So after a very long hiatus and no less than five Fedora releases, I was ready to write something new on this blog. Unfortunately, when I plugged in my NitroKey Pro to update my site repository, I was greeted by permission denied (pubkey) errors whenever I tried to SSH. Digging in a bit further, gpg --card-status reported no card even when dmesg and the NitroKey app itself would happily show the device.

After some research here, here, and here, it turns out that the issue is pcscd and scdaemon fighting with each other for exclusive control of the smartcard device. Since pcscd seems to be started at or very soon after login, and scdaemon only starts up when I start gpg-agent in my .zshrc, pcscd gets exclusive control of the card before gpg ever gets a chance.

The solution seems to be to add the directive pcsc-shared to the file ~/.gnupg/scdaemon.conf and then killall gpg-agent to get it to reload its configuration. According to my research, the pcsc-shared option is an “only if you know what you’re doing” option, but it seems to be stable for the moment. The other proposed solutions, disabling and masking the pcscd daemon with systemctl or putting disable-ccid in ~/.gnupg/scdaemon.conf, either seemed like overkill or didn’t work for me, respectively.
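The change described above can be applied idempotently with a small script. This is an added example, not part of the original post; the function names and the "apply" argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: idempotently enable an scdaemon option such as pcsc-shared.
# Function names and the "apply" argument are assumptions of this example.

# has_option FILE OPTION: succeeds if OPTION is active (not commented out).
has_option() {
    [ -f "$1" ] && grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# ensure_option FILE OPTION: append OPTION unless it is already active.
# Prints "added" or "present" so callers can tell whether a restart is needed.
ensure_option() {
    file=$1 opt=$2
    if has_option "$file" "$opt"; then
        echo present
        return 0
    fi
    dir=$(dirname "$file")
    [ -d "$dir" ] || { mkdir -p "$dir" && chmod 700 "$dir"; }
    # Keep an existing last line intact if it lacks a trailing newline.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file"
    fi
    echo "$opt" >> "$file"
    chmod 600 "$file"
    echo added
}

# Only touch the real configuration when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    ensure_option "${GNUPGHOME:-$HOME/.gnupg}/scdaemon.conf" pcsc-shared
    # Restart the agent as in the post; scdaemon reads its configuration
    # the next time gpg-agent launches it.
    killall gpg-agent 2>/dev/null || true
    gpg --card-status
fi
```

GnuPG's documentation flags pcsc-shared as risky because scdaemon assumes exclusive access to the card and caches information read from it, so a line that is only commented out is deliberately treated as not enabled rather than being uncommented automatically.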

Long story short, I seem to still be able to use the GNOME smartcard subsystem with things like Firefox while also using gpg to SSH into my various servers. Time will tell how well this works, but for the moment it has me rolling again.