
Add support to scdaemon for shared access mode (required when using both S/MIME and OpenPGP with smartcard)
Reported by steve | December 1st, 2016 @ 05:17 PM | in 2.2.0 (closed)
Solution
2017-07-11 Fixed as expert option in MacGPG
add "shared-access" to ~/.gnupg/scdaemon.conf
mouse008 used additional commands:
- Switching from S/MIME emails to OpenPGP emails: usually one needs to do nothing, just use OpenPGP mode. But if the automatic switch hasn't happened, typing gpg --card-status in a Terminal window should do the job.
- Switching from OpenPGP back to S/MIME often (always so far?) does not happen automatically. To manually switch the YubiKey token from the OpenPGP applet to the PIV applet, just type yubico-piv-tool -a status in the Terminal window. That's enough to bring the token back to PIV mode.
2017-07-10 filed GnuPG #3267; Werner says it behaves as expected, wontfix
Copy of the initial user feature request from the discussion linked below
My hardware token (YubiKey NEO) has several applets, including PIV and OpenPGP. Needless to say, I need and use both of them.
On Mac OS X, tokend connects to the token immediately upon its insertion, which is necessary to present the token as a (PIV) keychain in the Keychain Access, and make its keys/certificates otherwise available to the Mac OS X applications.
However, when I try to use gpg, or any component of GPGTools that needs access to this token (to its OpenPGP applet), this tool detects that the token is already being used - and refuses to connect to it, with the following messages in the /tmp/scdaemon.log:
2016-09-06 21:09:24 scdaemon[67807] PC/SC OPEN failed: sharing violation (0x8010000b)
2016-09-06 21:09:24 scdaemon[67807] PC/SC OPEN failed: sharing violation (0x8010000b)
2016-09-06 21:09:33 scdaemon[67807] PC/SC OPEN failed: sharing violation (0x8010000b)
Expected
I would expect and like sharing - especially since they share the “token” but not the “applet”: PIV applications cannot use the OpenPGP interface, and vice versa (I think).
I know about the design ideology (security concerns), but this kills usability, particularly with Apple Mail, where I need to process both PGP-protected and S/MIME-protected emails (obviously from different crowds, but that is not relevant).
Same applies to Thunderbird, except there is no tokend involved - just inability of GPG suite to share the token with PIV suite. I’d like it remedied.
Additional info
There is a workaround - but it is ugly: insert the token, start Apple Mail, process all the S/MIME emails. Quit Mail, kill OpenSC.tokend. Run “gpg2 --card-status” (assuming it connects and provides the expected result). Start Mail, process PGP/MIME emails. Quit Mail, remove the token, re-insert it - now PIV and S/MIME are functioning again.
Ugly as a mule. Can you please either remove this restriction, or better yet - add a configuration parameter that would allow token sharing?
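A small diagnostic script, added here as an example and not part of the ticket, of GPGTools or of GnuPG: it counts the PC/SC sharing-violation lines quoted above in an scdaemon.log and checks whether the shared-access option from the solution is actually active (not commented out) in scdaemon.conf. The function names and the sample files it writes to a temporary directory are constructed for this example; on a real system you would point it at /tmp/scdaemon.log and ~/.gnupg/scdaemon.conf.

```shell
#!/bin/sh
# Added diagnostic for the ticket's symptom: scdaemon cannot open the card
# because tokend (or another PC/SC client) already holds it. Paths are parameters.

# Count "PC/SC OPEN failed: sharing violation (0x8010000b)" lines in a log file.
pcsc_sharing_violations() {
    grep -c 'PC/SC OPEN failed: sharing violation (0x8010000b)' "$1" || true
}

# Exit 0 only if the conf file has an active (uncommented) shared-access line.
scdaemon_shared_access_enabled() {
    grep -Eq '^[[:space:]]*shared-access[[:space:]]*$' "$1"
}

# Print one verdict: no-violations, shared-access-missing, or
# shared-access-set-but-still-failing (option present, yet the log still
# shows violations, e.g. scdaemon not restarted or the reader is held exclusively).
diagnose() {
    log="$1"; conf="$2"
    n=$(pcsc_sharing_violations "$log")
    if [ "$n" -eq 0 ]; then
        echo no-violations
    elif scdaemon_shared_access_enabled "$conf"; then
        echo shared-access-set-but-still-failing
    else
        echo shared-access-missing
    fi
}

# Constructed sample files (not real system files) so the script runs offline.
tmpdir=$(mktemp -d)
cat > "$tmpdir/scdaemon.log" <<'EOF'
2016-09-06 21:09:24 scdaemon[67807] PC/SC OPEN failed: sharing violation (0x8010000b)
2016-09-06 21:09:24 scdaemon[67807] PC/SC OPEN failed: sharing violation (0x8010000b)
2016-09-06 21:09:33 scdaemon[67807] PC/SC OPEN failed: sharing violation (0x8010000b)
EOF
cat > "$tmpdir/scdaemon.conf" <<'EOF'
# shared-access   (commented out, so the option is NOT active)
card-timeout 5
EOF
cat > "$tmpdir/scdaemon-fixed.conf" <<'EOF'
shared-access
EOF

diagnose "$tmpdir/scdaemon.log" "$tmpdir/scdaemon.conf"        # shared-access-missing
diagnose "$tmpdir/scdaemon.log" "$tmpdir/scdaemon-fixed.conf"  # shared-access-set-but-still-failing
```

The second verdict is the case to watch after adding the option: scdaemon must be restarted (gpgconf --kill scdaemon) before a fresh log can confirm the fix.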
Comments and changes to this ticket
Support June 1st, 2017 @ 04:01 PM
- Tag changed to tag id 460388
- Assigned to Tender discussion #51463.
steve June 21st, 2017 @ 02:07 PM
- Title changed from Add support to scdaemon for shared access mode to Add support to scdaemon for shared access mode (required when using both S/MIME and OpenPGP with smartcard)
- Tag cleared.
steve July 10th, 2017 @ 03:25 PM
- State changed from new to waiting
steve July 11th, 2017 @ 04:05 PM
- State changed from waiting to fixed
- Assigned user set to Mento
- Milestone set to 2.2.0
steve July 17th, 2017 @ 12:12 PM
- State changed from fixed to verified