Gpg and pcscd on Fedora 33

If you use a YubiKey (or similar) to store GPG keys and indirectly SSH keys, you’re likely familiar with the pcsc-lite package. Silverblue added pcsc-lite as a default package in Fedora 33. This is great!

Since upgrading to Fedora 33, gpg --card-status has stopped finding the device. In previous versions, I experienced this problem when my zsh init scripts started gpg-agent. I fixed the problem by manually starting it on every boot. Not sure why this worked, but it did. This workaround stopped working in Fedora 33. (Side note: gpg-agent starts automatically when you run gpg --card-status, which is useful if you need to do this frequently.)

My current workaround is to kill the pcscd process after booting and then start gpg-agent. Afterwards, gpg --card-status works again.

Hopefully this helps someone.

Possibly someone can look into why the boot process mucks up pcscd. My only layered packages are: fedora-workstation-repositories gnome-tweak-tool google-chrome-stable zsh


After a little investigation, I found that this is not a new problem. This blog discusses issues using GnuPG and PC/SC on the same system. The problem occurs when pcscd is started before scdaemon. The author suggests adding disable-ccid to ~/.gnupg/scdaemon.conf. Unfortunately, this does not work for me.

Possibly related is Silverblue’s use of gpg-agent, visible for only a short period after boot:

% ps auxw | grep gpg 
root        3790  0.0  0.0 305540   888 ?        Ss   15:29   0:00 gpg-agent --homedir /tmp/ostree-gpg-JOPXoq --use-standard-socket --daemon

My hypothesis is that ostree’s gpg-agent is somehow starting pcscd before scdaemon, and since it is not running as my user, it does not read my user’s scdaemon.conf. I tried creating both /etc/scdaemon.conf and /etc/gnupg/scdaemon.conf and adding disable-ccid; however, neither option worked. Any thoughts would be welcome.

Last useful trick: systemctl restart pcscd, which is slightly easier than manually killing it.

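The kill-pcscd-then-start-gpg-agent workaround from the posts above, written up as a script. This is an added example, not code from the thread or from Fedora/GnuPG; the function names (card_status_ok, card_present, reset_card_stack) and the script name reset-card.sh are my own. It assumes systemd with a pcscd.service unit, GnuPG 2.x with gpgconf on the PATH, and that the GnuPG daemons must be stopped before pcscd is restarted so that scdaemon re-opens the reader afterwards (the ordering the pcscd-before-scdaemon explanation points to). The check only inspects the text gpg prints: a card that was actually read produces an "Application ID ...:" line, a missing card produces "OpenPGP card not available" and no such line.

```shell
#!/bin/sh
# Added example (not from the thread): restart the PC/SC daemon and the
# GnuPG daemons in an order that lets scdaemon re-open the reader, then
# verify that gpg can see the card again.
# Assumptions: systemd with pcscd.service, GnuPG 2.x with gpgconf on the
# PATH, and that gpg-agent/scdaemon must be stopped before pcscd restarts.

# card_status_ok: read `gpg --card-status` output on stdin and succeed only
# if a card was actually read. gpg prints "Application ID ...:" only after
# it has talked to a card; on failure it prints "OpenPGP card not available".
card_status_ok() {
    grep -q '^Application ID'
}

# card_present: ask gpg for the card and check the result. stderr is
# merged because gpg reports the failure there.
card_present() {
    gpg --card-status 2>&1 | card_status_ok
}

# reset_card_stack: stop scdaemon and gpg-agent first so nothing holds a
# stale PC/SC context, restart pcscd (the thread's manual kill/restart),
# then relaunch the agent. systemctl restart needs root or a polkit rule.
reset_card_stack() {
    gpgconf --kill scdaemon
    gpgconf --kill gpg-agent      # also terminates any scdaemon child
    sudo systemctl restart pcscd.service
    sleep 1                       # give pcscd a moment to enumerate readers
    gpgconf --launch gpg-agent
}

main() {
    if card_present; then
        echo "card already visible"
        return 0
    fi
    reset_card_stack
    if card_present; then
        echo "card visible after resetting pcscd and gpg-agent"
        return 0
    fi
    echo "card still not visible; check 'journalctl -u pcscd' and 'gpg --card-status'" >&2
    return 1
}

# Only run when invoked as a script named reset-card.sh, so the functions
# can also be sourced into an interactive shell.
[ "${0##*/}" = "reset-card.sh" ] && main "$@"
```

Run it as ./reset-card.sh after boot. Because it restarts pcscd rather than disabling it, anything else on the system that needs PC/SC keeps working; if the card only appears once pcscd is gone entirely, disabling the socket and service is the fallback.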

I have a similar issue, though I’m using Workstation (not Silverblue) in my case. I have been killing pcscd (with systemctl stop pcscd) and then using gpg for a year now. I have the following block in my ~/.gnupg/scdaemon.conf, but it does not seem to make any difference.

disable-ccid
pcsc-driver libpcsclite.so.1

Reference: https://security.stackexchange.com/q/233916

I also have this problem on Workstation (not Silverblue) so I’m pretty sure it’s not Silverblue/ostree specific. Disabling pcscd “solves” the problem of gpg not being able to see the card but it’s not necessarily a great solution.

systemctl disable --now pcscd.socket pcscd.service