Page MenuHome GnuPG
Create Task
Maniphest T7041

Yubikey (PGP + PIV) --pcsc-shared: PIN requires every time
Open, NormalPublic
Actions

Description

When the --pcsc-shared option is enabled for Yubikey access, PIN is always asked (not cached).

Related Objects

Event Timeline

gniibe claimed this task.EditedMar 13 2024, 7:58 AM
gniibe created this task.

https://dev.gnupg.org/source/gnupg/browse/master/scd/app-openpgp.c$2630

This rejection could be relaxed.

werner added a subscriber: werner.EditedMar 13 2024, 9:25 AM

But only if you can figure out in a transaction or locked sytate whether the card needs a verify. Otherwise we have a race between changing the PIN and verifying a PIN.

What I mean is that we can replace our own PIN state caching state by querying the card whether the PIN is needed.

werner triaged this task as Normal priority.Apr 9 2024, 1:42 PM
werner added projects: gnupg24, yubikey.
gniibe mentioned this in T5436: gpg-agent 2.3.1: PIN caching not working for decrypt operations.Apr 16 2024, 7:16 AM
mdawar added a subscriber: mdawar.Apr 16 2024, 7:59 AM
whites11 added a subscriber: whites11.May 31 2024, 10:45 AM

Hello all. I think I am affected by this problem (I get asked for the yubikey PIV pin every time I make a git commit).
Is there a known workaround?

werner added a comment.May 31 2024, 12:36 PM

Do not use the pcscd but the integrated CCID driver. This is actually the default form Unix. Or are you on Windows?

whites11 added a comment.May 31 2024, 2:33 PM

Thanks for your answer, @werner

I am on linux (I use arch, by the way 😁 ).
Jokes apart, my "problem" is I wish to use the same yubikey for both GPG signing (for git specifically) and as SSH authentication with pkcs11 using ssh-agent.
If I use CCID the former works, the latter won't.
Do you know if this is somehow possible (sorry, I am diverging from the topic of the ticket).