This repository was archived by the owner on Dec 15, 2022. It is now read-only.

Failure with Smartcard + Pin + Touch Security #985

Closed
@envygeeks

Diagnostics

  • Distro: Ubuntu 16.04 LTS (Xenial)
  • SmartCard: YubiKey 4, YubiKey Nano 4
  • GPG Version: gpg (GnuPG) 2.1.11
/home/jordon/.gnupg/pubring.kbx
-------------------------------
sec#  rsa4096/0x2D670E76F3B19D80 2017-05-14 [SC]
      Key fingerprint = 1E47 C010 BF1C B42A 61C5  CFBB 2D67 0E76 F3B1 9D80
uid                   [ultimate] Jordon Bedwell <*>
uid                   [ultimate] Jordon Bedwell <*>
uid                   [ultimate] Jordon Bedwell <*>
ssb>  rsa4096/0x193E56F2B0105B9F 2017-05-14 [S]
ssb>  rsa4096/0xB34DB76CCA838EF3 2017-05-14 [E]
ssb>  rsa4096/0xE1BA8DD5F28499C9 2017-05-14 [A]

Where > is a key that is held on the smartcard and # is a key that is missing.

~/.gnupg/gpg.conf

no-greeting
no-comments
no-emit-version
fixed-list-mode
with-fingerprint
cipher-algo AES256
default-recipient-self
cert-digest-algo SHA512
verify-options show-uid-validity
personal-cipher-preferences AES256 AES192
keyserver-options auto-key-retrieve, no-include-revoked
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256
personal-digest-preferences SHA512 SHA384 SHA256
keyserver hkp://keyserver.ubuntu.com
list-options show-uid-validity
s2k-cipher-algo AES256
keyid-format 0xlong
escape-from-lines
charset utf-8
use-agent

~/.gnupg/gpg-agent.conf

enable-ssh-support
pinentry-program /usr/bin/pinentry-gnome3
default-cache-ttl 60
max-cache-ttl 120

Description

When GPG/Git is configured to use a smartcard with pin + touch, the git integration confuses that with a GPG passphrase and does not pass it on to gpg-agent, scdaemon or anything else configured to ask for the pin and then require a touch to confirm anti-malware entry, resulting in an error that will confuse some people.

Steps to Reproduce

  1. Buy a Yubikey 4
  2. Configure said Yubikey with SEA keys.
  3. Configure Yubikey to require a touch to confirm human entry
  4. Configure git to use gpg2, configure gpg2 to use gpg-agent w/ scdaemon
  5. Open Atom and try to commit a file w/ github-integration
  6. Cry and then go do it in the terminal.

Expected behavior:

Request for pin and then Yubikey to turn green prompting for touch.
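As an added check (example code, not from the issue or the atom/github project): a small shell helper that reads the `gpg --list-secret-keys` listing shown above and reports where each key lives, so a signing subkey that is missing from the card is ruled out before the git or editor integration is blamed. The sample listing is constructed from the report's own output; the function names are this example's own.

```shell
# Added example (not from the issue or the atom/github project): parse the
# `gpg --list-secret-keys` listing shown in the report. In that listing a
# trailing `#` (sec#/ssb#) means the private part is missing and a trailing
# `>` (sec>/ssb>) means it lives on the smartcard. Live use:
#   gpg2 --list-secret-keys | gpg_key_locations

# Print "<usage> <location> <keyid>" for every sec/ssb line on stdin,
# e.g. "S card 0x193E56F2B0105B9F".
gpg_key_locations() {
  awk '
    /^(sec|ssb)/ {
      loc = "local"
      if ($1 ~ /#$/) loc = "missing"
      else if ($1 ~ />$/) loc = "card"
      split($2, kp, "/")                  # "rsa4096/0x..." -> keyid in kp[2]
      usage = ""                          # capability flags such as [SC], [S]
      for (i = 3; i <= NF; i++) if ($i ~ /^\[[A-Z]+\]$/) { usage = $i; break }
      gsub(/\[|\]/, "", usage)
      printf "%s %s %s\n", usage, loc, kp[2]
    }'
}

# Succeed only if a signing-capable (S) key is on the card; git signing
# with a touch-required YubiKey can only work when this is true.
signing_key_on_card() {
  gpg_key_locations | awk '$1 ~ /S/ && $2 == "card" { found = 1 } END { exit !found }'
}

# Constructed sample listing, modelled on the output in the report.
SAMPLE_LISTING='sec#  rsa4096/0x2D670E76F3B19D80 2017-05-14 [SC]
      Key fingerprint = 1E47 C010 BF1C B42A 61C5  CFBB 2D67 0E76 F3B1 9D80
uid                   [ultimate] Jordon Bedwell <*>
ssb>  rsa4096/0x193E56F2B0105B9F 2017-05-14 [S]
ssb>  rsa4096/0xB34DB76CCA838EF3 2017-05-14 [E]
ssb>  rsa4096/0xE1BA8DD5F28499C9 2017-05-14 [A]'

printf '%s\n' "$SAMPLE_LISTING" | gpg_key_locations
if printf '%s\n' "$SAMPLE_LISTING" | signing_key_on_card; then
  echo "signing subkey is on the card: check pinentry/touch, not the keys"
else
  echo "no signing subkey on the card: fix the key setup first"
fi
```

If the signing subkey reports `card` but git still fails, the remaining suspects are the pinentry program and the touch prompt, which is exactly the path this report says the editor integration short-circuits.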
