I have been using the Nitrokey 3A NFC for several things, FIDO2 as well as smart card for GPG and SSH. While FIDO2 still works, the smart card device has not been recognized since the beginning of this week. It could be related to my trials to get firmware updates for Nitrokey HSM although those are still recognized by SmartCardShell. NitrokeyApp 2 still recognizes Nitrokey 3A NFC, but updating the firmware fails with the following error:
If I unplug it and reconnect it, FIDO2 still works and I can repeat the process with the same result. Any suggestions on what I could do?
I think this might actually be related to using the Nitrokey HSM, because SCSH also shows
GPError: Card (CARD_CONNECT_FAILED/0) - “No card in reader or mute card.” in /home/…/CardContact/scsh/scsh-3.18.60/keymanager/keymanager.js#3346
at /home/…/CardContact/scsh/scsh-3.18.60/keymanager/keymanager.js#3346
when Nitrokey 3 is working but SCSH doesn’t have a problem connecting Nitrokey HSM, when I can’t access the Nitrokey 3 smart card.
the issue is likely using gnupg (note: the standard is called pgp - pretty good privacy - the commonly used implementation is called gpg - gnupg - gnu/privacyguard)
unfortunately gnupg has a very bad habit of lazily grabbing a lock onto a smartcard (no matter if via built-in scdaemon or when using disable-ccid in scdaemon.conf via pcscd) and holds onto it until either
the token is replugged
gpgconf --kill all is called
systemctl stop pcscd is called
using gpg-card and issue the command reset followed by immediate quit
I analyzed this digging through the gnupg code while having a similar issue with my yubikey trying to use it with all its features (pgp, piv, fido) and learned that gnupg doesn’t properly release the lock.
I reported this to gnupg - but its maintainers have the rather strange attitude of “we became the de facto standard of pgp - if you want to use pgp - use gnupg - and gnupg only! we refuse to change our code - and also refuse to accept this report as a bug of our code as it works fine as long as you stay within gnupg” - sorry to call them out but they’re quite some ignorant assholes
this can be repeated very easily: use a fido+pgp capable token - register it in your browser with any fido website - use some gpg command accessing the token - switch back to your browser and see how the token is no longer available until replug
tl;dr: just stay away from GnuPG - if you want to use PGP on your token: use other implementations that handle token locking and lock release properly
as for firmware update: I noticed it seems to work best when doing it right after replugging the nitrokey before using it for anything else
also: make sure you have the udev rules installed or execute firmware update as root
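An added example, not code from the thread or from the Nitrokey or GnuPG projects, that scripts the release step listed in the reply above (stopping scdaemon, narrower than "gpgconf --kill all") and then checks from a plain PC/SC client whether a card is reachable again. It assumes gpgconf and opensc-tool are installed and that scdaemon.conf lives at ~/.gnupg/scdaemon.conf; the tool names are variables so they can be swapped or stubbed.

```shell
#!/bin/sh
# Added example (not from the thread): release a smart card that a lingering
# scdaemon still holds and check that a plain PC/SC client can see it again.
# Assumes GnuPG (gpgconf) and OpenSC (opensc-tool) are installed; the
# variables below exist so the tools can be swapped out or stubbed.
GPGCONF="${GPGCONF:-gpgconf}"
OPENSC_TOOL="${OPENSC_TOOL:-opensc-tool}"
RELEASE_WAIT="${RELEASE_WAIT:-1}"   # seconds to give the OS to release the reader

# Report which path scdaemon uses to reach the card: "pcscd" when
# disable-ccid is set in scdaemon.conf, otherwise gnupg's built-in CCID driver.
# Either way it is scdaemon that holds the card, so the release step is the same.
scdaemon_backend() {
    conf="${1:-$HOME/.gnupg/scdaemon.conf}"
    if [ -f "$conf" ] && grep -Eq '^[[:space:]]*disable-ccid([[:space:]]|$)' "$conf"; then
        echo pcscd
    else
        echo ccid
    fi
}

# Count readers that report a card as present, using opensc-tool, which
# releases the reader when it exits. Its listing looks like:
#   Nr.  Card  Features  Name
#   0    Yes             Nitrokey Nitrokey 3 ... 00 00
card_present_count() {
    "$OPENSC_TOOL" --list-readers 2>/dev/null |
        awk '$1 ~ /^[0-9]+$/ && $2 == "Yes" { n++ } END { print n + 0 }'
}

# Stop scdaemon only (narrower than "gpgconf --kill all" from the thread, which
# also restarts gpg-agent), then check whether a card became visible.
# Returns 0 when at least one card is present afterwards.
release_card_lock() {
    before=$(card_present_count)
    "$GPGCONF" --kill scdaemon || return 2
    sleep "$RELEASE_WAIT"
    after=$(card_present_count)
    echo "cards present before: $before, after: $after" >&2
    [ "$after" -gt 0 ]
}

# Run with "run" as the first argument; without it only the functions are defined.
case "${1:-}" in
    run) echo "scdaemon backend: $(scdaemon_backend)" >&2; release_card_lock ;;
esac
```

Invoke it as `sh release_card.sh run`; a count of 0 afterwards can also mean pcscd has not re-enumerated the reader yet, in which case replugging the token, as the reply notes, is the reliable fallback.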