Hello world :-) I have just updated the gnupg package to 2.3.8 and it seems to break gpg-agent. Reverting to previous 2.3.3_3 (gnupg-2.3.3_3~f3199a7e94.pkg) from my pkg cache fixed the issue. I am using Yubikey and yubikey-personalization-gui works fine. Seem a problem with 2.3.8. I have noticed that other people also have this issue [1], so here goes the report :-) [1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267152 Best regards :-) Tomek
% gpg-agent --daemon -v gpg-agent[43237]: listening on socket '/home/XXX/.gnupg/S.gpg-agent' gpg-agent[43237]: listening on socket '/home/XXX/.gnupg/S.gpg-agent.extra' gpg-agent[43237]: listening on socket '/home/XXX/.gnupg/S.gpg-agent.browser' gpg-agent[43237]: listening on socket '/home/XXX/.gnupg/S.gpg-agent.ssh' SSH_AUTH_SOCK=/home/XXX/.gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK; gpg-agent[43670]: gpg-agent (GnuPG) 2.3.8 started gpg-agent[43670]: ssh handler 0x82783d700 for fd 7 started gpg-agent[43670]: ssh request handler for request_identities (11) started gpg-agent[43670]: no running /usr/local/libexec/scdaemon daemon - starting it gpg-agent[43670]: first connection to daemon /usr/local/libexec/scdaemon established gpg-agent[43670]: ssh handler 0x82783de00 for fd 10 started gpg-agent[43670]: ssh request handler for request_identities (11) started gpg-agent[43670]: new connection to /usr/local/libexec/scdaemon daemon established gpg-agent[43670]: ssh handler 0x827840100 for fd 14 started gpg-agent[43670]: ssh request handler for request_identities (11) started gpg-agent[43670]: ssh handler 0x827840800 for fd 17 started gpg-agent[43670]: ssh request handler for request_identities (11) started Each handler indicated a connection made with `ssh-add -l` but there seems to be no response from gpg-agent. I have rebuilt from sources but that does not help. % uname -a FreeBSD octagon 13.1-STABLE FreeBSD 13.1-STABLE #0 stable/13-n253075-2b20cade1eca: Sun Nov 13 20:06:09 CET 2022 root@octagon:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
It works for me on stable/13-n253109-c2a74ca2c3d9 (arm64). Can you describe the steps to reproduce? Do you have a non-FreeBSD machine with gnupg-2.3.8? Does it work there?
Hello Herbert :-) 1. I have noticed this issue after update to 2.3.8. Reproduction steps is to use gpg-agent as always :-) Verbose output was presented: daemon starts, then when connecting from ssh-add -l client connects and nothing happens (the same with ssh). If you know the gpg-agent part any ideas on how to test (debug?) are welcome :-) 2. Reverting from 2.3.8 to 2.3.3_3 fixes the issue for me and all works as expected. I am using 2.3.3 for now with the same token on the same machine. 3. I did not find configuration changes remarks in a release notes.. but there were some Yubikey firmware "fixes". Do you have Yubikey token too? I am still using Yubikey4NFC but I also have Yubikey5NFC maybe this is Yubikey related problem? I will try to play with YK5 and see if that makes a difference. 4. I will try to find a free machine (Linux and FreeBSD 13.1-RELEASE) install gnupg-2.3.8 and report back :-) Thank you :-) Tomek
Okay, so I have checked on a laptop with 13.1-RELEASE-p2 (AMD64) with gnupg-2.3.8 and that YK4NFC works fine! o_O I will freebsd-update to latest 13.1-RELEASE and will report back. Is this a problem with 13.1-STABLE? Kernel? World? Kernel World out of sync?
I have upgraded to 13.1-RELEASE-p3 (although freebsd-update says there are no updates available for 13.1-RELEASE-p4).. and the gpg-agent works fine o_O I will update 13.1-STABLE rebuild kernel + world and will report back. This can take some time as I am switching machines right now and have to finish badblocks on a new disks before install (one of brand new WDRedPro had badblocks can you imagine).
I guess we can close this now?
Well the problem still exists on that box but it seems box specific so I will have to find the cause myself if it works for the others and also on other box with 13.1-RELEASE ;-) Thank you for your time folks :-)
Hey, I still had been having this issue, but managed to solve it today. Adding the comment in case some poor soul comes across it: Starting with security/gnupg 2.3.8 communication between gpg-agent and certain YubiKeys broke as documented here. After much research, I came across this [1], which documents how to stop using scdaemon in favour of pcscd and decided to give it a go (it worked). [1]: https://support.yubico.com/hc/en-us/articles/4819584884124-Resolving-GPG-s-CCID-conflicts In a nutshell and more FreeBSD-specific: adding "disable-ccid" to ~/.gnupg/scdaemon.conf (creating it if absent) instructs gpg-agent not to start scdaemon. We install devel/pcsc-lite and devel/libccid (pkg install pcsc-lite ccid) Create /usr/local/etc/devd/pcscd.conf with following contents: attach 100 { device-name "ugen[0-9]+"; action "/usr/local/sbin/pcscd -H"; }; detach 100 { device-name "ugen[0-9]+"; action "/usr/local/sbin/pcscd -H"; }; And add pcscd_enable=YES to /etc/rc.conf. After a "reboot" (or service pcsd start + killall -9 scdaemon + gpgconf --kill gpg-agent) this issue stopped existing. Possibly something changed on gnupg's ccid implementation.
(In reply to Evilham from comment #8) Thanks for this hint, but unfortunately this still doesn't work for me - any attempt at e.g. using a key on a yubikey for ssh login leads to: sign_and_send_pubkey: signing failed for RSA "cardno:000[...]" from agent: agent refused operation I tried this configuration with gnupg 2.3.8 and 2.4.3 on 3 different systems (12.4-RELEASE, 13.2-RELEASE and 14.0-STABLE/ALPHA3) with the same results. gnupg 2.3.3 works on all of those systems with smartcards/yubikey, but any later version is simply broken regarding smartcards and gpg-agent...
(In reply to Sebastian from comment #9) I also got this "agent refused operation" error. I'm not sure why, but decrypting a file (and entering my pin) THEN using ssh fixes it for me.
Okay, so my problem with latest gnupg (2.4.3) and gpg-agent/ssh-agent was fixed with disable-ccid line in scdaemon.conf. Thank you EvilHAM for the hints works for me too! :-) ~/.gnupg/scdaemon.conf: disable-ccid Regarding agent refused operation I suggest asking at https://forums.freebsd.org or mailing lists. In general: 1. Make sure that gpg-agent is properly configured (`enable-ssh-support` and optional pinentry for example `pinentry-program /usr/local/bin/pinentry-qt5`). 2. Make sure that gpg-agent is running (run it with `gpg-agent --daemon`). 3. Make sure that gpg-agent provided auth socket is exported to your environment (this is displayed and can be evaluated when starting the `gpg-agent --daemon` i.e. `SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh`). 4. When gpg-agent/ssh-agent works fine `ssh-add -l` should display your card key.