The problem: scdaemon insists on grabbing the token. It refuses to access it when
another daemon (tokend in this case) is already connected to it (tokend on Mac OS X
is the daemon that makes the token available to all the native OS X applications, such
as Safari, Google Chrome, Apple Mail, MS Outlook, Adobe Acrobat, Keychain Access, etc.
etc.). Tokend is talking to the PIV applet, which is used by all of the above apps (in my
case at least).
The way it is now, I have to kill tokend in order for scdaemon to access the card.
And then there’s no way for tokend to get back to it until the card is re-inserted.
My desired workflow in processing emails: use whatever standard the given email came in
under (S/MIME, PGP/MIME) and respond in kind. Just like with soft certificates and keys.
The way it is with scdaemon now, however, I have to process all the S/MIME emails first,
then kill tokend, exit Apple Mail, make sure gpg2 can access the card, start Apple Mail,
process PGP/MIME emails, quit Apple Mail, remove the card. Since the token is used for
things other than email (including OS login and privilege elevation), it is really
inconvenient.
What I am asking for: add a configuration option that would tell scdaemon to open the
token in non-exclusive (shared) mode. Keep it off by default. But those who (like me)
have a need to use multi-applet tokens would be able to have a smooth workflow.
This has already been brought up by Martin Paljak in 2011:
https://lists.gnupg.org/pipermail/gnupg-devel/2011-August/026210.html