r3dlight/keysas

Impossible to sign a USB key

Closed this issue · 26 comments

Hello,

I installed KeySAS admin on Debian 12 in a VM. While trying to sign a USB key, I got an error. In the logs I obtain the following information:

sept. 19 11:27:09 KeySAS keysas-admin.desktop[2126]: 2023-09-19T09:27:09.614Z DEBUG [keysas_admin::usb_sign] Found new USB device : Device: /dev/sdb, Vendor: ***, Model: ***, Revision: ***, Serial: ***
sept. 19 11:27:09 KeySAS keysas-admin.desktop[2126]: 2023-09-19T09:27:09.617Z DEBUG [keysas_admin::usb_sign] Resetting the MBR for /dev/sdb.
sept. 19 11:27:09 KeySAS keysas-admin.desktop[2126]: 2023-09-19T09:27:09.637Z ERROR [keysas_admin] Error while looking for new USB device: Cannot open device for signing.
sept. 19 11:27:11 KeySAS keysas-admin.desktop[2126]: 2023-09-19T09:27:11.111Z WARN  [keysas_admin]  is_alive: Name must not be empty

Do you know where it might have come from?

Yes, this point is actually missing in the current online documentation (this will be fixed in the next version). You must give your current user the rights to write raw USB devices by adding it to the plugdev group and adding a udev rule like:
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", MODE="0660", GROUP="plugdev"

I tried to add the rule and it doesn't work.
I also tried to add the rule that is in the KeySAS admin panel, without success.

Is your current user a member of the plugdev group?
usermod -aG plugdev $LOGNAME
Did you try to log out and log in again?

Yes, the current user is a member of plugdev and I tried to log out and also to reboot the PC.

Strange. In fact, I'm not sure that being a member of plugdev is useful. Adding a rule like explained in the keysas-admin panel:
SUBSYSTEMS=="usb", MODE="0660", TAG+="uaccess"
Then:
udevadm trigger && udevadm control --reload

...should be enough.
As you mentioned running on a virtual machine, is the USB controller correctly mapped?

It looks like the USB controller is correctly mapped, I can edit files on the USB stick in the VM.

Can you check that your Desktop or windows manager isn't auto-mounting new USB devices ?
If so, depending on your desktop, can you disable it ?

I checked that my desktop wasn't auto-mounting USB devices by disabling udisks2, it didn't change anything.
I also tried to change the VM to an Ubuntu one, I got the same error (the VM (VirtualBox) is probably the problem).

Does the USB stick need to follow some rules? Be free? Have no partition?

No, signing a key is actually flashing the MBR + rewriting a new one + adding the hybrid signature. Once it is signed, you basically just need to mkfs.vfat your newly signed device and it's ready to go.
When looking at your debug log posted previously, it seems that the device is recognized. I guess you have intentionally masked the Vendor, Model, Revision and Serial?
It just feels like your udev rules do not work as expected.
Give me some time to check this out.

Yes, the details are hidden, but they are correctly identified.
Thank you

Hi,
Can you check that your udev rule is located at /etc/udev/rules.d/71-keysas.conf
(I have noticed that I forgot the ".conf" in keysas-admin's help) and that this file contains:
SUBSYSTEMS=="usb", MODE="0660", TAG+="uaccess"

No need to use the plugdev group btw.

Fix for v2.2: 69c8430

Hello, adding the .conf didn't change anything, even when rebooting after doing the changes.

Thank you for your help

After trying to run keysas-admin as root, I obtained another error, don't know if it can help you:

2023-09-20T07:54:24.151Z DEBUG [keysas_admin::usb_sign] Found new USB device : Device: ***, Vendor: ***, Model: ***, Revision: ***, Serial: ***
2023-09-20T07:54:24.151Z DEBUG [keysas_admin::usb_sign] Resetting the MBR for /dev/sdb.
2023-09-20T07:54:24.164Z DEBUG [keysas_admin::store] Found: ""
2023-09-20T07:54:24.190Z ERROR [keysas_admin] Error while looking for new USB device: Aucun fichier ou dossier de ce type (os error 2)

Have you created a PKI?

Okay, when I changed the user the PKI wasn't saved. It works, but I needed to launch keysas with this command:
pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY keysas-admin to launch it as root. I will try to find out why keysas didn't have the right to change the MBR.

Hi,
Try to rename /etc/udev/rules.d/71-keysas.conf into /etc/udev/rules.d/71-keysas.rules

I tried to rename it and to reboot the VM, it didn't change anything.

To run the admin panel, I just need to use the .deb file, no dependencies to add?

No, you don't need to add any dependencies.
This is a bit strange here, I started a fresh install of keysas-admin on Debian (and even Ubuntu) and once /etc/udev/rules.d/71-keysas.rules is added, it works perfectly.

I tried to check a few things, when I run ls -l /dev/usb/*BUS*/*device*
the USB stick is in the right group (I even tried to set the owner of the device to the user).
The permissions are crw-rw----+ which looks good.

When I do ps -a -l
the user is the right one (same as the owner of the USB stick, and is in the plugdev group).

I have just one other udev rule (number 60):

KERNEL=="vboxguest", NAME="vboxguest", OWNER="vboxadd", MODE="0660"
KERNEL=="vboxuser", NAME="vboxguest", OWNER="vboxadd", MODE="0660"

Which should be fine.

I run it in VirtualBox, don't know if it can be a problem.

Here is all the information that journalctl gives when I plug in the USB stick to sign:

sept. 22 11:11:27 KeySAS keysas-admin.desktop[2788]: 2023-09-22T09:11:27.690Z DEBUG [keysas_admin::usb_sign] Watching... you can plug your device in !
sept. 22 11:11:37 KeySAS kernel: usb 2-1: new SuperSpeed USB device number 6 using xhci_hcd
sept. 22 11:11:37 KeySAS kernel: usb 2-1: New USB device found, idVendor=1f75, idProduct=0917, bcdDevice= 0.01
sept. 22 11:11:37 KeySAS kernel: usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
sept. 22 11:11:37 KeySAS kernel: usb 2-1: Product: PenDrive
sept. 22 11:11:37 KeySAS kernel: usb 2-1: Manufacturer: Innostor
sept. 22 11:11:37 KeySAS kernel: usb 2-1: SerialNumber: 3850101334
sept. 22 11:11:37 KeySAS kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
sept. 22 11:11:37 KeySAS mtp-probe[2896]: checking bus 2, device 6: "/sys/devices/pci0000:00/0000:00:0c.0/usb2/2-1"
sept. 22 11:11:37 KeySAS mtp-probe[2896]: bus: 2, device: 6 was not an MTP device
sept. 22 11:11:37 KeySAS mtp-probe[2898]: checking bus 2, device 6: "/sys/devices/pci0000:00/0000:00:0c.0/usb2/2-1"
sept. 22 11:11:37 KeySAS mtp-probe[2898]: bus: 2, device: 6 was not an MTP device
sept. 22 11:11:37 KeySAS kernel: scsi host4: usb-storage 2-1:1.0
sept. 22 11:11:38 KeySAS kernel: scsi 4:0:0:0: Direct-Access     Innostor Innostor         1.00 PQ: 0 ANSI: 6
sept. 22 11:11:38 KeySAS kernel: sd 4:0:0:0: Attached scsi generic sg3 type 0
sept. 22 11:11:38 KeySAS kernel: sd 4:0:0:0: [sdc] 15728640 512-byte logical blocks: (8.05 GB/7.50 GiB)
sept. 22 11:11:38 KeySAS kernel: sd 4:0:0:0: [sdc] Write Protect is off
sept. 22 11:11:38 KeySAS kernel: sd 4:0:0:0: [sdc] Mode Sense: 23 00 00 00
sept. 22 11:11:38 KeySAS kernel: sd 4:0:0:0: [sdc] Write cache: disabled, read cache: disabled, doesn't support DPO or FUA
sept. 22 11:11:38 KeySAS kernel:  sdc: sdc1
sept. 22 11:11:38 KeySAS kernel: sdc: p1 size 15726592 extends beyond EOD, enabling native capacity
sept. 22 11:11:38 KeySAS kernel:  sdc: sdc1
sept. 22 11:11:38 KeySAS kernel: sdc: p1 size 15726592 extends beyond EOD, truncated
sept. 22 11:11:38 KeySAS kernel: sd 4:0:0:0: [sdc] Attached SCSI removable disk
sept. 22 11:11:39 KeySAS keysas-admin.desktop[2788]: 2023-09-22T09:11:39.069Z DEBUG [keysas_admin::usb_sign] Found new USB device : Device: /dev/sdc, Vendor: 1f75, Model: 0917, Revision: 1.00, Serial: Innostor_>
sept. 22 11:11:39 KeySAS keysas-admin.desktop[2788]: 2023-09-22T09:11:39.069Z DEBUG [keysas_admin::usb_sign] Resetting the MBR for /dev/sdc.
sept. 22 11:11:39 KeySAS keysas-admin.desktop[2788]: 2023-09-22T09:11:39.069Z ERROR [keysas_admin] Error while looking for new USB device: Cannot open device for signing.

Can you print me the output of a simple:
cat /etc/udev/rules.d/71-keysas.rules

For this log, it was: SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", MODE="0660", GROUP="plugdev", OWNER="1000", TAG+="uaccess"
I tried to change it to add the OWNER.

I've maybe found a problem, when I do: ls -l /dev/sdc
I obtain: brw-rw---- 1 root disk 8, 32 22 sept. 11:11 /dev/sdc

OK, try adding your user to the "disk" group.

It works, the problem came from here, thank you.
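The thread resolves once the reporter looks at the right node: the USB device node under /dev carried the uaccess ACL (crw-rw----+), but the block device keysas-admin actually opens, /dev/sdc, was brw-rw---- root disk with no ACL, so only root and members of "disk" could write it. The script below is an added example, not part of the keysas project or this issue; it reproduces that reasoning as a check a user can run before plugging in a stick to sign. can_open_rw works purely on the fields ls -l prints (mode string, owner, group) plus the user's group list, which is what makes it testable offline; check_device feeds it a live node using ls -ld and id -Gn. The device path, user names and group lists used in the comments are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the keysas project. Mirrors the permission check
# at the end of the issue thread: can a given user open a device node
# read-write, judged from the mode string, owner and group that ls -l shows?

# can_open_rw MODE OWNER GROUP USER "GROUP1 GROUP2 ..."
#   MODE  : the ls -l / stat %A string, e.g. brw-rw---- ; a trailing "+" means
#           a POSIX ACL is attached (the uaccess udev tag creates one for the
#           active seat user).
#   GROUPS: space-separated group list, as printed by `id -Gn USER`.
# Prints the reason and returns 0 (can open rw), 1 (cannot), or 2 (an ACL
# is present and must be inspected with getfacl before deciding).
can_open_rw() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    acl=no
    case $mode in
        *+) acl=yes; mode=${mode%+} ;;
    esac
    if [ "$user" = root ]; then
        echo "root bypasses the mode bits"
        return 0
    fi
    # ls -l layout: type char, then rw x triplets for owner, group, other
    ownerbits=$(printf '%s' "$mode" | cut -c2-3)
    groupbits=$(printf '%s' "$mode" | cut -c5-6)
    otherbits=$(printf '%s' "$mode" | cut -c8-9)
    # Unix evaluates exactly one class: owner first, then group, then other.
    # An owner with poor bits is NOT rescued by also being in the group.
    if [ "$user" = "$owner" ]; then
        if [ "$ownerbits" = rw ]; then echo "owner $owner has rw"; return 0; fi
        echo "owner $owner has only '$ownerbits'"; return 1
    fi
    for g in $groups; do
        if [ "$g" = "$group" ]; then
            if [ "$groupbits" = rw ]; then
                echo "$user is in group $group, which has rw"; return 0
            fi
            echo "$user is in group $group, but it has only '$groupbits'"; return 1
        fi
    done
    if [ "$otherbits" = rw ]; then echo "node is world read-write"; return 0; fi
    if [ "$acl" = yes ]; then
        echo "$user matches neither $owner nor $group; an ACL is attached, run: getfacl <device>"
        return 2
    fi
    echo "$user is neither $owner nor in group $group: add the user to $group, or grant an ACL via a udev rule on the block device"
    return 1
}

# check_device DEVICE [USER]: apply the same check to a live node, e.g.
#   check_device /dev/sdc          (defaults to the invoking user)
#   check_device /dev/sdc alice
check_device() {
    dev=$1
    user=${2:-$(id -un)}
    # Intentional word splitting: fields 1, 3, 4 of ls -ld are mode, owner, group.
    set -- $(ls -ld "$dev" | awk '{print $1, $3, $4}')
    [ -n "$1" ] || return 1
    can_open_rw "$1" "$2" "$3" "$user" "$(id -Gn "$user")"
}
```

Running check_device /dev/sdc as the reporter would have printed the last message above (neither owner nor in group disk), which is exactly the fix the maintainer proposed; the ACL case (return 2) covers nodes such as the /dev/bus/usb entry where a "+" appears and the mode bits alone do not tell the whole story.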