[pkg-gnupg-maint] Bug#1102717: gnupg: fails to interact with HSM after upgrade from 2.2.46

Andreas Metzler ametzler at bebt.de
Sat Apr 12 12:43:47 BST 2025


On 2025-04-12 Andrew Bower <andrew at bower.uk> wrote:
> Package: gnupg
> Version: 2.4.7-14
> Severity: normal

> I upgraded gnupg from 2.2.46-6 to 2.4.7-13 and all operations with a hardware
> security module (Yubikey 5) now fail.

> It may be that there is a user configuration or dependency change that needs
> satisfying but I can't find any documentation to that effect:

> # gpg --card-status
> gpg: selecting card failed: No such device
> gpg: OpenPGP card not available: No such device

> Other tools such as yubioath-desktop and ykman can interact with the device
> fine:

> $ ykman list
> YubiKey 5 NFC (5.2.7) [OTP+FIDO+CCID] Serial: 

> Other packages:

> ii  pcscd          2.3.3-1      amd64        Middleware to access a smart card using PC/SC (daemon side)
> ii  scdaemon       2.4.7-14     amd64        GNU privacy guard - smart card support

> Running processes:

> root      2143  0.0  0.0 487728  8232 ?        Sl   10:24   0:00 /usr/sbin/pcscd
> andy      4308  0.0  0.0 164448  4320 ?        SLl  10:25   0:00 scdaemon --multi-server
> root      4334  0.0  0.0 164448  4256 ?        SLl  10:25   0:00 scdaemon --multi-server

> Although other aspects of gnupg may operate fine, for me this is a
> serious issue and I will need to downgrade to the previous upstream
> release in order to continue operating as a Debian contributor because
> my private key resides on my HSM!

> I appreciate that there has been a lot of work behind getting this new
> upstream release into Debian so thank you and I hope this bug report
> helps. Let me know if you need anything else from me.

Hello Andrew,

afaiui with gnupg 2.4 you have to either use gnupg's built-in ccid driver
*instead* of pcscd (i.e. stop pcscd from grabbing the device) or
configure gnupg to *not* use the built-in ccid driver:
scdaemon.1:
  --disable-ccid
         The  integrated  CCID  driver  for  CCID compliant devices can be
         available when libusb was detected at build time, and it is  used
         to  access  the  smartcard reader.  If access via PC/SC driver is
         needed, please configure this option to disable CCID driver  sup‐
         port (if any).  In GnuPG 2.2, there was a fallback mechanism from
         CCID  driver to PC/SC driver.  The fallback mechanism worked, be‐
         cause scdaemon in GnuPG 2.2 only supported a single token/reader.
         To support of multiple tokens/readers at the same time,  fallback
         mechanism was removed.

(This would be disable-ccid in ~/.gnupg/scdaemon.conf.)

Over at Ubuntu LP https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/2061708 Julian Andres Klode recommends choosing the built-in ccid driver.

Yubikey otoh suggests pcscd
https://support.yubico.com/hc/en-us/articles/4819584884124-Resolving-GPG-s-CCID-conflicts

Archlinux has a little bit of info here:
https://wiki.archlinux.org/title/GnuPG#Smartcards

cu Andreas

https://dev.gnupg.org/T6871
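
Added example, not part of the original message and not code from the gnupg packaging: a small shell check that classifies which of the two setups described in the reply a machine is in, based on whether disable-ccid is set in scdaemon.conf and whether pcscd is running. The function names, the verdict strings and the --live switch are made up for this illustration; the config path assumes the default GnuPG home directory.

```shell
#!/bin/sh
# Hypothetical helper: report how scdaemon (GnuPG 2.4) will reach the token.

# has_disable_ccid FILE: succeeds if FILE has an uncommented "disable-ccid" line.
has_disable_ccid() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*disable-ccid[[:space:]]*$' "$1"
}

# pcscd_running: succeeds if a pcscd process exists right now.
# A socket-activated pcscd that has not been started yet is not detected.
pcscd_running() {
    pgrep -x pcscd >/dev/null 2>&1
}

# ccid_verdict CONF PCSCD(yes|no) prints one of:
#   pcsc               disable-ccid set and pcscd up: access goes via PC/SC
#   pcsc-no-daemon     disable-ccid set but no pcscd to talk to
#   possible-conflict  built-in CCID driver enabled while pcscd may hold the reader
#   internal-ccid      built-in CCID driver enabled, no pcscd competing
ccid_verdict() {
    conf=$1
    pcscd=$2
    if has_disable_ccid "$conf"; then
        [ "$pcscd" = yes ] && echo pcsc || echo pcsc-no-daemon
    else
        [ "$pcscd" = yes ] && echo possible-conflict || echo internal-ccid
    fi
}

# Inspect the live system only when asked to: sh ccid-check.sh --live
if [ "${1:-}" = "--live" ]; then
    conf=${GNUPGHOME:-$HOME/.gnupg}/scdaemon.conf
    if pcscd_running; then state=yes; else state=no; fi
    echo "$conf: $(ccid_verdict "$conf" "$state")"
fi
```

A "possible-conflict" result corresponds to the situation in the bug report (pcscd running, no disable-ccid). After changing scdaemon.conf, restart scdaemon with "gpgconf --kill scdaemon" so the new setting is read.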


