On Mon, 2025-09-08 at 18:57 +0200, Ludovic Rousseau wrote:
> I add Yves-Alexis in Cc: since he has the exact same problem.
> He created https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113729 on
> scdaemon.
>
> But I think the "problem" should be reported upstream to GnuPG
> https://dev.gnupg.org/
> or
> https://www.gnupg.org/documentation/mailing-lists.html
>
>
> It is not a problem with pcsc-lite. It is a "feature" of GnuPG.

Hi there,

I have some new data points which I would like to share. Adding both bugs on CC: as well as Zack, who experienced issues as well and pointed me to stuff.

1) There are two GnuPG bug reports (https://dev.gnupg.org/T5436#148796 and https://dev.gnupg.org/T7041) with similar issues. There's been a change of behavior between 2.2 and 2.3, some of it maybe relevant to macOS platforms, not sure. Anyway, it seems that the PIN caching in scdaemon and/or the PIN caching in the card itself might be wiped when the card is switched to a different "application". So there's advice to add `disable-application piv` in .gnupg/scdaemon.conf. So on top of the other directives, that would be:

    cat .gnupg/scdaemon.conf
    pcsc-shared
    disable-ccid
    disable-application piv

2) In my case, disabling the PIV application wasn't enough for some reason. It did fix the caching but only for some period of time, and that period seemed to be totally random (between 1s and 30-40 seconds max). So I looked at other stuff which might be using the card and I stopped all other applications. The one doing stuff was actually Firefox, even when not doing a FIDO U2F authentication. I investigated and noticed I had the Yubikey in the "Security Devices", because I had opensc/opensc-pkcs11 installed (so I could store certificates in the Yubikey using PKCS#11). Since I don't use that at the moment I removed the opensc and opensc-pkcs11 packages (I guess I could have just unloaded the module from the Firefox Security devices, or maybe disabled the sc-hsm application in scdaemon).

Now the PIN caching works just fine. I thought I'd share it here so other people are aware.

Regards,
-- 
Yves-Alexis
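
Added example, not part of the message above: a small shell check for the two conditions it describes, namely the three scdaemon.conf directives and an OpenSC PKCS#11 module registered in a browser's NSS module database. The function names, the temporary sample files and the sample library path are assumptions made for this example; it reads the `library=` lines of a `pkcs11.txt` file as found in a Firefox profile directory.

```shell
#!/bin/sh
# Added example (not from the original message). File paths are passed in,
# so the demo below only touches constructed sample files.

# Print each scdaemon.conf directive quoted in the message that FILE lacks.
# Comment lines are dropped and runs of blanks collapsed before comparing.
missing_directives() {
    for want in "pcsc-shared" "disable-ccid" "disable-application piv"; do
        if ! [ -f "$1" ] || ! sed -e '/^[[:space:]]*#/d' \
                -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' "$1" |
                grep -Fxq -- "$want"; then
            printf '%s\n' "$want"
        fi
    done
}

# Print the library= paths in an NSS module database (pkcs11.txt) that point
# at an OpenSC module. Empty output means no such module is registered.
opensc_modules() {
    [ -f "$1" ] || return 0
    sed -n 's/^library=//p' "$1" | grep -i 'opensc' || true
}

# Constructed sample files standing in for ~/.gnupg/scdaemon.conf and a
# Firefox profile's pkcs11.txt (contents made up for this example).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '# shared access to the reader' 'pcsc-shared' 'disable-ccid' \
    > "$demo/scdaemon.conf"
printf '%s\n' 'library=' 'name=NSS Internal PKCS #11 Module' '' \
    'library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so' 'name=OpenSC' \
    > "$demo/pkcs11.txt"

echo "Directives missing from scdaemon.conf:"
missing_directives "$demo/scdaemon.conf"
echo "OpenSC modules registered in the browser:"
opensc_modules "$demo/pkcs11.txt"
```

To check a real setup, call the two functions with the path to your own scdaemon.conf and to the pkcs11.txt inside your browser profile directory.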

