When the --pcsc-shared option is enabled for Yubikey access, PIN is always asked (not cached).
https://dev.gnupg.org/source/gnupg/browse/master/scd/app-openpgp.c$2630
This rejection could be relaxed.
But only if you can figure out in a transaction or locked state whether the card needs a verify. Otherwise we have a race between changing the PIN and verifying a PIN.
What I mean is that we can replace our own PIN state caching by querying the card whether the PIN is needed.
Hello all. I think I am affected by this problem (I get asked for the yubikey PIV pin every time I make a git commit).
Is there a known workaround?
Do not use the pcscd but the integrated CCID driver. This is actually the default for Unix. Or are you on Windows?
Thanks for your answer, @werner
I am on linux (I use arch, by the way 😁 ).
Jokes apart, my "problem" is I wish to use the same yubikey for both GPG signing (for git specifically) and as SSH authentication with pkcs11 using ssh-agent.
If I use CCID the former works, the latter won't.
Do you know if this is somehow possible? (Sorry, I am diverging from the topic of the ticket.)
You should use gpg-agent's integrated ssh-agent. It is anyway much more convenient. I'll move this task to gnupg26, though.