bug#31337: Unable to use gnuk usb smartcard token on GuixSD

bug#31337: Unable to use gnuk usb smartcard token on GuixSD

[Vagrant Cascadian]

[-- Attachment #1: Type: text/plain, Size: 2428 bytes --]

I've been unable to use my gnuk usb smartcard token with gnupg on
GuixSD, and it appears this is because scdaemon is built without libusb
support:

      $ gpg --card-status
      gpg: selecting openpgp failed: No such device
      gpg: OpenPGP card not available: No such device

Attached is a patch that gets scdaemon working for me and a gnuk...

Unfortunately, enabling libusb causes one of the tets to hang
indefinitely:

      PASS: tests/openpgp/decrypt-session-key.scm
      Checking unwrapping the encryption.
          > encsig-2-keys-3 encsig-2-keys-4 <
      PASS: tests/openpgp/decrypt-unwrap-verify.scm
      Checking signing with the default hash algorithm
          >

So far, I've only been able to get it to work by disabling the
tests... so it's obviously not a good idea to enable without further
troubleshooting.

Another option might be to use pcsc-lite and ccid, but I had even less
luck getting that to work.


live well,
  vagrant


diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index f397482ab..0e9e72784 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -39,6 +39,7 @@
   #:use-module (gnu packages curl)
   #:use-module (gnu packages crypto)
   #:use-module (gnu packages emacs)
+  #:use-module (gnu packages libusb)
   #:use-module (gnu packages openldap)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages perl-check)
@@ -232,6 +233,7 @@ compatible to GNU Pth.")
        ("libgcrypt" ,libgcrypt)
        ("libgpg-error" ,libgpg-error)
        ("libksba" ,libksba)
+       ("libusb" ,libusb)
        ("npth" ,npth)
        ("openldap" ,openldap)
        ("pcsc-lite" ,pcsc-lite)
@@ -246,12 +248,17 @@ compatible to GNU Pth.")
                           "--enable-all-tests")
       #:phases
       (modify-phases %standard-phases
+	;; (delete 'check)
         (add-before 'configure 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             (substitute* "scd/scdaemon.c"
               (("\"(libpcsclite\\.so[^\"]*)\"" _ name)
                (string-append "\"" (assoc-ref inputs "pcsc-lite")
                               "/lib/" name "\"")))
+            (substitute* "configure"
+              (("/usr/include/libusb-1.0")
+               (string-append (assoc-ref inputs "libusb")
+                              "/include/libusb-1.0")))
             #t))
         (add-after 'build 'patch-scheme-tests
           (lambda _

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

bug#31337: Unable to use gnuk usb smartcard token on GuixSD

[Nils Gillmann]

Vagrant Cascadian transcribed 3.3K bytes:
> I've been unable to use my gnuk usb smartcard token with gnupg on
> GuixSD, and it appears this is because scdaemon is built without libusb
> support:
> 
>       $ gpg --card-status
>       gpg: selecting openpgp failed: No such device
>       gpg: OpenPGP card not available: No such device
> 
> Attached is a patch that gets scdaemon working for me and a gnuk...
> 
> Unfortunately, enabling libusb causes one of the tets to hang
> indefinitely:
> 
>       PASS: tests/openpgp/decrypt-session-key.scm
>       Checking unwrapping the encryption.
>           > encsig-2-keys-3 encsig-2-keys-4 <
>       PASS: tests/openpgp/decrypt-unwrap-verify.scm
>       Checking signing with the default hash algorithm
>           >

There should be a test-suite.log in some location in the build chroot,
have you checked that? You might need to build with -K.

> So far, I've only been able to get it to work by disabling the
> tests... so it's obviously not a good idea to enable without further
> troubleshooting.
> 
> Another option might be to use pcsc-lite and ccid, but I had even less
> luck getting that to work.
> 
> 
> live well,
>   vagrant
> 
> 
> diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
> index f397482ab..0e9e72784 100644
> --- a/gnu/packages/gnupg.scm
> +++ b/gnu/packages/gnupg.scm
> @@ -39,6 +39,7 @@
>    #:use-module (gnu packages curl)
>    #:use-module (gnu packages crypto)
>    #:use-module (gnu packages emacs)
> +  #:use-module (gnu packages libusb)
>    #:use-module (gnu packages openldap)
>    #:use-module (gnu packages perl)
>    #:use-module (gnu packages perl-check)
> @@ -232,6 +233,7 @@ compatible to GNU Pth.")
>         ("libgcrypt" ,libgcrypt)
>         ("libgpg-error" ,libgpg-error)
>         ("libksba" ,libksba)
> +       ("libusb" ,libusb)
>         ("npth" ,npth)
>         ("openldap" ,openldap)
>         ("pcsc-lite" ,pcsc-lite)
> @@ -246,12 +248,17 @@ compatible to GNU Pth.")
>                            "--enable-all-tests")
>        #:phases
>        (modify-phases %standard-phases
> +	;; (delete 'check)
>          (add-before 'configure 'patch-paths
>            (lambda* (#:key inputs #:allow-other-keys)
>              (substitute* "scd/scdaemon.c"
>                (("\"(libpcsclite\\.so[^\"]*)\"" _ name)
>                 (string-append "\"" (assoc-ref inputs "pcsc-lite")
>                                "/lib/" name "\"")))
> +            (substitute* "configure"
> +              (("/usr/include/libusb-1.0")
> +               (string-append (assoc-ref inputs "libusb")
> +                              "/include/libusb-1.0")))
>              #t))
>          (add-after 'build 'patch-scheme-tests
>            (lambda _

bug#31337: Unable to use gnuk usb smartcard token on GuixSD

[Ludovic Courtès]

Hi Vagrant,

Vagrant Cascadian <vagrant@debian.org> skribis:

> I've been unable to use my gnuk usb smartcard token with gnupg on
> GuixSD, and it appears this is because scdaemon is built without libusb
> support:
>
>       $ gpg --card-status
>       gpg: selecting openpgp failed: No such device
>       gpg: OpenPGP card not available: No such device
>
> Attached is a patch that gets scdaemon working for me and a gnuk...
>
> Unfortunately, enabling libusb causes one of the tets to hang
> indefinitely:
>
>       PASS: tests/openpgp/decrypt-session-key.scm
>       Checking unwrapping the encryption.
>           > encsig-2-keys-3 encsig-2-keys-4 <
>       PASS: tests/openpgp/decrypt-unwrap-verify.scm
>       Checking signing with the default hash algorithm
>           >
>
> So far, I've only been able to get it to work by disabling the
> tests... so it's obviously not a good idea to enable without further
> troubleshooting.

Did you try attaching strace or gdb to the faulty test to see what’s
going on?

It may be that this test depends on the availability of special hardware
or something like that, in which case we should arrange to skip just
this test.

Thanks for looking into it!

Ludo’.

bug#31337: Unable to use gnuk usb smartcard token on GuixSD

[Chris Marusich]

[-- Attachment #1: Type: text/plain, Size: 336 bytes --]

Vagrant Cascadian <vagrant@debian.org> writes:

> Another option might be to use pcsc-lite and ccid, but I had even less
> luck getting that to work.

When you tried that, did you enable the USB drivers by creating a
symlink as described here?

https://lists.gnu.org/archive/html/guix-devel/2016-10/msg01433.html

-- 
Chris

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

bug#31337: Unable to use gnuk usb smartcard token on GuixSD

[Vagrant Cascadian]

[-- Attachment #1: Type: text/plain, Size: 1160 bytes --]

On 2018-05-07, Chris Marusich wrote:
> Vagrant Cascadian <vagrant@debian.org> writes:
>
>> Another option might be to use pcsc-lite and ccid, but I had even less
>> luck getting that to work.
>
> When you tried that, did you enable the USB drivers by creating a
> symlink as described here?
>
> https://lists.gnu.org/archive/html/guix-devel/2016-10/msg01433.html

With the symlink:

  lrwxrwxrwx 1 root root 41 Jun  2 06:31 /var/lib/pcsc/drivers -> /home/vagrant/.guix-profile/pcsc/drivers/

Then I tried to run:

  pcscd --debug --foreground
  00000000 pcscdaemon.c:347:main() pcscd set to foreground with debug send to stdout
  00000077 pcscdaemon.c:623:main() cannot create /var/run/pcscd: Permission denied

Running as root appears to have worked:

  sudo -E --debug --foreground pcscd

Then as a user, "gpg --card-status" works. Haven't tried any other
functionality yet, but that's a good start.


So this seems like a somewhat complicated workaround, and making a
proper pcscd service would reduce the complication significantly.  It
would obviously be slightly preferable to me for gnupg to support
smartcards out of the box. :)


live well,
  vagrant

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

bug#31337: Unable to use gnuk usb smartcard token on GuixSD

[Brice Waegeneire]

Hello Vagrant,

Vagrant Cascadian <vagrant@debian.org> writes:

> So this seems like a somewhat complicated workaround, and making a
> proper pcscd service would reduce the complication significantly.  It
> would obviously be slightly preferable to me for gnupg to support
> smartcards out of the box. :)

There is a pcscd service in Guix now. Do you still have issue with using
smartcard in Guix or can we close this one?

Cheers,
- Brice

bug#31337: Unable to use gnuk usb smartcard token on GuixSD

[Brice Waegeneire]

Brice Waegeneire <brice@waegenei.re> writes:

Closing this issue since it's should be solved.  Feel free to reopen it
if it's not the case.