OS X El Capitan and CCID driver upgrades
Silent upgrade of the CCID driver
This is part of the series: "OS X El Capitan and smart cards: known bugs".The first version of El Capitan 10.11 in September, 2015 was provided with the CCID driver version 1.4.14. See "OS X El Capitan and smart cards status" for more details.
I recently discovered that Apple upgraded the CCID driver in the minor upgrades (also thanks to Martin P. for the notice):
- Mac OS X 10.11.3 provides the CCID driver version 1.4.20 (driver released 5 August 2015)
- Mac OS X 10.11.4 provides the CCID driver version 1.4.21 (driver released 21 October 2015)
OS X 10.11
On Mac OS X 10.11 (or 10.11.0) I have:$ ls -lR /usr/libexec/SmartCardServices/drivers
total 0
drwxr-xr-x 3 root wheel 102 23 aoû 2015 ifd-ccid.bundle
/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle:
total 0
drwxr-xr-x 5 root wheel 170 5 oct 2015 Contents
/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents:
total 56
-rw-r--r-- 1 root wheel 27616 5 oct 2015 Info.plist
drwxr-xr-x 4 root wheel 136 2 oct 2015 MacOS
-rw-r--r-- 1 root wheel 471 23 aoû 2015 version.plist
/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/MacOS:
total 176
lrwxr-xr-x 1 root wheel 20 2 oct 2015 libccid.dylib -> libccid.dylib.1.4.14
-rwxr-xr-x 1 root wheel 165888 17 sep 2015 libccid.dylib.1.4.14
OS X 10.11.3
On Mac OS X 10.11.3 I have:$ ls -lR /usr/libexec/SmartCardServices/drivers total 0 drwxr-xr-x 3 root wheel 102 Aug 23 2015 ifd-ccid.bundle /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle: total 0 drwxr-xr-x 5 root wheel 170 Jan 28 10:05 Contents /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents: total 24 -rw-r--r-- 1 root wheel 33873 Sep 23 2015 Info.plist drwxr-xr-x 5 root wheel 170 Jan 28 10:05 MacOS -rw-r--r-- 1 root wheel 469 Sep 23 2015 version.plist /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/MacOS: total 344 lrwxr-xr-x 1 root wheel 20 Dec 9 15:06 libccid.dylib -> libccid.dylib.1.4.14 -rwxr-xr-x 1 root wheel 165888 Oct 18 2015 libccid.dylib.1.4.14 -rwxr-xr-x 1 root wheel 166096 Jan 14 03:06 libccid.dylib.1.4.20
OS X 10.11.4
On Mac OS X 10.11.4 I have:$ pwd /Volumes/ElCapitan/usr/libexec/SmartCardServices/drivers $ ls -lR ifd-ccid.bundle/ total 0 drwxr-xr-x 5 root wheel 170 Mar 22 13:23 Contents ifd-ccid.bundle//Contents: total 24 -rw-r--r-- 1 root wheel 36860 Dec 21 06:05 Info.plist drwxr-xr-x 5 root wheel 170 Mar 22 13:23 MacOS -rw-r--r-- 1 root wheel 470 Dec 21 06:05 version.plist ifd-ccid.bundle//Contents/MacOS: total 344 lrwxr-xr-x 1 root wheel 20 Sep 16 2015 libccid.dylib -> libccid.dylib.1.4.14 -rwxr-xr-x 1 root wheel 165888 Sep 3 2015 libccid.dylib.1.4.14 -rwxr-xr-x 1 root wheel 166096 Mar 12 09:30 libccid.dylib.1.4.21
Half upgrade
What is strange is that only the driver Info.plist file has been updated. A new binary driver is installed (libccid.dylib.1.4.20 or libccid.dylib.1.4.21) but not used.The driver Info.plist file contains:
<key>CFBundleExecutable</key> <string>libccid.dylib</string>
So the driver binary is always the file libccid.dylib. And, as you can see from the previous commands libccid.dylib is just a symbolic link to the same libccid.dylib.1.4.14 file.
It looks like the upgrade is not complete:
- New readers present in the driver Info.plist file will be recognized
- Bugs fixes and new code from versions 1.4.15 to 1.4.21 are not used since the driver binary used is still at version 1.4.14.
Broken upgrade
Some/many people reported that the CCID driver was not working any more after the 10.11.4 upgrade. I have not (yet) reproduce this problem myself.The driver configuration looks like this:
/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/MacOS: lrwxr-xr-x 1 root wheel 20 3 déc 08:37 libccid.dylib -> libccid.dylib.1.4.20 -rwxr-xr-x 1 root wheel 166096 12 mar 09:30 libccid.dylib.1.4.21
The symbolic link points to a non-existent libccid.dylib.1.4.20 file. So, of course, the driver is not loaded and the support of CCID readers is broken.
Error message in the system log file:
com.apple.ifdreader[219]: Failed to load IFD bundle executable:
'file:///usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/' with error: Error Domain=NSCocoaErrorDomain Code=4 "The bundle “CCIDCLASSDRIVER” couldn’t be loaded because its executable couldn’t be located." UserInfo={NSLocalizedFailureReason=The bundle’s executable couldn’t be located., NSLocalizedRecoverySuggestion=Try reinstalling the bundle., NSBundlePath=/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle, NSLocalizedDescription=The bundle “CCIDCLASSDRIVER” couldn’t be loaded because its executable couldn’t be located.}
Proposed solution
Because of System Integrity Protection [or wikipedia], it is forbidden to change/remove/add files in the /usr/ directory.My proposal to fix the issue, until Apple provides a fix, is to:
- disable SIP
- fix the symbolic link using some think like
cd /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/MacOS ln -sf libccid.dylib.1.4.21 libccid.dylib
- enable SIP
Another solution
In the Apple developer forums "gtall" reported the same problem in "el capitan 10.11.4 unable to see smartcard" and "Metsma" posted a different workaround.Maybe Apple will publish a Technical Note to give a better solution or, better, provide a version 10.11.5 with a fix for the CCID driver.
Conclusion
I reported the problem to Apple as bug #25873806 "CCID smart card reader driver update failed in 10.11.4".That is the first time that Apple updates a smart card component (instead of just fixing bugs) with minor revisions of Mac OS X. Maybe it is a sign that Apple cares about smart cards?
My list of El Capitan known smart card bugs contains 7 unfixed bugs and 3 wanted features. There is still Apple work to do for the next (minor or major) release of Mac OS X.
Update
On 26th April 2016, Apple closed my bug report as a duplicate:"Engineering has determined that your bug report (25873806) is a duplicate of another issue (25416818) and will be closed."