pynitrokey is not working with openssl 3.0.10: Error detecting the version of libcrypto

[SebastianHuettersen]

Currently, pynitrokey does not work if the system uses an openssl version where a version part consists of more than one number, such as openssl 3.0.10 used by Debian 13 Trixie.

In this case pynitrokey aborts with the following error:

Critical error:
An unhandled exception occurred
	Exception encountered: LibraryNotFoundError('Error detecting the version of libcrypto')

The error is in the used library oscrypto where the regex to extract the version string has a fuzziness.
An issue has already been raised here, but a new release that fixes this problem is still missing at the moment:

• oscrypto/issues/75
• oscrypto/issues/78

Workaround:
Modify the regex in the file oscrypto/_openssl/_libcrypto_cffi.py:41 from

'\\b(\\d\\.\\d\\.\\d[a-z]*)\\b'

to

'\\b(\\d+\\.\\d+\\.\\d+[a-z]*)\\b'

[4SH-gaupee]

Hi, did you do any other step beside changing the regex ? I've tried on my venv and I still get the error

[robin-nitrokey]

@4SH-gaupee You should be able to install the fixed oscrypto version inside the virtual environment with:

$ pip install "oscrypto @ git+https://github.com/wbond/oscrypto.git@1547f535001ba568b239b8797465536759c742a3"

[daringer]

For this to be permanently fixed we have to wait for a release of: https://pypi.org/project/oscrypto/ (hopefully 1.3.1) also requested it here: wbond/oscrypto#78. The dependency that is using it is spsdk (yay!) which pins it to <1.4 so lets hope for a 1.3.1 otherwise I don't see how we could solve that

[karami-omid]

@robin-nitrokey
Thank you so much. It works for me whin run the command! (oscrypto)

[DexterNemrod]

As a workaround it is possible to run the app or nitropy (which is the cli-basis for the app) on older distros in distrobox.
I tried it with Debian 11
All I had to do was to install pip
Install pynitrokey via pip
Download an move the udev-rules to /lib/udev/rules.d/

sudo apt install pip
pip install pynitrokey
wget https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules
sudo mv 41-nitrokey.rules /lib/udev/rules.d/

And restart the container

[UndeadDevel]

Would it be possible to apply a similar workaround to the released binaries as was applied to the pypy package (that can be installed with pipx)? This is relevant in connection with #495.

[robin-nitrokey]

AFAIK there is no workaround for the pypi package. You have to manually apply the fix described above. To fix the problem both for the pypi package and the binary we would have to fork and release oscrypto. I’d rather avoid that, but maybe we have to consider that option if there is no upstream release.

[daringer]

just for the sake of documentation, the issue should be solvable for a pipx installation like that:

pipx inject --pip-args="--upgrade --force" pynitrokey "oscrypto @ git+https://github.com/wbond/oscrypto.git@1547f535001ba568b239b8797465536759c742a3"

[robin-nitrokey]

Since pynitrokey 0.5.0, we no longer depend on oscrypto.