There is an ongoing battle between GnuPG and the rest of the world regarding exclusive access to the smart card. GnuPG's attitude is that they should have exclusive access to protect users from phishing and compromising the smart card. Everyone else wants to be able to use the smart card with multiple applications. In my case I am using poldi+gnupg to sudo, then trying to use the card to decrypt things. Since gpg has locked the card, the decryption fails.
I, like everyone else, will work around this by unplugging the smart card, killing gnupg, etc. to get what I want. I'm not sure that GnuPG's hard stance on this is making anyone safer. On the other hand, GnuPG says that a shorter timeout should be used when launching it, so why aren't the distros using a shorter timeout so that other apps can access the smartcard?
https://lists.gnupg.org/pipermail/gnupg-devel/2015-August/030246.html: discussion giving GnuPG's argument for exclusive access
https://dev.gnupg.org/T3267: closed bug where GnuPG refuses to change behavior
https://github.com/OpenSC/OpenSC/issues/953: discussion opposing GnuPG's point of view
GnuPG grabs the smartcard with exclusive access and upstream refuses to change to shared access. It is very difficult to use multiple applications with gnupg being involved. Here are workarounds that I know of.
Sometimes a simple unplug of the card will work because it resets things. If the right conditions are in place, the second application may work afterwards.
After I sudo and the credentials are cached in sudo I can unplug/replug the card so that the decrypt will work on the next attempt.
The Mac program GPG Suite patches GnuPG to use shared access. The FreeBSD port of PGP includes this patch as well.
Some projects are putting a layer in between GnuPG and the card that handles the access, to keep GnuPG from blocking access.
I'm working on some custom code. I might try to kill pcscd/openscd after I call sudo to get it to release the card. Will see if this works.
GnuPG says that a shorter timeout should be used when launching it so why aren't the distros using a shorter timeout so that other apps can access the smartcard? I have not been able to find info on setting the timeout for the gpg daemon but I've only done a little searching. This should be explored more.
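As an added example (not code from the post or from GnuPG), the "sudo first, then use the card elsewhere" sequence as a small POSIX shell wrapper. Instead of unplugging the reader or killing the system-wide pcscd, it asks gpg-agent to stop its scdaemon child with `gpgconf --kill scdaemon` (available in GnuPG 2.1 and later), which drops GnuPG's hold on the card; scdaemon is started again on demand the next time gpg needs it. It assumes the scdaemon holding the card belongs to the invoking user, and the decrypting program passed to it is a placeholder.

```sh
#!/bin/sh
# Added example, not from the post. Release the card held by GnuPG's
# scdaemon and retry a card-using command once, rather than killing pcscd
# (which would disrupt every other card user on the machine).
# Assumption: the scdaemon holding the card runs under the invoking user.

# Ask GnuPG to drop its hold on the card by stopping its scdaemon child.
# Returns 0 if the request was made, 1 if gpgconf is not installed.
release_card() {
    command -v gpgconf >/dev/null 2>&1 || return 1
    gpgconf --kill scdaemon
}

# Run the given command; if it fails, release the card and retry once.
# Returns the exit status of the last attempt.
# Example: run_with_card_retry <your-decrypting-program> <args>
run_with_card_retry() {
    "$@" && return 0
    status=$?
    echo "run_with_card_retry: attempt failed ($status), releasing card" >&2
    release_card || return "$status"
    "$@"
}

# The sequence from the post: authenticate sudo (poldi checks the card and
# sudo caches the credential), then run the card-using program with a retry.
sudo_then_use() {
    sudo -v || return 2
    run_with_card_retry "$@"
}
```

Use `sudo_then_use` in place of running the decrypting program directly after sudo; the retry only kicks in when the first attempt fails.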