Yubikey and gpg issues

I have Fedora 36 workstation plasma spin on my X1 Carbon. I am unable to get my yubikey 5 to be consistently recognized by gpg. It will occasionally start working after I mess around a bit and maybe reboot, but I can’t pin down a set of actions that causes this.

Any help would be greatly appreciated!


I currently get the error message:

╰─ gpg --card-status    
gpg: selecting card failed: Service is not running
gpg: OpenPGP card not available: Service is not running

I’ve tried a number of things, including:

  • installing and uninstalling opensc
  • enabling, killing/restarting, and disabling pcscd

If I look at running processes, I can see:

myuser      4328  0.0  0.0 370840   912 ?        Ssl  14:26   0:00 gpg-agent --homedir /home/myuser/.gnupg --use-standard-socket --daemon
myuser      4330  0.0  0.0 297484  1428 ?        SLl  14:26   0:00 scdaemon --multi-server

Config files:

  • ~/.gnupg/scdaemon.conf:
    pcsc-shared
    pcsc-driver libpcsclite.so.1
    
  • ~/.gnupg/gpg-agent.conf:
    pinentry-program /usr/bin/pinentry-tty
    

Sorry, I haven’t tried this myself.

I did notice a thread over at discussion.fedoraproject.org that relates to using yubikey with gpg. Perhaps it contains some information that can help you:

https://discussion.fedoraproject.org/t/using-yubikey-for-ssh-always-asking-for-password-gnome/75038/17

I was able to fix this by adding a new set of polkit rules. I created the file /etc/polkit-1/rules.d/10-pcsc-custom.rules with the content:

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "myusername") {
            return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader") == 'Yubico YubiKey OTP+FIDO+CCID 00 00' &&
        subject.user == "myusername") {
            return polkit.Result.YES;
    }
});
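Added example, not part of the original post: a small Node.js harness that runs the two rules above against constructed requests to show which ones they grant. The `polkit` stub, the `decide` helper and the sample requests (including the reader name ending in `01 00`) are assumptions of this example.

```javascript
// Stub of the `polkit` object that polkitd normally provides (assumption of
// this example, so the rules can be exercised outside polkitd).
const rules = [];
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  addRule: (fn) => rules.push(fn),
};

const USER = "myusername";                            // placeholder from the post
const READER = "Yubico YubiKey OTP+FIDO+CCID 00 00";  // reader name from the post

// The two rules from the post, unchanged in logic.
polkit.addRule(function (action, subject) {
  if (action.id == "org.debian.pcsc-lite.access_pcsc" && subject.user == USER) {
    return polkit.Result.YES;
  }
});
polkit.addRule(function (action, subject) {
  if (action.id == "org.debian.pcsc-lite.access_card" &&
      action.lookup("reader") == READER &&
      subject.user == USER) {
    return polkit.Result.YES;
  }
});

// Hypothetical helper: rules run in order and the first one that returns a
// value decides; if none does, the action's default policy applies.
function decide(actionId, details, user) {
  const action = { id: actionId, lookup: (key) => details[key] };
  const subject = { user: user };
  for (const rule of rules) {
    const result = rule(action, subject);
    if (result !== undefined && result !== null) return result;
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed requests: matching user and reader, a reader name that differs
// only in its trailing index, and a different user.
const samples = [
  ["org.debian.pcsc-lite.access_pcsc", {}, USER],
  ["org.debian.pcsc-lite.access_card", { reader: READER }, USER],
  ["org.debian.pcsc-lite.access_card", { reader: "Yubico YubiKey OTP+FIDO+CCID 01 00" }, USER],
  ["org.debian.pcsc-lite.access_card", { reader: READER }, "otheruser"],
];
for (const [id, details, user] of samples) {
  console.log(user, id, details.reader || "-", "=>", decide(id, details, user));
}
```

A request that no rule answers falls back to the action's default policy, so a reader name that differs from the string in the rule by even one character is not granted by this file.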