Yubikey and gpg issues

I have Fedora 36 workstation plasma spin on my X1 Carbon. I am unable to get my yubikey 5 to be consistently recognized by gpg. It will occasionally start working after I mess around a bit and maybe reboot, but I can’t pin down a set of actions that causes this.

Any help would be greatly appreciated!


I currently get the error message:

╰─ gpg --card-status    
gpg: selecting card failed: Service is not running
gpg: OpenPGP card not available: Service is not running

I’ve tried a number of things, including:

  • installing and uninstalling opensc
  • enabling, killing/restarting, and disabling pcscd

If I look at running processes, I can see:

myuser      4328  0.0  0.0 370840   912 ?        Ssl  14:26   0:00 gpg-agent --homedir /home/myuser/.gnupg --use-standard-socket --daemon
myuser      4330  0.0  0.0 297484  1428 ?        SLl  14:26   0:00 scdaemon --multi-server

Config files:

  • ~/.gnupg/scdaemon.conf:
    pcsc-shared
    pcsc-driver libpcsclite.so.1
    
  • ~/.gnupg/gpg-agent.conf:
    pinentry-program /usr/bin/pinentry-tty
    

Sorry, I haven’t tried this myself.

I did notice a thread over at discussion.fedoraproject.org that relates to using yubikey with gpg. Perhaps it contains some information that can help you:

https://discussion.fedoraproject.org/t/using-yubikey-for-ssh-always-asking-for-password-gnome/75038/17

I was able to fix this by adding a new set of polkit rules. I created the file /etc/polkit-1/rules.d/10-pcsc-custom.rules with the content:

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "myusername") {
            return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader") == 'Yubico YubiKey OTP+FIDO+CCID 00 00' &&
        subject.user == "myusername") {
            return polkit.Result.YES;
    }
});

I did not have this issue with F36 or F37, but it showed up in F38 and this was the fix. I will point out that the two places where “myusername” is included need to be changed! That one got me for a couple of minutes.

Do I need to restart some services after creating this file?

Not that I can recall (or find in my shell history).

If you need to ensure that it would be loaded if working, restarting the polkit systemd service should be enough:

sudo systemctl restart polkit.service
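
A way to check which requests the polkit rules posted earlier in this thread actually grant, as an added example that is not part of the thread. The `polkit` object is a small stand-in written for this example (polkitd supplies the real one), and the `01 00` reader name and the user `alice` are constructed test values.

```javascript
// Stand-in for what polkitd hands to a rules file (assumption: only the members
// the thread's rules use are modelled; the result strings are local to this example).
const Result = { YES: "yes", NOT_HANDLED: "not-handled" };

// The two rules from the thread, as the text of a .rules file.
const RULES_SRC = `
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "myusername") {
            return polkit.Result.YES;
    }
});
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader") == 'Yubico YubiKey OTP+FIDO+CCID 00 00' &&
        subject.user == "myusername") {
            return polkit.Result.YES;
    }
});`;

// Run the rules text against the mock `polkit` and collect the registered rules.
function loadRules(src) {
  const rules = [];
  const polkit = { Result, addRule: (fn) => rules.push(fn) };
  new Function("polkit", src)(polkit);
  return rules;
}

// Ask each rule in order; the first one that returns a value decides.
function decide(rules, actionId, reader, user) {
  const action = { id: actionId, lookup: (k) => (k === "reader" ? reader : undefined) };
  for (const rule of rules) {
    const r = rule(action, { user });
    if (r !== undefined && r !== null) return r;
  }
  return Result.NOT_HANDLED; // left to pcsc-lite's default policy
}

const RULES = loadRules(RULES_SRC);
const CARD = "org.debian.pcsc-lite.access_card";
// Constructed requests: [action id, reader name, user]
const CASES = [
  ["org.debian.pcsc-lite.access_pcsc", null, "myusername"],
  [CARD, "Yubico YubiKey OTP+FIDO+CCID 00 00", "myusername"],
  [CARD, "Yubico YubiKey OTP+FIDO+CCID 01 00", "myusername"], // constructed: different reader name
  [CARD, "Yubico YubiKey OTP+FIDO+CCID 00 00", "alice"],      // real login differs from the placeholder
];
for (const [id, reader, user] of CASES) console.log(decide(RULES, id, reader, user), id, reader, user);
```

A request that comes back `not-handled` is left to pcsc-lite's default policy, so a placeholder user name left unedited or a reader name that differs by one character means the custom rule never applies.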

Still does not work for me

$ gpg --card-status

gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

I added the polkit rule and created the two gnupg config files.
I also installed the package pinentry-tty

Have you tried:

gpgconf --kill gpg-agent
gpg-connect-agent updatestartuptty /bye

Now it works, but it’s not very stable; sometimes it works and sometimes it gives an error

$ gpg --card-status               
gpg: OpenPGP card not available: Card error

I find that sometimes I need to remove the yubikey and re-insert it. I also have pcscd running as a socket. There are suggestions to add the gpgconf and gpg-connect-agent commands to your profile, but I see mixed results with that and usually need to run those commands after a restart.