Claude Desktop on Linux opens PC/SC smartcard socket, destabilizes GnuPG signing
Summary
Claude Desktop on Fedora (and likely other Linux distros) launches as an unsandboxed Electron app with --no-sandbox. Chromium eagerly loads libpcsclite.so.1 and opens a persistent connection to /run/pcscd/pcscd.comm for WebAuthn/FIDO reader enumeration, even though Claude Desktop has no smartcard functionality. This destabilizes GnuPG's scdaemon, causing gpg: signing failed: Not supported errors during git commit -S and other signing operations.
Root cause
GnuPG's scdaemon has a known upstream bug where it caches the PC/SC card handle (hCard) without revalidation and doesn't use SCardBeginTransaction/SCardEndTransaction. When another PC/SC client (in this case, Claude Desktop's Chromium process) touches the reader, scdaemon's cached handle goes stale. The next signing attempt fails with Not supported until gpgconf --kill scdaemon is run.
While this is ultimately a GnuPG bug, Claude Desktop is the trigger on affected machines. The failure is reproducible: signing works reliably without Claude Desktop running, and breaks within hours of launching it.
Evidence
- Confirmed Claude Desktop (Electron/Chromium) holds an
ESTABLISHEDUnix socket connection to/run/pcscd/pcscd.commviass -x lsof//proc/PID/mapsconfirmslibpcsclite.so.1is mapped into the Claude Desktop process- Failures stop completely when Claude Desktop is not running
- Failures return when Claude Desktop is relaunched without mitigation
Environment
- Fedora 44, kernel 6.19.10
- Claude Desktop 1.569.0 (
claude-desktop-1.569.0-1.3.26.fc42) - GnuPG 2.4.9-5, pcsc-lite 2.4.1-2
- Nitrokey 3A Mini (also affects YubiKey users per upstream reports)
Workaround
Launching Claude Desktop via systemd-run with InaccessiblePaths=/run/pcscd blocks access to the PC/SC socket without affecting any Claude functionality.
1. Create a wrapper script
Save to ~/bin/claude-desktop-no-pcsc and chmod +x:
#!/usr/bin/env bash
set -euo pipefail
exec systemd-run \
--user \
--collect \
--same-dir \
--quiet \
-E DISPLAY \
-E WAYLAND_DISPLAY \
-E XDG_RUNTIME_DIR \
-E DBUS_SESSION_BUS_ADDRESS \
-E XAUTHORITY \
-p InaccessiblePaths=/run/pcscd \
/usr/bin/claude-desktop "$@"
2. Create a user-level .desktop override
Save to ~/.local/share/applications/claude-desktop.desktop — this overrides the system-wide .desktop file shipped by the RPM so that GNOME (and any other desktop environment) launches Claude through the wrapper:
[Desktop Entry]
Name=Claude
Exec=/home/YOUR_USER/bin/claude-desktop-no-pcsc %u
Icon=claude-desktop
Type=Application
Terminal=false
Categories=Office;Utility;
MimeType=x-scheme-handler/claude;
StartupWMClass=Claude
Replace YOUR_USER with your username, or use the full path to wherever you saved the wrapper script.
After saving, run update-desktop-database ~/.local/share/applications/ to refresh the desktop cache.
Suggested fix
Any of these would prevent Claude Desktop from being a PC/SC trigger:
- Ship the systemd unit /
.desktopfile withInaccessiblePaths=/run/pcscd— simplest, no code change - Pass
--disable-features=SmartCardWebAuthnor equivalent Chromium flag to prevent PC/SC enumeration at the Electron level - Enable Electron sandboxing (currently launched with
--no-sandbox) — the sandbox would block access to the pcscd socket by default
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗