[pkg-gnupg-maint] Bug#1113729: Bug#1113970: pcscd service restart required every time yubikey is disconnected / reconnected
Gabriel Filion
lelutin at torproject.org
Tue Sep 16 15:41:31 BST 2025
Hello,
On 2025-09-16 05:17, Yves-Alexis Perez wrote:
> On Mon, 2025-09-08 at 18:57 +0200, Ludovic Rousseau wrote:
>> I add Yves-Alexis in Cc: since he has the exact same problem.
>> He created https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113729 on
>> scdaemon.
>
>> But I think the "problem" should be reported upstream to GnuPG
>> https://dev.gnupg.org/
>> or
>> https://www.gnupg.org/documentation/mailing-lists.html
>
>
>> It is not a problem with pcsc-lite. It is a "feature" of GnuPG.
>
> Hi there,
>
> I have some new data points which I would like to share. Adding both bugs on
> CC: as well as Zack, who experienced issues as well and pointed me to stuff.
>
> 1) There are two GnuPG bug reports (https://dev.gnupg.org/T5436#148796 and
> https://dev.gnupg.org/T7041) with similar issues. There's been a change of
> behavior between 2.2 and 2.3, some of it may be relevant to macOS platforms,
> not sure. Anyway, it seems that the PIN caching in scdaemon and/or the PIN
> caching in the card itself might be wiped when the card is switched to a
> different "application". So there's advice to add `disable-application piv`
> in .gnupg/scdaemon.conf. So on top of the other directives, that would be:
>
> cat .gnupg/scdaemon.conf
> pcsc-shared
> disable-ccid
> disable-application piv

Thanks Yves-Alexis for the added details!

I've just tried the above cocktail of options and found at first that I
could ssh to multiple hosts without getting multiple PIN prompts, which
is better!

However, as soon as I log in to a site in Firefox with WebAuthn, then the
next ssh login will again bring up the PIN prompt.

So it's working better, but still not in the same way as it was
before (i.e. I used to get one PIN prompt and then not one more till I
unplugged my YubiKey), unfortunately.

I'll try using the above options for a bit longer to see if it's too
annoying or not. For now it's a tiny bit better than having to remember
to restart pcscd every time I plug the YubiKey back in, or getting a PIN
prompt every time I use the key for anything.