gpg --card-status always create proxy private keys

Alon Bar-Lev alon.barlev at
Tue Feb 14 21:49:51 CET 2017

On 14 February 2017 at 21:39, Peter Lebbing <peter at> wrote:
> On 14/02/17 20:31, Alon Bar-Lev wrote:
>> This worked so far, as "card-edit/generate" returned the existing key
> I think that was not a GnuPG design decision but rather somewhat of a "hack" to
> enable this use case? I don't think you can obtain this behaviour with a real
> OpenPGP card, it's just something the emulation layer decided to do, right?

Functionality of gnupg is also required for other types of cards;
however, there is no real way to integrate with gnupg, as the
interfaces are not stable. Over the last 10 years I have modified the
solution over and over in order to provide a service to users that
requires integration with other devices; here I found a dead end.
Of course I can simulate an empty token and return a key only after
generate... Before I do that, I thought that maybe the existing
behavior of caring what generate returns while there is nothing in
the keychain that relates to the key is intentional; I still believe
that this is not.

>> The difference is that edit-key uses an existing primary key and manages
>> subkeys, while I need to support primary keys as well.
> Right, yes, of course, silly of me.
>> Yes, this should generate a primary key using an existing private key.
>> If this is acceptable it will be very nice.
> And it would support this behaviour for real OpenPGP cards as well, not just for
> the emulation layer interfacing to PKCS#11 cards. Plus, it makes the behaviour
> obvious. It would not be obvious to me that "generate" actually didn't...
> well... generate keys ;-).

Great, how can we push that?

> Cheers,
> Peter.
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <>
