[Nix-dev] Using a smartcard with GPG

Kirill Elagin kirelagin at gmail.com
Fri Feb 6 12:13:58 CET 2015


Ok, I’m back with some details.
The proper way to handle this is to create a udev rule that sets
`ENV{ID_SMARTCARD_READER}="1"`. This will cause builtin rules to add
`uaccess` and `seat` tags (the first one means that logind will set ACLs
directly on the dev node, the second one tells it to attach it to the
seat). It will also start `smartcard.target`.

How to match the device in the rule is another question. You can use
`udevadm monitor` or some other means to find its path in `/sys` and then
`udevadm info -q all -p </sys/path>` to see what udev thinks about it. If
it really has `cardman_4040` subsystem then you’ll have to debug your udev
rules with `udevadm test </sys/path>`.
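A NixOS configuration following the approach above, as an added example that is not from the thread: it marks the reader with `ENV{ID_SMARTCARD_READER}="1"` instead of a custom group, so systemd's own `70-uaccess.rules` and `71-seat.rules` add the `uaccess` and `seat` tags and logind grants access to the active seat via ACLs. The match keys (`SUBSYSTEM=="cardman_4040"`, `KERNEL=="cmx[0-9]*"`) and the `/sys` path are assumptions derived from the `cm4040_cs` driver and `/dev/cmx0` node shown below; confirm them with `udevadm info -q all -p </sys/path>` first.

```nix
{ config, pkgs, ... }:

{
  # Ship the rule in a file that sorts before systemd's 70-uaccess.rules and
  # 71-seat.rules: those only add the tags if ID_SMARTCARD_READER is already
  # set when they run, and services.udev.extraRules lands in 99-local.rules,
  # which is evaluated after them.
  services.udev.packages = [
    (pkgs.writeTextFile {
      name = "cardman4040-udev-rules";
      destination = "/etc/udev/rules.d/60-cardman4040.rules";
      text = ''
        # Assumed match keys; verify with:
        #   udevadm info -q all -p /sys/class/cardman_4040/cmx0
        # and dry-run the rule with:
        #   udevadm test /sys/class/cardman_4040/cmx0
        SUBSYSTEM=="cardman_4040", KERNEL=="cmx[0-9]*", ENV{ID_SMARTCARD_READER}="1"
      '';
    })
  ];

  # No extra group or MODE: the device stays root-owned and logind adds a
  # per-user ACL for whoever is logged in on the seat (check with getfacl).
  # systemd's 99-systemd.rules also pulls in smartcard.target for tagged devices.
}
```

After `nixos-rebuild switch` and re-plugging the card, `udevadm info -q all -p /sys/class/cardman_4040/cmx0` should list `E: ID_SMARTCARD_READER=1` and `TAGS` containing both `seat` and `uaccess`; if not, the match keys are wrong and `udevadm test` on that path shows which rules fired.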

On Fri Feb 06 2015 at 12:29:08 PM Kirill Elagin <kirelagin at gmail.com> wrote:

> On Thu Feb 05 2015 at 5:50:13 PM Nikita Karetnikov <nikita at karetnikov.org>
> wrote:
>
>> Since NixOS is an unusual system, I’ve decided to ask here before
>> talking to the GnuPG people.
>>
>> How can I access a smart card?  'pccardctl'
>> (see https://github.com/NixOS/nixpkgs/pull/6172) detects it:
>>
>> $ /nix/store/dwibbrcls43c0bxkcj52qj6mi8xipd6a-pcmciautils-017/bin/pccardctl ls
>> Socket 0 Bridge:        [yenta_cardbus]         (bus ID: 0000:05:00.0)
>> Socket 0 Device 0:      [cm4040_cs]             (bus ID: 0.0)
>>
>> $ /nix/store/dwibbrcls43c0bxkcj52qj6mi8xipd6a-pcmciautils-017/bin/pccardctl status
>> Socket 0:
>>   5.0V 16-bit PC Card
>>   Subdevice 0 (function 0) bound to driver "cm4040_cs"
>>
>> $ /nix/store/dwibbrcls43c0bxkcj52qj6mi8xipd6a-pcmciautils-017/bin/pccardctl ident
>> Socket 0:
>>   product info: "OMNIKEY", "CardMan 4040", "", ""
>>   manfid: 0x0223, 0x0200
>>
>> I've tried adding the following lines to 'configuration.nix' as
>> suggested in
>> https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/107337, but it
>> doesn't make a difference:
>>
>>   services.udev.extraRules = ''
>>     SUBSYSTEM=="cardman_4040", GROUP="scard", MODE="0660"
>>   '';
>>
>>   users.extraGroups = { sdcard = { }; };
>>   users.extraGroups.sdcard.members = [ "nikita" ];
>>
>> After switching to the new config and rebooting:
>>
>> $ ls -l /dev/cmx0
>> crw-rw---- 1 root root 248, 0 Feb  5 16:45 /dev/cmx0
>>
>
> Well, looks like the rule doesn’t work.
> You can play with `udevadm` to find out why it doesn’t match your reader.
>
> (BTW using special groups for this kind of thing is braindead IMO. It
> should be managed by logind [so Ubuntu links are definitely not the best
> source of wisdom]. I’m not sure how to properly handle this, `loginctl
> attach` might be enough or you might have to write a udev rule. In the
> latter case Fedora probably has what you need.)
>
>
>> $ gpg2 --card-edit
>>
>> scdaemon[2242]: error sending PC/SC OPEN request: Broken pipe
>> scdaemon[2242]: error sending PC/SC OPEN request: Broken pipe
>> gpg: selecting openpgp failed: Card error
>> gpg: OpenPGP card not available: Card error
>>
>> With ‘sudo’:
>>
>> $ sudo gpg2 --card-status
>> gpg: selecting openpgp failed: Card not present
>> gpg: OpenPGP card not available: Card not present
>>
>