Yubikey (PGP + PIV) --pcsc-shared: PIN required every time
Open, Normal, Public

Description

When the --pcsc-shared option is enabled for Yubikey access, the PIN is always asked for (not cached).

Event Timeline

But only if you can figure out in a transaction or locked state whether the card needs a verify. Otherwise we have a race between changing the PIN and verifying a PIN.

What I mean is that we can replace our own PIN state caching by querying the card whether the PIN is needed.

werner triaged this task as Normal priority. Apr 9 2024, 1:42 PM
werner added projects: gnupg24, yubikey.

Hello all. I think I am affected by this problem (I get asked for the Yubikey PIV PIN every time I make a git commit).
Is there a known workaround?

Do not use the pcscd but the integrated CCID driver. This is actually the default for Unix. Or are you on Windows?

Thanks for your answer, @werner

I am on Linux (I use Arch, by the way 😁).
Jokes apart, my "problem" is that I wish to use the same Yubikey for both GPG signing (for git specifically) and SSH authentication with pkcs11 using ssh-agent.
If I use CCID the former works, the latter won't.
Do you know if this is somehow possible? (Sorry, I am diverging from the topic of the ticket.)

You should use gpg-agent's integrated ssh-agent. It is anyway much more convenient. I'll move this task to gnupg26, though.