YubiKey Not Working with GnuPG 2.3

YubiKey 5 Nano - the one I use

I’m a long time fan of USB security keys for SSH access and signing GitHub commits, currently using YubiKeys on both my laptop and desktop.

I did a semi-regular bulk upgrade of all the software packages managed on my desktop with Homebrew and then noticed a few days later that my YubiKey had stopped working. It took me a few days to notice because I mostly worked on my laptop (where things kept working) and also because my desktop had recently been upgraded, so I expected some instability.

After a few reboots, restarts of the GnuPG agent and even a reinstall of all the relevant packages using Brew, the YubiKey was still not working.

Turns out it’s because GnuPG 2.3 (I’m using 2.3.1) no longer identifies the YubiKey properly when scdaemon talks to it through its built-in CCID (Chip Card Interface Device) driver, so that path to the keys on the YubiKey stops working.

The workaround for now is to disable GnuPG’s internal CCID driver, which forces scdaemon to reach the same keys on the same YubiKey through the other supported route: the operating system’s PC/SC (Personal Computer/Smart Card) interface. On macOS that is built in; on Linux it means the pcscd service has to be running.

Just add a disable-ccid line to the ~/.gnupg/scdaemon.conf file. I didn’t even have the file, so I had to create it.

As you know, ~ means “your current user’s home directory”, so in my case it’s /Users/greys:

The resulting file has a single line:

$ cat ~/.gnupg/scdaemon.conf
disable-ccid

After updating the file I killed gpg-agent (gpgconf --kill gpg-agent is the supported way to do this and also stops the scdaemon it started, but pkill did the job here):

$ pkill gpg-agent
gpg-agent[30678]: SIGTERM received - shutting down ...
gpg-agent[30678]: gpg-agent (GnuPG) 2.3.1 stopped

… and restarted it again (in GnuPG 2.1 and later the standard socket is always used, so --use-standard-socket is accepted but has no effect; gpgconf --launch gpg-agent would achieve the same):

$ gpg-agent --homedir /Users/greys/.gnupg --use-standard-socket --daemon 
SSH_AUTH_SOCK=/Users/greys/.gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
gpg-agent[30795]: gpg-agent (GnuPG) 2.3.1 started
$ SSH_AUTH_SOCK=/Users/greys/.gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;

Listing SSH identities the first time made scdaemon crash (signal 11 is a segmentation fault) and gpg-agent restarted it:

$ ssh-add -l
gpg-agent[30795]: daemon /usr/local/Cellar/gnupg/2.3.1/libexec/scdaemon killed by signal 11
The agent has no identities.

… but running the same command again finally showed my YubiKey card:

$ ssh-add -l
256 SHA256:eLmBPUmca8ZCANT5d47SPellye8WiNOuWAYSU/YVCgY cardno:11 524 133 (ED25519)
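Putting the steps above into one script, as an added example that is not from the original post: the first function adds disable-ccid to scdaemon.conf exactly once (creating the directory and file with the permissions GnuPG expects, and not being fooled by a commented-out copy of the option), and the second restarts gpg-agent through gpgconf and asks scdaemon for the card. The function names, the APPLY_SCDAEMON_FIX switch and the use of gpgconf instead of pkill are my choices, not the author’s.

```shell
#!/bin/sh
# Added example, not code from the original post. Names of the functions and
# of the APPLY_SCDAEMON_FIX switch are assumptions made for this script.

# ensure_disable_ccid <gnupghome>
# Append "disable-ccid" to <gnupghome>/scdaemon.conf exactly once. Creates the
# directory (0700) and file (0600) if they are missing, as GnuPG expects.
ensure_disable_ccid() {
    gnupghome="$1"
    conf="$gnupghome/scdaemon.conf"
    [ -d "$gnupghome" ] || mkdir -p "$gnupghome"
    chmod 700 "$gnupghome"
    [ -f "$conf" ] || : > "$conf"
    chmod 600 "$conf"
    # Whole-line match, so "#disable-ccid" or a longer option name starting
    # with the same text does not count as already configured.
    if ! grep -qx 'disable-ccid' "$conf"; then
        printf '%s\n' 'disable-ccid' >> "$conf"
    fi
}

# count_disable_ccid <gnupghome>
# Print how many active (uncommented) disable-ccid lines the file contains;
# used to confirm the edit above is idempotent.
count_disable_ccid() {
    grep -cx 'disable-ccid' "$1/scdaemon.conf" || true
}

# restart_and_check
# Restart gpg-agent the supported way (this also stops the scdaemon it owns)
# and query the card. Needs gpgconf and gpg on PATH and the YubiKey plugged in.
restart_and_check() {
    gpgconf --kill gpg-agent
    gpgconf --launch gpg-agent
    gpg --card-status
}

# Only touch the real GnuPG home when explicitly asked, so the file can be
# sourced or tested without side effects.
if [ "${APPLY_SCDAEMON_FIX:-0}" = "1" ]; then
    ensure_disable_ccid "${GNUPGHOME:-$HOME/.gnupg}"
    restart_and_check
fi
```

Run it as APPLY_SCDAEMON_FIX=1 sh fix-scdaemon.sh; if gpg --card-status prints the card details, ssh-add -l should list the key as well, provided SSH_AUTH_SOCK points at the gpg-agent SSH socket.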

I expect this will be fixed in the future GnuPG releases, so please revisit this issue and possibly this page in the next few weeks for an update.
