OpenPGP Smartcards and GNOME

The combination of GnuPG and an OpenPGP smartcard (such as the YubiKey NEO) has been implemented and working well for around a decade. I recall starting to use it when I received an FSFE Fellowship card a long time ago. Sadly there have been some regressions when using them under GNOME recently. I reinstalled my laptop with Debian Jessie (beta2) recently, and now took the time to work through the issue and write down a workaround.

To work with GnuPG and smartcards you install GnuPG agent, scdaemon, pcscd and pcsc-tools. On Debian you can do it like this:

apt-get install gnupg-agent scdaemon pcscd pcsc-tools

Use the pcsc_scan command line tool to make sure pcscd recognizes the smartcard before continuing; if it doesn't recognize the smartcard, nothing beyond this point will work. The next step is to make sure you have the following line in ~/.gnupg/gpg.conf:

use-agent

Logging out of and back into GNOME should start gpg-agent for you, through the /etc/X11/Xsession.d/90gpg-agent script. In theory, this should be all that is required. However, when you start a terminal and attempt to use the smartcard through GnuPG, you get an error like this:

jas@latte:~$ gpg --card-status
gpg: selecting openpgp failed: unknown command
gpg: OpenPGP card not available: general error
jas@latte:~$

The reason is that the GNOME Keyring hijacks the GnuPG agent’s environment variables and effectively replaces gpg-agent with gnome-keyring-daemon which does not support smartcard commands (Debian bug #773304). GnuPG uses the environment variable GPG_AGENT_INFO to find the location of the agent socket, and when the GNOME Keyring is active it will typically look like this:

jas@latte:~$ echo $GPG_AGENT_INFO 
/run/user/1000/keyring/gpg:0:1
jas@latte:~$ 

If you use GnuPG with a smartcard, I recommend disabling GNOME Keyring's GnuPG and SSH agent emulation code. This used to be easy to achieve in older GNOME releases (e.g., the one included in Debian Wheezy), through the gnome-session-properties GUI. Sadly there is no longer any GUI for disabling this functionality (Debian bug #760102). The GNOME Keyring GnuPG/SSH agent replacement functionality is invoked through the XDG autostart mechanism, and the documented way to disable system-wide autostart entries for a single user account is to invoke the following commands.

jas@latte:~$ mkdir ~/.config/autostart
jas@latte:~$ cp /etc/xdg/autostart/gnome-keyring-gpg.desktop ~/.config/autostart/
jas@latte:~$ echo 'Hidden=true' >> ~/.config/autostart/gnome-keyring-gpg.desktop 
jas@latte:~$ cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart/
jas@latte:~$ echo 'Hidden=true' >> ~/.config/autostart/gnome-keyring-ssh.desktop 
jas@latte:~$ 

You now need to log out and log in again. When you start a terminal, you can look at the GPG_AGENT_INFO environment variable again, and everything should be working.

jas@latte:~$ echo $GPG_AGENT_INFO 
/tmp/gpg-dqR4L7/S.gpg-agent:1890:1
jas@latte:~$ echo $SSH_AUTH_SOCK 
/tmp/gpg-54VfLs/S.gpg-agent.ssh
jas@latte:~$ gpg --card-status
Application ID ...: D2760001240102000060000000420000
...
jas@latte:~$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFP+UOTZJ+OXydpmbKmdGOVoJJz8se7lMs139T+TNLryk3EEWF+GqbB4VgzxzrGjwAMSjeQkAMb7Sbn+VpbJf1JDPFBHoYJQmg6CX4kFRaGZT6DHbYjgia59WkdkEYTtB7KPkbFWleo/RZT2u3f8eTedrP7dhSX0azN0lDuu/wBrwedzSV+AiPr10rQaCTp1V8sKbhz5ryOXHQW0Gcps6JraRzMW+ooKFX3lPq0pZa7qL9F6sE4sDFvtOdbRJoZS1b88aZrENGx8KSrcMzARq9UBn1plsEG4/3BRv/BgHHaF+d97by52R0VVyIXpLlkdp1Uk4D9cQptgaH4UAyI1vr cardno:006000000042
jas@latte:~$ 

That's it. Resolving this properly involves 1) adding smartcard code to the GNOME Keyring, 2) disabling the GnuPG/SSH replacement code in GNOME Keyring completely, 3) reordering the startup so that gpg-agent supersedes gnome-keyring-daemon instead of vice versa, so that people who installed gpg-agent really get it instead of the GNOME default, or 4) something else. I don't have a strong opinion on how to solve this, but 3) sounds like a simple way forward.
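The workaround above, as an added example that is not part of the original post: a small POSIX sh script that applies the Hidden=true override for both GNOME Keyring autostart entries idempotently, and classifies a GPG_AGENT_INFO value so a login script can tell a real gpg-agent socket from the keyring emulation. The AUTOSTART_SRC/AUTOSTART_DST variables and the function names are my own; they default to the paths used in the post and can be pointed at a scratch directory.

```shell
#!/bin/sh
# Added example, not code from the original post. Implements the post's
# workaround (copy gnome-keyring-gpg/-ssh .desktop files into
# ~/.config/autostart and append Hidden=true) so it can be re-run safely,
# and checks the GPG_AGENT_INFO symptom described in the post.
# AUTOSTART_SRC and AUTOSTART_DST are assumed names; override to test.

AUTOSTART_SRC="${AUTOSTART_SRC:-/etc/xdg/autostart}"
AUTOSTART_DST="${AUTOSTART_DST:-$HOME/.config/autostart}"

# Copy one system-wide autostart entry into the user's autostart directory
# and append Hidden=true exactly once. Returns 1 if the system entry is absent.
hide_autostart_entry() {
    src="$AUTOSTART_SRC/$1.desktop"
    dst="$AUTOSTART_DST/$1.desktop"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    mkdir -p "$AUTOSTART_DST"
    [ -f "$dst" ] || cp "$src" "$dst"
    grep -qx 'Hidden=true' "$dst" || echo 'Hidden=true' >> "$dst"
}

# Hide both GNOME Keyring agent entries named in the post.
hide_keyring_agents() {
    hide_autostart_entry gnome-keyring-gpg &&
    hide_autostart_entry gnome-keyring-ssh
}

# Returns 0 if $1 (a GPG_AGENT_INFO value) names a gpg-agent socket, 1 if it
# is empty or points at the keyring emulation (/run/user/<uid>/keyring/gpg).
agent_is_gpg_agent() {
    case "$1" in
        "")               return 1 ;;
        */keyring/gpg:*)  return 1 ;;
        */S.gpg-agent:*)  return 0 ;;
        *)                return 1 ;;
    esac
}

# One-line diagnosis of the current session: when the keyring is answering,
# gpg --card-status fails with "selecting openpgp failed: unknown command".
diagnose_agent() {
    if agent_is_gpg_agent "$GPG_AGENT_INFO"; then
        echo "ok: gpg-agent socket ${GPG_AGENT_INFO%%:*}"
    else
        echo "warning: GPG_AGENT_INFO='$GPG_AGENT_INFO' is not a gpg-agent socket"
        return 1
    fi
}
```

Source the file and run hide_keyring_agents, then log out and in again; diagnose_agent in a fresh terminal confirms which agent answers.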

11 thoughts on "OpenPGP Smartcards and GNOME"

  1. option 3 is bad because the installation of gpg agent comes from the administrator but the choice of the gnome suite comes from the user. 1 is good but hard, 2 is bad.

    • I agree that installation of the gpg-agent comes from the administrator, but in my view, USE of gpg-agent is optional and only happens if the user put ‘use-agent’ in ~/.gnupg/gpg.conf. If you don’t have that line, gpg-agent won’t be started. So gpg-agent is truly a user choice, since it requires active actions from the user to enable.

      Re 2), what purpose does the GnuPG/SSH replacement code in GNOME Keyring really serve that gpg-agent doesn’t fulfil?

  2. I am trying to install my PGP key into a (actually, into five) yubikey neo’s. I run Linux Mint 17.1. The instructions above did not work, in that, when I typed:

    gpg --card-status

    at the end, I still got the error. Any ideas?

    • I noticed that for Ubuntu 15.04 it works out of the box to just deselect the GPG agent and SSH agent from the startup programs[1] (or however it's called in English) without the things Simon did on his system. I tried it Simon's way but it also did not solve my issue to get the smartcard function alive.
      After further investigation I stumbled upon this bug report[2] and checked the version of the gnome-keyring running on my system and THEN noticed that I was able to uncheck the two parts of gnome-keyring in the startup GUI.

      [1]http://imgur.com/rGwlaMV
      [2]https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1387303

      • PS: Further disabling the gnome-keyring did not create issues with passwords stored in Chrome (they still show up in seahorse), WiFi passwords or ssh keys for accessing other computers. But maybe that’s just normal. I wasn’t sure what I would maybe break by disabling the gnome-keyring startup stuff.

  3. Pingback: SSH Host Certificates with YubiKey NEO | Simon Josefsson's blog

  4. Very useful post!
    Also you should enable ssh support on gpg-agent if you want to use CCID to authenticate on SSH servers:

    grep -q ^enable-ssh-support ~/.gnupg/gpg-agent.conf || echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf

    • Thank you — I forgot to mention this. It is indeed required to get SSH client support working.

      /Simon

  5. Pingback: Yubico Yubikey 4: PGP, U2F and other things | David North

  6. Pingback: Securing SSH with GnuPG – The Consultron blog
