On Wed, 8 Jan 2025 at 23:08, Daniel Kahn Gillmor <d...@debian.org> wrote:
>
> Thanks for this discussion, all--
>
> On Tue 2025-01-07 15:16:27 +0100, Simon Josefsson wrote:
> > I believe this would be good, I frequently run into GnuPG bugs in the
> > 2.2.x branch that were fixed years ago in 2.4
>
> Can you identify some of those bugs? It would be good to be clear about
> what 2.2 is lacking.
There's one issue that I have experience of, that is fixed with 2.4 and doesn't work with 2.2: using a Yubikey that has _both_ PGP keys and X.509 certs, and trying to use both.

With 2.2 it's a constant fight between scdaemon and opensc, and you have to constantly manually restart, switch configs, etc.

With 2.4, I can instruct scdaemon to ignore the PIV slots, and opensc to ignore the gpg slots, and both to accept shared access, and things _mostly_ work smoothly, only requiring an occasional restart of pcscd, every few days or so.

I found no way to make this setup work with 2.2.

Just my 2c.

For reference, scdaemon.conf:

    # Talk to the card through PC/SC (pcscd) rather than GnuPG's built-in CCID driver
    pcsc-driver /usr/lib/x86_64-linux-gnu/libpcsclite.so
    # Open the card in shared mode so opensc can hold it at the same time
    pcsc-shared
    disable-ccid
    # Leave the PIV applet alone; opensc owns that one
    disable-application piv

opensc.conf:

    app default {
        card_atr <your:series:of:numbers> {
            atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:00:00";
            name = "Yubikey Neo";
            # Select the PKI applet to use ("PIV-II" or "openpgp")
            driver = "PIV-II";
            # Recover from other applications accessing a different applet
            flags = "keep_alive";
        }
    }
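A check to run before dropping the scdaemon.conf above onto a box, added here as an example and not part of the mail or of GnuPG: it parses the output of `gpgconf --list-options scdaemon` (one colon-separated record per option, option name in the first field) and reports which of the four options the file relies on the local scdaemon does not know, and it parses a `gpg --version` banner to tell a 2.2 install from 2.4 or later. `pcsc-shared` was introduced in the 2.3 series, so a 2.2 scdaemon is expected to come up short on exactly that option. The two `SAMPLE_*` blocks are constructed, abbreviated stand-ins for real gpgconf output so the script runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the mail above. Verifies that the local scdaemon
# understands every option used in the posted scdaemon.conf, and that the
# installed GnuPG is 2.4 or newer (the poster could not get the setup to
# work on 2.2).
set -eu

# has_scd_option NAME: read `gpgconf --list-options scdaemon` output on
# stdin and succeed if an option record named NAME is present.
has_scd_option() {
    awk -F: -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# gnupg_is_24_or_newer "gpg (GnuPG) 2.4.4": succeed if major.minor >= 2.4.
# Returns 2 if the banner does not look like a gpg --version first line.
gnupg_is_24_or_newer() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^gpg (GnuPG) \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 4 ]; }
}

# check_scdaemon_conf_options: read gpgconf output on stdin, succeed only
# if all four options used by the posted scdaemon.conf are known; otherwise
# list the missing ones on stderr and fail.
check_scdaemon_conf_options() {
    input=$(cat)
    missing=""
    for opt in pcsc-driver pcsc-shared disable-ccid disable-application; do
        printf '%s\n' "$input" | has_scd_option "$opt" || missing="$missing $opt"
    done
    [ -z "$missing" ] && return 0
    printf 'scdaemon does not know:%s\n' "$missing" >&2
    return 1
}

# Constructed, abbreviated samples in the gpgconf record layout (name first,
# other fields trimmed). Not captured from a real system.
SAMPLE_24='Monitor:0:0::
debug-level:1:0:|set the debugging level to LEVEL:1:1:none:1:none::
pcsc-driver:1:0:|use NAME as PC/SC driver:1:1::
pcsc-shared:1:0:|use shared mode to access the card:0:0::
disable-ccid:1:0:|do not use the internal CCID driver:0:0::
disable-application:1:0:|do not use the named application:5:5::'

SAMPLE_22='Monitor:0:0::
debug-level:1:0:|set the debugging level to LEVEL:1:1:none:1:none::
pcsc-driver:1:0:|use NAME as PC/SC driver:1:1::
disable-ccid:1:0:|do not use the internal CCID driver:0:0::
disable-application:1:0:|do not use the named application:5:5::'

# On a real machine:
#   gpgconf --list-options scdaemon | check_scdaemon_conf_options
#   gnupg_is_24_or_newer "$(gpg --version | head -n 1)"
```

If `check_scdaemon_conf_options` fails, do not install the file: scdaemon treats an option it does not recognise as a configuration error, so you would lose the working 2.2 setup you have rather than gain shared access.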