gpg doesn’t see my nitrokey,
gpg -vvv --card-status gpg: using character set 'utf-8'
gpg: enabled compatibility flags:
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
while pscs_scan detects it:
pcsc_scan
PC/SC device scanner
V 1.6.2 (c) 2001-2022, Ludovic Rousseau <ludovic.rousseau@free.fr>
Using reader plug'n play mechanism
Scanning present readers...
0: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Wed May 10 09:03:29 2023
Reader 0: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Event number: 0
Card state: Card inserted,
Am I missing some setup element?
I am already using nitrokey FIDO2 in my browsers and pam with no issues, so device setup should be ok.
gpg --version
gpg (GnuPG) 2.2.41
libgcrypt 1.10.2-unknown
After reading release notes I have discovered that GPG is only supported in 1.4 firmware. After upgrade it’s now recognized!
I continue to set is up following this guide
https://docs.nitrokey.com/storage/windows/ecc.html?highlight=gpg
however it doesn’t work:
gpg-connect-agent "SCD SETATTR KEY-ATTR --force 1 19 brainpoolP256r1" /bye
ERR 100663383 Bad PIN <SCD>
I was trying my usual PIN that works for test command.
I can read in one for the screen copies:
Please note that the factory settings of the PINs are
PIN = '123456' Admin PIN = '12345678'
Are this different from FIDO2 PIN? How to change them? The screenprint is proposing something like
You should change them using the command --change-pin
gpg/card> admin
Admin commands are allowed
gpg/card> command --change-pin
Invalid command (try "help")
After some research I’ve found the change pin command.
gpg --change-pin
I’ve changed both normal and Admin pin. Still I am getting error about invalid pin:
gpg-connect-agent "SCD SETATTR KEY-ATTR --force 1 19 brainpoolP256r1" /bye
ERR 100663383 Bad PIN <SCD>
Now I guessed that the new admin pin must be at least 8 digits. It was not mentioned in any guide/doc.
SETATTR commands now passed, but with no effect:
Key attributes ...: rsa2048 rsa2048 rsa2048
I definitely don’t want rsa2048 keys…
I have the same problem, but with firmware 1.4.
pcsc_scan will detect it, but gpg not.
pcsc_scan:
PC/SC device scanner
V 1.6.2 (c) 2001-2022, Ludovic Rousseau ludovic.rousseau@free.fr
Using reader plug’n play mechanism
Scanning present readers…
0: REINER SCT cyberJack RFID komfort (5033634424) 00 00
1: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Wed May 10 06:49:33 2023
Reader 0: REINER SCT cyberJack RFID komfort (5033634424) 00 00
Event number: 0
Card state: Card removed,
Reader 1: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Event number: 0
Card state: Card inserted, Shared Mode,
ATR: 3B 8F 01 80 5D 4E 69 74 72 6F 6B 65 79 00 00 00 00 00 6A
gpg -vvv --card-status:
LANG=C gpg -vvv --card-status
gpg: using character set 'utf-8'
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
GPG:
LANG=C gpg --version
gpg (GnuPG) 2.3.8
libgcrypt 1.10.1-unknown
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later https://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/XXXXX/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
AEAD: EAX, OCB
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
I think I have found all answers for my questions. The remaining part about keys management is here
Hope it will all go to a Nitrokey 3 guide on the main documentation site 
Per default, gnupg uses its own CCID driver, not pcscd. If the card is detected by pcscd, gnupg can no longer access it. There are two solutions:
- Instruct GnuPG to use pcscd by adding
disable-ccid to ~/.gnupg/scdaemon.conf and restart scdaemon with gpg-connect-agent 'SCD KILLSCD' /bye
- Stop pcscd and re-connect the device (make sure that pcscd is not activated again by a socket or similar)
See this guide for more information: Ludovic Rousseau's blog: GnuPG and PC/SC conflicts
Hm, this will not really fix it, because now gpg will take an exclusive lock to the NK3.
So only gpg can use it and no other applications. 
pcsc_scan:
Reader 1: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Event number: 0
Card state: Card inserted, Exclusive Mode,
ATR: 3B 8F 01 80 5D 4E 69 74 72 6F 6B 65 79 00 00 00 00 00 6A
pkcs11-tool --list-slots:
Available slots:
Slot 0 (0x0): REINER SCT cyberJack RFID komfort (5033634424) 00 00
(empty)
Slot 1 (0x4): (GetSlotInfo failed, CKR_DEVICE_ERROR)
Unfortunately, this is a limitation of GnuPG/scdaemon. With more recent releases, you can try to use the --pcsc-shared option for scdaemon so that it no longer requires an exclusive lock. But it still caches some card state, so using it with other applications may cause problems.
An alternative approach could be to use Sequoia PGP and their openpgp-card tools instead which does not require exclusive access to the card.
