Yubico Forum
https://forum.yubico.com/

OpenPGP and PIV - is coexistence possible?
https://forum.yubico.com/viewtopic.php?f=35&t=2428

Author:  drmhv [ Sat Sep 17, 2016 10:34 pm ]
Post subject:  OpenPGP and PIV - is coexistence possible?

I've loaded up my Yubikey 4 with my OpenPGP keys, and my X.509 certificates (which I use for S/MIME). I'm using Fedora 24, and NSS has been configured to use the OpenSC PKCS#11 module and it all seems to work with Thunderbird, Evolution, Firefox, etc. The trouble is both GnuPG and OpenSC seem to dislike sharing the toys.

  • If I launch an NSS-based application with the OpenSC module, it locks the Yubikey and I can't use GnuPG with it until I quit that application.
  • Conversely, if I've run GnuPG first I have to kill scdaemon (and re-plug) before I can use PIV functionality again.

This is all a bit clunky. Is there something I've missed to get seamless co-existence of GnuPG and OpenSC, or are these just known shortcomings with multi-application smartcards?

I can't really unload the OpenSC module completely from NSS as it's needed for my work smart card. So far the only workaround I've found is to bodge together a local OpenSC config file to use the wrong driver for the YK4 ATR (thereby disabling it), and use environment variables to flip between it and the default config for when I need the keys stored in the Yubikey's PIV applet.

All times are UTC + 1 hour