Re: about CCID USB readers (Re: setting GnuPG card to 'not forces' does not let sign)

2017-07-02 Thread Matthias Apitz
On Thursday, June 22, 2017 at 08:28:57 a.m. +0200, Matthias Apitz wrote:

> Some days ago I acquired this uTrust token. And surprise, surprise, it
> showed the same symptoms as the other one, the HID Global OMNIKEY 6121
> Smart Card Reader: My operating system does not always recognise the
> USB device, not even when plugged in before power-on. This smells
> somehow as a hardware issue in the Acer C720 or in the kernel of the
> FreeBSD (and I do run CURRENT on it, i.e. compiled directly from SVN).
> Here is the bug issue I filed against our beloved FreeBSD:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220127
> Only if someone has similar experiences.
> 
> ...

At the end of the day it turned out that this was an issue in the
FreeBSD drivers and/or some race conditions or electrical problem. I
removed some of the drivers which were searching the USB bus for devices
and now have only the XHCI driver in the kernel (disabled UHCI, OHCI and EHCI)
and with this, the detection of both cards (uTrust and Omnikey) is fine.

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


about CCID USB readers (Re: setting GnuPG card to 'not forces' does not let sign)

2017-06-22 Thread Matthias Apitz
On Monday, June 12, 2017 at 12:58:23 p.m. +0200, Werner Koch wrote:

> On Mon, 12 Jun 2017 12:38, g...@unixarea.de said:
> 
> > Do you know of any other CCID reader for ID-000 size cards?
> 
> I have a sample of the Gemalto Shell Token here.  It has been around for
> quite some time and the kernelconcept folks that it works nicely.  See
> 
>   https://www.floss-shop.de/en/security-privacy/
> 
> On that page you also find the a bit more expensive uTrust token which
> would be my preferred choice. I used it for many years until it broke due
> to my fault.  In fact I recycled the case for my gnuk token.

Some days ago I acquired this uTrust token. And surprise, surprise, it
showed the same symptoms as the other one, the HID Global OMNIKEY 6121
Smart Card Reader: My operating system does not always recognise the
USB device, not even when plugged in before power-on. This smells
somehow as a hardware issue in the Acer C720 or in the kernel of the
FreeBSD (and I do run CURRENT on it, i.e. compiled directly from SVN).
Here is the bug issue I filed against our beloved FreeBSD:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220127
Only if someone has similar experiences.

I tested a lot with this issue and now have some trick which seems to
make it fail at least less often: I insert the uTrust token before
power-on, start the laptop but hold the boot in the moment when you can
modify certain boot options, i.e. the device is powered on but awaiting
a keyboard input to continue loading the kernel. Only a few seconds.
Then the booting kernel sees the device as:

ugen0.2:  at usbus0

Is there something in the card's firmware which needs some time to come
up?

matthias


-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.




Re: setting GnuPG card to 'not forces' does not let sign

2017-06-16 Thread Matthias Apitz
On Monday, June 12, 2017 at 12:58:23 p.m. +0200, Werner Koch wrote:

> On Mon, 12 Jun 2017 12:38, g...@unixarea.de said:
> 
> > Do you know of any other CCID reader for ID-000 size cards?
> 
> I have a sample of the Gemalto Shell Token here.  It has been around for
> quite some time and the kernelconcept folks that it works nicely.  See
> 
>   https://www.floss-shop.de/en/security-privacy/
> 
> On that page you also find the a bit more expensive uTrust token which
> would be my preferred choice. I used it for many years until it broke due
> to my fault.  In fact I recycled the case for my gnuk token.

I bought the uTrust token in the above mentioned FLOSS-shop and it arrived 
today.
It shows in my netbook the same problem as the other one from Omnikey:
it is not always detected at power-on boot:

In the boot at 14:17:02 it is seen, while later it takes three boots to be
seen by the kernel:

Jun 16 14:17:02 c720-r314251 syslogd: kernel boot file is /boot/kernel/kernel
Jun 16 14:17:02 c720-r314251 kernel: ugen0.2:  at usbus0

Jun 16 20:20:48 c720-r314251 syslogd: kernel boot file is /boot/kernel/kernel

Jun 16 20:23:28 c720-r314251 syslogd: kernel boot file is /boot/kernel/kernel

Jun 16 20:25:49 c720-r314251 syslogd: kernel boot file is /boot/kernel/kernel
Jun 16 20:25:49 c720-r314251 kernel: ugen0.4:  at usbus0

Perhaps, it is more a netbook's (Acer C720) or FreeBSD issue.

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.
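
The per-boot comparison made by eye in the log excerpt of the message above can be automated; the following is an added example, not part of the original message. The device description `<EXAMPLE CCID TOKEN>`, the root hub line and the function names are assumptions, since the real description string did not survive in the excerpt.

```python
import re

# Constructed sample in the format of the /var/log/messages excerpt above.
# "<EXAMPLE CCID TOKEN>" and "<EXAMPLE ROOT HUB>" are placeholders.
SAMPLE_LOG = """\
Jun 16 14:17:02 c720-r314251 syslogd: kernel boot file is /boot/kernel/kernel
Jun 16 14:17:02 c720-r314251 kernel: ugen0.1: <EXAMPLE ROOT HUB> at usbus0
Jun 16 14:17:02 c720-r314251 kernel: ugen0.2: <EXAMPLE CCID TOKEN> at usbus0
Jun 16 20:20:48 c720-r314251 syslogd: kernel boot file is /boot/kernel/kernel
Jun 16 20:20:48 c720-r314251 kernel: ugen0.1: <EXAMPLE ROOT HUB> at usbus0
Jun 16 20:23:28 c720-r314251 syslogd: kernel boot file is /boot/kernel/kernel
Jun 16 20:23:28 c720-r314251 kernel: ugen0.1: <EXAMPLE ROOT HUB> at usbus0
Jun 16 20:25:49 c720-r314251 syslogd: kernel boot file is /boot/kernel/kernel
Jun 16 20:25:49 c720-r314251 kernel: ugen0.1: <EXAMPLE ROOT HUB> at usbus0
Jun 16 20:25:49 c720-r314251 kernel: ugen0.4: <EXAMPLE CCID TOKEN> at usbus0
"""

STAMP = r"(\w{3}\s+\d+ \d\d:\d\d:\d\d)"
# syslogd writes this line once per boot, so it delimits the boots.
BOOT_RE = re.compile(r"^" + STAMP + r" \S+ syslogd: kernel boot file is ")
# Attach lines only: the trailing $ excludes "... at usbus0 (disconnected)".
ATTACH_RE = re.compile(
    r"^" + STAMP + r" \S+ kernel: (ugen\d+\.\d+): <([^>]*)> at usbus\d+\s*$"
)


def reader_seen_per_boot(log_text, reader_substr):
    """Return one dict per boot: boot timestamp and the ugen node of the
    reader, or None if the kernel never attached it during that boot."""
    boots = []
    wanted = reader_substr.lower()
    for line in log_text.splitlines():
        m = BOOT_RE.match(line)
        if m:
            boots.append({"boot": m.group(1), "ugen": None})
            continue
        m = ATTACH_RE.match(line)
        # Attach lines before the first boot marker (rotated log) are skipped.
        if m and boots and wanted in m.group(3).lower():
            if boots[-1]["ugen"] is None:
                boots[-1]["ugen"] = m.group(2)
    return boots


def failed_boots(log_text, reader_substr):
    """Timestamps of boots in which the reader was never attached."""
    return [b["boot"] for b in reader_seen_per_boot(log_text, reader_substr)
            if b["ugen"] is None]


if __name__ == "__main__":
    for b in reader_seen_per_boot(SAMPLE_LOG, "CCID TOKEN"):
        print(b["boot"], b["ugen"] or "reader NOT detected")
```

A reader that is hot-plugged later in the same boot also counts as seen for that boot, so the result is "attached at some point", not "attached during the initial bus scan".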




Re: setting GnuPG card to 'not forces' does not let sign

2017-06-12 Thread Werner Koch
On Mon, 12 Jun 2017 12:38, g...@unixarea.de said:

> Do you know of any other CCID reader for ID-000 size cards?

I have a sample of the Gemalto Shell Token here.  It has been around for
quite some time and the kernelconcept folks that it works nicely.  See

  https://www.floss-shop.de/en/security-privacy/

On that page you also find the a bit more expensive uTrust token which
would be my preferred choice. I used it for many years until it broke due
to my fault.  In fact I recycled the case for my gnuk token.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.




Re: setting GnuPG card to 'not forces' does not let sign

2017-06-12 Thread Matthias Apitz
On Sunday, June 11, 2017 at 08:59:37 p.m. +0200, Werner Koch wrote:

> On Fri,  9 Jun 2017 08:39, g...@unixarea.de said:
> 
> > I know, this is not a GnuPG issue, but I wanted to mention it here to
> > ask if others have similar experiences, even on Linux or other OS, or if
> > it is worth to get a new OMNIKEY device or even another device.
> 
> You better avoid everything with an Omnikey chip in it.  I had only
> trouble with it and they never responded to questions.  Well, it works
> on Windows because they fix their hardware with their Windows driver.

Do you know of any other CCID reader for ID-000 size cards?

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub




Re: setting GnuPG card to 'not forces' does not let sign

2017-06-11 Thread Werner Koch
On Fri,  9 Jun 2017 08:39, g...@unixarea.de said:

> I know, this is not a GnuPG issue, but I wanted to mention it here to
> ask if others have similar experiences, even on Linux or other OS, or if
> it is worth to get a new OMNIKEY device or even another device.

You better avoid everything with an Omnikey chip in it.  I had only
trouble with it and they never responded to questions.  Well, it works
on Windows because they fix their hardware with their Windows driver.


Shalom-Salam,

   Werner


p.s.
If someone from Omnikey reads this and likes to help getting Omnikey
devices working with current keys sizes under free software OSes, feel
free to contact me off-list.  I won't sign any NDAs, though.

-- 
Thoughts are free.  Exceptions are governed by a federal law.




Re: Fwd: RE: setting GnuPG card to 'not forces' does not let sign

2017-06-11 Thread Werner Koch
On Fri,  9 Jun 2017 08:23, g...@unixarea.de said:

> Thanks as well for the nice hint about X-message-flag: header line.
> The warning looks really nice in the crappy MS OutLook.

I learned that from Jens Link whom you may know.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.




Re: setting GnuPG card to 'not forces' does not let sign

2017-06-09 Thread Matthias Apitz
On Friday, June 09, 2017 at 08:09:12 a.m. +0200, Werner Koch wrote:

> 
> > The bad PIN counter in the card is not decremented. Switching the card
> > back to 'forced' makes signing with PIN working again.
> 
> Interesting.  Did you also try to reset the card (i.e. re-insert) with
> non-forced set?

As I wrote in the last mail, it works now like it should and for signing
as for SSH I only have to enter the PIN once.

I have one last remaining issue with this GnuPG card and/or my USB
device HID Global OMNIKEY 6121 Smart Card Reader and/or FreeBSD, i.e.
it's totally unclear at the moment what is causing it:

Sometimes (let's say in 50% of the cases) the USB device is not seen by
the FreeBSD kernel on power-on boot, even if the OMNIKEY is already inserted 
before
power-on. When it is not seen on boot, it is not seen on withdraw and
re-insert. When it is seen, it is always seen, i.e. one can re-insert as
much as you want, it always works. Sometimes not even a re-boot helps, it
takes 2-3 re-boots to get the OMNIKEY seen.

I know, this is not a GnuPG issue, but I wanted to mention it here to
ask if others have similar experiences, even on Linux or other OS, or if
it is worth to get a new OMNIKEY device or even another device.

Comments?

Thanks

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.




Re: Fwd: RE: setting GnuPG card to 'not forces' does not let sign

2017-06-09 Thread Matthias Apitz
On Friday, June 09, 2017 at 08:06:50 a.m. +0200, Werner Koch wrote:

> On Thu,  8 Jun 2017 12:48, g...@unixarea.de said:
> > Every time I write to gnupg-users@gnupg.org I get this crap from a robot
> > or from Sarah about dating. Can someone do anything that he/she/it is not
> 
> That bot is subscribed.  I enabled the moderation flag and disabled
> delivery.
> 

Thanks for this.

Re/ the issue itself, it seems that a complete restart of the chain
gpg-agent -- scdaemon -- /usr/local/sbin/pcscd
fixed the issue. It asks now once for the PIN for signing and then not
again until reboot.

Thanks as well for the nice hint about X-message-flag: header line.
The warning looks really nice in the crappy MS OutLook.

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.




Re: Fwd: RE: setting GnuPG card to 'not forces' does not let sign

2017-06-09 Thread Werner Koch
On Thu,  8 Jun 2017 12:48, g...@unixarea.de said:
> Every time I write to gnupg-users@gnupg.org I get this crap from a robot
> or from Sarah about dating. Can someone do anything that he/she/it is not

That bot is subscribed.  I enabled the moderation flag and disabled
delivery.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.




Re: setting GnuPG card to 'not forces' does not let sign

2017-06-09 Thread Werner Koch

> The bad PIN counter in the card is not decremented. Switching the card
> back to 'forced' makes signing with PIN working again.

Interesting.  Did you also try to reset the card (i.e. re-insert) with
non-forced set?


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.




Re: Fwd: RE: setting GnuPG card to 'not forces' does not let sign

2017-06-08 Thread Ben McGinnes
On Thu, Jun 08, 2017 at 01:18:35PM +0200, Peter Lebbing wrote:
> On 08/06/17 12:48, Matthias Apitz wrote:
> > Every time I write to gnupg-users@gnupg.org I get this crap from a robot
> > or from Sarah about dating. Can someone do anything that he/she/it is not
> > triggered.
> 
> Yes, same here. I thought it was rather funny that she told me:
> 
> > Hello again! My boyfriend can read my email!
> > It is not secure.
> 
> and later:
> 
> > Honey, I've told you, email is not secure enough!
> 
> How a spambot can be oddly on-topic for this mailing list...

Yeah, I thought that was a little amusing too ... then I reactivated
my filtering of everything from AOL, sent them a spam report and
forgot about it.


Regards,
Ben




Re: Fwd: RE: setting GnuPG card to 'not forces' does not let sign

2017-06-08 Thread Matthias Apitz
On Thursday, June 08, 2017 at 01:18:35 p.m. +0200, Peter Lebbing wrote:

> On 08/06/17 12:48, Matthias Apitz wrote:
> > Every time I write to gnupg-users@gnupg.org I get this crap from a robot
> > or from Sarah about dating. Can someone do anything that he/she/it is not
> > triggered.
> 
> Yes, same here. I thought it was rather funny that she told me:
> 
> > Hello again! My boyfriend can read my email!
> > It is not secure.
> 
> and later:
> 
> > Honey, I've told you, email is not secure enough!
> 
> How a spambot can be oddly on-topic for this mailing list...

Perhaps, when the spambot sees part of his 1st message in the incoming
mail, it reacts on this.

I have it blacklisted now in my spamassassin config.

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.




Re: Fwd: RE: setting GnuPG card to 'not forces' does not let sign

2017-06-08 Thread Peter Lebbing
On 08/06/17 12:48, Matthias Apitz wrote:
> Every time I write to gnupg-users@gnupg.org I get this crap from a robot
> or from Sarah about dating. Can someone do anything that he/she/it is not
> triggered.

Yes, same here. I thought it was rather funny that she told me:

> Hello again! My boyfriend can read my email!
> It is not secure.

and later:

> Honey, I've told you, email is not secure enough!

How a spambot can be oddly on-topic for this mailing list...

But I doubt very much anyone can do anything about this. Somebody has
arranged their spambot to respond to messages on this list, but the list
is public, so anybody can see those messages to the list; it could be
anybody doing it. However, upon checking, all the 6 such messages I've
received over the last couple of days all originated from the IP
104.160.29.115. That's something.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Fwd: RE: setting GnuPG card to 'not forces' does not let sign

2017-06-08 Thread Matthias Apitz

Every time I write to gnupg-users@gnupg.org I get this crap from a robot
or from Sarah about dating. Can someone do anything that he/she/it is not
triggered.

Sarah, I have no intention to click on the URL and much less to click on
you. Crap.

matthias

- Forwarded message from Sarah <rhona29...@aol.com> -

Date: Thu, 8 Jun 2017 06:41:21 -0400
From: Sarah <rhona29...@aol.com>
To: g...@unixarea.de
Subject: RE: setting GnuPG card to 'not forces' does not let sign
X-Mailer: JAS STD

Have you finally got my pix?
Let's meet tomorrow!
Write me only here: 
http://free-new-dating.online/?=35&:uni:2g-17=Sarah212





On Jun 08, 2017, at 10:29 AM, Matthias Apitz <g...@unixarea.de> wrote:

>
>Hello,
>
>I was tired of always having to enter the PIN when sending mails to sign them
>and switched the card to 'not forced':
>
>Signature PIN : not forced
>
>After this (without withdrawing the card, i.e. the PIN was already
>entered around 10 times and the card unlocked), the signing says:
>
>$ echo bla > test.doc
>$ LANG=C
>$ gpg2 --armor --output test.doc.signed --sign test.doc
>gpg: signing failed: Bad PIN
>gpg: signing failed: Bad PIN
>
>The bad PIN counter in the card is not decremented. Switching the card
>back to 'forced' makes signing with PIN working again.
>
>What am I doing wrong?
>
>   matthias
>
>
>-- 
>Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ +49-176-38902045
>Public GnuPG key: http://www.unixarea.de/key.pub
>8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
>8 de mayo de 1945: Quien no festeja perdió la Guerra.
>May 8, 1945: Who does not celebrate lost the War.
>

- End forwarded message -

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.

