[pkg-gnupg-maint] Bug#1113729: scdaemon: no PIN caching with PC/SC shared mode

Yves-Alexis Perez corsac at debian.org
Mon Sep 1 20:15:41 BST 2025


Package: scdaemon
Version: 2.4.8-3
Severity: normal

Hi,

I recently moved my smartcard setup from a custom OpenPGP smartcard
(using SmartPGP applet [1]) to a Yubikey 5. Like a lot of people using that
kind of setup, I have issues here and there when using the other
features of the Yubikey (FIDO for hardware-backed ssh keys or 2FA),
where gnupg/scdaemon can't access the card.

Following the great blog posts [2,3,4] by Ludovic I added `pcsc-shared`
to my .scdaemon.conf (`disable-ccid` was already there). Now I don't
have issues with the sharing, but I then discovered that every time I
need to use a key (whether for SSH using my authentication key, or for
my password manager using the encryption key) I need to provide the PIN.

Indeed, scdaemon won't cache the PIN in shared mode [5]. I can
understand the rationale but it makes it really painful to use the keys.

Some things puzzle me though:

- I had the impression that the PIN was cached by the smartcard itself,
  not by scdaemon (inside gpg-agent), but the source code seems to imply
  the opposite.
- there is a discrepancy (I think) between the various levels of
  abstraction: pcscd will allow access to all the smartcard features,
  but only scdaemon will talk to the OpenPGP application

In my opinion, if caching is not done anymore in `pcsc-shared` mode, it
would be helpful then to implement the card-timeout or similar features
in exclusive mode. This way the PIN cache would be useful during a
specific duration but not prevent working with other features all the
time.

Regards,
-- 
Yves-Alexis

[1]: https://github.com/github-af/SmartPGP
[2]: https://blog.apdu.fr/posts/2019/06/gnupg-and-pcsc-conflicts/
[3]: https://blog.apdu.fr/posts/2024/04/gnupg-and-pcsc-conflicts-episode-2/
[4]: https://blog.apdu.fr/posts/2024/12/gnupg-and-pcsc-conflicts-episode-3/
[5]: https://sources.debian.org/src/gnupg2/2.4.8-3/scd/app-openpgp.c?hl=2627#L2631

-- System Information:
Debian Release: forky/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.16.3+deb14-amd64 (SMP w/14 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages scdaemon depends on:
ii  gpg-agent        2.4.8-3
ii  libassuan9       3.0.2-2
ii  libc6            2.41-12
ii  libgcrypt20      1.11.2-2
ii  libgpg-error0    1.55-2
ii  libksba8         1.6.7-2+b1
ii  libnpth0t64      1.8-3
ii  libreadline8t64  8.3-2
ii  libusb-1.0-0     2:1.0.29-2

scdaemon recommends no packages.

scdaemon suggests no packages.

-- no debconf information
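The trade-off the report describes (PIN caching only in exclusive mode, reader sharing only with `pcsc-shared`) is commonly worked around by switching scdaemon between the two modes on demand. The following POSIX shell helper, added here as an illustration and not code from the reporter or from the GnuPG project, rewrites `pcsc-shared` in `scdaemon.conf` idempotently, keeps `disable-ccid` in place, and kills scdaemon so the new option takes effect (a restarted scdaemon also drops its cached PIN and releases its PC/SC connection to the reader). The function names, the `SCD_NO_RELOAD` variable and the default config path under `$GNUPGHOME` or `~/.gnupg` are assumptions of this example.

```shell
#!/bin/sh
# Toggle pcsc-shared in scdaemon.conf without disturbing other options.
# Usage: scd_shared_mode on|off [path-to-scdaemon.conf]
#        scd_shared_state [path-to-scdaemon.conf]
# Assumes the config lives in $GNUPGHOME (or ~/.gnupg) and that gpgconf is
# available to restart scdaemon; set SCD_NO_RELOAD=1 to only edit the file.

scd_shared_mode() {
    mode=$1
    conf=${2:-${GNUPGHOME:-$HOME/.gnupg}/scdaemon.conf}
    [ -f "$conf" ] || : > "$conf"
    # Keep disable-ccid so scdaemon always goes through pcscd rather than
    # its built-in CCID driver; without it the sharing question never arises.
    grep -qx 'disable-ccid' "$conf" || printf 'disable-ccid\n' >> "$conf"
    tmp=$(mktemp) || return 1
    # Drop any existing pcsc-shared line so repeated calls never duplicate it.
    grep -v '^[[:space:]]*pcsc-shared' "$conf" > "$tmp" || true
    case $mode in
        on)  printf 'pcsc-shared\n' >> "$tmp" ;;
        off) ;;
        *)   rm -f "$tmp"; echo "usage: scd_shared_mode on|off [conf]" >&2; return 2 ;;
    esac
    mv "$tmp" "$conf"
    # Restart scdaemon so the option change is picked up. Killing it also
    # forgets the cached PIN and closes its reader handle, which is what lets
    # other tools (FIDO, PIV) reach the token while in exclusive mode.
    if [ -z "$SCD_NO_RELOAD" ] && command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill scdaemon
    fi
}

# Report whether the config currently enables shared mode: prints on|off.
scd_shared_state() {
    conf=${1:-${GNUPGHOME:-$HOME/.gnupg}/scdaemon.conf}
    if grep -q '^[[:space:]]*pcsc-shared' "$conf" 2>/dev/null; then
        echo on
    else
        echo off
    fi
}
```

Typical use is `scd_shared_mode off` while you want the PIN cached for a run of SSH or password-manager operations, and `scd_shared_mode on` (or simply `gpgconf --kill scdaemon`) before touching the FIDO side of the Yubikey; the exclusive/shared choice is made per session rather than once for all time.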
