OpenPGP Smartcard + signing email = two signatures?

Peter Lebbing peter at digitalbrains.com
Tue Oct 1 19:48:16 CEST 2013


On 30/09/13 23:10, Pete Stephenson wrote:
> Has anyone else observed this behavior? If so, is there an explanation?

It's probably a benign bug, but it would obviously also be a reasonably good way
to get signatures if somebody had compromised your PC. Put a payload in GnuPG
such that when you try to sign something, it will first sign the attacker's
message with your first pinentry prompt, and then just prompt again for your
signature. People who work with computers generally just try again if the first
time mysteriously failed.

This does presume that you enter your PIN on the cardreader, because otherwise
it would be simpler to just use the PIN you give to the PC :).

But I think it's more likely there's a little bug somewhere that loses the message.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
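As an added check, not part of Peter's post or of GnuPG itself: the OpenPGP card keeps a signature counter that `gpg --card-status` reports, so recording it before a signing operation and comparing it afterwards would expose a silent extra signature of the kind described above. The status excerpts below are constructed, and the parser assumes gpg's `Signature counter : N` line format.

```shell
#!/bin/sh
# Extract the signature counter from gpg --card-status output.
# Assumes the line format "Signature counter : N" that gpg prints.
sig_counter() {
    printf '%s\n' "$1" | sed -n 's/^Signature counter *: *\([0-9][0-9]*\).*/\1/p'
}

# Compare the counter before and after signing with the number of
# signatures the user actually requested. Prints "ok" when they match,
# "extra" when the card signed more often than asked (the scenario above),
# and "fewer" when it signed less often than expected.
check_sig_counter() {
    before=$1; after=$2; expected=$3
    made=$((after - before))
    if [ "$made" -eq "$expected" ]; then
        echo ok
    elif [ "$made" -gt "$expected" ]; then
        echo extra
    else
        echo fewer
    fi
}

# Constructed card-status excerpts (not captured from a real card):
# one taken before a single signing request, one taken after it.
STATUS_BEFORE='Reader ...........: Example Reader
Signature counter : 41
General key info..: [none]'
STATUS_AFTER='Reader ...........: Example Reader
Signature counter : 43
General key info..: [none]'

before=$(sig_counter "$STATUS_BEFORE")
after=$(sig_counter "$STATUS_AFTER")
# One signature was requested but the counter advanced by two.
check_sig_counter "$before" "$after" 1   # prints "extra"
```

In practice the "before" value would be saved from a real `gpg --card-status` run just before signing, and the "after" value read once the signature is produced.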
