smartcard stub not imported when migrating to gnupg 2.1

Werner Koch wk at
Wed Jul 10 13:22:46 CEST 2013

On Wed,  3 Jul 2013 18:40, alphazo at said:

> - One master key for signing with private key material not present
> - One subkey for signing protected by passphrase
> - One subkey for encryption with private key material stored on a
> cryptostick therefore there is a stub here.

> I only got prompted for the passphrase for the signing key.

Right.  This is because there is just one real secret key.

> Then when I list the private keys I can see them all with a (#) showing
> that the private key material is not there.

> sec#  4096R/C23D45E6 2010-11-07
> uid                  Test Key <test at>
> ssb   3072R/4BC5DE67 2010-11-07 [expire : 2014-11-03]
> ssb#  3072R/A45B67C8 2010-11-07 [expire : 2014-11-03]

What I see is that the secret key for 4BC5DE67 is there.  That seems to
be the signing subkey.

> However when trying to decrypt gnupg returns that there is no private key
> available for this key. It doesn't aks for the cryptostick as well.

What does "gpg2 --card-status" show?  Does it list A45B67C8 as the
second key of the card?  But wait.  Checking the code I see that there
is indeed something missing: gpg-agent does not know that a smartcard
with the given subkey exists.  Thus the internal HAVEKEY query send from
gpg to the agent can only return "no such key".  Thus what we need is a
way for gpg to ask gpg-agent to create a stub key if it is missing; we
do this with gpgsm but for whatever reason this has not yet been
implemented in 2.1.

So, please have some more patience; I need to add this for the next



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-devel mailing list