Storing key on multiple smartcards

NIIBE Yutaka gniibe at
Tue Apr 23 23:17:05 CEST 2019

NIIBE Yutaka <gniibe at> wrote:
> (2) scdaemon modification

I have started this part in master.

> Now, the way to specify a key is:
> 	serial number + id_string
> or
> 	serial number +  "/" + fingerprint
> where id_string is "OpenPGP.1", "OpenPGP.2", and  "OpenPGP.3".

Sorry, the description above is not correct.  It is either:

        serial number
        serial number +  "/" + fingerprint

I pushed the change supporting keygrip here.

The matching card with the serial number should be selected beforehand when
the PKSIGN, PKDECRYPT or PKAUTH commands are used.  Note that scdaemon
has support for multiple cards (by the internal CCID driver); a card
is selected by the SERIALNO command.

gpg-agent uses the sequence of SERIALNO and then
PKSIGN/PKDECRYPT/PKAUTH with the context of serial number.

We need a way to ask for crypto operations with no-context-of-serial-number
(the specific card) but with the keygrip.

For crypto operations with the keygrip, I'm going to add new commands to

	KEYINFO [--list]

(Perhaps, there are better names for PKSIGN_DIRECT, PKDECRYPT_DIRECT,
and PKAUTH_DIRECT.  Please let me know your comments.)

The KEYINFO command is just like the one of gpg-agent.  It gives us
key information with keygrips.

gpg-agent/gpg will use scdaemon's KEYINFO command to get the information
of available keys by scdaemon.  Then, do *_DIRECT.

The *_DIRECT commands are not with a specific card context; scdaemon
internally selects a card context automatically.  It is scdaemon which
determines the card context by keygrip.

This is the thing I call keygrip-centric.

I'm going to add KEYINFO to master this week.

Since I'm not that confident yet, for *_DIRECT, I will have a topic
branch next month.  Then, merge into master.
