When connecting the Nitrokey Pro to MacOSX 10.11 the dmesg shows the following messages:
[code]001834.191521 IOUSBHostHIDDevice@fa130000,0: IOUSBHostHIDDevice::start: unable to set device idle milliseconds
001834.191528 IOUSBHostHIDDevice@fa130000,0: IOUSBHostHIDDevice::start: start has failed
IOHIDDevice::newUserClient failed to get a workloop
IOHIDDevice::newUserClient failed to get a workloop
001834.193279 IOUSBHostHIDDevice@fa130000,0: IOUSBHostHIDDevice::start: unable to set device idle milliseconds
001834.193284 IOUSBHostHIDDevice@fa130000,0: IOUSBHostHIDDevice::start: start has failed
IOHIDDevice::newUserClient failed to get a workloop
IOHIDDevice::newUserClient failed to get a workloop
[/code]
gpg2 commands are still working as expected, e.g. gpg --card-status.
However PKCS#11 functions via OpenSC (version 0.15.0) fail to recognise the reader, e.g. opensc-tool -l. Also USB bridging with a VMWare guest does not even list the Nitrokey for sharing.
This behaviour was tested with several Nitrokeys on OSX. The same keys seem to work on Linux just fine.
tl;dr It works now, but the simple fix is unnecessarily complicated on OSX.
As it turns out, the error message is not related to the key not working with OpenSC/PCSCD/…
Apple’s somewhat outdated PCSCD does not know about the Nitrokey Pro vendor/product USB ID: 0x20a0/0x4108
[code]Product ID: 0x4108
Vendor ID: 0x20a0
Version: 1.00
Serial Number: 0000XXXX0000000000000000
Speed: Up to 12 Mb/sec
Manufacturer: Nitrokey
Location ID: 0xfd120000 / 2
Current Available (mA): 1000
Current Required (mA): 100
Extra Operating Current (mA): 0
[/code]
A current CCID driver would know about 4108. So, recompiling the driver does the trick: github.com/martinpaljak/osx-ccid-installer
The build script does not quite work on 10.11, but it’s not too hard to get it all compiled without errors. Build target is a .bundle which is to replace the system’s own bundle in /usr/libexec/SmartCardServices/drivers.
The man page ‘man SmartCardServices’ suggests that an installation in /usr/local/libexec/SmartCardServices/drivers should be possible, but it appeared to be ignored on my system. So, back to /usr/libexec.
Due to the new SIP (System Integration Protection) / rootless, the installation can only be done while temporarily deactivating SIP in recovery mode (boot with CMD+R, then use ‘csrutil disable’ in Terminal, reboot again. Don’t forget to reverse the process afterwards: ‘csrutil enable’).
Anyway. Here we are:
[code]$ /Library/OpenSC/bin/opensc-tool -l
Detected readers (pcsc)
Nr. Card Features Name
0 Yes Crypto Stick Crypto Stick v1.4
[/code]
In the end I hope that 10.11.1 gets an update to PCSCD’s driver bundle to support the Nitrokey out of the box. I may not be able to convince my customers to perform such a complicated installation procedure on all OSX systems.
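To check whether a given CCID driver bundle already lists the Nitrokey Pro's 0x20a0/0x4108 before or after replacing it, the bundle's Info.plist can be inspected. The following is an added example, not part of the original posts or of the CCID project; it assumes the upstream CCID driver's Info.plist layout (parallel ifdVendorID / ifdProductID / ifdFriendlyName arrays), and both embedded plists are constructed samples.

```python
import plistlib
import sys

NITROKEY_PRO = (0x20A0, 0x4108)  # vendor/product ID quoted in the post above

def supported_readers(plist_bytes):
    """Map (vendor_id, product_id) -> friendly name from a CCID Info.plist.

    Assumed layout (upstream CCID driver): three parallel string arrays,
    ifdVendorID / ifdProductID / ifdFriendlyName, with hex IDs like "0x20A0".
    """
    info = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    cols = [info.get(k, []) for k in ("ifdVendorID", "ifdProductID", "ifdFriendlyName")]
    if len({len(c) for c in cols}) != 1:
        raise ValueError("reader arrays differ in length; Info.plist is damaged")
    return {(int(v, 16), int(p, 16)): name for v, p, name in zip(*cols)}

def find_reader(plist_bytes, ids=NITROKEY_PRO):
    """Return the friendly name the driver uses for `ids`, or None if unknown."""
    return supported_readers(plist_bytes).get(ids)

def _sample(readers):
    # Build a constructed Info.plist from (vendor, product, name) tuples.
    vids, pids, names = zip(*readers)
    return plistlib.dumps({"ifdVendorID": list(vids), "ifdProductID": list(pids),
                           "ifdFriendlyName": list(names)})

# Constructed samples, not taken from a real system: a bundle without the
# Nitrokey Pro entry, and one that lists it under the reader name that
# appears in the opensc-tool output above.
SAMPLE_OLD = _sample([("0x1234", "0x0001", "Constructed Reader")])
SAMPLE_NEW = _sample([("0x1234", "0x0001", "Constructed Reader"),
                      ("0x20a0", "0x4108", "Crypto Stick Crypto Stick v1.4")])

if __name__ == "__main__":
    # Usage: python3 check_ccid.py <bundle>/Contents/Info.plist
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_NEW
    name = find_reader(data)
    print(name if name else "0x20a0/0x4108 not listed in this driver bundle")
```

Run it against the Info.plist inside the bundle in /usr/libexec/SmartCardServices/drivers, and again against the freshly built bundle, to confirm the rebuild actually added the ID before touching SIP.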
Used the above steps but it seems that I am still missing libpcsclite, can’t find a convenient way to install it on OSX. MacPorts doesn’t seem to list it either.
Anyone have any suggestions?
[code]*************************
No Universal Binary build
./configure 'CFLAGS= -DRESPONSECODE_DEFINED_IN_WINTYPES_H' PCSC_CFLAGS=-I/Users/****/documents/workspace/CCID/CCID/MacOSX 'PCSC_LIBS=-framework PCSC' 'LIBUSB_CFLAGS=-I/opt/local/include/libusb-1.0 ' 'LIBUSB_LIBS=-L/opt/local/lib -lusb-1.0 -lobjc -Wl,-framework,IOKit -Wl,-framework,CoreFoundation ' LDFLAGS= --enable-usbdropdir=/usr/local/libexec/SmartCardServices/drivers --disable-dependency-tracking --enable-syslog --disable-static --disable-pcsclite --enable-composite-as-multislot --enable-bundle=ifd-ccid-foo.bundle
checking for a BSD-compatible install… /usr/bin/install -c
checking whether build environment is sane… yes
checking for a thread-safe mkdir -p… ./install-sh -c -d
checking for gawk… no
checking for mawk… no
checking for nawk… no
checking for awk… awk
checking whether make sets $(MAKE)… yes
checking whether make supports nested variables… yes
checking whether make supports nested variables… (cached) yes
checking build system type… x86_64-apple-darwin15.0.0
checking host system type… x86_64-apple-darwin15.0.0
checking whether to enable maintainer-specific portions of Makefiles… no
checking for gcc… gcc
checking whether the C compiler works… yes
checking for C compiler default output file name… a.out
checking for suffix of executables…
checking whether we are cross compiling… no
checking for suffix of object files… o
checking whether we are using the GNU C compiler… yes
checking whether gcc accepts -g… yes
checking for gcc option to accept ISO C89… none needed
checking whether gcc understands -c and -o together… yes
checking for style of include used by make… GNU
checking dependency style of gcc… none
checking how to run the C preprocessor… gcc -E
checking whether make sets $(MAKE)… (cached) yes
checking whether ln -s works… yes
checking for flex… flex
checking lex output file root… lex.yy
checking lex library… -ll
checking whether yytext is a pointer… yes
checking for ar… ar
checking the archiver (ar) interface… ar
checking for pkg-config… /opt/local/bin/pkg-config
checking pkg-config is at least version 0.9.0… yes
configure: WARNING: libpcsclite not found by pkg-config
checking for grep that handles long lines and -e… /usr/bin/grep
checking for egrep… /usr/bin/grep -E
checking for ANSI C header files… yes
checking for sys/types.h… yes
checking for sys/stat.h… yes
checking for stdlib.h… yes
checking for string.h… yes
checking for memory.h… yes
checking for strings.h… yes
checking for inttypes.h… yes
checking for stdint.h… yes
checking for unistd.h… yes
checking ifdhandler.h usability… yes
checking ifdhandler.h presence… yes
checking for ifdhandler.h… yes
checking reader.h usability… yes
checking reader.h presence… yes
checking for reader.h… yes
checking how to print strings… printf
checking for a sed that does not truncate output… /usr/bin/sed
checking for fgrep… /usr/bin/grep -F
checking for ld used by gcc… /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld
checking if the linker (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld) is GNU ld… no
checking for BSD- or MS-compatible name lister (nm)… /usr/bin/nm
checking the name lister (/usr/bin/nm) interface… BSD nm
checking the maximum length of command line arguments… 196608
checking how to convert x86_64-apple-darwin15.0.0 file names to x86_64-apple-darwin15.0.0 format… func_convert_file_noop
checking how to convert x86_64-apple-darwin15.0.0 file names to toolchain format… func_convert_file_noop
checking for /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld option to reload object files… -r
checking for objdump… no
checking how to recognize dependent libraries… pass_all
checking for dlltool… no
checking how to associate runtime and link libraries… printf %s\n
checking for archiver @FILE support… no
checking for strip… strip
checking for ranlib… ranlib
checking command to parse /usr/bin/nm output from gcc object… ok
checking for sysroot… no
checking for a working dd… /bin/dd
checking how to truncate binary pipes… /bin/dd bs=4096 count=1
checking for mt… no
checking if : is a manifest tool… no
checking for dsymutil… dsymutil
checking for nmedit… nmedit
checking for lipo… lipo
checking for otool… otool
checking for otool64… no
checking for -single_module linker flag… yes
checking for -exported_symbols_list linker flag… yes
checking for -force_load linker flag… yes
checking for dlfcn.h… yes
checking for objdir… .libs
checking if gcc supports -fno-rtti -fno-exceptions… yes
checking for gcc option to produce PIC… -fno-common -DPIC
checking if gcc PIC flag -fno-common -DPIC works… yes
checking if gcc static flag -static works… no
checking if gcc supports -c -o file.o… yes
checking if gcc supports -c -o file.o… (cached) yes
checking whether the gcc linker (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld) supports shared libraries… yes
checking dynamic linker characteristics… darwin15.0.0 dyld
checking how to hardcode library paths into programs… immediate
checking whether stripping libraries is possible… yes
checking if libtool supports shared libraries… yes
checking whether to build shared libraries… yes
checking whether to build static libraries… no
checking for ANSI C header files… (cached) yes
checking errno.h usability… yes
checking errno.h presence… yes
checking for errno.h… yes
checking fcntl.h usability… yes
checking fcntl.h presence… yes
checking for fcntl.h… yes
checking for stdlib.h… (cached) yes
checking for unistd.h… (cached) yes
checking termios.h usability… yes
checking termios.h presence… yes
checking for termios.h… yes
checking for string.h… (cached) yes
checking sys/time.h usability… yes
checking sys/time.h presence… yes
checking for sys/time.h… yes
checking for sys/types.h… (cached) yes
checking stdarg.h usability… yes
checking stdarg.h presence… yes
checking for stdarg.h… yes
checking arpa/inet.h usability… yes
checking arpa/inet.h presence… yes
checking for arpa/inet.h… yes
checking stdio.h usability… yes
checking stdio.h presence… yes
checking for stdio.h… yes
checking for an ANSI C-conforming const… yes
checking for size_t… yes
checking whether time.h and sys/time.h may both be included… yes
checking for select… yes
checking for strerror… yes
checking for strncpy… yes
checking for memcpy… yes
checking for strlcpy… yes
checking for strlcat… yes
checking for LIBUSB… yes
checking libusb.h usability… yes
checking libusb.h presence… yes
checking for libusb.h… yes
checking for libusb_init… yes
checking for -fvisibility=hidden… yes
checking whether pthreads work with -pthread… yes
checking for joinable pthread attribute… PTHREAD_CREATE_JOINABLE
checking if more special flags are required for pthreads… -D_THREAD_SAFE
checking for PTHREAD_PRIO_INHERIT… yes
Package libpcsclite was not found in the pkg-config search path.
Perhaps you should add the directory containing `libpcsclite.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libpcsclite' found
libccid has been configured with following options:
Version: 1.4.21
User binaries: /usr/local/bin
Configuration files: /usr/local/etc
libusb support: yes
composite as multislot: yes
multi threading: yes
bundle directory name: ifd-ccid-foo.bundle
USB drop directory: /usr/local/libexec/SmartCardServices/drivers
serial Twin support: no
serial twin install dir: /usr/local/libexec/SmartCardServices/drivers/serial
serial config directory:
compiled for pcsc-lite: no
syslog debug: yes
class driver: yes
[/code]
CCID is used in the osx-ccid-installer, too. But the whole osx-ccid-installer package has not been updated in months and does not compile out of the box on the current OSX 10.11.
However, compiling CCID as described above works perfectly fine on 10.11. If libpcsc is not found, please do this first, as described:
[code]git submodule init
git submodule update
[/code]
If you are planning to only use the Nitrokey on OSX after initialization, which can be done on a different machine, have a look at github.com/sektioneins/scd-pkcs11. This PKCS#11 provider works with GnuPG’s scdaemon instead of PCSC/CCID.