I second using opensc over gpg.

GPG was a nightmare with its own particular way of doing things and general refusal to help other projects.

Their scdaemon takes exclusive use of the card and when this has been brought up with the project, they said other projects should use their scdaemon to interface with cards rather than PKCS11 and opensc.

This was exactly my experience from two years ago. But to my surprise, with recent gpg2 versions most of those issues are gone (plus EC ssh key files are supported; older gpg-agent could only do RSA).

scdaemon used to crash all the time, that doesn't happen anymore. GPG doesn't lock the card so I have to stop scdaemon to use it w/ other apps.

So for the last half year I've happily used gpg-agent/scdaemon also as SSH agent and it works really well without any issues.

But setting this up (w/ Ubuntu+Gnome) is still a ridiculous task:

- Ensure gnupg2, scdaemon, pinentry-gnome3 are installed

- cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart/

- edit ~/.config/autostart/gnome-keyring-ssh.desktop and add "X-GNOME-Autostart-enabled=false"

- edit ~/.gnupg/gpg-agent.conf and add "enable-ssh-support"

Gnome session startup will read both the "X-GNOME-Autostart-enabled=false" and the "enable-ssh-support" and set up and start gpg-agent as ssh agent in the session. There are other ways to disable a .desktop file, but the String "X-GNOME-Autostart-enabled=false" has to be there for this to work.

When all this is set up, usability is excellent. The system will even prompt to plug in the right yubikey when you ssh into something. No need to add/remove the card to/from the agent.
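The four steps above as one idempotent POSIX sh script (an added example, not code from the comment): it copies and disables the gnome-keyring autostart entry, adds `enable-ssh-support`, and checks that both markers are in place. Paths default to the ones named in the comment but can be passed explicitly; the package install step is assumed to be done with apt beforehand.

```shell
#!/bin/sh
# Added example (not from the HN comment): idempotently applies the setup
# steps so gpg-agent is the session SSH agent on Ubuntu+Gnome.
set -eu

# Append a line to a file unless that exact line is already present.
ensure_line() {
  file=$1; line=$2
  mkdir -p "$(dirname "$file")"
  touch "$file"
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Steps 2+3: copy the system autostart entry into the user's autostart dir
# and mark it disabled; the literal string is what gnome-session looks for.
disable_gnome_keyring_ssh() {
  src=${1:-/etc/xdg/autostart/gnome-keyring-ssh.desktop}
  dst=${2:-$HOME/.config/autostart/gnome-keyring-ssh.desktop}
  mkdir -p "$(dirname "$dst")"
  [ -f "$dst" ] || cp "$src" "$dst"
  ensure_line "$dst" "X-GNOME-Autostart-enabled=false"
}

# Step 4: tell gpg-agent to also serve the SSH agent protocol.
enable_gpg_agent_ssh() {
  conf=${1:-$HOME/.gnupg/gpg-agent.conf}
  ensure_line "$conf" "enable-ssh-support"
  chmod 700 "$(dirname "$conf")"   # gpg warns if the homedir is group/world accessible
}

# Returns 0 only when both markers are in place, i.e. the next Gnome login
# will skip gnome-keyring's SSH agent and start gpg-agent with SSH support.
check_setup() {
  desktop=${1:-$HOME/.config/autostart/gnome-keyring-ssh.desktop}
  conf=${2:-$HOME/.gnupg/gpg-agent.conf}
  if grep -qxF 'X-GNOME-Autostart-enabled=false' "$desktop" 2>/dev/null &&
     grep -qxF 'enable-ssh-support' "$conf" 2>/dev/null; then
    return 0
  fi
  return 1
}

case "${1:-}" in
  apply)   # step 1 (package install) is left to apt and is not scripted here
    disable_gnome_keyring_ssh
    enable_gpg_agent_ssh
    check_setup && echo "configured; log out and back in for it to take effect" ;;
  *) echo "usage: $0 apply" ;;
esac
```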

And yet, scdaemon will still hang every time you suspend on linux[0]. I've written a udev rule to somewhat mitigate this[1], but it's still really annoying that seemingly nobody cares enough to fix this issue.

[0] https://wiki.gnupg.org/SmartCard#Known_problem_of_Yubikey

[1] https://github.com/Tharre/pkgbuilds/blob/master/arch-system/...

I recommend using the winscard/pcsc interface directly. winscard is a standard library on Windows, PCSC.framework is standard on Mac OS, and libpcsclite is available on Linux by installing pcscd/pcsc-lite.

I recently implemented a library (https://github.com/pyauth/exile) to use Yubikeys to sign AWS API requests, which required writing Python ctypes bindings to call these libraries. It turned out to be fairly easy once I threw away the idea that I should rely on any of the intermediary libraries, and just started talking via the winscard/PCSC protocol directly.
