Arch Linux


FS#75276 - [gnupg] Reports 'card error' reading some Yubikeys in v2.2.36-1

Attached to Project: Arch Linux
Opened by Oliver Ford (OJFord) - Friday, 08 July 2022, 23:38 GMT
Last edited by Toolybird (Toolybird) - Wednesday, 27 July 2022, 08:46 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Assigned
Assigned To: Lukas Fleischer (lfleischer), David Runge (dvzrv), Levente Polyak (anthraxx)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 9
Private: No

Details

Description:
Some, but not all, Yubikeys cannot be read by e.g. `gpg --card-status` (nor any operation using it) as of 2.2.36-1.

> gpg: OpenPGP card not available: Card error

* Yubikey 5C NFC is affected;
* Yubikey 4 Nano is not;
* The previous version, 2.2.35-2, works with both.

Steps to reproduce:
1. Insert key and observe light on (and FIDO/WebAuthn working, etc.)
2. `$ gpg --card-status`
   gpg: OpenPGP card not available: Card error

Comment by Levente Polyak (anthraxx) - Friday, 08 July 2022, 23:50 GMT
You may want to report this issue upstream instead and potentially link back the issue to our tracker.
Comment by Oliver Ford (OJFord) - Saturday, 09 July 2022, 12:56 GMT
Comment by Oliver Ford (OJFord) - Wednesday, 27 July 2022, 08:24 GMT
Fix expected to be released in 2.2.37 & 2.3.8.

Aside: why is Arch on 2.2.x? Happy for the answer to be RTFM if you can link the relevant M, I haven't been able to find anything except some (non-Arch-specific) background on why they both exist (https://www.mail-archive.com/gnupg-users@gnupg.org/msg40728.html) - which doesn't seem to suggest there's any reason a rolling release model would want to avoid the 'modern' 2.3 branch.
Comment by Oliver Ford (OJFord) - Thursday, 18 August 2022, 10:23 GMT
I think the above mentioned releases are stalled on other regressions - any chance of a pkgrel release to include the now maintainer-verified patch ( https://dev.gnupg.org/T6070#161295 ) in the meantime?
Comment by Oliver Ford (OJFord) - Wednesday, 24 August 2022, 15:42 GMT
2.2.37 with the fix has now been released upstream: https://dev.gnupg.org/T6105
Comment by David Runge (dvzrv) - Thursday, 25 August 2022, 11:41 GMT
Can you please verify that 2.2.37-1 in [testing] fixes this for you?
Comment by Alexander Epaneshnikov (alex19EP) - Thursday, 25 August 2022, 11:54 GMT
> Aside: why is Arch on 2.2.x? Happy for the answer to be RTFM if you can link the relevant M, I haven't been able to find anything except some (non-Arch-specific) background on why they

3.x gpg drops support for old and insecure hashes. Unfortunately our keyring contains signatures using these hashes.
We are working on updating our keyring. But this is unfortunately not a very fast process.
Comment by Oliver Ford (OJFord) - Thursday, 25 August 2022, 12:07 GMT
Works a treat, thanks!

```
# echo -e '[testing]\nInclude = /etc/pacman.d/mirrorlist' >> /etc/pacman.conf
# pacman -Sy archlinux-keyring
# pacman -S testing/gnupg
$ gpg --version
gpg (GnuPG) 2.2.37
[...]
[unplug device]
$ gpgconf --kill all
[re-plug device]
$ gpg --card-status
[expected output]
```
Comment by David Runge (dvzrv) - Thursday, 25 August 2022, 12:56 GMT
@OJFord: For posterity could you add information on the firmware version in use on the two devices?
Comment by Oliver Ford (OJFord) - Thursday, 25 August 2022, 15:54 GMT
Sure, I don't have them to hand, but I reported `lsusb`'s `bcdDevice` upstream ( https://dev.gnupg.org/T6070#160040 ) as 5.43 on the broken device and 4.34 on the working one.

The maintainer implied it's 5.4x only that is affected.
Comment by Oliver Ford (OJFord) - Thursday, 25 August 2022, 16:01 GMT
@alex19EP Sorry I missed your reply earlier. Thanks for the explanation, makes sense, there's nothing particular I'm seeking from it - it just confused me slightly (not helped by the similarity of version numbers e.g. 2.2.36/2.3.6, whether coincidence or deliberate!) and I wasn't sure why it would be the case. Cheers.
