OpenPGP Smartcards and GNOME

The combination of GnuPG and a OpenPGP smartcard has been implemented and working for almost a decade. I recall starting to use it when I received a FSFE Fellowship card in 2006. Today I’m using a YubiKey NEO. Sadly there has been some regressions when using them under GNOME recently. I reinstalled my laptop with Debian Jessie (beta2) recently, and now took the time to work through the issue and write down a workaround.

To work with GnuPG and smartcards you install GnuPG agent, scdaemon, pscsd and pcsc-tools. On Debian you can do it like this:

apt-get install gnupg-agent scdaemon pcscd pcsc-tools

Use the pcsc_scan command line tool to make sure pcscd recognize the smartcard before continuing, if that doesn’t recognize the smartcard nothing beyond this point will work. The next step is to make sure you have the following line in ~/.gnupg/gpg.conf:

use-agent

Logging out and into GNOME should start gpg-agent for you, through the /etc/X11/Xsession.d/90gpg-agent script. In theory, this should be all that is required. However, when you start a terminal and attempt to use the smartcard through GnuPG you would get an error like this:

jas@latte:~$ gpg --card-status
gpg: selecting openpgp failed: unknown command
gpg: OpenPGP card not available: general error
jas@latte:~$

The reason is that the GNOME Keyring hijacks the GnuPG agent’s environment variables and effectively replaces gpg-agent with gnome-keyring-daemon which does not support smartcard commands (Debian bug #773304). GnuPG uses the environment variable GPG_AGENT_INFO to find the location of the agent socket, and when the GNOME Keyring is active it will typically look like this:

jas@latte:~$ echo $GPG_AGENT_INFO 
/run/user/1000/keyring/gpg:0:1
jas@latte:~$ 

If you use GnuPG with a smartcard, I recommend to disable GNOME Keyring’s GnuPG and SSH agent emulation code. This used to be easy to achieve in older GNOME releases (e.g., the one included in Debian Wheezy), through the gnome-session-properties GUI. Sadly there is no longer any GUI for disabling this functionality (Debian bug #760102). The GNOME Keyring GnuPG/SSH agent replacement functionality is invoked through the XDG autostart mechanism, and the documented way to disable system-wide services for a normal user account is to invoke the following commands.

jas@latte:~$ mkdir ~/.config/autostart
jas@latte:~$ cp /etc/xdg/autostart/gnome-keyring-gpg.desktop ~/.config/autostart/
jas@latte:~$ echo 'Hidden=true' >> ~/.config/autostart/gnome-keyring-gpg.desktop 
jas@latte:~$ cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart/
jas@latte:~$ echo 'Hidden=true' >> ~/.config/autostart/gnome-keyring-ssh.desktop 
jas@latte:~$ 

You now need to logout and login again. When you start a terminal, you can look at the GPG_AGENT_INFO environment variable again and everything should be working again.

jas@latte:~$ echo $GPG_AGENT_INFO 
/tmp/gpg-dqR4L7/S.gpg-agent:1890:1
jas@latte:~$ echo $SSH_AUTH_SOCK 
/tmp/gpg-54VfLs/S.gpg-agent.ssh
jas@latte:~$ gpg --card-status
Application ID ...: D2760001240102000060000000420000
...
jas@latte:~$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFP+UOTZJ+OXydpmbKmdGOVoJJz8se7lMs139T+TNLryk3EEWF+GqbB4VgzxzrGjwAMSjeQkAMb7Sbn+VpbJf1JDPFBHoYJQmg6CX4kFRaGZT6DHbYjgia59WkdkEYTtB7KPkbFWleo/RZT2u3f8eTedrP7dhSX0azN0lDuu/wBrwedzSV+AiPr10rQaCTp1V8sKbhz5ryOXHQW0Gcps6JraRzMW+ooKFX3lPq0pZa7qL9F6sE4sDFvtOdbRJoZS1b88aZrENGx8KSrcMzARq9UBn1plsEG4/3BRv/BgHHaF+d97by52R0VVyIXpLlkdp1Uk4D9cQptgaH4UAyI1vr cardno:006000000042
jas@latte:~$ 

That’s it. Resolving this properly involves 1) adding smartcard code to the GNOME Keyring, 2) disabling the GnuPG/SSH replacement code in GNOME Keyring completely, 3) reorder the startup so that gpg-agent supersedes gnome-keyring-daemon instead of vice versa, so that people who installed the gpg-agent really gets it instead of the GNOME default, or 4) something else. I don’t have a strong opinion on how to solve this, but 3) sounds like a simple way forward.

14 Replies to “OpenPGP Smartcards and GNOME”

  1. option 3 is bad because the installation of gpg agent comes from the administrator but the choice of the gnome suite comes from the user. 1 is good but hard, 2 is bad.

    • I agree that installation of the gpg-agent comes from the administrator, but in my view, USE of gpg-agent is optional and only happens if the user put ‘use-agent’ in ~/.gnupg/gpg.conf. If you don’t have that line, gpg-agent won’t be started. So gpg-agent is truly a user choice, since it requires active actions from the user to enable.

      Re 2), what purpose does the GnuPG/SSH replacement code in GNOME Keyring really serve that gpg-agent doesn’t fulfil?

  2. I am trying to install my PGP key into a (actually, into five) yubikey neo’s. I run Linux Mint 17.1. The instructions above did not work, in that, when I typed:

    gpg –card-status

    at the end, I still got the error. Any ideas?

    • I noticed that for Ubuntu 15.04 it works out of the box to just deselect the GPG agent and SSH agent from the startup programs[1] (or hower it’s called in English) without the things Simon did on his system. I tried it Simon’s way but it did also not solved my issue to get the smartcard function alive.
      After further investigation i stumbled upon this bugreport[2] and checked for the version of the gnome-keyring running on my system and THEN noticed that I was able to uncheck the two parts of gnome-keyring in the startup GUI.

      [1]http://imgur.com/rGwlaMV
      [2]https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1387303

      • PS: Further disabling the gnome-keyring did not create issues with passwords stored in Chrome (they still show up in seahorse), WiFi passwords or ssh keys for accessing other computers. But maybe that’s just normal. I wasn’t sure what I would maybe break by disabling the gnome-keyring startup stuff.

  3. Pingback: SSH Host Certificates with YubiKey NEO | Simon Josefsson's blog

  4. Very useful post !
    Also you should enable ssh support on gpg-agent if you want to use CCID to authenticate on SSH servers:
    [code language=”bash”]
    grep -q ^enable-ssh-support || echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf
    [/code]

    • Thank you — I forgot to mention this. It is indeed required to get SSH client support working.

      /Simon

  5. Pingback: Yubico Yubikey 4: PGP, U2F and other things | David North

  6. Pingback: Securing SSH with GnuPG – The Consultron blog

  7. I ended up having to tweak this slightly as they renamed the gnome-keyring-gpg to gnome-keyring-pkcs11 in newer versions.

    Assuming you already have a secure GPG config like the ones provided by Dr. Duh on GitHub, this disables the Gnome keyring and kills any lingering gpg/ssh agents so you can run `gpg –card-status` and `gpg-connect-agent updatestartuptty /bye` to get your environment updated and use `ssh-add -L` to verify you see the public key of your card available for connecting to remote hosts or git cloning.

    #!/bin/bash -x
    set -o pipefail
    XDG_AUTOSTART_DIR=”/etc/xdg/autostart/”
    USER_AUTOSTART_DIR=”$HOME/.config/autostart/”
    mkdir -p $USER_AUTOSTART_DIR
    GNOME_KEYRING_FILES=(gnome-keyring-gpg gnome-keyring-ssh gnome-keyring-pkcs11) # gnome-keyring-secrets # the secrets might affect unlocking the keyring for Chrome/other utilities
    for config in “${GNOME_KEYRING_FILES[@]}”; do
    CONFIG_FILE=${config}.desktop
    [ -f “${XDG_AUTOSTART_DIR}${CONFIG_FILE}” ] && { cp ${XDG_AUTOSTART_DIR}${CONFIG_FILE} ${USER_AUTOSTART_DIR}${CONFIG_FILE}; echo ‘Hidden=true’ >> ${USER_AUTOSTART_DIR}${CONFIG_FILE}; }
    done
    killall -q -9 gpg-agent ssh-agent

  8. Pingback: OpenPGP smartcard under GNOME on Debian 10 Buster – Simon Josefsson's blog

  9. Pingback: OpenPGP smartcard with GNOME on Debian 11 Bullseye – Simon Josefsson's blog

Leave a Reply

Your email address will not be published. Required fields are marked *

*