Wednesday, June 26, 2019

GnuPG and PC/SC conflicts

GnuPG

"GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications."

GnuPG supports smart cards through the OpenPGP application in the card or token. See "How to use the Fellowship Smartcard" for more details.

PC/SC

PC/SC (defined by the PC/SC workgroup) is the "standard" way to access smart cards and smart card readers.

pcsc-lite is a Free Software implementation of the PC/SC standard often used in Unix systems.
pcscd is the daemon, part of pcsc-lite, that accesses the smart card readers.

The problem

By default GnuPG has its own way to access smart cards with the help of the scdaemon helper process.

If you use both GnuPG and PC/SC on the same system, the two can conflict over access to the smart card reader.

scdaemon gets access

If scdaemon is started before pcscd then the smart card reader will not be available at the PC/SC level.
In pcscd logs you get the error:
ccid_usb.c:653:OpenUSBByName() Can't claim interface 1/12: LIBUSB_ERROR_BUSY

pcscd gets access

If pcscd is started before scdaemon then the smart card will not be available at the GnuPG level.
You get the error:
$ gpg --card-status 
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device

It is becoming a FAQ (Debian bug #925312, GitHub issue) so I decided to document possible solutions.

The solutions

Remove pcscd from your system

The obvious solution to avoid the conflict is to remove one of the two participants.
If you use your smart card only with GnuPG then you can remove pcscd entirely.

But if you have pcscd installed it may be for a good reason. You may want/need to use PC/SC for other applications.

Tell GnuPG to use PC/SC

Another solution is to make GnuPG and pcscd work together.
Luckily, this is possible using the scdaemon option --disable-ccid.

From the documentation:
--disable-ccid
    Disable the integrated support for CCID compliant readers. This allows falling back to one of the other drivers even if the internal CCID driver can handle the reader. Note, that CCID support is only available if libusb was available at build time.

With this option scdaemon will use PC/SC to talk to the smart card and the conflict is solved.

It is possible to tell scdaemon to always use this option by editing the scdaemon configuration file. By default it is ~/.gnupg/scdaemon.conf and it should contain the line:
disable-ccid

If you try to make it work, be sure to kill any running scdaemon process so that it is restarted with the new option.
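
The two steps above (add the line, then restart scdaemon) as a script. This is an added example, not part of the original post; the function names are made up for illustration, and the restart assumes gpgconf from GnuPG 2.1 or later is installed.

```shell
#!/bin/sh
# Added example: idempotently enable "disable-ccid" in scdaemon.conf.

# ensure_disable_ccid DIR -> 0 = line added, 1 = already active, 2 = error
ensure_disable_ccid() {
    dir=$1
    conf=$dir/scdaemon.conf
    # Create a missing GnuPG home as private (0700), which is what gpg expects.
    [ -d "$dir" ] || { mkdir -p "$dir" && chmod 700 "$dir"; } || return 2
    # Only an uncommented line counts; "#disable-ccid" is a comment.
    if [ -f "$conf" ] &&
       grep -Eq '^[[:space:]]*disable-ccid[[:space:]]*$' "$conf"; then
        return 1
    fi
    # If the file does not end in a newline, add one so the option
    # is not glued onto the previous line.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        printf '\n' >> "$conf" || return 2
    fi
    printf 'disable-ccid\n' >> "$conf" || return 2
}

# Stop the running scdaemon; gpg starts a new one, with the new
# option, the next time it needs the card.
# Assumption: gpgconf from GnuPG 2.1 or later is installed.
restart_scdaemon() {
    command -v gpgconf >/dev/null 2>&1 || {
        echo "gpgconf not found; stop scdaemon by hand" >&2
        return 1
    }
    gpgconf --kill scdaemon
}

main() {
    # Assumption: the GnuPG home is $GNUPGHOME, else ~/.gnupg (the page's default).
    ensure_disable_ccid "${GNUPGHOME:-$HOME/.gnupg}"
    case $? in
        0) echo "disable-ccid added"; restart_scdaemon ;;
        1) echo "disable-ccid already set"; restart_scdaemon ;;
        *) echo "cannot update scdaemon.conf" >&2; return 1 ;;
    esac
}

# Nothing is modified unless the script is run with --apply.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Afterwards, gpg --card-status should reach the card through pcscd instead of failing with "No such device".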

Conclusion

I don't know if the problem comes from pcscd or from GnuPG.

The good news is that there is a solution.