MacOS 10.11.6: gpg --card-status = Operation not supported by device

Nitrokey Pro with latest firmware isn’t working for me on MacOS 10.11.6 :

gpg --card-status
gpg: selecting openpgp failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device

I’ve installed osx-ccid-installer and restarted.

Tried the suggestion here in the FAQ but that file does not exist:

ls -al /System/Library/Security/tokend/OpenSC.tokend
ls: /System/Library/Security/tokend/OpenSC.tokend: No such file or directory

Any suggestions?

gpg --version
gpg (GnuPG/MacGPG2) 2.1.21

gpg --card-status works fine for me on Linux.

After hours of trying different things, the Nitrokey Pro began working as soon as I was able to install and run pcsc_scan.

More info here:

So far, I spent about 8 hours trying to setup and use this device on the Mac… very disappointing. Hopefully others will be able to benefit from the info above.

Hello @jonf3n,

I am really sorry, that it took so much time for you!

@Peacekeeper As you use MacOS as well: Did you have troubles like this? Did you may do anything different from the instructions here ?

Maybe we can improve the experience for other users by adding your suggestions. Right now I have no Mac at hand. But I try to test it soon by myself.

Kind regards

Hi there ,

:thinking: I am using a different version of libccid : 1.4.25 . I am also not sure if the installer recognize the macOSX savety with SIP (System Integrity Protection) , where you have to disable that before you could install some system files ( or replace them)

:yum: But I see that the libccid Version is now 1.4.27 on git-hub. Maybe I should try that one in my VM. @jonf3n has the pcsc_scan installed a new lib ? or updated the info files with the storage VID and PID ? Can you tell us , which version of libccid is now installed and working for you ?

Hi @jonf3n!
Sorry you had it the hard way.

Just for completeness, I have installed gpg with brew install gpg on macOS 10.12.5 and it worked out of the box with Nitrokey Storage v0.47. Pro 0.7/0.8 works too.
My version:

bash-3.2$ gpg --version
gpg (GnuPG) 2.1.23
libgcrypt 1.8.0

@Peacekeeper What about using brew instead of osx-ccid-installer? Are there really any advantages with the latter when using only gpg? I do not know macOS specifics, hence the question.

@nitroalex Maybe we could update manual with brew as an alternative?

@szszszsz to be honest: I am a bit sensitive with package installers: you never know, what they really do. So call me paranoid, but I don’t trust them. Regardless of home-brew, macports etc. I don’t use them. Now saying that , I am using GnuPG and GPGTools and their installer as I reviewed the code so far as possible.

As libccid was only one library, I did the installation by myself ( at that time) - but as said. need to check the new version… stay tuned :smiley:

[Update] Ok, I quickly tested it and have the following findings:
a) make of osx-ccid-installer will fail due to missing sw one a non-brew system
b) the newest osx-ccid-installer.dmg will install a new libccid.dylib after a reboot. The problem I guess is, that it will be installed in /usr/local/libexec/ … and so the system will still use /usr/libexec/ … /libccis.dylib

[Update] Ok, disabling SIP, mv ccidlib, ln - s from /usr/local/libexec/ … to /usr/libexec, enable SIP and gpg2 recognize the ccid reader ( see ~/.gnupg/reader_0_status )

1 Like

I see, fair enough. Thank you for checking!

@nitroalex @jan It might be good to report this issue (and the workaround) to osx-ccid-installer project.

Just to make sure: Did anybody tried to use GPG without osx-ccid-installer? Perhaps a dump question but I don’t understand it from this discussion and I want to ensure that osx-ccid-installer doesn’t prevent GnuPG from recognizing the Nitrokey.

I have used it without the mentioned with simple brew install gpg instruction (I had earlier installed homebrew though).
Just checked to be sure and by looking in osx-ccid-installer's uninstall script I can confirm that bundle’s directory is not existing on my macOS 10.12.5.

Sorry for late reply.
I am using the gpg version (/usr/local/MacGPG2/bin/gpg) that comes with the Mac GPG Suite (because of issues with the Apple Mail plugin). Nitrokey did not work without osx-ccid-installer in my case.

I see. If it is for Apple Mail then we might have to stick to osx-ccid-installer.

Glad you got the issue solved. I’m wondering what could be improved so that other users don’t run into the same issue. Or is this case too specific because it is caused by self-compiling the tools?

I just checked it on a VM with macOS 10.12.6 - there is no need for osx-ccid-installer from my point of view. NK Storage works well with gpgtools and macOS mail. Also the command line tool as “gpg --card-status” works fine.

[Update] I also installed GnuPG - worked also without osx-ccid-installer …

Although I can now use the Nitrokey Pro, it is not a great experience.
For example I get this error each time I insert:

Seems to start working eventually by itself, sometimes I run gpg --card-status in a loop to “wake it up”. The first few times it often fails, but comes alive after 10 seconds or so.

until gpg --card-status 2> /dev/null;do sleep 1;printf X;done
Reader ...........: Nitrokey Nitrokey Pro
Application ID ...: ....etc

Hi @jan, Would be good to know what the recommended setup is. The current documentation suggests that osx-ccid-installer is required.

It should work without additional steps. Do you use any other applications while Nitrokey App is opened? Please write any helpful details to replicate your setup, so this could be solved.

Hi @jan, Would be good to know what the recommended setup is. The current documentation suggests that osx-ccid-installer is required.

I will soon update the instructions. I just have to do some research. Sorry for the inconvenience!

Hi @jonf3n,

finally I got.

I changed the instructions now. As @Peacekeeper and @szszszsz said the ccid installer is not needed in the standard case. I read between the lines here, that the ccid driver is already installed on Mac OS X but sometimes it is broken. It would be misleading to recommend the custom installer for all.

I am not sure if this caused your problem in the first place, but cannot reproduce it either. So for now I can only apologize, that you had such difficulties and that I am happy, that it works for you now.

Kind regards

1 Like