Gpg and pcscd on Fedora 33

If you use a yubikey (or similar) to store GPG keys and indirectly SSH keys, you’re likely familiar with the pcsc-lite package. Silverblue added pcsc-lite as a default package in Fedora 33. This is great!

Since upgrading to Fedora 33, gpg --card-status began not finding the device. In previous versions, I experienced this problem when my zsh init scripts started gpg-agent. I fixed the problem by manually starting it every boot. Not sure why this worked, but it did. This work-around stopped working in Fedora 33. (Side note: gpg-agent starts automatically when you run gpg --card-status, which is useful if you need to do this frequently.)

My current work-around is to kill the pcscd process after booting and then start gpg-agent. Afterwards, gpg --card-status works again.

Hopefully this helps someone.

Possibly someone can look into why the boot process mucks up pcscd. My only layered packages are: fedora-workstation-repositories gnome-tweak-tool google-chrome-stable zsh

1 Like

After a little investigation, I found that this is not a new problem. This blog discusses issues using GnuPG and PC/SC on the same system. The problem occurs when pcscd is started before scdaemon. The author suggests adding disable-ccid into ~/.gnupg/scdaemon.conf. Unfortunately, this does not work for me.

Possibly related is Silverblue’s use of gpg-agent, visible for only a short period after boot:

% ps auxw | grep gpg 
root        3790  0.0  0.0 305540   888 ?        Ss   15:29   0:00 gpg-agent --homedir /tmp/ostree-gpg-JOPXoq --use-standard-socket --daemon

My hypothesis is that ostree’s gpg-agent is somehow starting pcscd before scdaemon, and since it is not running as my user, it does not read my user’s scdaemon.conf. I tried creating both /etc/scdaemon.conf and /etc/gnupg/scdaemon.conf and adding disable-ccid; however, neither option worked. Any thoughts would be welcome.

Last useful trick: systemctl restart pcscd, which is slightly easier than manually killing it.

2 Likes

I have a similar issue, though I’m using Workstation (not Silverblue) in my case. I have been stopping pcscd (with systemctl stop pcscd) and then using gpg for a year now. I have the following block in my ~/.gnupg/scdaemon.conf, but it does not seem to make any difference.

disable-ccid
pcsc-driver libpcsclite.so.1

Reference: smartcard - GnuPG - connecting to specific card reader when multiple reader available - Information Security Stack Exchange

I also have this problem on Workstation (not Silverblue) so I’m pretty sure it’s not Silverblue/ostree specific. Disabling pcscd “solves” the problem of gpg not being able to see the card but it’s not necessarily a great solution.

systemctl disable --now pcscd.socket pcscd.service
1 Like

I found that putting pcsc-shared instead of disable-ccid in ~/.gnupg/scdaemon.conf solved the problem. Remember to killall gpg-agent to make the change take effect without reboot. The pcsc-shared option does come with a warning in the man page:

Use shared mode to access the card via PC/SC. This is a somewhat dangerous option because Scdaemon assumes exclusive access to the card and for example caches certain information from the card. Use this option only if you know what you are doing.
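A small POSIX shell helper, added here as an example and not taken from any post in the thread: it reports which card-access mode a scdaemon.conf selects (sample config constructed inline), shows whether pcscd currently holds the reader, and wraps the reload step. It assumes GnuPG 2.x with gpgconf and a systemd-managed pcscd.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GnuPG 2.x (gpgconf) and systemd.

# Read a scdaemon.conf on stdin and report which card-access mode it selects:
#   shared   -> pcsc-shared (the fix that worked above; see the man page warning)
#   no-ccid  -> disable-ccid only (the option that did not help the posters)
#   both     -> both options present
#   default  -> neither; scdaemon uses its own CCID driver / exclusive PC/SC
scdaemon_card_mode() {
    shared=0; noccid=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # drop trailing comments
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$line" in
            pcsc-shared)  shared=1 ;;
            disable-ccid) noccid=1 ;;
        esac
    done
    if   [ "$shared" = 1 ] && [ "$noccid" = 1 ]; then echo both
    elif [ "$shared" = 1 ]; then echo shared
    elif [ "$noccid" = 1 ]; then echo no-ccid
    else echo default; fi
}

# Is pcscd active right now? (active pcscd started before scdaemon is the
# condition that hides the card from gpg in the thread.)
pcscd_state() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-active pcscd.service 2>/dev/null || true
    else
        echo unknown
    fi
}

# Apply a scdaemon.conf change without a reboot: gpgconf --kill restarts
# scdaemon cleanly (tidier than "killall gpg-agent"), then re-probe the card.
reload_and_probe() {
    gpgconf --kill scdaemon && gpg --card-status
}

# Constructed sample: the disable-ccid block one poster tried.
sample='disable-ccid
pcsc-driver libpcsclite.so.1'
printf '%s\n' "$sample" | scdaemon_card_mode   # prints: no-ccid
echo "pcscd: $(pcscd_state)"
```

Run reload_and_probe only after editing ~/.gnupg/scdaemon.conf; the top-level lines are read-only checks.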