Re: Nitrokey and udev rules
On Fri, May 25, 2018 at 16:46:57 +0200, Pierre Neidhardt wrote:
> 1. I can't seem to be able to change the PIN with any pinentry but
> pinentry-gtk-2:

I have this in my ~/.gnupg/gpg-agent.conf:

  pinentry-program /run/current-system/profile/bin/pinentry

Maybe you can try something like that?

> 2. After transferring my encryption key and my authentication key, `gpg
> --card-edit` segfaults:

I haven't experienced segfaults so I can't provide any insight there.
Maybe attaching a debugger can provide some insight.

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
Re: Nitrokey and udev rules
On Fri, May 25, 2018 at 07:22:57 +0200, Ricardo Wurmus wrote:
> This sounds like you’ve installed the package into the system profile.
> If this works we should probably add a system service that takes care of
> setting up this directory.

I'd love to have a service; I just haven't had the time to look into how
to write it yet. I'm sure it's pretty easy to do, but I forget if there
are any caveats to consider with pcscd. There may not be.

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
Re: Nitrokey and udev rules
Different issue, but I have a few problems with `gpg --card-edit`:

1. I can't seem to be able to change the PIN with any pinentry but
   pinentry-gtk-2:

   - With pinentry-emacs:
     > Error changing the PIN: No pinentry
   - With pinentry-tty:
     > Error changing the PIN: End of file
   - With pinentry-curses:
     > Error changing the PIN: No such file or directory

2. After transferring my encryption key and my authentication key,
   `gpg --card-edit` segfaults:

--8<---cut here---start->8---
> gpg --card-edit
Reader ...: Nitrokey Nitrokey Start (FSIJ-1.2.6-67143146) 00 00
Application ID ...: D276000124010200FFFE67143146
Version ..: 2.0
Manufacturer .: unmanaged S/N range
Serial number : 67143146
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..: unspecified
URL of public key : [not set]
Login data ...: [not set]
Signature PIN : forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key : [none]
Encryption key:
      created : 2015-09-26 19:12:48
      keygrip :
gpg: signal Segmentation fault caught ... exiting
segmentation fault
--8<---cut here---end--->8---

gpg's fault?

-- 
Pierre Neidhardt
Re: Nitrokey and udev rules
Ricardo Wurmus writes:

> Mike Gerwitz writes:
>
>> Looking through my notes, it looks like I symlinked
>> `/run/current-system/profile/pcsc/drivers/' to `/var/lib/pcsc/drivers'.
>> See Marius Bakke's message on ccid here:
>>
>> <87vawczpb2.fsf@duckhunt.i-did-not-set--mail-host-address--so-tickle-me>:
>> https://lists.gnu.org/archive/html/guix-devel/2016-10/msg01433.html
>>
>> Can you see if that solves your problem?
>
> This sounds like you’ve installed the package into the system profile.
> If this works we should probably add a system service that takes care of
> setting up this directory.

I tried without installing in the system profile

> sudo ln -s ~/.guix-profile/pcsc /var/lib/pcsc

and it worked!

So what do you reckon? Do we need a service? What would it do? How do we
populate /var/lib/pcsc/drivers?

-- 
Pierre Neidhardt
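Added example, not code from the thread or from Guix: the core of what the service Pierre asks about would do, written as a POSIX sh function rather than a shepherd service. It links /var/lib/pcsc to <profile>/pcsc the way Pierre did, but idempotently: it replaces a stale link left by an older generation, refuses to overwrite a real directory, and first checks that the profile actually contains a reader driver. The layout drivers/*.bundle/Contents/Info.plist is what pcsc-lite scans for drivers; that the ccid package installs ifd-ccid.bundle there, and the script name link_pcsc_drivers.sh, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): what a small "pcscd driver directory"
# service would do on GuixSD.  pcsc-lite looks up reader drivers as
# <dir>/drivers/*.bundle/Contents/Info.plist; the ccid package is assumed to
# install ifd-ccid.bundle under <profile>/pcsc/drivers.  Plain POSIX sh, so it
# can be run by hand or from a shepherd service start action.
set -u

# List the driver bundles visible through DEST (e.g. /var/lib/pcsc).
list_pcsc_bundles() {
    dest=$1
    for b in "$dest"/drivers/*.bundle; do
        [ -f "$b/Contents/Info.plist" ] || continue
        basename "$b"
    done
}

# Point DEST (default /var/lib/pcsc) at PROFILE/pcsc, like
#   sudo ln -s ~/.guix-profile/pcsc /var/lib/pcsc
# but idempotent and never clobbering a real directory.
# Returns 0 on success, 1 if PROFILE has no usable driver bundle, 2 if DEST
# is an ordinary directory that a human must look at first.
link_pcsc_drivers() {
    profile=$1
    dest=${2:-/var/lib/pcsc}
    src="$profile/pcsc"

    # A link to a profile without drivers is worse than no link: pcscd starts
    # fine and every reader just shows up as "No such device".
    if [ -z "$(list_pcsc_bundles "$src")" ]; then
        echo "link_pcsc_drivers: no *.bundle with Contents/Info.plist under $src/drivers" >&2
        return 1
    fi

    if [ -L "$dest" ]; then
        if [ "$(readlink "$dest")" = "$src" ]; then
            return 0            # already set up (e.g. re-run at every boot)
        fi
        rm "$dest"              # stale link from an older profile/generation
    elif [ -e "$dest" ]; then
        echo "link_pcsc_drivers: $dest exists and is not a symlink; not touching it" >&2
        return 2
    fi

    mkdir -p "$(dirname "$dest")" && ln -s "$src" "$dest"
}

# Stand-alone use: link_pcsc_drivers.sh [PROFILE] [DEST]
if [ "${0##*/}" = "link_pcsc_drivers.sh" ]; then
    link_pcsc_drivers "${1:-/run/current-system/profile}" "${2:-/var/lib/pcsc}" \
        && echo "drivers now visible via ${2:-/var/lib/pcsc}:" \
        && list_pcsc_bundles "${2:-/var/lib/pcsc}"
fi
```

Linking the whole pcsc directory rather than only drivers (Mike's variant) keeps a single symlink to update when the profile changes; either way, pcscd must be (re)started after the link exists, since it scans the driver directory at startup.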
Re: Nitrokey and udev rules
Mike Gerwitz writes:

> Looking through my notes, it looks like I symlinked
> `/run/current-system/profile/pcsc/drivers/' to `/var/lib/pcsc/drivers'.
> See Marius Bakke's message on ccid here:
>
> <87vawczpb2.fsf@duckhunt.i-did-not-set--mail-host-address--so-tickle-me>:
> https://lists.gnu.org/archive/html/guix-devel/2016-10/msg01433.html
>
> Can you see if that solves your problem?

This sounds like you’ve installed the package into the system profile.
If this works we should probably add a system service that takes care of
setting up this directory.

-- 
Ricardo
Re: Nitrokey and udev rules
Pierre:

On Thu, May 24, 2018 at 16:04:31 +0200, Pierre Neidhardt wrote:
> Mike Gerwitz writes:
[...]
> I did:
>
>> sudo pcscd
>> gpg --card-status
> gpg: selecting openpgp failed: No such device
> gpg: OpenPGP card not available: No such device
>
> Can you share your udev rules?

I don't have any udev rules that weren't included by default with
GuixSD. The packages I installed are: gnupg, pcsc-lite, ccid, and
pinentry.

I used to know how to debug this problem very well back when I
contributed the pcsc-lite package, but it's been a couple of years.
Still, I can try to help you through this.

Looking through my notes, it looks like I symlinked
`/run/current-system/profile/pcsc/drivers/' to `/var/lib/pcsc/drivers'.
See Marius Bakke's message on ccid here:

<87vawczpb2.fsf@duckhunt.i-did-not-set--mail-host-address--so-tickle-me>:
https://lists.gnu.org/archive/html/guix-devel/2016-10/msg01433.html

Can you see if that solves your problem?

While we're at it, here's my dmesg output for the Nitrokey Pro:

--8<---cut here---start->8---
[17145.084169] usb 6-2: new full-speed USB device number 9 using uhci_hcd
[17145.269203] usb 6-2: New USB device found, idVendor=20a0, idProduct=4108
[17145.269211] usb 6-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[17145.269215] usb 6-2: Product: Nitrokey Pro
[17145.269219] usb 6-2: Manufacturer: Nitrokey
[17145.269223] usb 6-2: SerialNumber: 3C75
[17145.276690] input: Nitrokey Nitrokey Pro as /devices/pci:00/:00:1d.0/usb6/6-2/6-2:1.0/0003:20A0:4108.0009/input/input21
[17145.336410] hid-generic 0003:20A0:4108.0009: input,hidraw0: USB HID v1.10 Keyboard [Nitrokey Nitrokey Pro] on usb-:00:1d.0-2/input0
--8<---cut here---end--->8---

And `pcscd -f' output (which looks bad, but `gpg --card-status' does
work):

--8<---cut here---start->8---
ifdhandler.c:150:CreateChannelByNameOrChannel() failed
0023 readerfactory.c:1106:RFInitializeReader() Open Port 0x20 Failed (usb:20a0/4108:libudev:0:/dev/bus/usb/006/009)
0006 readerfactory.c:376:RFAddReader() Nitrokey Nitrokey Pro (3C75) init failed.
--8<---cut here---end--->8---

If you're still having a problem then we can continue from that point.

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
Re: Nitrokey and udev rules
Mike Gerwitz writes:

> Have you started pcscd? We don't yet have a service for it, so that
> needs to be done manually. When I first log in, I run it as root (just
> `sudo pcscd'), and then `gpg --card-status` works as expected.
>
> Can you give that a try?

I did:

--8<---cut here---start->8---
> sudo pcscd
> gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device
--8<---cut here---end--->8---

Can you share your udev rules?

-- 
Pierre Neidhardt
Re: Nitrokey and udev rules
On Tue, May 22, 2018 at 12:53:43 +0200, Pierre Neidhardt wrote:
> I'm trying to use my nitrokey on GuixSD.

I use a Nitrokey Pro on GuixSD.

>> gpg --card-status
> gpg: selecting openpgp failed: No such device
> gpg: OpenPGP card not available: No such device

Have you started pcscd? We don't yet have a service for it, so that
needs to be done manually. When I first log in, I run it as root (just
`sudo pcscd'), and then `gpg --card-status` works as expected.

Can you give that a try?

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
Re: Nitrokey and udev rules
I've reported upstream:

https://support.nitrokey.com/t/guixsd-no-such-device/1117

-- 
Pierre Neidhardt
Re: Nitrokey and udev rules
NixOS has packaged Nitrokey App:

https://github.com/NixOS/nixpkgs/tree/master/pkgs/tools/security/nitrokey-app

I'm not too familiar with the system, but I understand that they've
replaced "plugdev" by "nitrokey". Not sure how that can help. NixOS uses
systemd however.

-- 
Pierre Neidhardt
Re: Nitrokey and udev rules
Marius Bakke writes:

> As a workaround you can try e.g. 'GROUP+="gpg", MODE="0660"'.

I tried your suggestion but then `dmesg | grep udevd` rightfully
complained that the "gpg" group did not exist. Am I supposed to create
it?

Anyways, I tried with 'GROUP+="users", MODE="0666"', but it did not work
either.

> I suspect you may also need 'pcscd' which we currently don't have a
> service for.

The Nitrokey is a PGP key I believe. According to Arch Wiki
(https://wiki.archlinux.org/index.php/GnuPG#GnuPG_with_pcscd_.28PCSC_Lite.29),
if it were the issue I should see an error like

> gpg: selecting openpgp failed: ec=6.108

I also tried to install libusb-compat in my operating system package
selection as suggested by Arch Wiki, to no avail.

Any clue? Otherwise I'll ask Nitrokey.
Re: Nitrokey and udev rules
Pierre Neidhardt writes:

> I'm trying to use my nitrokey on GuixSD.
>
> --8<---cut here---start->8---
>> gpg --card-status
> gpg: selecting openpgp failed: No such device
> gpg: OpenPGP card not available: No such device
> --8<---cut here---end--->8---
>
> It turns out that the nitrokey needs some udev rules to be driven by
> gpg:
>
> https://www.nitrokey.com/documentation/installation#p:nitrokey-start&os:linux
>
> Thus I tried to configure the following rule:
>
> --8<---cut here---start->8---
> (define %nitrokey-udev-rule
>   (udev-rule
>    "41-nitrokey.rules"
>    (string-append "ACTION==\"add\", SUBSYSTEM==\"usb\", "
>                   "ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4211\", "
>                   "ENV{ID_SMARTCARD_READER}=\"1\", "
>                   "ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", GROUP+=\"users\", "
>                   "TAG+=\"uaccess\"")))
>
> ; ...
> (modify-services
>  %desktop-services
>  (udev-service-type config =>
>                     (udev-configuration
>                      (inherit config)
>                      (rules (append (udev-configuration-rules config)
>                                     (list %nitrokey-udev-rule))))))
> --8<---cut here---end--->8---

The 'uaccess' builtin is not currently supported by eudev and elogind.

As a workaround you can try e.g. 'GROUP+="gpg", MODE="0660"'.

I suspect you may also need 'pcscd' which we currently don't have a
service for.
Re: Nitrokey and udev rules
Indeed, `guix system reconfigure` shows my 41-nitrokey rule.

Does anyone know how to further debug udev rules?

-- 
Pierre Neidhardt

Silence is the element in which great things fashion themselves.
-- Thomas Carlyle
Re: Nitrokey and udev rules
Pierre Neidhardt writes:

> I'm trying to use my nitrokey on GuixSD.
>
> --8<---cut here---start->8---
>> gpg --card-status
> gpg: selecting openpgp failed: No such device
> gpg: OpenPGP card not available: No such device
> --8<---cut here---end--->8---
>
> It turns out that the nitrokey needs some udev rules to be driven by
> gpg:
>
> https://www.nitrokey.com/documentation/installation#p:nitrokey-start&os:linux
>
> Thus I tried to configure the following rule:
>
> --8<---cut here---start->8---
> (define %nitrokey-udev-rule
>   (udev-rule
>    "41-nitrokey.rules"
>    (string-append "ACTION==\"add\", SUBSYSTEM==\"usb\", "
>                   "ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4211\", "
>                   "ENV{ID_SMARTCARD_READER}=\"1\", "
>                   "ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", GROUP+=\"users\", "
>                   "TAG+=\"uaccess\"")))
>
> ; ...
> (modify-services
>  %desktop-services
>  (udev-service-type config =>
>                     (udev-configuration
>                      (inherit config)
>                      (rules (append (udev-configuration-rules config)
>                                     (list %nitrokey-udev-rule))))))
> --8<---cut here---end--->8---

This looks correct to me. I do something similar for udev rules for my
digital oscilloscope, the Axoloti audio development board, and an AVR
programmer.

> I've tried the "plugdev" (as suggested on the website) and "users"
> GROUP, to no avail: I get the same error from `gpg --card-status`.
>
> I tried testing the rule with udevadm:
>
> --8<---cut here---start->8---
> sudo udevadm test $(udevadm info -q path -n /dev/bus/usb/001/008)
[…]
> Reading rules file:
> /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/[…]
[…]
> As you can see, 41-nitrokey.rules does not show here. In fact I can't
> find it on the filesystem. I don't understand how GuixSD manages the
> udev rules. Am I missing something?

FWIW, udevadm on my machine also doesn’t show all udev rules, because it
only seems to look in the rules.d directory of the eudev package.

When you reconfigure your system you actually get a directory like this:

    /gnu/store/crjkqwqsc42sq8zmd1slgpb4jhx9h524-udev-rules/lib/udev/rules.d/

that is the union of all rules, including your custom rules.

-- 
Ricardo
Nitrokey and udev rules
I'm trying to use my nitrokey on GuixSD.

--8<---cut here---start->8---
> gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device
--8<---cut here---end--->8---

It turns out that the nitrokey needs some udev rules to be driven by
gpg:

https://www.nitrokey.com/documentation/installation#p:nitrokey-start&os:linux

Thus I tried to configure the following rule:

--8<---cut here---start->8---
(define %nitrokey-udev-rule
  (udev-rule
   "41-nitrokey.rules"
   (string-append "ACTION==\"add\", SUBSYSTEM==\"usb\", "
                  "ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4211\", "
                  "ENV{ID_SMARTCARD_READER}=\"1\", "
                  "ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", GROUP+=\"users\", "
                  "TAG+=\"uaccess\"")))

; ...
(modify-services
 %desktop-services
 (udev-service-type config =>
                    (udev-configuration
                     (inherit config)
                     (rules (append (udev-configuration-rules config)
                                    (list %nitrokey-udev-rule))))))
--8<---cut here---end--->8---

I've tried the "plugdev" (as suggested on the website) and "users"
GROUP, to no avail: I get the same error from `gpg --card-status`.

I tried testing the rule with udevadm:

--8<---cut here---start->8---
sudo udevadm test $(udevadm info -q path -n /dev/bus/usb/001/008)
calling: test
version 3.2.5
This program is for debugging only, it does not run any program
specified by a RUN key. It may show incorrect results, because
some values may be different, or not available at a simulation run.

=== trie on-disk ===
tool version:          3
file size:       7431994 bytes
header size           80 bytes
strings          1901394 bytes
nodes            5530520 bytes
Load module index
timestamp of '/gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/etc/udev/rules.d' changed
Reading rules file: /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/50-udev-default.rules
Reading rules file: /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/60-block.rules
Reading rules file: /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/60-cdrom_id.rules
Reading rules file: /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/60-drm.rules
Reading rules file: /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/60-evdev.rules
Reading rules file: /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/60-persistent-alsa.rules
Reading rules file: /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/60-persistent-input.rules
Reading rules file: /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/60-persistent-storage-tape.rules
Reading rules file: /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/60-persistent-storage.rules
Reading rules file: /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/60-persistent-v4l.rules
Reading rules file: /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/60-sensor.rules
Reading rules file: /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/60-serial.rules
Reading rules file: /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/64-btrfs.rules
Reading rules file: /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/70-mouse.rules
Reading rules file: /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/70-touchpad.rules
Reading rules file: /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/75-net-description.rules
Reading rules file: /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/75-probe_mtd.rules
Reading rules file: /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/78-sound-card.rules
Reading rules file: /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/80-drivers.rules
Reading rules file: /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/80-net-name-slot.rules
rules contain 24576 bytes tokens (2048 * 12 bytes), 8930 bytes strings
1035 strings (15626 bytes), 649 de-duplicated (7083 bytes), 387 trie nodes used
IMPORT builtin 'usb_id' /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/50-udev-default.rules:13
IMPORT builtin 'hwdb' /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/50-udev-default.rules:13
MODE 0664 /gnu/store/if6kkgnbwx1lmb5wp8p8g68i8s9hqs58-eudev-3.2.5/lib/udev/rules.d/50-udev-default.rules:43
handling device node '/dev/bus/usb/001/008', devnum=c189:7, mode=0664, uid=0, gid=0
preserve permissions /dev/bus/usb/00