Scdaemon won't detect Yubikey on Windows 10
This has recently started after I updated to Windows 10 1803 (x64). I have updated Gpg4Win to the latest version (3.1.2), but this has not fixed anything.
I have tried the following:
- Remove the Minidriver (https://forum.yubico.com/viewtopicbe08.html?f=35&t=2756)
- Change the chuid (https://forum.yubico.com/viewtopicb199.html?f=35&t=2757)
- Uninstall all drivers related to the Yubikey so they get reinstalled using Nirsoft's Usbdeview
- Remove the entries for the Yubikey from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards
- Disable and re-enable the CCID interface using Yubico's tools
- Restart the Smartcard service
- Kill and restart scdaemon and gpg-connect-agent
- (obviously) reboot
None of this fixed it, and I am pretty much out of ideas at this moment. This is the only smartcard reader on my machine (aside from a TPM), and the Yubikey has been tested to work with gpg on Linux.
The Yubikey is showing as Identity Device (NIST SP 800-73 [PIV])
Some logs:
Gpg returns:
$ gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device
Certutil returns:
$ certutil -scinfo
=======================================================
Analyzing card in reader: Yubico Yubikey 4 OTP+U2F+CCID 0
--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico Yubikey 4 OTP+U2F+CCID 0
--- Card: Identity Device (NIST SP 800-73 [PIV])
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = (null) [Default Container]
Cannot open the AT_SIGNATURE key for reader: Yubico Yubikey 4 OTP+U2F+CCID 0
Cannot open the AT_KEYEXCHANGE key for reader: Yubico Yubikey 4 OTP+U2F+CCID 0
--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico Yubikey 4 OTP+U2F+CCID 0
--- Card: Identity Device (NIST SP 800-73 [PIV])
Provider = Microsoft Smart Card Key Storage Provider
Key Container = (null) [Default Container]
Cannot open the key for reader: Yubico Yubikey 4 OTP+U2F+CCID 0
--------------===========================--------------
Done.
CertUtil: -SCInfo command completed successfully.
The log by Scdaemon shows something (I think) might be interesting, as it seems to detect the reader:
2018-07-26 18:13:36 scdaemon[13612] detected reader 'Windows Hello for Business 9'
2018-07-26 18:13:36 scdaemon[13612] detected reader 'Yubico Yubikey 4 OTP+U2F+CCID 0'
2018-07-26 18:13:36 scdaemon[13612] reader slot 0: not connected
2018-07-26 18:13:36 scdaemon[13612] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
2018-07-26 18:13:36 scdaemon[13612] DBG: enter: apdu_connect: slot=0
2018-07-26 18:13:36 scdaemon[13612] pcsc_control failed: insufficient buffer (0x80100008)
2018-07-26 18:13:36 scdaemon[13612] pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65538
2018-07-26 18:13:36 scdaemon[13612] reader slot 0: active protocol: T1
2018-07-26 18:13:36 scdaemon[13612] slot 0: ATR=3B 8D 01 80 FB A0 00 00 03 97 42 54 46 59 04 01 CF
2018-07-26 18:13:36 scdaemon[13612] DBG: pcsc_get_status_change: changed present excl inuse
2018-07-26 18:13:36 scdaemon[13612] DBG: leave: apdu_connect => sw=0x0
2018-07-26 18:13:36 scdaemon[13612] DBG: send apdu: c=00 i=A4 p1=00 p2=0C lc=2 le=-1 em=0
2018-07-26 18:13:36 scdaemon[13612] DBG: PCSC_data: 00 A4 00 0C 02 3F 00
2018-07-26 18:13:36 scdaemon[13612] DBG: response: sw=6A82 datalen=0
2018-07-26 18:13:36 scdaemon[13612] DBG: send apdu: c=00 i=A4 p1=04 p2=00 lc=6 le=-1 em=0
2018-07-26 18:13:36 scdaemon[13612] DBG: PCSC_data: 00 A4 04 00 06 D2 76 00 01 24 01
2018-07-26 18:13:36 scdaemon[13612] DBG: response: sw=6A82 datalen=0
2018-07-26 18:13:36 scdaemon[13612] can't select application 'openpgp': Not supported
2018-07-26 18:13:36 scdaemon[13612] DBG: enter: apdu_close_reader: slot=0
2018-07-26 18:13:36 scdaemon[13612] DBG: enter: apdu_disconnect: slot=0
2018-07-26 18:13:36 scdaemon[13612] DBG: leave: apdu_disconnect => sw=0x0
2018-07-26 18:13:36 scdaemon[13612] DBG: leave: apdu_close_reader => 0x0 (close_reader)
2018-07-26 18:13:36 scdaemon[13612] DBG: chan_0x00000188 -> ERR 100696144 No such device <SCD>
The issue seems to be that installing Office365 adds a virtual Smartcard reader for Windows Hello for Business, an authentication mechanism based on Microsoft Passport.
I think (based on the logs) this causes scdaemon to crash, as it can find two readers: this one, and the Yubikey; but it does not get to try to initialise the latter, failing right after trying the Windows Hello for Business virtual reader. The logs for certutil also show the certificates could not be retrieved for the Windows Hello virtual reader on my machine, so this might be what causes scdaemon to crash.
The issue was solved by setting Yubico Yubikey 4 OTP+U2F+CCID 0 (the name I got from the logs) on the Kleopatra settings, under the Smartcard tab.
YMMV, but what I would recommend is as follows:
- Set the Debugging level to 4, and set the path for the logfile on the smartcards tab in Kleopatra
- Look for the name of your Yubikey smartcard on the logfile: there should be a line starting with detected reader, in my case stating detected reader 'Yubico Yubikey 4 OTP+U2F+CCID 0'
- Copy that name into the Connect to reader at port N field on Kleopatra
- You may now disable logging again to reduce garbage being generated.
Please see the image for reference:
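The log-reading steps above can be scripted. The following is an added example, not part of the original answer: it lists the readers scdaemon detected, checks how the SELECT of the OpenPGP application (AID D2 76 00 01 24 01) was answered, and prints the matching line for scdaemon.conf, where `reader-port` is the option behind Kleopatra's "Connect to reader at port N" field. The function names and the `hint` parameter are hypothetical, and the sample input is built from log lines quoted in the question.

```python
import re

OPENPGP_AID = "D2 76 00 01 24 01"  # AID carried in the SELECT APDU in the log
SW_TEXT = {"9000": "success", "6A82": "file or application not found"}

# Constructed sample: a subset of the scdaemon log lines quoted in the question.
SAMPLE_LOG = """\
2018-07-26 18:13:36 scdaemon[13612] detected reader 'Windows Hello for Business 9'
2018-07-26 18:13:36 scdaemon[13612] detected reader 'Yubico Yubikey 4 OTP+U2F+CCID 0'
2018-07-26 18:13:36 scdaemon[13612] DBG: PCSC_data: 00 A4 00 0C 02 3F 00
2018-07-26 18:13:36 scdaemon[13612] DBG: response: sw=6A82 datalen=0
2018-07-26 18:13:36 scdaemon[13612] DBG: PCSC_data: 00 A4 04 00 06 D2 76 00 01 24 01
2018-07-26 18:13:36 scdaemon[13612] DBG: response: sw=6A82 datalen=0
2018-07-26 18:13:36 scdaemon[13612] can't select application 'openpgp': Not supported
"""

def analyse(log):
    """Return the detected readers and the status word of the OpenPGP SELECT."""
    result = {"readers": re.findall(r"detected reader '([^']+)'", log),
              "openpgp_select_sw": None}
    pending = None  # last command APDU seen, waiting for its response line
    for line in log.splitlines():
        cmd = re.search(r"PCSC_data: ((?:[0-9A-F]{2} ?)+)", line)
        if cmd:
            pending = cmd.group(1).strip()
            continue
        rsp = re.search(r"response: sw=([0-9A-F]{4})", line)
        if rsp and pending is not None:
            # SELECT by DF name is CLA=00 INS=A4 P1=04 with the AID as data.
            if pending.startswith("00 A4 04") and pending.endswith(OPENPGP_AID):
                result["openpgp_select_sw"] = rsp.group(1)
            pending = None
    return result

def suggest_reader_port(result, hint="yubi"):
    """Return a scdaemon.conf line when the OpenPGP SELECT failed, else None."""
    if result["openpgp_select_sw"] in (None, "9000"):
        return None  # no SELECT logged, or it succeeded: nothing to change
    for name in result["readers"]:
        if hint in name.lower():  # hint is a hypothetical name filter
            return "reader-port " + name
    return None

if __name__ == "__main__":
    info = analyse(SAMPLE_LOG)
    sw = info["openpgp_select_sw"]
    print("readers:", info["readers"])
    print("OpenPGP SELECT:", sw, "-", SW_TEXT.get(sw, "unknown"))
    print("suggested:", suggest_reader_port(info))
```
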