Florian Boor

Making tiny things useful...


Cardman 4000 with GnuPG

When I received my FSFE Fellowship Smartcard it took me a while to find out how GnuPG and the Omnikey Cardman 4000 PCMCIA smartcard reader can play together. It looks like there quite some of these cheap devices around... I wrote down some lines about how to make it work. The procedure was tested on Ubunty Gutsy but should work on any more or less up to date Debian based system.

You need an up to date kernel 2.6 with the cardman4000_cs driver. Make sure not to have the reader in the PCMCIA slot during boot or suspend - this caused some oopses here.

PC/SC-Lite used by GnuPG does not know how handle the CM4000 directly, but you can use OpenCT as a driver for PC/SC-Lite. So first get root and install the necessary software packges:

apt-get install pcscd pcsc-tools openct
In /etc/openct.conf you need to activate the cm4000 driver: Comment in the cm4000 lines to read:
reader cm4000 {
driver = cm4000;
device = pcmcia:/dev/cmm0;

After this edit the PC/SC-Lite configuration file /etc/reader.conf.d/openct and activate the OpenCT driver:

DEVICENAME       /dev/cmm0
LIBPATH          /usr/lib/openct-ifd.so
CHANNELID        0

Start both services:

/etc/init.d/openct start
/etc/init.d/pcscd start

If you insert the reader and a Smartcard pcsc_scan should list a reader and card like this:

fuchs@gibson:~$ pcsc_scan
PC/SC device scanner
V 1.4.9 (c) 2001-2006, Ludovic Rousseau
Compiled with PC/SC lite version: 1.4.2
Scanning present readers
0: OpenCT 00 00
Tue Oct 23 16:35:02 2007
Reader 0: OpenCT 00 00
Card state: Card inserted,
ATR: 3B FA 13 00 FF 81 31 80 45...

Now make it usable as user:

We create a group scard and add the users that should be able to use the card to it.

# addgroup scard
# addgroup <username> scard

Now create a set of udev rules to create the device node with the correct owner and permission settings:

Edit /etc/udev/rules.d/99-gnupg.rules to read:

SUBSYSTEM=="cardman_4000", ACTION=="add", GROUP="scard", MODE="0660"
ACTION=="add", SUBSYSTEM=="usb_device", SYSFS{idVendor}=="04e6", 
SYSFS{idProduct}=="e003", GROUP="scard", MODE="0660"
ACTION=="add", SUBSYSTEM=="usb_device", SYSFS{idVendor}=="04e6", 
SYSFS{idProduct}=="5115", GROUP="scard", MODE="0660"

This should cover the permissions for USB CCID readers as well. If you insert the reader again you should get a device like this:

crw-rw---- 1 root scard 252, 0 2007-10-23 15:43 /dev/cmm0

Finally log out your user, log in again to make the group changes become active and check if it works. gpg should print out some lcard inflormation like this:

fuchs@gibson:~$ gpg --card-status
gpg: detected reader `OpenCT 00 00'
Application ID ...: D276000124010101000100000D0E0000
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 00000D0E
Name of cardholder: Florian Boor

If this doesn't work confgure gpg not to use gpg-agent, I have read some reports that this might cause trouble in combination with Smartcards. This whole text was written from memory, I might have missed some important step - bug reports and additions are very welcome.


[1] FSFE Cardreader Howto: http://www.fsfe.org/en/card/howto/card_reader_howto_udev
[2] OpenCT Wiki: http://www.opensc-project.org/openct/wiki/cardman

Contact | Sitemap | Last change: About me (2013-03-06, 19:25:15)