Quick tip on using the PIV and PGP applets simultaneously on a YubiKey on macOS.

We use YubiKeys for a variety of purposes, and as this involves using different functionality, we often have to switch between the PGP and PIV applets.

PGP, or "Pretty Good Privacy", is a format for encrypted messages, cryptographic signatures and keys. Initially developed in 1991 by Phil Zimmermann, it was later standardised in RFC4880 as the OpenPGP format. We use PGP to sign git commits, for encrypted email, for code and release signing, and so on. The PGP trust model is based on a web of trust.

PIV, which stands for "Personal Identity Verification", is another format, originally created to authenticate United States federal employees and contractors. It is based on X.509 certificates and is usually accessed through a smart card interface; the current revision of the standard is FIPS 201-2. We use the PIV applet for client-side TLS authentication to some security-critical sites, as well as for our internal X.509 public key infrastructure.

However, after starting to use the YubiKey with OpenSC, we quickly found that there are a few issues unless it is set up correctly: once GnuPG's scdaemon has opened the card it holds an exclusive lock on it, so OpenSC and yubico-piv-tool can't reach the PIV applet while that lock is held.

After a bit of digging around, we found a fix for this.

Installation

Make sure the GnuPG you are using is the one from GPG Suite. They have integrated a patch that lets GnuPG share access to the YubiKey instead of holding an exclusive lock on it.

Now add the line shared-access to ~/.gnupg/scdaemon.conf, for instance by running the command below. Note that scdaemon only reads this file when it starts, so if one is already running you need to stop it and let gpg start a fresh one before the setting takes effect.

echo "shared-access" >> ~/.gnupg/scdaemon.conf

Switching between the PIV and PGP applets

To switch between the applets, just run the command for the one you want to use:

# To use PIV
yubico-piv-tool -astatus
# To use PGP
gpg --card-status
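The installation step and the applet switch above, combined into one script. This is an added example and not part of the original post: it assumes that the gpg on your PATH is GPG Suite's patched build, that yubico-piv-tool is installed, and that gpgconf --kill scdaemon is an acceptable way to make scdaemon pick up the new configuration (gpg starts a new scdaemon on the next card operation). The SCDAEMON_CONF override and the function names are mine.

```shell
#!/bin/sh
# Added example: enable shared-access for GPG Suite's scdaemon idempotently,
# restart scdaemon so it rereads its configuration, then exercise both applets.

# Path of the scdaemon config; override with SCDAEMON_CONF=... for testing.
SCDAEMON_CONF="${SCDAEMON_CONF:-$HOME/.gnupg/scdaemon.conf}"

# Append "shared-access" to the given scdaemon.conf unless it is already there.
# Prints "added" or "present" so the caller knows whether a restart is needed.
ensure_shared_access() {
    conf="$1"
    mkdir -p "$(dirname "$conf")"
    chmod 700 "$(dirname "$conf")"   # gpg warns about a world-readable homedir
    touch "$conf"
    if grep -qx 'shared-access' "$conf"; then
        echo present
    else
        printf 'shared-access\n' >> "$conf"
        echo added
    fi
}

# scdaemon reads its configuration only at startup: stop the running instance
# and gpg will spawn a fresh one (with the new setting) on the next card access.
restart_scdaemon() {
    gpgconf --kill scdaemon
}

# Talk to the PIV applet; this is the call that fails when scdaemon holds
# an exclusive lock on the YubiKey.
use_piv() {
    yubico-piv-tool -a status
}

# Talk to the OpenPGP applet through gpg/scdaemon.
use_pgp() {
    gpg --card-status
}

# Switch PGP -> PIV -> PGP. With shared-access all three calls succeed;
# without it the PIV call in the middle fails because the card is locked.
check_switching() {
    use_pgp >/dev/null && use_piv >/dev/null && use_pgp >/dev/null
}

main() {
    case "$(ensure_shared_access "$SCDAEMON_CONF")" in
        added)   echo "enabled shared-access in $SCDAEMON_CONF"; restart_scdaemon ;;
        present) echo "shared-access already enabled in $SCDAEMON_CONF" ;;
    esac
    if check_switching; then
        echo "both applets reachable"
    else
        echo "switching failed; check that gpg is GPG Suite's build (gpg --version)" >&2
        exit 1
    fi
}

# Only run against the real YubiKey when invoked with an argument,
# e.g. "sh yubikey-shared-access.sh run"; sourcing the file just defines the functions.
if [ "$#" -gt 0 ]; then
    main
fi
```

Run it once with any argument (e.g. "run") after installing GPG Suite; it is safe to re-run, since the config line is only appended once. Remember that the option only exists in GPG Suite's build: if gpg --version shows a different build, take the line out again, because an unpatched scdaemon treats an unknown option in its config file as an error.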

Why this works

The upstream version of GnuPG does not allow sharing the security device and holds an exclusive lock on it while scdaemon has the card open. This was reported to the GPGTools team, and they patched their build to add the shared-access configuration flag, as explained in their write-up of the change.

See also this discussion on the OpenSC issue tracker.