Technical understanding

Hello there.
Happy new Year!

After I recently had some success using the nk3 (as root), I want to gain knowledge about how to get this working on my machine.
I still use Mageia 8. This is a Mandriva derivative and so an RPM-based system.

What I understand so far from reading this page is:

You need

  • scdaemon with ccid >= 1.5
  • pcsc-lite in a supported version >= 1.9.8
  • mandatory lib-usb (Version min?)
  • mandatory gpg[2] (Version min?)

to access the nk3.

Last year I was able to install the `pcsc-lite` lib (1.9.8), which
gave me access as root to the key after I started the pcscd daemon.

Now my question(s).

  • Can I override the pcsc-lite lib with the recent one (2.0.1)?
  • Since I manually installed the pcsc-lite lib, dnf did not recognize this. My Linux knows the old 1.9.0 and the old 1.4.3 version of ccid. Is it a good idea to install other software like pcsc-tools via dnf if they do not match in version?
  • What should I prefer? Using ccid when available (with Mageia 9) or staying with pcsc-lite?
  • Are there other useful applications to know (like pcsc-tools) to interact with the key or to get the most functionality from the key?

As @saper pointed out, the polkit service may block an ordinary user from accessing the key.

I guess it is not the best way to use the nk3 only as admin.

Regards
T.L.

Maybe we should keep it together with your other thread, please.

Sure, you can. There are a few ways to do this, out of scope for this forum.
But I think this is not a solution to your problem, unless you build it with polkit integration disabled.

No.

I think part of your problem is that those tools are not heavily maintained in the distribution of your choice. It is a well-known problem with many Linux distributions, and if you decide to use something less mainstream there is a chance that you will not get the updates you need from the distribution.

Fortunately, you always have the following choices:

  • Use some different system. I use FreeBSD (a different beast), Alma Linux 8 and 9 and Red Hat Enterprise Linux 8 and 9.
  • Build everything from source and not use RPM packages
  • (advanced, not recommended for beginners) - rebuild your own RPM packages with updated versions and install with dnf

You need ccid and pcsc-lite can be very useful. It is not either/or. It is a set of tools that use each other.

It depends what you want to do with it. You might want to get openssl to work with it. You might try Mozilla’s NSS library and tools and integrate them with PKCS#11. You can use Mozilla Thunderbird to sign/encrypt email with S/MIME standard.

Please be aware that unless configured in a complicated way, GPG likes to have the smartcard “to itself”. If the scdaemon program is running, other tools like pkcs11-tool or Thunderbird will not get access to the token while scdaemon is running.

Hello @saper
Thank you for the detailed answer.

You need ccid and pcsc-lite can be very useful. It is not either/or. It is a set of tools that use each other.

Reading this:
There are two common smartcard services on Linux systems: scdaemon, GnuPG’s smartcard daemon, and pcscd, a generic smartcard daemon. scdaemon has two drivers for accessing smartcards: Its integrated ccid driver tries to directly access the smartcard. The pcsc driver uses the pcscd daemon instead.

I thought it is either/or.

That is awkward. I bought a tool only usable as a Linux expert for my Linux system.

They should be fair and tell the user what kind of Linux system is supported well.

Thank you.

If you tell scdaemon to disable-ccid, it will use pcscd infrastructure.

“Your Linux system” is Mageia with out-of-date software. This might be a problem, but as an expert you can overcome it by rebuilding the packages.
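
An added example, not part of any post in this thread: a small shell check for which reader path scdaemon is configured to use (the `disable-ccid` setting mentioned above) and whether a running scdaemon may be holding the token. The function names are hypothetical, and the config location `${GNUPGHOME:-$HOME/.gnupg}/scdaemon.conf` is assumed to be the default one.

```shell
#!/bin/sh
# Added example: inspect scdaemon.conf to see which smartcard path is configured.
# Function names are hypothetical; config path assumes the GnuPG default home.

# has_option FILE OPTION -> exit 0 if OPTION is an active (uncommented) line
has_option() {
    [ -f "$1" ] || return 1
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# scd_reader_path FILE -> prints "pcscd" when disable-ccid is set,
# otherwise "internal-ccid" (scdaemon tries its integrated driver first)
scd_reader_path() {
    if has_option "$1" disable-ccid; then
        echo pcscd
    else
        echo internal-ccid
    fi
}

# scd_report -> human-readable summary for the current user
scd_report() {
    conf="${GNUPGHOME:-$HOME/.gnupg}/scdaemon.conf"
    path=$(scd_reader_path "$conf")
    echo "scdaemon reader path: $path (from $conf)"
    if [ "$path" = pcscd ] && ! pgrep -x pcscd >/dev/null 2>&1; then
        echo "warning: disable-ccid is set but no pcscd process was found"
    fi
    if pgrep -x scdaemon >/dev/null 2>&1; then
        echo "note: scdaemon is running and may hold the token;"
        echo "      'gpgconf --kill scdaemon' releases it for other tools"
    fi
}

# Run the summary only when asked: sh this_script.sh report
if [ "${1:-}" = "report" ]; then
    scd_report
fi
```

Run it as the ordinary user, not as root, since each user has their own GnuPG home and scdaemon instance.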