen shortly before the 
> program abort. If not you may compare the outputs of the root and user calls.
>

I ran strace on gpg --card-status both as user and as root, but without the
card reader plugged in to make it simpler, and I noticed that it diverges
right before the end. Pasting where it diverges:

user:

read(3, "ERR 103 unknown command\n", 1002) = 24
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa69e8ad000
write(2, "gpg: selecting openpgp failed: U"..., 55gpg: selecting openpgp 
failed: Unsupported certificate
) = 55
write(2, "gpg: OpenPGP card not available:"..., 57gpg: OpenPGP card not 
available: Unsupported certificate
) = 57
munmap(0x7fa69e8af000, 32768)   = 0
exit_group(2)   = ?


root:

read(3, scdaemon[6104]: PC/SC OPEN failed: unknown PC/SC error code
"ERR 100663404 Card error \n", 1002) = 31
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa70a56f000
write(2, "gpg: selecting openpgp failed: C"..., 42gpg: selecting openpgp 
failed: Card error
) = 42
write(2, "gpg: OpenPGP card not available:"..., 44gpg: OpenPGP card not 
available: Card error
) = 44
munmap(0x7fa70a571000, 32768)   = 0
exit_group(2)   = ?


These are the few lines before the divergence:

write(6, "OPTION allow-pinentry-notify", 28) = 28
write(6, "\n", 1)   = 1
read(3, "OK\n", 1002)   = 3
write(6, "SCD SERIALNO openpgp", 20)= 20
write(6, "\n", 1)   = 1


not sure if this helps, or if anybody can read any problem here. I certainly 
can't :P

Thanks,
Luis
 
> 
> CU
> 
> Hauke
> -- 
> PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814




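The numbers in the two ERR lines of the strace excerpts above are libgpg-error values, packed as (source << 24) | code: 103 is source 0 with code 103, which libgpg-error names "Unsupported certificate" (the text gpg printed, even though the server text said "unknown command"), and 100663404 is source 6 (scdaemon) with code 108, "Card error". The decoder below is an added example rather than code from the thread or from GnuPG, and its source and code tables are a small excerpt limited to the values relevant here.

```python
"""Decode the numeric code in Assuan 'ERR <code> <text>' reply lines.

Added example, not part of the thread or of GnuPG.  The two tables are a
small excerpt of libgpg-error's err-sources / err-codes lists.
"""
import re

# libgpg-error packs an error value as (source << 24) | code; the code
# itself lives in the low 16 bits.
GPG_ERR_SOURCE_SHIFT = 24
GPG_ERR_CODE_MASK = 0xFFFF

# Excerpt of error sources (only the components involved in card access).
ERR_SOURCES = {0: "unknown", 2: "gpg", 4: "gpg-agent", 5: "pinentry", 6: "scdaemon"}

# Excerpt of error codes; 103 and 108 are the two that appear in the thread.
ERR_CODES = {
    0: "Success",
    103: "Unsupported certificate",
    108: "Card error",
    112: "Card not present",
}

ERR_LINE = re.compile(r'^ERR (\d+)(?: (.*))?$')


def decode_gpg_error(value):
    """Split a packed gpg-error value into its source and code, with names."""
    source = value >> GPG_ERR_SOURCE_SHIFT
    code = value & GPG_ERR_CODE_MASK
    return {
        "source": source,
        "source_name": ERR_SOURCES.get(source, "source %d" % source),
        "code": code,
        "code_name": ERR_CODES.get(code, "error code %d" % code),
    }


def explain_assuan_line(line):
    """Return None for non-ERR lines, else the decoded error plus the server text."""
    m = ERR_LINE.match(line.strip())
    if not m:
        return None
    info = decode_gpg_error(int(m.group(1)))
    info["server_text"] = m.group(2) or ""
    return info


# Constructed input: the two ERR replies quoted in the strace excerpts above.
SAMPLE_REPLIES = ["ERR 103 unknown command", "ERR 100663404 Card error "]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        d = explain_assuan_line(reply)
        print("%-28s -> %s: %s (server said %r)"
              % (reply.strip(), d["source_name"], d["code_name"], d["server_text"]))
```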


Re: Card only available to root user

2011-08-04 Thread Hauke Laging
Am Freitag, 5. August 2011, 03:02:07 schrieb Luis de Bethencourt:
> device in debian:
> crw-rw-r--+ 1 root root 189, 516 2011-08-05 00:46 /dev/bus/usb/005/005
> 
> device in gentoo:
> crw-rw-r-- 1 root pcscd 189, 395 Aug  5 02:56 /dev/bus/usb/004/012
> 
> my user is part of the pcscd group. I just checked.

I have no certain problem in mind. My general advice is to check with strace 
what's going on. Often the problem can easily be seen shortly before the 
program abort. If not you may compare the outputs of the root and user calls.


CU

Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814




Re: Card only available to root user

2011-08-04 Thread Luis de Bethencourt
On Fri, Aug 05, 2011 at 12:14:47AM +0200, Hauke Laging wrote:
> Am Freitag, 5. August 2011, 01:49:21 schrieb Luis de Bethencourt:
> 
> > I can get/set the information of the card through the root user
> 
> > Notice how I can check the status as root, and do SCD Learn as my user. But not
> > check the status as my user (or sign my mails, which is the main problem). Also
> > pcsc_scan works with my user, it shows the Serial number of the card.
> 
> Is this an access rights problem with the card reader device file? Different 
> defaults with Gentoo and Debian maybe?
>

device in debian:
crw-rw-r--+ 1 root root 189, 516 2011-08-05 00:46 /dev/bus/usb/005/005

device in gentoo:
crw-rw-r-- 1 root pcscd 189, 395 Aug  5 02:56 /dev/bus/usb/004/012

my user is part of the pcscd group. I just checked.

 
> Of course, this explanation does not make sense if pcsc_scan can access the 
> device. Is pcsc_scan installed with SUID or SGID?
>

-rwxr-xr-x 1 root root 15K Aug  4 22:47 /usr/bin/pcsc_scan

no suid/sgid as far as I can see.
 
> 
> CU
> 
> Hauke
> -- 
> PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

Thanks for thinking about this :)

Luis




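Hauke's two checks above, the mode bits on the reader's device node and whether pcsc_scan is setuid or setgid, can be run against the three ls -l lines Luis posted; the script below is an added example, not code from the thread, and the user name and group set it evaluates (luisbg, member of pcscd) are assumptions taken from the thread.

```python
"""Evaluate `ls -l` lines for a given user: classic mode bits, ACL marker,
setuid/setgid.  Added example, not part of the thread."""
import re

# Fields of an `ls -l` line: type, 9 permission chars, optional ACL marker,
# link count, owner, group, size or major/minor plus date, path.
LS_LINE = re.compile(
    r'^([bcdlps-])([rwxsStT-]{9})(\+?)\s+\d+\s+(\S+)\s+(\S+)\s+(.*?)\s+(/\S+)$')


def parse_ls_line(line):
    """Split one `ls -l` line into its fields; raises on anything else."""
    m = LS_LINE.match(line.strip())
    if not m:
        raise ValueError("not an ls -l line: %r" % line)
    ftype, perms, acl, owner, group, _, path = m.groups()
    return {"type": ftype, "perms": perms, "has_acl": acl == "+",
            "owner": owner, "group": group, "path": path}


def classic_access(entry, user, user_groups):
    """Which of read/write the classic mode bits grant `user`.  Root's
    CAP_DAC_OVERRIDE is not modelled, so this answers for ordinary users."""
    if user == entry["owner"]:
        who, bits = "owner", entry["perms"][0:3]
    elif entry["group"] in user_groups:
        who, bits = "group", entry["perms"][3:6]
    else:
        who, bits = "other", entry["perms"][6:9]
    return {"path": entry["path"], "matched_as": who,
            "read": bits[0] == "r", "write": bits[1] == "w",
            # '+' means an ACL exists; it can grant more than the bits show,
            # so confirm with getfacl(1) when this is True.
            "acl_may_extend": entry["has_acl"],
            # 's'/'S' in the execute slot marks setuid (owner) / setgid (group).
            "setuid": entry["perms"][2] in "sS",
            "setgid": entry["perms"][5] in "sS"}


# Constructed input: the three listings quoted in the thread.
SAMPLE_LISTINGS = [
    "crw-rw-r--+ 1 root root 189, 516 2011-08-05 00:46 /dev/bus/usb/005/005",
    "crw-rw-r-- 1 root pcscd 189, 395 Aug  5 02:56 /dev/bus/usb/004/012",
    "-rwxr-xr-x 1 root root 15K Aug  4 22:47 /usr/bin/pcsc_scan",
]


def check_listings(lines, user, user_groups):
    """Run classic_access over every line for one user (assumed: luisbg/pcscd)."""
    return [classic_access(parse_ls_line(l), user, user_groups) for l in lines]


if __name__ == "__main__":
    for result in check_listings(SAMPLE_LISTINGS, "luisbg", {"luisbg", "pcscd"}):
        print(result)
```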


Re: Card only available to root user

2011-08-04 Thread Hauke Laging
Am Freitag, 5. August 2011, 01:49:21 schrieb Luis de Bethencourt:

> I can get/set the information of the card through the root user

> Notice how I can check the status as root, and do SCD Learn as my user. But not
> check the status as my user (or sign my mails, which is the main problem). Also
> pcsc_scan works with my user, it shows the Serial number of the card.

Is this an access rights problem with the card reader device file? Different 
defaults with Gentoo and Debian maybe?

Of course, this explanation does not make sense if pcsc_scan can access the 
device. Is pcsc_scan installed with SUID or SGID?


CU

Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814




Re: Card only available to root user

2011-08-04 Thread Luis de Bethencourt
On Fri, Aug 05, 2011 at 01:49:21AM +0200, Luis de Bethencourt wrote:
> Hi everybody and thanks for the help.
> 
> I recently upgraded my GnuPG setup with a Smart Card (GnuPG Card v2).
> 
> I can get/set the information of the card through the root user, but this is
> not good for everyday use. I think I have pinpointed the problem, scdaemon
> in my machine doesn't like anybody but root.
> 
> Here is a paste of a few commands to show the problem:
> 
> luisbg@atlas ~ $ gpg --card-status
> gpg: selecting openpgp failed: Unsupported certificate
> gpg: OpenPGP card not available: Unsupported certificate
> 
> luisbg@atlas ~ $ sudo gpg --card-status
> scdaemon[31077]: reading public key failed: Missing item in object
> scdaemon[31077]: reading public key failed: Missing item in object
> Application ID ...: D2760001240102050CC9
> Version ..: 2.0
> Manufacturer .: ZeitControl
> Serial number : 0CC9
> Name of cardholder: Luis de Bethencourt
> Language prefs ...: en
> Sex ..: male
> URL of public key : http://people.collabora.com/~luisbg/gpg_pub_key_873B518D
> Login data ...: luisbg
> Signature PIN : not forced
> Key attributes ...: 2048R 2048R 2048R
> Max. PIN lengths .: 32 32 32
> PIN retry counter : 3 0 3
> Signature counter : 2
> Signature key : 3F4A 28A6 568A CD30 480A  F9EB 6BBF 9F19 873B 518D
>   created : 2011-07-26 12:22:00
> Encryption key: [none]
> Authentication key: [none]
> General key info..: [none]
> scdaemon[31077]: updating slot 0 status: 0x->0x0007 (0->1)
> 
> luisbg@atlas ~ $ gpg-agent --server gpg-connect-agent
> OK Pleased to meet you
> SCD LEARN
> S SERIALNO D2760001240102050CC9 0
> INQUIRE KNOWNCARDP D2760001240102050CC9 0
> scdaemon[31088]: updating slot 0 status: 0x->0x0007 (0->1)
> 
> 
> Notice how I can check the status as root, and do SCD Learn as my user. But not
> check the status as my user (or sign my mails, which is the main problem). Also
> pcsc_scan works with my user, it shows the Serial number of the card.
> 
> If it helps, I'm running gentoo with:
> gpg (GnuPG) 2.0.17
> scdaemon (GnuPG) 2.0.17
> pcsc-lite version 1.7.2
> gpg-agent (GnuPG) 2.0.17
> 
> luisbg@atlas ~ $ gpgconf
> gpg:GPG for OpenPGP:/usr/bin/gpg2
> gpg-agent:GPG Agent:/usr/bin/gpg-agent
> scdaemon:Smartcard Daemon:/usr/bin/scdaemon
> gpgsm:GPG for S/MIME:/usr/bin/gpgsm
> dirmngr:Directory Manager:/usr/bin/dirmngr
> 
> Thanks a million for the help,
> Luis

By the way, I should mention I have replicated this issue in my two 
gentoo-based machines.

But then got the card and reader working very easily in another machine which 
runs debian. So the hardware is OK. Unfortunately for this case, my laptop is 
one of the gentoo machines, and that is the machine on which I will make more use 
of the card.

Thanks,
Luis




Card only available to root user

2011-08-04 Thread Luis de Bethencourt
Hi everybody and thanks for the help.

I recently upgraded my GnuPG setup with a Smart Card (GnuPG Card v2).

I can get/set the information of the card through the root user, but this is
not good for everyday use. I think I have pinpointed the problem, scdaemon
in my machine doesn't like anybody but root.

Here is a paste of a few commands to show the problem:

luisbg@atlas ~ $ gpg --card-status
gpg: selecting openpgp failed: Unsupported certificate
gpg: OpenPGP card not available: Unsupported certificate

luisbg@atlas ~ $ sudo gpg --card-status
scdaemon[31077]: reading public key failed: Missing item in object
scdaemon[31077]: reading public key failed: Missing item in object
Application ID ...: D2760001240102050CC9
Version ..: 2.0
Manufacturer .: ZeitControl
Serial number : 0CC9
Name of cardholder: Luis de Bethencourt
Language prefs ...: en
Sex ..: male
URL of public key : http://people.collabora.com/~luisbg/gpg_pub_key_873B518D
Login data ...: luisbg
Signature PIN : not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 2
Signature key : 3F4A 28A6 568A CD30 480A  F9EB 6BBF 9F19 873B 518D
  created : 2011-07-26 12:22:00
Encryption key: [none]
Authentication key: [none]
General key info..: [none]
scdaemon[31077]: updating slot 0 status: 0x->0x0007 (0->1)

luisbg@atlas ~ $ gpg-agent --server gpg-connect-agent
OK Pleased to meet you
SCD LEARN
S SERIALNO D2760001240102050CC9 0
INQUIRE KNOWNCARDP D2760001240102050CC9 0
scdaemon[31088]: updating slot 0 status: 0x->0x0007 (0->1)


Notice how I can check the status as root, and do SCD Learn as my user. But not
check the status as my user (or sign my mails, which is the main problem). Also
pcsc_scan works with my user, it shows the Serial number of the card.

If it helps, I'm running gentoo with:
gpg (GnuPG) 2.0.17
scdaemon (GnuPG) 2.0.17
pcsc-lite version 1.7.2
gpg-agent (GnuPG) 2.0.17

luisbg@atlas ~ $ gpgconf
gpg:GPG for OpenPGP:/usr/bin/gpg2
gpg-agent:GPG Agent:/usr/bin/gpg-agent
scdaemon:Smartcard Daemon:/usr/bin/scdaemon
gpgsm:GPG for S/MIME:/usr/bin/gpgsm
dirmngr:Directory Manager:/usr/bin/dirmngr

Thanks a million for the help,
Luis

