Resolving GPG's CCID conflicts


This article is an extension to Troubleshooting Issues with GPG. For an overview of the conflict addressed in this article, refer to this blog post by Ludovic Rousseau.

 

Linux

The following instructions were tested against Pop!_OS 22.04 and should be considered a reference. If you're using a Linux distribution other than Pop!_OS or another Ubuntu derivative, you may need to adapt these instructions accordingly, as package names, etc. may differ.

 

  1. Install required packages by running the following command in Terminal.

sudo apt install gnupg scdaemon pcscd pcsc-tools

 

  1. Create or edit the file ~/.gnupg/scdaemon.conf, and add the following line to it.

disable-ccid

 

  1. Since GPG relies on pcscd (PC/SC Smart Card Daemon) to communicate with the YubiKey, enable it to start with the system by running the following command in Terminal.

sudo systemctl enable --now pcscd

 

  1. Reboot the system to clear any GPG locks
  2. Following the reboot, open Terminal, and run the following commands. These commands assume you have a certificate enrolled on the YubiKey.

pkcs11-tool --login --test

pkcs11-tool --list-slots

 

  1. Open a second Terminal, and in it, run the following commands.

gpg --card-edit

quit (at the gpg/card> prompt)

 

Windows

  1. Install Yubico PIV Tool (x64) and OpenSC.
  2. Open an elevated PowerShell window (run PowerShell as administrator) and change its working directory to the GPG home folder by running the following.

cd $env:UserProfile\gnupg\

 

  1. Run the following command to create a new file called scdaemon.conf in the working directory (GPG home folder), and open it for editing with Notepad.

notepad.exe scdaemon.conf

 

  1. Once Notepad opens, add the line disable-ccid to the file, save, then exit.
  2. Reboot the system.
  3. Use cd again to change PowerShell's working directory to OpenSC's tools folder:

cd "$env:ProgramFiles\OpenSC Project\OpenSC\tools\"

 

  1. Run the following commands to test communication with the YubiKey.

.\pkcs11-tool --module "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll" --show-info

 

.\pkcs11-tool --module "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll" --login --test

 

  1. In a second Powershell window, run the following commands to test GPG's access to the YubiKey.

gpg --card-edit

quit (at the gpg/card> prompt)

 

  1. Lastly, release the GPG lock by running:

Restart-Service SCardSvr