OpenPGP and PIV - is coexistence possible?

2016-09-17T22:34:53+01:00

I've loaded up my Yubikey 4 with my OpenPGP keys, and my X.509 certificates (which I use for S/MIME). I'm using Fedora 24, and NSS has been configured to use the OpenSC PKCS#11 module and it all seems to work with Thunderbird, Evolution, Firefox, etc. The trouble is both GnuPG and OpenSC seem to dislike sharing the toys.

If I launch an NSS-based application with the OpenSC module, it locks the Yubikey and I can't GnuPG with it until I quit that application.
Conversely, if I've run GnuPG first I have to kill scdaemon (and re-plug) before I can use PIV functionality again.

This is all a bit clunky. Is there something I've missed to get seamless co-existence of GnuPG and OpenSC, or are these just known shortcomings with multi-application smartcards?

I can't really unload the OpenSC module completely from NSS as it's needed for my work smart card. So far the only workaround I've found is to bodge together a local OpenSC config file to use the wrong driver for the YK4 ATR (thereby disabling it), and use environment variables to flip between it and the default config for when I need the keys stored in the Yubikey's PIV applet.

Statistics: Posted by drmhv — Sat Sep 17, 2016 10:34 pm

Yubico Forum

OpenPGP and PIV - is coexistence possible?