
Jarkko Sakkinen

Edited 5 months ago

#teardown and #bootstrap gpg-agent, pcscd to have a working configuration:

#!/usr/bin/env bash
# Copyright (c) Jarkko Sakkinen 2024
# Bootstrap gpg-agent and pcscd for Yubikey use.

# Arrays are a bash feature, hence the bash shebang.
GPG_AGENT_SOCKETS=(gpg-agent-ssh.socket
                   gpg-agent-browser.socket
                   gpg-agent-extra.socket
                   gpg-agent-ssh.socket
                   gpg-agent.socket)

# Teardown: stop and disable every gpg-agent socket unit, the agent and pcscd.
systemctl --user disable --now "${GPG_AGENT_SOCKETS[@]}"
gpgconf --kill gpg-agent
sudo systemctl disable --now pcscd.socket

# Bootstrap: enable only the main and SSH agent sockets, then pcscd.
systemctl --user enable --now gpg-agent.socket gpg-agent-ssh.socket
sudo systemctl enable --now pcscd.socket

#yubikey


Jarkko Sakkinen

Edited 5 months ago

For gpg-agent I have the following entries in ~/.gnupg:

gpg-agent.conf
gpg-agent.conf.darwin
gpg-agent.conf.linux-gnu

In a new installation the correct configuration can be deployed as follows:

cp ~/.gnupg/gpg-agent.conf.$OSTYPE ~/.gnupg/gpg-agent.conf

At least in Fedora, a shared access configuration also needs to be defined in ~/.gnupg/scdaemon.conf:

# See for further information:
# https://github.com/OpenSC/OpenSC/wiki/GnuPG-and-OpenSC
card-timeout 5
disable-ccid
pcsc-shared

Otherwise, the earlier script needs to be run separately for each boot as a workaround. In OpenSUSE, I guess the defaults are different, given that everything just works without this extra configuration.

@jarkko wait, I never got gpg and pcscd (for yubi auth) working reliably together (in opensuse) so did things get finally fixed?
@vbabka I've tested these myself in OpenSUSE and Fedora. I'd try both #1 and #3 from previous. In Fedora after boot it was not otherwise working right off the bat.
@jarkko hm so, gpg --card-status wouldn't work unless I add the scdaemon.conf stuff, as I'd expect given past attempts. Now the question is, will it work reliably, my previous experience is it starts working but then fails. Note I have up-to-date openSUSE Tumbleweed.

BTW, you mention also gpg-agent.conf, anything special there?

On the yubikey side, yubioath 5.1 (the latest packaged) doesn't work regardless of pcscd running. That's weird, it used to. 7.0 downloaded manually seems to work (and stops once I stop pcscd so it does use it still), so it's hopefully just a matter of packaging. Wonder if there's a command line variant for the OTPs...
@jarkko yeah and after a while of running, back to the usual

> gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

sigh
@vbabka @jarkko lol so glad I won't ever have to deal with this. Will I?

@vbabka @jarkko same experience I had on a bunch of distributions and on macOS: after some arcane setup it works for a while but then starts failing after the nth signature and/or after some time. luckily replugging the yubikey and restarting gpg-agent usually fixed those issues 😔

@sven @jarkko you mean also with pcscd service running? Without it, it's pretty stable for me.

@vbabka @jarkko oh, I didn't read the full context. yeah, even without pcscd running it sometimes just stops working when using gpg's ssh-agent socket to use my authentication subkeys

@ljs @jarkko you'll likely need just gpg and that's ok for me. It's only a problem when pcscd is used, i.e. for the TOTP support. I gave up and just use the android app for that, luckily not needed so often
@sven @jarkko I've noticed after using u2f on the key, the first gpg will ask for pin again, so maybe there's some reset involved

@vbabka @jarkko I wonder if that's what triggers the failure for me and I just thought it happened after N signatures instead of after a u2f interaction that I did in between

@vbabka So you can check from here: https://gitlab.com/jarkkojs/skeleton/-/tree/main/.gnupg?ref_type=heads

And also here: https://gitlab.com/jarkkojs/skeleton/-/blob/main/.local/bin/linux-reset-gpg-agent?ref_type=heads

Maybe noteworthy in the script is that there are two sockets that need to be enabled:

- ssh-agent.socket
- ssh-agent-ssh.socket

I've sometimes forgotten to enable the latter.

@vbabka For reference:

default-cache-ttl 3600
default-cache-ttl-ssh 3600
max-cache-ttl 7200
max-cache-ttl-ssh 7200
enable-ssh-support
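
A check for the option files posted in this thread, as an added example that is not part of the thread or of the linked skeleton repository: it reports which of the scdaemon.conf and gpg-agent.conf options quoted above are missing or commented out. The function names are hypothetical, and the sample files in demo are constructed.

```sh
#!/bin/sh
# Added example: lint the GnuPG option files discussed in this thread.
# Function names are hypothetical; the option names come from the posts.

# has_option FILE OPTION: succeed if OPTION is active (not commented out).
# GnuPG option files hold one option per line; "#" starts a comment.
has_option() {
    [ -r "$1" ] || return 1
    awk -v opt="$2" '
        { sub(/^[ \t]+/, "") }        # strip leading whitespace
        /^#/ || /^$/ { next }         # skip comments and blank lines
        $1 == opt { found = 1; exit }
        END { exit !found }
    ' "$1"
}

# missing_options FILE OPTION...: print the options not active in FILE.
missing_options() {
    mo_file=$1; mo_out=""; shift
    for mo_opt in "$@"; do
        has_option "$mo_file" "$mo_opt" || mo_out="$mo_out${mo_out:+ }$mo_opt"
    done
    echo "$mo_out"
}

# check_yubikey_gnupg [DIR]: report missing options, return 1 if any.
check_yubikey_gnupg() {
    cy_dir=${1:-${GNUPGHOME:-$HOME/.gnupg}}; cy_rc=0
    cy_m=$(missing_options "$cy_dir/scdaemon.conf" card-timeout disable-ccid pcsc-shared)
    if [ -n "$cy_m" ]; then echo "scdaemon.conf: missing $cy_m"; cy_rc=1; fi
    cy_m=$(missing_options "$cy_dir/gpg-agent.conf" enable-ssh-support)
    if [ -n "$cy_m" ]; then echo "gpg-agent.conf: missing $cy_m"; cy_rc=1; fi
    return $cy_rc
}

# Constructed sample: pcsc-shared is present but commented out.
demo() {
    demo_dir=$(mktemp -d)
    printf '%s\n' 'card-timeout 5' 'disable-ccid' '# pcsc-shared' > "$demo_dir/scdaemon.conf"
    printf '%s\n' 'enable-ssh-support' > "$demo_dir/gpg-agent.conf"
    check_yubikey_gnupg "$demo_dir"; demo_rc=$?
    rm -rf "$demo_dir"
    return $demo_rc
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Running the script with --demo prints the one missing option from the constructed files; calling check_yubikey_gnupg without an argument checks $GNUPGHOME or ~/.gnupg.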
@ljs @vbabka Well, I like it and it works without issues for most of the time.

In the Fedora installation I did not have the sockets correctly configured, so I wrote a script, and also in Fedora I had to create scdaemon.conf for the first time.

So I expect this to work better than before :-)

Maybe I should make this a contribution to PGP maintainers guide with more verbose explanations?

Especially the part about which sockets need to be on would be good to have there, because it is not easy to know the correct configuration beforehand, e.g. if you've never used gpg-agent.
@jarkko @ljs sounds like a great idea!

@jarkko
gpg-agent-ssh.socket in there twice.

Are the agents something you have to manually setup, or is that part of the normal gpg-agent stuff? I've never messed around with any more granularity. Think I just use ssh-agent (no gpg)

@Netux I ended up with the script because I tested it in Fedora, OpenSUSE and Arch Linux so I'd expect it to have some glitches ;-) But it does the job...