Do smartcards stay unlocked forever by design?
Werner Koch
wk at gnupg.org
Tue Jan 18 23:45:27 CET 2011

On Mon, 17 Jan 2011 22:03, kgo at grant-olson.net said:

> 1) Once I enter my pin, the card is unlocked as long as it's connected.

It depends on the card application.  For the OpenPGP card it is true for
key 2 and 3.  For key 1 see below.  A reset operation locks the keys
again. (Try: gpg-connect-agent 'scd reset' /bye)

> 2) I get prompted when making a signature because the sig counter gets
> incremented, and that's a write operation to the card.  Decrypting and

No, that is because the forcesig flag is set; this requires a verify
command before a crypto command with key 1.  "gpg --edit-key", then
"admin" and then "forcesig" toggles this flag.

> 3) The proper way to 'lock' the card is to remove it from the reader.

Yeah, powering it down is a pretty reliable way to lock all keys.
Recall that the card is a regular computer - a bit small by today's
desktop standards, but still a fully working CPU with RAM, ROM and I/O.
Removing it from the readers is like pulling out the mains plug.

Shalom-Salam,

   Werner
-- 
Thoughts are free.  Exceptions are regulated by a federal law.
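
Added example, not part of the original message or of GnuPG's own code: a small script that reads the forcesig state from card status and locks the card with the reset command quoted above. It assumes the `forcepin:` field of `gpg --card-status --with-colons`; the sample status text and the function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: inspect the forcesig flag and lock an OpenPGP card.

# Constructed sample in the colon format of `gpg --card-status --with-colons`
# (not captured from a real card). forcepin:1 means forcesig is set.
SAMPLE_STATUS='forcepin:0:::
sigcount:12:::'

# Read colon-format card status on stdin and print
# "forced", "not-forced" or "unknown".
forcesig_state() {
    awk -F: '
        $1 == "forcepin" {
            found = 1
            print ($2 == "1" ? "forced" : "not-forced")
            exit
        }
        END { if (!found) print "unknown" }
    '
}

# Say what the flag means for how long key 1 stays usable.
describe_lock_behaviour() {
    case "$1" in
        forced)
            echo "key 1: PIN verified before every signature; keys 2 and 3: unlocked until reset or power-down" ;;
        not-forced)
            echo "key 1: stays unlocked after a PIN entry until reset or power-down, like keys 2 and 3" ;;
        *)
            echo "forcesig state not found in card status" ;;
    esac
}

# Lock all keys without pulling the card (command from the message above).
lock_card() {
    gpg-connect-agent 'scd reset' /bye
}

if [ "${1:-}" = "--live" ]; then
    # Query the inserted card, report, then lock it.
    describe_lock_behaviour "$(gpg --card-status --with-colons | forcesig_state)"
    lock_card
else
    # Offline run against the constructed sample.
    describe_lock_behaviour "$(printf '%s\n' "$SAMPLE_STATUS" | forcesig_state)"
fi
```

Run with `--live` to query and lock a real card; calling `lock_card` from a screen-lock or suspend hook gives the effect of removing the card without touching the reader.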