Gpg: selecting card failed: Service is not running

When I try to execute gpg --card-status, I get

gpg: selecting card failed: Service is not running
gpg: OpenPGP card not available: Service is not running

I’ve tried the following:

gpgconf -K gpg-agent
gpg --card-status
pkill gpg-agent
gpg --card-status
sudo systemctl restart pcscd.service
gpg --card-status

but all of them result in the same error message.
May I ask if you have an idea what I’m doing wrong?
I have services.pcscd.enable = true set in my config.

Not necessarily the issue, but there’s another option for enabling some udev rules: NixOS Search

This is my yubikey module, for reference, though the only technically important things are those two options: dotfiles/nixos-config/yubikey.nix at 3cc8dee514f61eba7e7269a7b03d7347aeb17693 · TLATER/dotfiles · GitHub

Anything in the pcscd or gpg logs? journalctl --boot --unit pcscd and journalctl --user --unit gpg-agent might help.

My smartcard is a yubikey. In case this helps, my ~/.gnupg/scdaemon.conf has:

reader-port Yubico Yubi
disable-ccid

per

EDIT: Perhaps the Troubleshooting Issues with GPG may help, which links to that page about CCID conflicts.

Not sure where I got the reader-port from. Arch Wiki page on the Yubikey mentions that.

(My NixOS code for using Yubikey is pretty much same as TLATER’s).

Gives me:

Mai 06 15:41:00 pc systemd[7030]: Started GnuPG cryptographic agent and passphrase cache.
Mai 06 15:41:00 pc gpg-agent[9182]: gpg-agent[9182]: WARNING: "--supervised" is a deprecated option
Mai 06 15:41:00 pc gpg-agent[9182]: gpg-agent (GnuPG) 2.4.5 starting in supervised mode.
Mai 06 15:41:00 pc gpg-agent[9182]: using fd 3 for std socket (/run/user/1000/gnupg/S.gpg-agent)
Mai 06 15:41:00 pc gpg-agent[9182]: listening on: std=3 extra=-1 browser=-1 ssh=-1
Mai 06 15:41:00 pc gpg-agent[9184]: scdaemon[9184]: pcsc_establish_context failed: internal error (0x80100001)
Mai 06 15:41:26 pc gpg-agent[9184]: scdaemon[9184]: pcsc_establish_context failed: internal error (0x80100001)
Mai 06 15:43:10 pc gpg-agent[9184]: scdaemon[9184]: pcsc_establish_context failed: internal error (0x80100001)

This is in my ~/.gnupg/scdaemon.conf:

disable-ccid
reader-port Yubico Yubi

so it looks the same.

well… it looks like this is an error from scdaemon itself, I guess… yay…
For anyone who’s curious about the version which I’m using, here’s the output of pcscd --version:

pcsc-lite version 2.1.0.
Copyright (C) 1999-2002 by David Corcoran <corcoran@musclecard.com>.
Copyright (C) 2001-2022 by Ludovic Rousseau <ludovic.rousseau@free.fr>.
Copyright (C) 2003-2004 by Damien Sauveron <sauveron@labri.fr>.
Report bugs to <pcsclite-muscle@lists.infradead.org>.
Enabled features: Linux x86_64-pc-linux-gnu libsystemd serial usb libudev polkit usbdropdir=/var/lib/pcsc/drivers ipcdir=/run/pcscd filter configdir=/etc
MAX_READERNAME: 128, PCSCLITE_MAX_READERS_CONTEXTS: 16

Can you add -x to see if the service even attempts to start? Also systemctl status pcscd.socket.

I don’t think pcscd is giving you an error, I think it’s just not running and somehow the socket isn’t starting it.

● pcscd.socket - PC/SC Smart Card Daemon Activation Socket
     Loaded: loaded (/etc/systemd/system/pcscd.socket; enabled; preset: enabled)
    Drop-In: /nix/store/f4xkg56f9hjr8j86is1zpdmmrgpbbqcp-system-units/pcscd.socket.d
             └─overrides.conf
     Active: active (listening) since Mon 2024-05-06 15:36:18 CEST; 59min ago
   Triggers: ● pcscd.service
     Listen: /run/pcscd/pcscd.comm (Stream)
     CGroup: /system.slice/pcscd.socket

Mai 06 15:36:18 pc systemd[1]: Listening on PC/SC Smart Card Daemon Activation Socket.

and

journalctl --boot --unit pcscd -x

-- No entries --

Yeah, pcscd is not starting. That probably means gpg isn’t phoning the socket correctly. ccid is a good guess, but you’ve already checked that.

Could be a permission issue, or maybe some other config is broken?

Does it magically start working if you manually start the pcscd service?

I took a look at my config again:

    gpg = {
      enable = true;

      scdaemonSettings = {
        disable-ccid = true;
        reader-port = "Yubico Yubi";
      };
    };

does that look like a culprit to you?
I changed it to

    gpg = {
      enable = true;

      # scdaemonSettings = {
      #   disable-ccid = true;
      #   reader-port = "Yubico Yubi";
      # };
    };

and executed sudo nixos-rebuild switch --flake . but gpg --card-status still gives me an error.

Do you mean executing this?

sudo systemctl restart pcscd.service
gpg --card-status

sadly it doesn’t fix this.

Anything in the logs for that service now?

No, that looks fine. My only suspicion is that you might not have enabled the udev rules, and if you have maybe you haven’t rebooted since, so your yubikey isn’t being picked up by anything because its rules aren’t installed to make non-root users see it.

Doesn’t really explain why pcscd doesn’t start, though.

Root cause is scdaemon not being able to find libpcsclite_real.so.1.

As a hotfix you can edit your gpg-agent.service to add a LD_LIBRARY_PATH pointing to pcsclite

Edit: Should be fixed in next staging-next: pcsclite: fix loading of libpcsclite_real.so.1 by NickCao · Pull Request #308884 · NixOS/nixpkgs · GitHub

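An added illustration (not from the thread or from nixpkgs) of why the LD_LIBRARY_PATH hotfix and the nixpkgs patch both address the root cause named above: pcsclite's redirect shim loads libpcsclite_real.so.1 by bare soname at runtime, so the dynamic loader can only find it via its search path, while the patched shim (the postPatch shown later in the thread) hands it an absolute store path. All paths below are constructed in a temporary directory; nothing touches a real GnuPG or pcsclite install.

```bash
#!/usr/bin/env bash
# Added example: models the loader's soname lookup that scdaemon depends on
# and emits the gpg-agent.service drop-in for the hotfix. Constructed paths only.

# resolve_soname NAME LD_LIBRARY_PATH -> prints the file the loader would open,
# or returns 1 (the "not found" that surfaced as pcsc_establish_context failed).
# A name with a '/' is opened directly; a bare soname is searched in LD_LIBRARY_PATH.
resolve_soname() {
  local name="$1" ldpath="$2" dir
  case "$name" in
    */*) if [ -e "$name" ]; then printf '%s\n' "$name"; return 0; fi; return 1 ;;
  esac
  local IFS=':'
  for dir in $ldpath; do
    if [ -n "$dir" ] && [ -e "$dir/$name" ]; then
      printf '%s\n' "$dir/$name"; return 0
    fi
  done
  return 1
}

# gpg_agent_dropin LIBDIR -> systemd drop-in applying the LD_LIBRARY_PATH hotfix
# (e.g. via `systemctl --user edit gpg-agent.service`, then daemon-reload)
gpg_agent_dropin() {
  printf '[Service]\nEnvironment=LD_LIBRARY_PATH=%s\n' "$1"
}

# demo: a fake pcsclite "lib" output containing only the real library.
# Returns 0 when all three scenarios behave as described, 1 otherwise.
demo() {
  local store lib
  store=$(mktemp -d)
  lib="$store/pcsclite-2.1.0-lib/lib"
  mkdir -p "$lib" && : > "$lib/libpcsclite_real.so.1"
  # 1. unpatched shim, no LD_LIBRARY_PATH: bare soname is not found -> scdaemon fails
  if resolve_soname "libpcsclite_real.so.1" ""; then return 1; fi
  # 2. hotfix: LD_LIBRARY_PATH set in gpg-agent.service makes the lookup succeed
  [ "$(resolve_soname libpcsclite_real.so.1 "/usr/lib:$lib")" = "$lib/libpcsclite_real.so.1" ] || return 1
  # 3. nixpkgs fix: soname rewritten to an absolute store path, no env needed
  [ "$(resolve_soname "$lib/libpcsclite_real.so.1" "")" = "$lib/libpcsclite_real.so.1" ] || return 1
  gpg_agent_dropin "$lib"
  rm -rf "$store"
}
```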
ah nice, thank you for the information!

Sure, the fix is relatively straightforward but I still find it kinda bad that the update was merged into master without sufficient testing, completely breaking yubikeys again.

Can you elaborate on this? I tried doing what you said but it didn’t work, I still get the error that libpcsclite_real.so.1 is not found. I made the change in my home-manager config and I confirmed it did make the change to the unit file that was loaded.

[Service]
Environment=GNUPGHOME=/home/yaro/.gnupg
Environment=LD_LIBRARY_PATH=/nix/store/8pccc2ykzckn393r700ixzzlnzykqgs6-pcsclite-with-polkit-2.1.0-lib/lib
ExecReload=/nix/store/qfmx03ki4r7nq2qwjfvsq602ra2wcyxb-gnupg-2.4.5/bin/gpgconf --reload gpg-agent
ExecStart=/nix/store/qfmx03ki4r7nq2qwjfvsq602ra2wcyxb-gnupg-2.4.5/bin/gpg-agent --supervised

[Unit]
After=gpg-agent.socket
Description=GnuPG cryptographic agent and passphrase cache
Documentation=man:gpg-agent(1)
RefuseManualStart=true
Requires=gpg-agent.socket

I’m on nixos-unstable and just updated my system but I’m still having this issue. Isn’t the staging-next already released?

You can override the gpg package, here’s an excerpt from my home.nix:

    programs.gpg = {
      enable = true;
      package = pkgs.gnupg.override {
        pcsclite = pkgs.pcsclite.overrideAttrs (old: {
          postPatch = old.postPatch + (lib.optionalString (!(lib.strings.hasInfix ''--replace-fail "libpcsclite_real.so.1"'' old.postPatch)) ''
            substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
              --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
          '');
        });
      };
    };
That worked! Thank you.