smartcard key change

Fabio Coatti fabio.coatti at gmail.com
Wed Jan 2 11:05:47 CET 2013


Hi All,
I'm playing a bit with an FSFE fellowship card, and I've noticed an
issue, but I can't say if it is in gpg or in me :)

Basically, the card works as expected (signing, encryption, etc.)
with a subkey-only setup; I then changed the sign subkey with a
new one, but I noticed that I had mistakenly loaded a 4096-bit subkey (out
of spec, IIRC; it works but it is fairly slow :) ). I then tried to
place the previous sign key... and gnupg fails with this error:

Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Cosa scegli? 1

gpg: WARNING: such a key has already been stored on the card!

Replace existing key? (y/N) y
gpg: secret key already stored on a card


But the card has the 4096 key on it; so it seems that gnupg flags every
key that has been loaded on the card as "on card", but it is impossible to tell
gnupg that a key has been removed from the card.
Interestingly enough, gpg --card-status (or gpg --edit-key /toggle/list)
shows that 4 keys are on the card :)
i.e. the secret key description reports "card-no: 0000 00000XXX" below
4 keys and not only three.

My guess is that gpg flags every subkey sent to the card with the card
number and checks the number when requested to install it again... but
is there any way to tell gpg to clear that card number field?

--
Fabio
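A small diagnostic, added here as example code (it is not from the thread or from GnuPG), that parses a constructed `gpg --list-secret-keys` listing in the older human-readable format the post quotes and reports card serials referenced by more secret-key stubs than the card has slots, which is the "four keys on a three-slot card" symptom described above. The key IDs and the card serial in the sample are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of `gpg --list-secret-keys` output (gpg 1.4/2.0 style),
# modelled on the "card-no:" lines the post describes. Key IDs and serial are placeholders.
SAMPLE_LISTING = """\
sec   2048R/AAAAAAAA 2012-11-20
uid                  Example User <user@example.org>
ssb   2048R/BBBBBBBB 2012-11-20
      card-no: 0000 000012AB
ssb   2048R/CCCCCCCC 2012-11-20
      card-no: 0000 000012AB
ssb   2048R/DDDDDDDD 2012-11-20
      card-no: 0000 000012AB
ssb   4096R/EEEEEEEE 2012-12-30
      card-no: 0000 000012AB
"""

# An OpenPGP card holds one key per slot: signature, encryption, authentication.
CARD_SLOTS = 3

KEY_RE = re.compile(r"^(sec|ssb)\s+(\d+)([A-Za-z])/([0-9A-Fa-f]+)")
CARD_RE = re.compile(r"^\s+card-no:\s*(.+?)\s*$")

def parse_card_refs(listing):
    """Return {serial: [(keyid, bits), ...]} for every secret-key stub that points at a card."""
    refs = defaultdict(list)
    current = None
    for line in listing.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = (m.group(4), int(m.group(2)))  # key ID and size of the key just seen
            continue
        m = CARD_RE.match(line)
        if m and current:
            refs[m.group(1)].append(current)  # the stub for `current` claims to live on this card
            current = None  # at most one card-no line per key
    return dict(refs)

def stale_stub_serials(listing, slots=CARD_SLOTS):
    """Serials referenced by more stubs than the card has slots: at least one stub is stale."""
    refs = parse_card_refs(listing)
    return sorted(serial for serial, keys in refs.items() if len(keys) > slots)

if __name__ == "__main__":
    for serial in stale_stub_serials(SAMPLE_LISTING):
        print(f"card {serial}: {len(parse_card_refs(SAMPLE_LISTING)[serial])} stubs for {CARD_SLOTS} slots")
```

On a real keyring, feed it the output of `gpg --list-secret-keys` instead of the constructed sample.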