gpg --card-status always create proxy private keys

Alon Bar-Lev alon.barlev at
Mon Feb 13 12:32:46 CET 2017

On 13 February 2017 at 10:03, NIIBE Yutaka <gniibe at> wrote:
> Alon Bar-Lev <alon.barlev at> writes:
> > This is a change in behaviour, I believe resulted by this[1] commit.
> > Everytime gpg --card-status is executed the proxy private keys at
> > ~/.gnupg/private-keys-v1.d/ are created, also if no matching public
> > key in gpg.
> >
> > It has the side effect of having duplicate keys when trying to
> > generate keys using gpg --card-edit without actually re-generate the
> > key on the card (return the same keygrip).
> >
> > As a result usage of scd which only capable of reusing keys such as
> > PKCS#11 is now broken.
> I don't understand your description above.  Could you elaborate?

There are cases in which the card daemon (not the one gpg provides)
will come with pre-defined generated keys. In this case the "generate"
will actually return these keys instead of generating new ones.
It has been working for about 10 years :)
I do not mind if we cache these shadows, as long as after generate the
cache will be rewritten with the new keys even if these already exist
in the cache.
However, I do not understand what is the point of caching keys that
have no associated public key in the keyring (ether locally or
obtained using the URL fetch).

Assuming we would like to shadow everything, can we please rewrite
when writing the shadow keys after generate (and in general)?

> BTW, the change which introduce creating a shadow key by --card-status
> is this (not the one you addressed):
> commit f3f9f9b2844c35f7942ee904d5222523615cdad4
> Author: Werner Koch <wk at>
> Date:   Fri Dec 12 12:35:45 2014 +0100
>     gpg: Let --card--status create a shadow key (card key stub).
> --

Thanks for the reference!


More information about the Gnupg-devel mailing list