New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pythonPackages.pcsclite: refactor #21991
Conversation
layus
commented
Jan 19, 2017
- hardcode lipcsclite path
- remove runtime dependency on swig
- add myself as maintainer
@layus @7c6f434c: This commit breaks the pgp card feature of my yubikey on my system ("gpg: OpenPGP card not available: No such device"). Reverting the commit and rebuilding my system instantly fixes the issue. At the moment I do not have the time to debug this properly but wanted to let you know that there might be an issue. |
Pinging @jonslp for he was the original author. That being said, I would appreciate if you could dig into this issue. I have no yubikey to play with, and it works with my bank cards ;-). Also, what platform / python version are you using ? |
I'll try and take a look - I'm not sure why the python smartcard library would upset your system, it should be dormant unless installed/used and it wasn't part of Nix until the first commit was merged. I have noticed some issues around sleeping my laptop causing GPG to stop working, and the fix was to restart the pcsclite daemon (although sudo gpg2 --card-status worked before restart) so I wondered it it was a permissions problem. My system also has additional udev entries to support U2F so I haven't isolated the problem yet. Is it possible that reverting the commit and then runningnixos-rebuild switch restarted pcsclite? (reposted from the correct account) |
I have the same problem as @fadenb, can no longer use my Yubikey. I can get
And restarting
|
I played around too. When it works with sudo, it is not using pcsdlite. That still works if you totally stop the daemon. Look at the Reader line - when it's working normally it says 'Yubikey' in there. I ran strace against gpg2 and discovered all the talking to the smartcard is actually through the gpg-agent if you have one running. I restarted the pcscd.service, pcscd.socket and gpg-agent and it fixed it. I haven't worked out which one was the real culprit. I was hoping it was fixed by some of the recent systemd fixes that went into pcsclite, but I think the issue may be with libusb beneath. |
@jonslp can you share the commands you used to restart those services in a way that fixes it? It won't work for me:
Trace here: https://gist.github.com/eqyiel/9a1b2f078c7e1059c4e5139bb8c62f7f You mentioned in your other post that you have additional udev entries to support U2F, would you mind sharing those? |
The only difference from what I did was to fully stop both the service and the socket, remove the socket from the file system for good measure, then restart it and check it was recreated. Something like I can't remember how I restarted gpg-agent, however it is running as and in my sessions where it works, I have my environment as |
On the udev - it looks like I'm just using the entries that come with libu2fhost. I'm not sure if they're helping or not and I don't think they affect GPG, but I'm not sure as they're for access to /dev/hidraw*
|
And here's the difference in strace before and after restarting gpg-agent |
I have just checked. The only real change this PR produces is a change in the following source code: void* handle=NULL;
char* dlsym_error;
const char *lib = NULL;
#ifdef __APPLE__
lib = "/System/Library/Frameworks/PCSC.framework/PCSC";
#else
lib = "libpcsclite.so.1";
#endif
if( bFirstCall )
{
dlerror();
handle = dlopen( lib, RTLD_NOW );
if( NULL!=handle )
....
else
{
dlsym_error = dlerror();
if( NULL!= dlsym_error )
{
printf( "Failed to dlopen %s: %s!", lib, (dlsym_error==NULL) ? "" : (char*)dlsym_error );
}
} replacing the If this induced an error somewhere, it is because dynamically resolving libpcsclite.so.1 was used before, and is bypassed by a direct link now. |
Bingo! yubikey is doing strange manipulation of LD_LIBRARY_PATH and LD_PRELOAD.
|
@jonslp Could you give us some insights on why LD_PRELOAD was used in yubikey-personalization in the first place ? |
I used LD_PRELOAD because the Python interpreter is patched to ignore LD_LIBRARY_PATH for dynamic loading, so it was the easiest way I could think of to make it work. Or at least, I think that's what this patch is doing. So without LD_PRELOAD, pyscard couldn't load the shared objects it needed to work. |
Maybe we could get useful insights from @FRidh as to why it is disabled, but I guess that it is to prevent just what you are doing. By ignoring LD_LIBRARY_PATH, we have control over the origin of libraries. The expected solution in this case is to patch the python sources of yibioath-desktop to hardcode the library location. As an added benefit, libykpers would be automatically detected as a runtime dependency. The library name appears in Now, I am not sure at all that this would solve the issue at hand. But I think it is worth trying. LD_PRELOAD is a hack and should remain so. |
I agree, LD_PRELOAD is a hack and if we can get rid of it, we should. I thought I tried something like that, but I couldn't get the python to do the right thing. Regardless of what we do about that, I still don't see how this change would affect anything other than components using pyscard. It should not affect GPG as far as I can tell. It seems more likely that the upgrade from 1.8.17 -> 1.8.20 for pcsclite 4acd692 I haven't had my Yubikey very long, so I'm not sure how stable it used to be. I hadn't noticed the problem with gpg being unable to access the card until I used it on the road with my laptop and was using the suspend/hibernate more than I usually do. |
That's indeed the reason. In Python code we always need to replace such references, see |
Hey y'all-- regarding gpg not being able to see the key, it's actually a bug with gpg itself. https://bugs.gnupg.org/gnupg/issue2933 It can be "fixed" by adding
Kill scdaemon and gpg and gpg will work on non root users again. That said, the output of |
Thanks for the info - I'll give that a go when I get a chance. |
Also, check out the above pull request. It includes some patches from the debian team that has fixed my problems with yubikey+gpg. |
The use of smartcard functionality for yubikeys (and presumably other usb smartcards) was broken in gnupg 2.1.18. This has apparently already been fixed in gnupg master, and debian backports the included patches for 2.1.18. See also: https://bugs.gnupg.org/gnupg/issue2933 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852702 NixOS#21991
The use of smartcard functionality for yubikeys (and presumably other usb smartcards) was broken in gnupg 2.1.18. This has apparently already been fixed in gnupg master, and debian backports the included patches for 2.1.18. See also: https://bugs.gnupg.org/gnupg/issue2933 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852702 #21991