Claude Desktop on Linux opens PC/SC smartcard socket, destabilizes GnuPG signing

Resolved 💬 2 comments Opened Apr 10, 2026 by jdoss Closed Apr 13, 2026

Summary

Claude Desktop on Fedora (and likely other Linux distros) launches as an unsandboxed Electron app with --no-sandbox. Chromium eagerly loads libpcsclite.so.1 and opens a persistent connection to /run/pcscd/pcscd.comm for WebAuthn/FIDO reader enumeration, even though Claude Desktop has no smartcard functionality. This destabilizes GnuPG's scdaemon, causing gpg: signing failed: Not supported errors during git commit -S and other signing operations.

Root cause

GnuPG's scdaemon has a known upstream bug where it caches the PC/SC card handle (hCard) without revalidation and doesn't use SCardBeginTransaction/SCardEndTransaction. When another PC/SC client (in this case, Claude Desktop's Chromium process) touches the reader, scdaemon's cached handle goes stale. The next signing attempt fails with Not supported until gpgconf --kill scdaemon is run.

While this is ultimately a GnuPG bug, Claude Desktop is the trigger on affected machines. The failure is reproducible: signing works reliably without Claude Desktop running, and breaks within hours of launching it.

Evidence

  • Confirmed Claude Desktop (Electron/Chromium) holds an ESTABLISHED Unix socket connection to /run/pcscd/pcscd.comm via ss -x
  • lsof//proc/PID/maps confirms libpcsclite.so.1 is mapped into the Claude Desktop process
  • Failures stop completely when Claude Desktop is not running
  • Failures return when Claude Desktop is relaunched without mitigation

Environment

  • Fedora 44, kernel 6.19.10
  • Claude Desktop 1.569.0 (claude-desktop-1.569.0-1.3.26.fc42)
  • GnuPG 2.4.9-5, pcsc-lite 2.4.1-2
  • Nitrokey 3A Mini (also affects YubiKey users per upstream reports)

Workaround

Launching Claude Desktop via systemd-run with InaccessiblePaths=/run/pcscd blocks access to the PC/SC socket without affecting any Claude functionality.

1. Create a wrapper script

Save to ~/bin/claude-desktop-no-pcsc and chmod +x:

#!/usr/bin/env bash
set -euo pipefail
exec systemd-run \
  --user \
  --collect \
  --same-dir \
  --quiet \
  -E DISPLAY \
  -E WAYLAND_DISPLAY \
  -E XDG_RUNTIME_DIR \
  -E DBUS_SESSION_BUS_ADDRESS \
  -E XAUTHORITY \
  -p InaccessiblePaths=/run/pcscd \
  /usr/bin/claude-desktop "$@"

2. Create a user-level .desktop override

Save to ~/.local/share/applications/claude-desktop.desktop — this overrides the system-wide .desktop file shipped by the RPM so that GNOME (and any other desktop environment) launches Claude through the wrapper:

[Desktop Entry]
Name=Claude
Exec=/home/YOUR_USER/bin/claude-desktop-no-pcsc %u
Icon=claude-desktop
Type=Application
Terminal=false
Categories=Office;Utility;
MimeType=x-scheme-handler/claude;
StartupWMClass=Claude

Replace YOUR_USER with your username, or use the full path to wherever you saved the wrapper script.

After saving, run update-desktop-database ~/.local/share/applications/ to refresh the desktop cache.

Suggested fix

Any of these would prevent Claude Desktop from being a PC/SC trigger:

  1. Ship the systemd unit / .desktop file with InaccessiblePaths=/run/pcscd — simplest, no code change
  2. Pass --disable-features=SmartCardWebAuthn or equivalent Chromium flag to prevent PC/SC enumeration at the Electron level
  3. Enable Electron sandboxing (currently launched with --no-sandbox) — the sandbox would block access to the pcscd socket by default

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗