#690 ✓released
steve

Add support to scdaemon for shared access mode (required when using both S/MIME and OpenPGP with smartcard)

Reported by steve | December 1st, 2016 @ 05:17 PM | in 2.2.0 (closed)

Solution

2017-07-11 Fixed as an expert option in MacGPG:
add "shared-access" to ~/.gnupg/scdaemon.conf

mouse008 used additional commands:

  • Switching from S/MIME emails to OpenPGP emails - usually one needs to do nothing, just use OpenPGP mode. But if the automatic switch hasn't happened, typing gpg --card-status in a Terminal window should do the job.
  • Switching from OpenPGP back to S/MIME often (always so far?) does not happen automatically. To manually switch the YubiKey token from the OpenPGP applet to the PIV applet, just type yubico-piv-tool -a status in the Terminal window. That's enough to bring the token back to PIV mode.

2017-07-10 filed GnuPG #3267; Werner says it behaves as expected, wontfix


Copy of the initial user feature request from the discussion linked below

My hardware token (YubiKey NEO) has several applets, including PIV and OpenPGP. Needless to say, I need and use both of them.

On Mac OS X, tokend connects to the token immediately upon its insertion, which is necessary to present the token as a (PIV) keychain in the Keychain Access, and make its keys/certificates otherwise available to the Mac OS X applications.

However, when I try to use gpg, or any component of GPGTools that needs access to this token (to its OpenPGP applet), this tool detects that the token is already being used - and refuses to connect to it, with the following messages in the /tmp/scdaemon.log:

2016-09-06 21:09:24 scdaemon[67807] PC/SC OPEN failed: sharing violation (0x8010000b)
2016-09-06 21:09:24 scdaemon[67807] PC/SC OPEN failed: sharing violation (0x8010000b)
2016-09-06 21:09:33 scdaemon[67807] PC/SC OPEN failed: sharing violation (0x8010000b)

Expected

I would expect and like sharing - especially since they share the “token” but not the “applet”: PIV applications cannot use the OpenPGP interface, and vice versa (I think).

I know about the design ideology (security concerns), but this kills usability, particularly with Apple Mail, where I need to process both PGP-protected and S/MIME-protected emails (obviously from different crowds, but that is not relevant).

Same applies to Thunderbird, except there is no tokend involved - just inability of GPG suite to share the token with PIV suite. I’d like it remedied.

Additional info

There is a workaround - but it is ugly: insert the token, start Apple Mail, process all the S/MIME emails. Quit Mail, kill OpenSC.tokend. Run “gpg2 --card-status” (assuming it connects and provides the expected result). Start Mail, process PGP/MIME emails. Quit Mail, remove the token, re-insert it - now PIV and S/MIME are functioning again.

Ugly as a mule. Can you please either remove this restriction, or better yet - add a configuration parameter that would allow token sharing?
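The following script is an added example, not code from this ticket, from GPGTools or from GnuPG. It ties together the two procedures on this page: the MacGPG fix from the Solution section (add "shared-access" to ~/.gnupg/scdaemon.conf, then switch applets with gpg --card-status and yubico-piv-tool -a status) and the pre-fix workaround from the request above (kill OpenSC.tokend, then run gpg --card-status). It also counts the "PC/SC OPEN failed: sharing violation (0x8010000b)" lines that the ticket shows in /tmp/scdaemon.log, so you can tell whether the sharing problem is what you are hitting. Assumptions not stated on the page: the log and config paths are overridable defaults; the tokend process name used with pkill is OpenSC.tokend as the user wrote it; the scdaemon restart via gpgconf --kill scdaemon (needed because scdaemon reads its config at startup) and the recommend_action decision logic are mine. The sample log lines in the demo are copied from the ticket and are used as constructed test input.

```shell
#!/bin/sh
# Added example for GPGTools ticket #690 (not part of the ticket or of
# MacGPG). Helpers around the PC/SC sharing-violation problem with a
# YubiKey that carries both a PIV and an OpenPGP applet.
#
# Assumptions (not from the page): default paths below, the pkill target
# "OpenSC.tokend", and restarting scdaemon with "gpgconf --kill scdaemon".

SCD_LOG="${SCD_LOG:-/tmp/scdaemon.log}"
SCD_CONF="${SCD_CONF:-$HOME/.gnupg/scdaemon.conf}"
SCD_NO_RESTART="${SCD_NO_RESTART:-0}"   # set to 1 to skip the scdaemon restart

# Count PC/SC sharing violations (0x8010000b) in an scdaemon log.
# A missing log counts as zero; grep -c exits 1 on zero matches, so the
# "|| true" keeps callers that run under "set -e" alive.
count_sharing_violations() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c 'PC/SC OPEN failed: sharing violation (0x8010000b)' "$1" || true
}

# True if shared-access is already an active option in the given scdaemon.conf
# (matched at line start, leading spaces allowed, commented lines ignored).
has_shared_access() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*shared-access([[:space:]]|$)' "$1"
}

# The fix from the Solution section: add the MacGPG expert option once,
# without duplicating it on repeated runs, then restart scdaemon so the new
# config is read (assumption: scdaemon only reads its config at startup).
enable_shared_access() {
    conf="$1"
    mkdir -p "$(dirname "$conf")"
    if has_shared_access "$conf"; then
        echo "shared-access already set in $conf"
    else
        # Make sure we start on a fresh line if the file lacks a trailing newline.
        if [ -f "$conf" ] && [ -n "$(tail -c1 "$conf")" ]; then
            echo >> "$conf"
        fi
        echo "shared-access" >> "$conf"
        echo "added shared-access to $conf"
    fi
    if [ "$SCD_NO_RESTART" = 0 ] && command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill scdaemon
    fi
    return 0
}

# Applet switching exactly as the Solution section describes it.
select_openpgp() { gpg --card-status; }          # token -> OpenPGP applet
select_piv()     { yubico-piv-tool -a status; }  # token -> PIV applet

# The user's pre-fix workaround: stop OpenSC.tokend so scdaemon can open the
# token, then select OpenPGP. PIV/S-MIME only return after reinserting the token.
workaround_kill_tokend() {
    pkill -x OpenSC.tokend || true   # assumption: this is the tokend process name
    select_openpgp
}

# Decide what to do from the log and config state. Prints one of
# "ok" (no violations), "fix:shared-access" (violations, option not set)
# or "workaround" (violations even though the option is set: either the log
# predates the config change, or you need the kill-tokend path).
recommend_action() {
    log="$1"; conf="$2"
    n="$(count_sharing_violations "$log")"
    if [ "$n" -eq 0 ]; then
        echo ok
    elif ! has_shared_access "$conf"; then
        echo fix:shared-access
    else
        echo workaround
    fi
}

# Demo on constructed data only (no token or gpg needed): the three log lines
# from the ticket plus an scdaemon.conf that holds only a comment.
demo() {
    tmp="$(mktemp -d)"
    cat > "$tmp/scdaemon.log" <<'EOF'
2016-09-06 21:09:24 scdaemon[67807] PC/SC OPEN failed: sharing violation (0x8010000b)
2016-09-06 21:09:24 scdaemon[67807] PC/SC OPEN failed: sharing violation (0x8010000b)
2016-09-06 21:09:33 scdaemon[67807] PC/SC OPEN failed: sharing violation (0x8010000b)
EOF
    printf '# expert options\n' > "$tmp/scdaemon.conf"
    echo "violations: $(count_sharing_violations "$tmp/scdaemon.log")"
    echo "action: $(recommend_action "$tmp/scdaemon.log" "$tmp/scdaemon.conf")"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh scd-share.sh demo` to see the log check on the ticket's own lines; in real use, source the file and call `enable_shared_access "$SCD_CONF"` once, then `select_openpgp` / `select_piv` as the Solution section describes. Clear or rotate /tmp/scdaemon.log after enabling the option, otherwise old violation lines will keep recommend_action reporting "workaround".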
