GnuPG and PC/SC conflicts

GnuPG

" GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications. "

GnuPG supports smart cards through the OpenPGP application in the card or token. See "How to use the Fellowship Smartcard" for more details.

PC/SC

PC/SC (defined by the PC/SC workgroup) is the "standard" way to access smart cards and smart card readers.

pcsc-lite is a Free Software implementation of the PC/SC standard, often used on Unix systems.
pcscd is the daemon, part of pcsc-lite, that accesses the smart card readers.

The problem

By default GnuPG accesses smart cards on its own, through its scdaemon helper process and its built-in CCID driver.

If you use both GnuPG and PC/SC on the same system you may run into problems.

scdaemon gets access

If scdaemon is started before pcscd then the smart card reader will not be available at the PC/SC level, because scdaemon already holds the reader's USB interface.
In the pcscd logs you get the error:
ccid_usb.c:653:OpenUSBByName() Can't claim interface 1/12: LIBUSB_ERROR_BUSY

pcscd gets access

If pcscd is started before scdaemon then the smart card will not be available at the GnuPG level.
You get the error:
$ gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device

It is becoming a FAQ (Debian bug #925312, a GitHub issue) so I decided to document the possible solutions.

The solutions

Remove pcscd from your system

The obvious solution to avoid the conflict is to remove one of the two participants.
If you use your smart card only with GnuPG then you can remove pcscd entirely.

But if you have pcscd installed it may be for a good reason. You may want/need to use PC/SC for other applications.

Tell GnuPG to use PC/SC

Another solution is to make GnuPG and pcscd cooperate instead of competing for the reader.
Luckily this is possible using the scdaemon option --disable-ccid.

From the documentation:

--disable-ccid
Disable the integrated support for CCID compliant readers. This allows falling back to one of the other drivers even if the internal CCID driver can handle the reader. Note, that CCID support is only available if libusb was available at build time.

With this option scdaemon uses PC/SC (that is, pcscd) to talk to the smart card and the conflict is solved.

It is possible to tell scdaemon to always use this option by adding it to the scdaemon configuration file. By default this file is ~/.gnupg/scdaemon.conf and it should contain the line:
disable-ccid

When you try this, be sure to kill any running scdaemon process so that it is restarted with the new option.
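As an added example (not code from the original post), a POSIX shell script that applies this fix idempotently: it adds disable-ccid to scdaemon.conf only if an active line is not already there, then stops scdaemon with gpgconf --kill so the next gpg call starts it with the new option. The function names and the SCDAEMON_CONF variable are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the disable-ccid fix.
# Function names and the SCDAEMON_CONF variable are my own choices.

# Succeed if the configuration file already has an active "disable-ccid" line
# (a commented-out line does not count).
has_disable_ccid() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*disable-ccid[[:space:]]*$' "$1"
}

# Append "disable-ccid" unless it is already there, creating the file if
# needed; running it twice does not duplicate the line.
ensure_disable_ccid() {
    if has_disable_ccid "$1"; then
        return 0
    fi
    mkdir -p "$(dirname "$1")"
    printf '%s\n' 'disable-ccid' >> "$1"
    chmod 600 "$1"    # keep the file private like the rest of ~/.gnupg
}

# Stop the running scdaemon so the next gpg call starts a fresh one that
# reads the new option. gpgconf --kill is GnuPG's own way to do this.
restart_scdaemon() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill scdaemon
    else
        pkill -x scdaemon 2>/dev/null || true
    fi
}

# Usage (interactive):
#   SCDAEMON_CONF="${GNUPGHOME:-$HOME/.gnupg}/scdaemon.conf"
#   ensure_disable_ccid "$SCDAEMON_CONF" && restart_scdaemon && gpg --card-status
# gpg --card-status should now show the card instead of "No such device".
```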

Conclusion

I don't know if the problem comes from pcscd or from GnuPG.

The good news is that there is a solution.

https://www.pcscworkgroup.com/ is back

After a few days the PC/SC work group web site is available again.
https://www.pcscworkgroup.com/

One week ago in "http://www.pcscworkgroup.com is gone" I announced that the website was dead. It has now resurrected.

PC/SC specifications copies

I will keep my PC/SC specifications copies at https://muscle.apdu.fr/www.pcscworkgroup.com/ just in case the official web site disappears again.

WHQL test cards

It is now also possible to order the "PC/SC Test Card Set V2.0" from https://www.pcscworkgroup.com/product/pcsc-test-card-set-v2-0/.
The price is $1000 for 5 cards.

I am not sure I will buy a few sets just to speculate on the PC/SC website dying again. 😏

PC/SC workgroup and WHQL test cards

PC/SC work group

The PC/SC work group did not only update and distribute the PC/SC specification. It was also the reseller of the set of smart cards used by the WHQL process.

WHQL

WHQL is Windows Hardware Quality Labs. I am not a Windows user (and even less an expert) so I may be wrong here.

It looks like smart card reader drivers need to go through the WHQL process to be signed by Microsoft and accepted by Windows systems.
The WHQL process for smart card reader drivers required the use of a specific set of cards. This set of cards was sold by the PC/SC work group.

Test cards set

Since the PC/SC work group is now dead (see "http://www.pcscworkgroup.com is gone") it is no longer possible to buy such a card set.

The Internet Archive does not have a copy of the "Test Cards" or "Test Cards Ordering" pages. I never used such test cards myself. I don't know what the procedure was to order a Test Cards set.

Solution

I can't help here.
The best I can think of is to contact Microsoft so that they provide the Test Cards set themselves, or change the WHQL process to use something else.

Maybe some company that has one (or more) complete Test Cards sets can rent them out for a good amount of money. If the set is rare it should be expensive (supply and demand). Why don't I have such a set myself? 😀

http://www.pcscworkgroup.com is gone

For a few days/weeks now the web site http://www.pcscworkgroup.com has been unavailable (HTTP error 404).
This web site hosted the PC/SC specification. This specification is implemented as the WinSCard API on Windows and by pcsc-lite on Unix.

PC/SC is the standard way to access smart card readers and smart cards from a Windows or Unix system.
See "PC/SC sample in different languages" for some examples.

Last days

The death of the web site was not announced on any PC/SC mailing list I know.

The latest meeting of the PC/SC members was in December 2016.
The latest email I received from the pcscmembers mailing list was in January 2018.
 
I guess the group ran out of money (not enough paying members) and the company managing the website and meetings (at a very high price) just stopped providing services.

Are the PC/SC specifications mature enough, or did the PC/SC members just move on to something else?
It is important to note that Windows never implemented the latest version of PC/SC v2 part 10 (to support pinpad readers in the Windows CCID driver, for example). So working on a specification that is not implemented by the major provider is somewhat useless.

Web site copies

The web site was still available on the 9th of January 2019 and it has been archived by the Internet Archive (Wayback Machine) at https://web.archive.org/web/20190109211601/https://www.pcscworkgroup.com/

The specification files are also available from the Internet Archive at https://web.archive.org/web/20170904222045/https://www.pcscworkgroup.com/specifications/download/

PC/SC specifications copies

I decided to host a copy of the PC/SC specification documents on https://muscle.apdu.fr/www.pcscworkgroup.com/.
I used the copies I made for my own use. Now that the official web site is down I am making them public.

Conclusion

It is sad to see a website disappear silently with no warning.
If you have other PC/SC public documents you want to share just tell me.

Surprising request from a law firm

A few weeks ago I received this email:

From: legal@axur.com
To: Ludovic.Rousseau@gmail.com
Subject: [high priority] [19444663] Content Removal - SENSITIVE DATA

Dear Sir/Madam,

Our company, AXUR, represents C.......R in issues involving the violation of intellectual property and fraud on the Internet.

C.......R is the only company authorized to use the trademark and owns or licenses numerous trademark registrations worldwide, including, but not limited to the following registration number 825503736.

The trademarks, logos, words and phrases registered by C.......R shall be exclusively used by C.......R and any other use by a third party constitutes a trademark infringement.

It has come to our attention that the reported content provides related content (see attached) to the trademark without having obtained prior written authorization from C.......R . More specifically, this content discloses SENSITIVE DATA from our client or its customer, creating a Likelihood of Confusion between the trademark and the reported content.

Furthermore, by misusing the trademark on your website, you are also diluting its use, because it weakens the ability of brand identification as a single source of research and may lead consumers to believe that there is some association between C.......R and your website.

Official Website: https://www.c.......rsolucoes.com.br/

Considering the violation of intellectual property rights of C.......R on your website, we kindly request that you remove all content available on the attached URL(s) which use the above mentioned trademark without having obtained prior authorization.

In order to avoid a lawsuit from a federal court, please, send confirmation that this email was received along with your guarantee to comply with the requests reported above.

Under penalty of perjury, we affirm that AXUR is authorized to act on behalf of the C.......R and this notification is in accordance with International Regulations of Internet and Intellectual Property Offices.

Should you require further information or should you prefer to discuss this issue, please do not hesitate to contact us through the e-mail address listed on the signature of this message.

Sincerely,

AXUR
Legal Team
legal@axur.com

ATTACHMENT:
https://raw.githubusercontent.com/LudovicRousseau/pcsc-tools/master/smartcard_list.txt

I replaced the real trademark with "C.......R" to avoid receiving a new email asking to remove this blog article :-)

I also received the same email but with a different subject "[high priority] [19444667] Content Removal" for the same list but with a different URL: https://github.com/LudovicRousseau/pcsc-tools/blob/master/smartcard_list.txt

Actions

I updated the list of ATRs to remove any mention of "C.......R".

I asked legal@axur.com to confirm that the ATR list was now OK. I got no answer.

I also wrote them I would blog about it and got no answer as well.

pam_pkcs11: new version 0.6.11

About

From the project wiki page:
This Linux-PAM login module allows a X.509 certificate based user login. The certificate and its dedicated private key are thereby accessed by means of an appropriate PKCS #11 module. For the verification of the users’ certificates, locally stored CA certificates as well as either online or locally accessible CRLs are used.

The idea is to use a smart card and its corresponding PKCS#11 library to log in (and more) to a GNU/Linux system.

Changes:

22 May 2019
  • Version 0.6.11
  • Support OpenSSL 1.1.0
  • use green instead of blue text for logs on the console
  • Solaris runs build process outside of srcdir
  • Fix openssh_mapper_match_keys() for OpenSSL 1.0 & 1.1
  • Fix 64-bit pkcs11_inspect(1) fails on SPARC with a SIGBUS due to misaligned access
  • Add support of ECDSA signature in addition to RSA

Download

Download the .tar.gz archive from https://sourceforge.net/projects/opensc/files/pam_pkcs11/

The .tar.gz or .zip files available from GitHub are not complete (the ./configure script is missing, for example).

History

In a previous blog article "pam_pkcs11: new/last version 0.6.9" (3 years ago) I wrote that it was my last release of pam_pkcs11.
  1. But I had to work on a problem related to the use of pam_pkcs11.
  2. I discovered that the version 0.6.10 (released by Paul Wolneykien, thanks) was not available in Debian.
  3. I decided to upgrade the Debian package.
  4. But version 0.6.10 broke support of OpenSSL 1.1.0 and the build for Debian failed.
  5. So I had to fix that and decided to also merge submitted patches and fix other reported bugs.
That is why you now have a new version of pam_pkcs11.

New PyKCS11 1.5.5 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.
See "PyKCS11 introduction" or "PyKCS11’s documentation".

Changes:

1.5.5 - April 2019, Ludovic Rousseau
  • fix source package generation

1.5.4 - April 2019, Ludovic Rousseau
  • getTokenInfo: replace NUL char by ' ' in utcTime
  • dumpit:
    • print hardwareVersion and firmwareVersion
    • print slot flags
    • move to next slot if token not present
  • add support of CKA_WRAP_TEMPLATE/CKA_UNWRAP_TEMPLATE
  • add samples for ECC key generation and use
  • move from distutils to setuptools
  • upload of wheels to pypi on "make dist"

PySCard 1.9.8 released

I just released a new version 1.9.8 of pyscard. PySCard is a Python module adding smart card (PC/SC) support to Python.

The PySCard project is available at:


Changes

1.9.8 (March 2018)

  • SmartcardException: store the PC/SC return code in hresult
  • CardMonitoring: stop the looping only if PCSC exited
  • setup: support build on OpenBSD, and other BSD
  • Fix Windows 10 SCARD_E_SERVICE_STOPPED from SCardListReaders()
  • Minor documentation improvements

New version of pcsc-lite: 1.8.25

I just released a new version of pcsc-lite 1.8.25.
pcsc-lite is a Free Software implementation of the PC/SC (or WinSCard) API for Unix systems.

Changes
1.8.25: Ludovic Rousseau
25 March 2019

  • Fix a socket issue when pcscd is used inside LXC container
  • pcsc-spy: always provide a total time of execution
  • Fix resource leak if SCardEstablishContext() fails
  • Fix realloc(3) error handling (possible memory leak)
  • Remove usage of function chmod(2) to use fchmod(2) (fix race condition)

ATR statistics: TA4

Article from the series "ATR statistics"

TA4

The first TA for T=15 encodes the clock stop indicator (X) and the class indicator (Y). The default values (used when this TA is absent) are X = "clock stop not supported" and Y = "only class A supported".

Bits 8 and 7 indicate whether the card supports clock stop (≠ 00) or not (= 00) and, when supported, which state is preferred on the electrical circuit CLK when the clock is stopped.
  • 00b: Clock stop not supported
  • 01b: State L
  • 10b: State H
  • 11b: No preference

Bits 6 to 1 indicate the classes of operating conditions accepted by the card. Each bit represents a class: bit 1 for class A, bit 2 for class B and bit 3 for class C.
  • 00 0001b: A only
  • 00 0010b: B only
  • 00 0100b: C only
  • 00 0011b: A and B
  • 00 0110b: B and C
  • 00 0111b: A, B and C
  • Any other value: RFU

TA4        #      %
(absent)   2009   96.96 %
0x03       27     1.30 %
0x83       15     0.72 %
0xC3       12     0.58 %
0x07       6      0.29 %
0x43       2      0.10 %
0xC7       1      0.05 %

Clock stop      #     %
not supported   33    52.38 %
state L         2     3.17 %
state H         15    23.81 %
no preference   13    20.63 %

The class defines the supply voltage the card can use:
  • class A: 5 V
  • class B: 3 V
  • class C: 1.8 V
Some readers can't provide 5 V. For example the Gemalto CT1100 reader only provides 3 V. The default value for TA4 is "only class A supported". Some (old) cards require 5 V to work and will not work with a CT1100. That can be surprising.

Class       #     %
A & B       56    88.89 %
A & B & C   7     11.11 %
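As an added example (not code from the article), a small Python decoder for the first TA for T=15 following the bit layout described above, which then recomputes the clock stop and class tables from the TA4 counts quoted from the article; it also goes one step further with a check of whether a card can work with a 3 V only reader such as the CT1100. Function names and the TA4_COUNTS dictionary are my own constructions (the counts are copied from the table).

```python
# Added example (not from the article): decode the first TA for T=15 (TA4 in
# the tables above) and recompute the clock stop / class tables from the
# article's TA4 counts. Function names and TA4_COUNTS are my own constructions
# (the counts are copied from the article's table).

CLOCK_STOP = {0b00: "not supported", 0b01: "state L",
              0b10: "state H", 0b11: "no preference"}
CLASS_VOLTAGE = {"A": 5.0, "B": 3.0, "C": 1.8}  # volts, per the article
DEFINED_CLASS_SETS = (0b001, 0b010, 0b100, 0b011, 0b110, 0b111)

def decode_ta_t15(ta):
    """Return (clock_stop, classes) for one TA byte of T=15.

    Bits 8-7 (X) select the clock stop behaviour, bits 6-1 (Y) the accepted
    classes; Y values other than the six listed in the article are RFU."""
    if not 0 <= ta <= 0xFF:
        raise ValueError("TA must be a single byte")
    x, y = (ta >> 6) & 0b11, ta & 0b111111
    if y not in DEFINED_CLASS_SETS:
        raise ValueError("RFU class indicator 0x%02X" % y)
    classes = tuple(c for bit, c in ((0, "A"), (1, "B"), (2, "C"))
                    if (y >> bit) & 1)
    return CLOCK_STOP[x], classes

def card_usable_with_reader(ta, reader_voltages):
    """True if the card accepts a voltage the reader can supply, e.g. a
    3 V only reader such as the CT1100 mentioned in the article."""
    _, classes = decode_ta_t15(ta)
    return any(CLASS_VOLTAGE[c] in reader_voltages for c in classes)

# Counts of ATRs carrying TA4, copied from the article's table.
TA4_COUNTS = {0x03: 27, 0x83: 15, 0xC3: 12, 0x07: 6, 0x43: 2, 0xC7: 1}

def aggregate(counts):
    """Group TA4 counts by clock stop value and by class set."""
    by_clock_stop, by_class = {}, {}
    for ta, n in counts.items():
        clock_stop, classes = decode_ta_t15(ta)
        by_clock_stop[clock_stop] = by_clock_stop.get(clock_stop, 0) + n
        by_class[classes] = by_class.get(classes, 0) + n
    return by_clock_stop, by_class

if __name__ == "__main__":
    for ta in sorted(TA4_COUNTS):
        print("0x%02X -> %s, classes %s" % ((ta,) + decode_ta_t15(ta)))
    print(aggregate(TA4_COUNTS))
```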