[pkg-gnupg-maint] Bug#1113729: Bug#1113970: pcscd service restart required every time yubikey is disconnected / reconnected
Yves-Alexis Perez
corsac at debian.org
Tue Sep 16 10:17:25 BST 2025
On Mon, 2025-09-08 at 18:57 +0200, Ludovic Rousseau wrote:
> I add Yves-Alexis in Cc: since he has the exact same problem.
> He created https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113729 on
> scdaemon.
>
> But I think the "problem" should be reported upstream to GnuPG
> https://dev.gnupg.org/
> or
> https://www.gnupg.org/documentation/mailing-lists.html
>
>
> It is not a problem with pcsc-lite. It is a "feature" of GnuPG.

Hi there,

I have some new data points which I would like to share. Adding both bugs on
CC: as well as Zack, who experienced issues as well and pointed me to stuff.

1) There are two GnuPG bug reports (https://dev.gnupg.org/T5436#148796 and
https://dev.gnupg.org/T7041) with similar issues. There's been a change of
behavior between 2.2 and 2.3, some of it may be relevant to macOS platforms,
not sure. Anyway, it seems that the PIN caching in scdaemon and/or the PIN
caching in the card itself might be wiped when the card is switched to a
different "application". So there's advice to add `disable-application piv`
in .gnupg/scdaemon.conf. So on top of the other directives, that would be:

cat .gnupg/scdaemon.conf
pcsc-shared
disable-ccid
disable-application piv

2) In my case, disabling the PIV application wasn't enough for some reason. It
did fix the caching but only for some period of time, and that period seemed
to be totally random (between 1s and 30-40 seconds max). So I looked at other
stuff which might be using the card and I stopped all other applications. The
one doing stuff was actually Firefox, even when not doing a FIDO U2F
authentication. I investigated and noticed I had the Yubikey in the "Security
Devices", because I had opensc/opensc-pkcs11 installed (so I could store
certificates in the Yubikey using PKCS#11). Since I don't use that at the
moment I removed the opensc and opensc-pkcs11 packages (I guess I could have
just unloaded the module from the Firefox Security devices, or maybe disabled
the sc-hsm application in scdaemon). Now the PIN caching works just fine.

I thought I'd share it here so other people are aware.

Regards,
--
Yves-Alexis
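
The two checks described in the message above, as an added example that is not part of the original e-mail or of GnuPG: `missing_directives` reports which of the three quoted scdaemon.conf lines a file lacks, and `card_users` lists processes other than scdaemon and pcscd that have a smart-card client library mapped. The function names, the Linux `/proc` layout and the library file-name patterns (`opensc-pkcs11*.so`, `libpcsclite*.so`) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes Linux /proc and the
# library file names opensc-pkcs11*.so / libpcsclite*.so.

# missing_directives CONF: print each directive quoted in the message that
# CONF lacks (commented-out lines do not count; a missing file lacks all three).
missing_directives() {
    for want in 'pcsc-shared' 'disable-ccid' 'disable-application piv'; do
        # Allow any run of whitespace between an option and its argument.
        pat=$(printf '%s' "$want" | sed 's/ /[[:space:]]+/g')
        grep -Eqs "^[[:space:]]*${pat}[[:space:]]*\$" "$1" || printf '%s\n' "$want"
    done
}

# card_users [PROCROOT]: print "PID NAME LIBS" for each process, other than
# scdaemon and pcscd, that has a smart-card client library mapped.
card_users() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue            # skip processes we may not inspect
        dir=${maps%/maps}
        name=$(cat "$dir/comm" 2>/dev/null) || continue
        case $name in scdaemon|pcscd) continue ;; esac
        libs=$(grep -Eo '(opensc-pkcs11|libpcsclite)[^/ ]*\.so[^/ ]*' "$maps" 2>/dev/null |
            sort -u | tr '\n' ',')
        if [ -n "$libs" ]; then
            printf '%s %s %s\n' "${dir##*/}" "$name" "${libs%,}"
        fi
    done
    return 0
}

# Run against the live system only when invoked as: sh thisfile check
if [ "${1:-}" = "check" ]; then
    missing_directives "${GNUPGHOME:-$HOME/.gnupg}/scdaemon.conf"
    card_users
fi
```

Only processes whose `/proc/PID/maps` is readable by the invoking user are listed, so run it as the desktop user whose browser session is under suspicion.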