Fedora: Unable to connect NitroKey 3 to gnupg

I have set the udev rules and followed the Fedora specific instructions, but I just can’t understand why gpg is not finding the NitroKey.

gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

The NitroKey is good, I have another Fedora computer and it works just fine.
Any troubleshooting ideas would be greatly appreciated. I have been at this for a while and my head hurts.

Hello,

It might be the udev rules: Setting up The udev Rules - Nitrokey Documentation

1 Like

Thank you for the reply.

Following a GitHub udev troubleshoot, I have:
nitropy nk3 reboot --bootloader =>
Sep 23 10:36:39 Iskra kernel: hid-generic 0003:20A0:42DD.000D: hiddev98,hidraw5: USB HID v1.00 Device [NXP SEMICONDUCTOR INC. USB COMPOSITE DEVICE] on usb-0000:00:14.0-1/input0

udevadm info --query=path /dev/hidraw5 =>
/devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:20A0:42DD.000D/hidraw/hidraw5

udevadm test /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:20A0:42DD.000D/hidraw/hidraw5 =>

This program is for debugging only, it does not run any program
specified by a RUN key. It may show incorrect results, because
some values may be different, or not available at a simulation run.

Trying to open "/etc/systemd/hwdb/hwdb.bin"...
Trying to open "/etc/udev/hwdb.bin"...
=== trie on-disk ===
tool version:          257
file size:        13750479 bytes
header size             80 bytes
strings            2774599 bytes
nodes             10975800 bytes
Loading kernel module index.
Loaded 'libkmod.so.2' via dlopen()
Failed to read $container of PID 1, ignoring: Permission denied
Found container virtualization none.
Using default interface naming scheme 'v257'.
Parsed configuration file "/usr/lib/systemd/network/99-default.link"
Parsed configuration file "/usr/lib/systemd/network/98-default-mac-none.link"
Parsed configuration file "/usr/lib/systemd/network/80-vm-vt.link"
Parsed configuration file "/usr/lib/systemd/network/80-namespace-ns.link"
Parsed configuration file "/usr/lib/systemd/network/80-container-vz.link"
Parsed configuration file "/usr/lib/systemd/network/80-container-ve.link"
Parsed configuration file "/usr/lib/systemd/network/80-container-vb.link"
Parsed configuration file "/usr/lib/systemd/network/80-6rd-tunnel.link"
Created link configuration context.
Reading rules file: /usr/lib/udev/rules.d/01-md-raid-creating.rules
Reading rules file: /usr/lib/udev/rules.d/10-dm.rules
Reading rules file: /usr/lib/udev/rules.d/10-nvidia.rules
Reading rules file: /usr/lib/udev/rules.d/11-dm-lvm.rules
Reading rules file: /usr/lib/udev/rules.d/11-dm-parts.rules
Reading rules file: /usr/lib/udev/rules.d/13-dm-disk.rules
Reading rules file: /usr/lib/udev/rules.d/39-usbmuxd.rules
Reading rules file: /usr/lib/udev/rules.d/40-libgphoto2.rules
Reading rules file: /usr/lib/udev/rules.d/40-usb-media-players.rules
Reading rules file: /usr/lib/udev/rules.d/40-usb_modeswitch.rules
Reading rules file: /etc/udev/rules.d/41-nitrokey.rules
Reading rules file: /usr/lib/udev/rules.d/50-udev-default.rules
Reading rules file: /usr/lib/udev/rules.d/51-dlm.rules
Reading rules file: /usr/lib/udev/rules.d/51-ocfs2.rules
Reading rules file: /usr/lib/udev/rules.d/56-hpmud.rules
Reading rules file: /usr/lib/udev/rules.d/60-autosuspend.rules
Reading rules file: /usr/lib/udev/rules.d/60-block-scheduler.rules
Reading rules file: /usr/lib/udev/rules.d/60-block.rules
Reading rules file: /usr/lib/udev/rules.d/60-cdrom_id.rules
Reading rules file: /usr/lib/udev/rules.d/60-ddcutil-i2c.rules
Reading rules file: /usr/lib/udev/rules.d/60-dmi-id.rules
Reading rules file: /usr/lib/udev/rules.d/60-drm.rules
Reading rules file: /usr/lib/udev/rules.d/60-evdev.rules
Reading rules file: /usr/lib/udev/rules.d/60-fido-id.rules
Reading rules file: /usr/lib/udev/rules.d/60-infiniband.rules
Reading rules file: /usr/lib/udev/rules.d/60-input-id.rules
Reading rules file: /usr/lib/udev/rules.d/60-libjaylink.rules
Failed to open /usr/lib/udev/rules.d/60-nfs.rules, ignoring: Permission denied
Failed to read rules file /usr/lib/udev/rules.d/60-nfs.rules, ignoring: Permission denied
Reading rules file: /usr/lib/udev/rules.d/60-persistent-alsa.rules
Reading rules file: /usr/lib/udev/rules.d/60-persistent-input.rules
Reading rules file: /usr/lib/udev/rules.d/60-persistent-storage-mtd.rules
Reading rules file: /usr/lib/udev/rules.d/60-persistent-storage-tape.rules
Reading rules file: /usr/lib/udev/rules.d/60-persistent-storage.rules
Reading rules file: /usr/lib/udev/rules.d/60-persistent-v4l.rules
Reading rules file: /usr/lib/udev/rules.d/60-sensor.rules
Reading rules file: /usr/lib/udev/rules.d/60-serial.rules
Reading rules file: /usr/lib/udev/rules.d/60-steam-input.rules
Reading rules file: /usr/lib/udev/rules.d/60-steam-vr.rules
Reading rules file: /usr/lib/udev/rules.d/60-tpm-udev.rules
Reading rules file: /usr/lib/udev/rules.d/60-upower-battery.rules
Reading rules file: /usr/lib/udev/rules.d/60-vboxguest.rules
Reading rules file: /usr/lib/udev/rules.d/60_flashrom.rules
Reading rules file: /usr/lib/udev/rules.d/61-kde-bluetooth-rfkill.rules
Reading rules file: /usr/lib/udev/rules.d/63-md-raid-arrays.rules
Reading rules file: /usr/lib/udev/rules.d/64-btrfs-dm.rules
Reading rules file: /usr/lib/udev/rules.d/64-btrfs-zoned.rules
Reading rules file: /usr/lib/udev/rules.d/64-btrfs.rules
Reading rules file: /usr/lib/udev/rules.d/64-ext4.rules
Reading rules file: /usr/lib/udev/rules.d/64-md-raid-assembly.rules
Reading rules file: /usr/lib/udev/rules.d/65-libwacom.rules
Reading rules file: /usr/lib/udev/rules.d/65-persistent-net-nbft.rules
Reading rules file: /usr/lib/udev/rules.d/65-sane-backends.rules
Reading rules file: /usr/lib/udev/rules.d/66-kpartx.rules
Reading rules file: /usr/lib/udev/rules.d/68-del-part-nodes.rules
Reading rules file: /usr/lib/udev/rules.d/69-cd-sensors.rules
Reading rules file: /usr/lib/udev/rules.d/69-dm-lvm.rules
Reading rules file: /usr/lib/udev/rules.d/69-libftdi.rules
Reading rules file: /usr/lib/udev/rules.d/69-libmtp.rules
Reading rules file: /usr/lib/udev/rules.d/69-md-clustered-confirm-device.rules
Reading rules file: /usr/lib/udev/rules.d/70-camera.rules
Reading rules file: /usr/lib/udev/rules.d/70-hypervfcopy.rules
Reading rules file: /usr/lib/udev/rules.d/70-hypervkvp.rules
Reading rules file: /usr/lib/udev/rules.d/70-hypervvss.rules
Reading rules file: /usr/lib/udev/rules.d/70-joystick.rules
Reading rules file: /usr/lib/udev/rules.d/70-libcamera.rules
Reading rules file: /usr/lib/udev/rules.d/70-libfprint-2.rules
Reading rules file: /usr/lib/udev/rules.d/70-memory.rules
Reading rules file: /usr/lib/udev/rules.d/70-mouse.rules
Reading rules file: /usr/lib/udev/rules.d/70-nvmf-autoconnect.rules
Reading rules file: /usr/lib/udev/rules.d/70-nvmf-keys.rules
Reading rules file: /usr/lib/udev/rules.d/70-power-switch.rules
Reading rules file: /usr/lib/udev/rules.d/70-printers.rules
Reading rules file: /usr/lib/udev/rules.d/70-spice-vdagentd.rules
Reading rules file: /usr/lib/udev/rules.d/70-spice-webdavd.rules
Reading rules file: /usr/lib/udev/rules.d/70-touchpad.rules
Reading rules file: /usr/lib/udev/rules.d/70-uaccess.rules
Reading rules file: /usr/lib/udev/rules.d/71-ipp-usb.rules
Reading rules file: /usr/lib/udev/rules.d/71-nvmf-hpe.rules
Reading rules file: /usr/lib/udev/rules.d/71-nvmf-netapp.rules
Reading rules file: /usr/lib/udev/rules.d/71-nvmf-vastdata.rules
Reading rules file: /usr/lib/udev/rules.d/71-prefixdevname.rules
Reading rules file: /usr/lib/udev/rules.d/71-seat.rules
Reading rules file: /usr/lib/udev/rules.d/73-seat-late.rules
Reading rules file: /usr/lib/udev/rules.d/75-net-description.rules
Reading rules file: /usr/lib/udev/rules.d/75-probe_mtd.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-broadmobi-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-cinterion-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-dell-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-dlink-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-ericsson-mbm.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-fibocom-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-foxconn-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-gosuncn-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-haier-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-huawei-net-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-linktop-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-longcheer-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-mtk-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-nokia-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-qcom-soc.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-quectel-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-sierra.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-simtech-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-telit-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-tplink-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-ublox-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-x22x-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-zte-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/78-sound-card.rules
Reading rules file: /usr/lib/udev/rules.d/80-drivers.rules
Reading rules file: /usr/lib/udev/rules.d/80-iio-sensor-proxy.rules
Reading rules file: /usr/lib/udev/rules.d/80-libinput-device-groups.rules
Reading rules file: /usr/lib/udev/rules.d/80-mm-candidate.rules
Reading rules file: /usr/lib/udev/rules.d/80-net-setup-link.rules
Reading rules file: /usr/lib/udev/rules.d/80-nvidia-pm.rules
Reading rules file: /usr/lib/udev/rules.d/80-pktsetup.rules
Reading rules file: /usr/lib/udev/rules.d/80-udisks2.rules
Reading rules file: /usr/lib/udev/rules.d/81-net-dhcp.rules
Reading rules file: /usr/lib/udev/rules.d/84-nm-drivers.rules
Reading rules file: /usr/lib/udev/rules.d/85-nm-unmanaged.rules
Reading rules file: /usr/lib/udev/rules.d/85-regulatory.rules
Reading rules file: /usr/lib/udev/rules.d/90-alsa-restore.rules
Reading rules file: /usr/lib/udev/rules.d/90-bolt.rules
Reading rules file: /usr/lib/udev/rules.d/90-iocost.rules
Reading rules file: /usr/lib/udev/rules.d/90-libinput-fuzz-override.rules
Reading rules file: /usr/lib/udev/rules.d/90-nm-thunderbolt.rules
Reading rules file: /usr/lib/udev/rules.d/90-pipewire-alsa.rules
Reading rules file: /usr/lib/udev/rules.d/90-vconsole.rules
Reading rules file: /usr/lib/udev/rules.d/91-drm-modeset.rules
Reading rules file: /usr/lib/udev/rules.d/95-cd-devices.rules
Reading rules file: /usr/lib/udev/rules.d/95-dm-notify.rules
Reading rules file: /usr/lib/udev/rules.d/95-upower-hid.rules
Reading rules file: /usr/lib/udev/rules.d/95-upower-wup.rules
Reading rules file: /usr/lib/udev/rules.d/98-kexec.rules
Reading rules file: /usr/lib/udev/rules.d/99-nfs.rules
Reading rules file: /usr/lib/udev/rules.d/99-qemu-guest-agent.rules
Reading rules file: /usr/lib/udev/rules.d/99-systemd.rules
Reading rules file: /usr/lib/udev/rules.d/99-vmware-scsi-udev.rules
sd-device: Failed to chase symlinks in "/devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:20A0:42DD.000D/hidraw/hidraw5".                                                                
hidraw5: /usr/lib/udev/rules.d/50-udev-default.rules:17 Importing properties from results of builtin command 'hwdb'                                                                           
hidraw5: hwdb modalias key: "hid:b0003g0001v000020A0p000042DD"
hidraw5: hwdb modalias key: "usb:v20A0p42DDd0300dc00dsc00dp00ic03isc00ip00in00"
hidraw5: /usr/lib/udev/rules.d/60-fido-id.rules:5 Importing properties from results of 'fido_id'                                                                                              
hidraw5: Starting 'fido_id'
Successfully forked off '(spawn)' as PID 25067.
Skipping PR_SET_MM, as we don't have privileges.
hidraw5: 'fido_id'(err) 'Failed to get current device from environment: Invalid argument'
hidraw5: Process 'fido_id' failed with exit code 1.
hidraw5: /usr/lib/udev/rules.d/60-fido-id.rules:5 Command "fido_id" returned 1 (error), ignoring                                                                                              
hidraw5: /usr/lib/udev/rules.d/71-seat.rules:75 Importing properties from results of builtin command 'path_id'                                                                                
hidraw5: /usr/lib/udev/rules.d/73-seat-late.rules:16 RUN 'uaccess'
Properties:
  DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:20A0:42DD.000D/hidraw/hidraw5
  DEVNAME=/dev/hidraw5
  MAJOR=242
  MINOR=5
  ACTION=add
  SUBSYSTEM=hidraw
  TAGS=:uaccess:seat:
  CURRENT_TAGS=:seat:uaccess:
  ID_VENDOR_FROM_DATABASE=Clay Logic
  ID_MODEL_FROM_DATABASE=Nitrokey 3A NFC Bootloader/3C NFC Bootloader
  ID_PATH_WITH_USB_REVISION=pci-0000:00:14.0-usbv2-0:1:1.0
  ID_PATH=pci-0000:00:14.0-usb-0:1:1.0
  ID_PATH_TAG=pci-0000_00_14_0-usb-0_1_1_0
  ID_FOR_SEAT=hidraw-pci-0000_00_14_0-usb-0_1_1_0
  USEC_INITIALIZED=41408062345
  ID_PROCESSING=1
Tags:
  uaccess
  seat
Inotify watch:
  disabled
Queued commands:
  RUN{builtin} : uaccess
Unload kernel module index.
Unloaded link configuration context.

Why are you following this GitHub issue from 2022 ?

You just need to install the udev rules as explained in the documentation and then try again to do the GPG command to see if it’s fixed.

additionally do you have pcscd installed ?

The NitroKey documentation for setting up the udev rules has a link to that old GitHub comment for getting some debugging hints.
The udev rules are installed, you can see in the udevadm test:

[...]
Reading rules file: /usr/lib/udev/rules.d/40-usb_modeswitch.rules
Reading rules file: /etc/udev/rules.d/41-nitrokey.rules
Reading rules file: /usr/lib/udev/rules.d/50-udev-default.rules
[...]

> additionally do you have pcscd installed ?

Yep, it looks to be installed and working.

cocolino@Iskra:~$ systemctl status pcscd
● pcscd.service - PC/SC Smart Card Daemon
     Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Thu 2025-09-25 15:50:24 BST; 49min ago
 Invocation: 5dbc6ab390d34432a450bc8f9fea2114
TriggeredBy: ● pcscd.socket
       Docs: man:pcscd(8)
   Main PID: 25331 (pcscd)
      Tasks: 9 (limit: 38000)
     Memory: 1.8M (peak: 3.2M)
        CPU: 467ms
     CGroup: /system.slice/pcscd.service
             └─25331 /usr/bin/pcscd --foreground --auto-exit

Sep 25 15:50:24 Iskra systemd[1]: Started pcscd.service - PC/SC Smart Card Daemon.

But gpg --card-status still returns:

gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

Hello, still no progress on this. If anyone has an idea of what I could try let me know.

I am following the Fedora guide for setting up PGP with the NitroKey.

=> NitroKey firmware version: 1.8.2

=> lsusb reports: Bus 001 Device 011: ID 20a0:42b2 Clay Logic Nitrokey 3A Mini/3A NFC/3C NFC

=> pcsc-lite is installed and running

=> I have run the command: systemctl enable pcscd.socket pcscd.service && systemctl start pcscd.socket

=> I have connected libpcsclite to pcscd and shared access to `pcscd`, I have cat ~/.gnupg/scdaemon.conf:

pcsc-driver /usr/lib64/libpcsclite.so.1                                                                                                      
pcsc-shared

=> gpg --card-status reports that no card is found.

P.S. Links to docs [dot] nitrokey [dot] com are not allowed? o.O What? Why? I wanted to show what guide I am following.
P.S.S. My post was flagged as spam by “the community“. What did I do wrong…?

> P.S.S. My post was flagged as spam by “the community“. What did I do wrong…?

Discourse, the software running this support portal, thinks that if you post a link in your first post you might be a spammer. Sorry for that… I think the moderators have published your post now for everyone to see.

2 Likes

If you install opensc, do pkcs11-tool -T or openpgp-tool -C show something?

Sometimes I start pcscd with the pcscd -adf flags in the foreground to see what is wrong, but you would need to tell systemd not to interfere with that.

1 Like

Also please check pcsc-lite and polkit | Ludovic Rousseau's blog - depending on your Fedora and/or pcscd version you might need to allow the user you are using to access the smartcards.

(If pkcs11-tool -T can see the USB key as root, but not as an unprivileged user, this is a polkit issue).

2 Likes

Hello, thank you for your time.

I did make some slight progress on this issue since. The problem has something to do with permissions, I can do `gpg --card-status` as root:

cocolino@Iskra:~$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

cocolino@Iskra:~$ sudo gpg --card-status
[sudo] password for cocolino: 
Reader ...........: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Application ID ...: D276000124010304000FBA82BE340000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Nitrokey
Serial number ....: BXXXXXX4
Name of cardholder: Mircea Arva
Language prefs ...: en
Salutation .......: Mr.
URL of public key : https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xd8e70dac2cb9f4de272800d58ccaf633b6859e80
Login data .......: cocolinofan
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 10
KDF setting ......: off
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: 9C63 E625 D682 4636 EBC4  C897 C1B1 AA54 34C7 55A0
      created ....: 2024-01-26 19:50:12
Encryption key....: B8C7 68A7 5BB3 EB6D 9603  31E8 BB39 FA2D 78C5 8B67
      created ....: 2024-01-26 19:52:50
Authentication key: F14D 2F7D 0FD7 82B7 316F  B2DE 5EF0 4E40 6E0C 0E1D
      created ....: 2024-01-26 19:54:22
General key info..: [none]

pkcs11-tool -T results:

cocolino@Iskra:~$ pkcs11-tool -T
Available slots:
No slots.
cocolino@Iskra:~$ sudo pkcs11-tool -T
Available slots:
No slots.

My udev rules are identical between the two Fedora computers (I can do gpg --card-status as the user on one, but not the other):

cocolino@Iskra:~$ getfacl /dev/hidraw0
getfacl: Removing leading '/' from absolute path names
# file: dev/hidraw0
# owner: root
# group: root
user::rw-
group::---
other::---

Solved it! :open_mouth: I will leave the rest of the message; maybe it will help someone in the future.
There was an extra line in my .gnupg/scdaemon.conf: reader-port 20A0:42B2:X:0. My old config looked like this:

###+++--- GPGConf ---+++###
reader-port 20A0:42B2:X:0
###+++--- GPGConf ---+++### Thu 28 Aug 2025 12:37:04 BST
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.
pcsc-driver /usr/lib64/libpcsclite.so.1
card-timeout 5
disable-ccid

Don’t know how it got there, but after I commented it out everything works as expected.

Steps to fix:
→ edit .gnupg/scdaemon.conf
→ make sure that everything that’s in there is:

pcsc-driver /usr/lib64/libpcsclite.so.1
card-timeout 5
disable-ccid

→ run gpgconf --kill gpg-agent and sudo systemctl restart pcscd

1 Like
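
A check for the cause found in this thread, as an added example that is not part of the original posts: it lists the active options in a scdaemon.conf and flags a `reader-port` line that pins scdaemon to one reader. Treating a VENDOR:PRODUCT:serial:index value combined with `disable-ccid` as a mismatch is an assumption based on the config shown above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the active options in a GnuPG scdaemon.conf.

# Print every active line (comments, GPGConf markers and blanks dropped).
scd_active_options() {
    sed -e 's/[[:space:]]*$//' -e '/^[[:space:]]*#/d' \
        -e '/^[[:space:]]*$/d' -e 's/^[[:space:]]*//' "$1"
}

# Print the value of option $2 in file $1 (first active occurrence).
scd_option_value() {
    scd_active_options "$1" |
        awk -v opt="$2" '$1 == opt { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Succeed if option $2 is active in file $1.
scd_has_option() {
    scd_active_options "$1" | awk -v opt="$2" '$1 == opt { f = 1 } END { exit !f }'
}

# Return 0: no reader pinned. 1: reader pinned by name.
# Return 2: pinned with a USB-ID style value while disable-ccid is set
#           (assumed mismatch: PC/SC lists readers by name, not USB ID).
scd_audit() {
    port=$(scd_option_value "$1" reader-port)
    [ -z "$port" ] && return 0
    if scd_has_option "$1" disable-ccid &&
       printf '%s\n' "$port" |
           grep -Eq '^[0-9A-Fa-f]{4}:[0-9A-Fa-f]{4}:[^:]*:[0-9]+$'; then
        echo "reader-port '$port' is a USB ID, but disable-ccid selects PC/SC"
        return 2
    fi
    echo "reader-port pins scdaemon to '$port'"
    return 1
}

# Audit a constructed copy of the old config quoted in the thread.
scd_demo() {
    f=$(mktemp) || return 3
    printf '%s\n' '###+++--- GPGConf ---+++###' \
        'reader-port 20A0:42B2:X:0' \
        'pcsc-driver /usr/lib64/libpcsclite.so.1' \
        'card-timeout 5' 'disable-ccid' > "$f"
    scd_audit "$f"; demo_rc=$?
    rm -f "$f"
    return "$demo_rc"
}

# Pass a path to audit a real file; with no argument the sample is used.
if [ -n "${1:-}" ]; then scd_audit "$1"; else scd_demo || true; fi
```

To check a real setup, pass the path of the user's own file, for example `"${GNUPGHOME:-$HOME/.gnupg}/scdaemon.conf"`, and compare the result between the working and the failing account.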