In order to reproduce, you need a CryptoTokenKit smart card driver appex working under Big Sur or Monterey. Install the same appex on Ventura. You'll see that Safari does not see the certificates provided by the appex, and cannot perform SSL/TLS client authentications with them. Similar symptoms can be seen with other apps (Chrome, mail clients, or even custom apps that directly use the Keychain API: token instances cannot be obtained from the app).
We tested with both our own CryptoTokenKit driver (a TKSmartCard driver, which worked well with all previous macOS versions), and the CryptoTokenKit driver from another company (Yubico). Both work on older macOS, but not on Ventura.
Has something changed in the security framework between Monterey and Ventura? Do we need to change something in our CryptoTokenKit, or is it a bug in macOS? If it's a bug, is Apple aware of it, and will it be fixed? This is a functionality that is largely used in enterprise environments.
For information, the CryptoTokenKit is still called successfully when the card is inserted, and we can return some certificates when the smart card content is queried, but it is never called later when an application tries to make use of Keychain APIs. All the calls we see are successful, and seem to return the correct information, but it just goes blank at some point.
I am very much looking forward to updates on this topic. Several thousand of our users can't upgrade to Ventura due to inability to authenticate. In our case it's both web applications and Citrix Workspace that are subject to the issue.
No, we had no contact with this person. However, I have no doubt that, if he is using smart cards for his auth, and it used to work and is not working anymore with Ventura, it is the same problem: basically, CryptoTokenKit smart card drivers don't work at all anymore, so it is easy to diagnose. By the way, I had no response to the feedback I sent through the assistant. This is becoming critical now that Ventura is out. Is there any way to push this, either from my side or your side? Thank you.
I can confirm this as well. We use a custom CTK-plugin (CryptoTokenKit), which works in Monterey, but not in Ventura. The issue seems to be related to the fact that the plugin doesn't show up as a smartcard reader; why that doesn't happen I cannot answer. I can just point to the differences: works in Monterey but not in Ventura.
I experience the same issues... In Ventura (13.1) the security list-smartcard command returns "No smart card found." even though the smart card reader is listed under System Information > Hardware > USB.
I'm a CTK developer, and I've observed this on Ventura. We have coded a persistent token extension, which works very well on Monterey. On Ventura, the token will show up in System Information, but will not show any associated certificate or key. I enabled smart card logging, and I see this from ctkahp in the Console:
We have encountered a similar issue where the CTK extension was not working on Ventura, despite it functioning on older macOS versions. Upon investigation, we discovered that the problem was caused by the main application bundle CTKApp (.app) which included the CTK extension (.appex) having an incorrect bundle identifier.
However, it's worth noting that the correct bundle identifier to use should be based on your provisioning profile. For instance, if your profile is configured differently, you might need to use different identifiers instead. For example:
I have upgraded to macOS 14 and my smart card reader quit working. Works in safe mode and while booting up. Then stops functioning. Allow Accessories to Connect is not visible. However, I can search for the function but not select it. MacBook Air M1, Sonoma Beta.
Mine has stopped working also. I can view the USB Card readers in the System Report, but it appears the readers aren't reading my actual card. Likely a firmware issue. Tried on two different card readers. 2020 MBP M1, Sonoma Developer Beta 2.
The latest update push did not solve our issue. I really relied on my MacBook Air M1 for telework. Now, I have to use a Microsoft device. Not good at the moment. I might need to roll back off the beta program until this issue with trusted USB devices is solved.
The smart card and reader works perfectly in Ventura and worked perfectly in the first developer beta of macOS Sonoma, but somewhere either beta 2 or beta 3 of the developer previews it stopped working.
I have replicated this with a clean install on different Mac hardware and hit the same issue. This is a Sonoma issue and not a reader or Mac hardware issue, as the same reader and smart card continue to work well if I plug them into a Ventura machine.
Just to confirm, a clean install of the released public version on 27th September - and still smart cards are NOT working, whereas they work perfectly on Ventura (and did on initial developer builds of Sonoma)
Yeah, it's not completely fixed for me, either. I'm on the RC, or Gold Master, or wherever we are at now. I can use the card reader to open sites in Safari, and to log into our virtual desktop, but once I do that, I can't use it for anything inside the virtual desktop. It can see the card reader but can't read the tokens off it. This same computer (2022 M1 MBP) worked fine the day prior to updating to the RC. No changes to hardware or software apart from the OS itself, and it stopped passing card reader credentials through to the virtual machine.
I GOT IT WORKING in macOS 14.1 Beta (23B5046f) by INSTEAD of connecting by USB, I connected with BlueTooth using the GBDM App (Gemalto Card Reader for Barclays iPortal login) and connecting the card reader by BLUETOOTH (which has NEVER been possible in Ventura, it always failed to connect)
I had been using a Saicoo card reader (FBA_S0201B-SSM) which was working fine on macOS 13 (Ventura). Upon upgrading to Sonoma 14.0, the reader stopped functioning. I then purchased the Belkin F1DN008U card reader and it works out of the box with no additional drivers. I also have heard of success with the Identiv SCR3310v2.0 card reader on macOS 14.0. Hope this helps if someone is encountering the same issue. It appears that there may be some card readers that stop functioning on macOS 14.0 due to the built-in driver not being compatible.
My system correctly recognizes the smart card reader when I unplug and plug in my cards; unfortunately, if I try to log into websites using the certificate stored in my card, it simply doesn't find any certificate nor smart card.
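A triage script, added here and not from any poster, that separates the states the reports above mix together: no reader seen by the OS, reader seen but CryptoTokenKit exposes no token (the symptom in this thread), or a token visible. It assumes the real macOS tools security, system_profiler and log; the reader-matching patterns are a heuristic, and the sample outputs used to test it are constructed.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Tool names are real macOS
# commands; matching patterns are heuristics; test inputs are constructed.

# classify_ctk_state READER_PRESENT(0|1) OUTPUT_OF_security_list-smartcards
# Prints: no-reader | reader-no-token | token-visible
classify_ctk_state() {
    reader_present="$1"
    list_output="$2"
    if [ "$reader_present" != "1" ]; then
        echo "no-reader"
    elif printf '%s\n' "$list_output" | grep -qiE 'no smart ?cards? found'; then
        # Matches the "No smart card found." message quoted in the thread
        echo "reader-no-token"
    elif [ -z "$(printf '%s' "$list_output" | tr -d '[:space:]')" ]; then
        # Empty listing: reader present, but no token instance registered
        echo "reader-no-token"
    else
        echo "token-visible"
    fi
}

# Live collection; skipped on non-macOS systems so the script stays harmless.
ctk_triage() {
    if ! command -v security >/dev/null 2>&1 || ! command -v system_profiler >/dev/null 2>&1; then
        echo "not macOS: skipping live checks"
        return 0
    fi
    reader=0
    # Heuristic: look for a reader in the USB tree (System Information > USB)
    system_profiler SPUSBDataType 2>/dev/null | grep -qiE 'smart ?card|ccid|scr3310|gemalto' && reader=1
    listing="$(security list-smartcards 2>&1)"
    state="$(classify_ctk_state "$reader" "$listing")"
    echo "reader_present=$reader state=$state"
    if [ "$state" = "reader-no-token" ]; then
        # ctkahp is the CryptoTokenKit host process named in the thread; its
        # recent log lines show whether the token driver was loaded at all
        log show --last 5m --predicate 'process == "ctkahp"' 2>/dev/null | tail -n 20
    fi
}

# Run the live checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    ctk_triage
fi
```

A result of reader-no-token together with the ctkahp log lines is the evidence worth attaching to a bug report, since it shows the OS sees the hardware while the token layer does not.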
If you go to about:preferences#advanced > Your Certificates > select smart card certificate & view. If you see that the certificate is not trusted then you need to import the CA that signed it. Very important: check "Trust this CA to Identify Email Users.".
If you did not check this then you need to remove the CA and add it again.
The link probably refers to an old version of Firefox, since there's no longer an about:preferences#advanced page.
If I go to the Certificates page, I can't see a section named "Your Certificates" nor a "Smart Card" entry. Maybe this is the issue.
I configured an OpenPGP smart card successfully; it can be verified by Kleopatra and by gpg --card-status via PowerShell. My aim is to keep the private key only on the smart card and keep it away from the computer. Therefore, all keyrings with private keys were deleted in Kleopatra. Only public keys are now stored there. If the smart card is inserted, Kleopatra recognizes the card and all parameters, including keys, can be seen. Screenshots can of course be submitted.
Then I wrote a text in the Kleopatra notepad and tried to encrypt it. No keyring was found in Kleopatra, but my public key could be selected for encryption for someone else. I selected that and encryption happened.
However, as I tried to decrypt the file for test purposes, again no private key was found, although the card is recognized. gpg --card-status shows: "General key info..: pub rsa4096/B5ACA4148AFF0103 2019-03-14". Therefore, I believe the private key is on the card. A set of 7 screenshots can be provided by e-mail.
Well, I can narrow the root cause. A Yubikey 5 was successfully installed and can be used. Then I started to test the OpenPGP card. I recognized that by pressing F5 in Kleopatra a change between YubiKey and smart card happens. However, if I test it via the command line, the Yubikey does not change, although it is dismounted and the smart card is inserted. Probably therefore, the private key cannot be found. It should be mentioned that I have a computer with an integrated smart card reader. First I configured the card, then the Yubikey. I started to test the Yubikey first. Therefore, I believe it is a mess in the detection of smart card / Yubikey if used in parallel.
If you can't select your key for "encrypt to myself" in Kleopatra though that means that Kleopatra does not think that the secret key is available. In the Keylist of Kleopatra do the Keys show up under "My Certificates" and are bold?
Kleopatra recognizes the smart card, shows the correct version number and keys in the "smart card - management" window. In the Keylist I can't find the key. Currently GnuPG 2.2.15 is installed. Do you know when version 2.3 will be released?
After restart, the smart card is recognized in the proper way and it works. I assume it has something to do with using Yubikey and smart cards with different keys alternately. The Yubikey was not found originally, so I modified the following:
and the Yubikey was detected. I assume if a smart card is used after a Yubikey, the procedure has to be done manually again or the computer has to be restarted. As a workaround it's OK, but in future the program should recognize changes between Yubikey and smart card automatically.
During installation of version 2.3 an error occurred; I'll send you a screenshot by e-mail. However, I have some comments on the current version which may also help: I have three keys, two on smart cards and one on a Yubikey. So long as only smart cards are used, it is no problem to change between the cards and they work fine. Problems occur if a Yubikey comes in. (i) Not always is a Yubikey recognized by pressing F5. (ii) If the Yubikey is recognized and next a key from a smart card is needed, a computer restart is required.
I tried also command: gpgconf --kill gpg-agent
It was possible to change from smart card to Yubikey with the command. However, if the Yubikey 5 NFC was recognized, the only way to change back to the smart card was a restart of the computer.