Gpg and pcscd on Fedora 33

If you use a yubikey (or similar) to store GPG keys and indirectly SSH keys, you’re likely familiar with the pcsc-lite package. Silverblue added the pcsc-lite as a default package in Fedora 33. This is great!

Since upgrading to Fedora 33, gpg --card-status began not finding the device. In previous versions, I experienced this problem when my zsh init scripts started gpg-agent. I fixed the problem by manually starting it every boot. Not sure why this worked, but it did. This work-around stopped working in Fedora 33. (Side note: gpg-agent starts automatically when you run gpg --card-status, which is useful if you need to do this frequently.)

My current work-around is to kill the pcscd process after booting and then start gpg-agent. Afterwards, gpg --card-status works again.

Hopefully this helps someone.

Possibly someone can look into why the boot process mucks up pcscd. My only layered packages are: fedora-workstation-repositories gnome-tweak-tool google-chrome-stable zsh

After a little investigation, I found that this is not a new problem. This blog discusses issues using GnuPG and PC/SC on the same system. The problem occurs when pcscd is started before scdaemon. The author suggests adding disable-ccid into ~/.gnupg/scdaemon.conf. Unfortunately, this does not work for me.

Possibly related is Silverblue’s use of gpg-agent, visible for only a short period after boot:

% ps auxw | grep gpg
root        3790  0.0  0.0 305540   888 ?        Ss   15:29   0:00 gpg-agent --homedir /tmp/ostree-gpg-JOPXoq --use-standard-socket --daemon

My hypothesis is that ostree’s gpg-agent is somehow starting pcscd before scdaemon, and since it is not running as my user, it does not read my user’s scdaemon.conf. I tried creating both /etc/scdaemon.conf and /etc/gnupg/scdaemon.conf and adding disable-ccid; however, neither option worked. Any thoughts would be welcome.

Last useful trick: systemctl restart pcscd, which is slightly easier than manually killing it.
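The recovery sequence the post describes (restart pcscd, restart the agent so scdaemon comes up after pcscd, then re-run gpg --card-status) as a small POSIX shell script that retries a bounded number of times. This is an added example, not code from the original post or from Fedora; it assumes GnuPG 2.x with gpgconf and a pcscd systemd unit as on Fedora, and the file name card-reset.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post: automate the post's
# work-around (restart pcscd, relaunch gpg-agent/scdaemon, re-check the card).
# Assumes GnuPG 2.x with gpgconf and a pcscd systemd unit as on Fedora.

# Returns 0 when gpg can reach the token, non-zero otherwise.
card_present() {
    gpg --card-status >/dev/null 2>&1
}

# The reset step from the post: bounce pcscd (may need root or a polkit
# prompt), then kill scdaemon and the agent so they are re-spawned only
# after pcscd is back up, which is the ordering the post found matters.
reset_stack() {
    systemctl restart pcscd || return 1
    gpgconf --kill scdaemon
    gpgconf --kill gpg-agent
    gpgconf --launch gpg-agent
}

# Check the card, resetting the stack up to $1 times (default 3) between
# checks. Returns 0 as soon as the card is reachable, 1 if it never is.
ensure_card() {
    tries=${1:-3}
    resets=0
    while :; do
        if card_present; then
            echo "card reachable after $resets reset(s)"
            return 0
        fi
        [ "$resets" -lt "$tries" ] || break
        reset_stack
        resets=$((resets + 1))
    done
    echo "card still unreachable after $resets reset(s)" >&2
    return 1
}

# Usage from an interactive shell after boot (file name is hypothetical):
#   . ./card-reset.sh && ensure_card
```

Sourcing the file rather than executing it keeps the functions in your shell, so a later `ensure_card 1` is a one-word retry; the bounded loop avoids restarting pcscd forever if the token is simply unplugged.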
