Yubikey and PIV support in 2.3 (was: Multiple readers with scdaemon)

Werner Koch wk at gnupg.org
Thu Sep 19 10:06:45 CEST 2019

On Thu, 19 Sep 2019 00:13, uri at mit.edu said:
> Another problem is that GnuPG insists on opening the card in an
> exclusive mode - which is unacceptable for cards/tokens with multiple
> applets (OpenPGP and PIV is what I've got), as different apps require

Actually this is a another reason to have exclusive access.  It allows
us to switch between the PIV and OpenPGP apps on a Yubikey as needed.

> use of both applets, sometimes running in parallel - like a browser
> session that uses PIV to authenticate to the server, an email session
> that may use both PIV and OpenPGP applets to deal with S/MIME and
> PGP/MIME emails, and occasional SSH operations during that time.

That is exactly the use case we have implemented.  Needs more testing
with several cards but a single Yubikey works well enough known in 2.3.

To make testing easier we have Debian packages of gnupg master (to be
2.3) and scute (our pkcs11 provider) available:

  deb [arch=amd64] https://ftp.g10code.com/apt buster gnupg-beta
  deb [arch=amd64] https://ftp.g10code.com/apt stretch gnupg-beta
  deb [arch=amd64] https://ftp.g10code.com/apt cosmic gnupg-beta

The version currently available do not yet include gniibe's latest
changes.  I was able to use gpg for signing and encrypting with a card
while also accessing PIV key protected pages with Firefox.  Earlier this
year I also did tests with Thunderbird which also worked.  Yubikey 5 and
4 are supported.  You may want to have a look at the new gpg-card tool
and its man page.  Also gpg --full-gen-key and gpgsm --gen-key now show
a list of keys available on the current smartcard and allow to use them
for the generation of OpenPGP/X.509 certificates.  --quick-gen-key has
also been enhanced to act upon the special algo parameter "card" with
the generation of a standard OpenPGP key based on the standard signing
and decryption key of the card (for OpenPGP, Netkey, and PIV cards).



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20190919/7b677d14/attachment.sig>

More information about the Gnupg-devel mailing list