One Key, multiple Smartcards not working anymore

NIIBE Yutaka gniibe at
Wed Jul 29 02:25:01 CEST 2015


Thank you for the report describing complicated issue.  Your
detailed description helps me understand the situation.

On 07/28/2015 04:09 AM, Josef Schneider wrote:
> I have a problem with my Key. I have a 4096bit RSA key since 2012 and it
> is stored on a OpenPGP smartcard.
> Recently I added three new 2048bit subkeys, because I bought a Yubikey
> NEO device and want to use PGP on my phone/tablet with Android and NFC.
> This worked as expected. I created the new subkeys on my PC, saved a
> backup and then moved them to the card.
> PGP showed me correctly that the first three keys are on card 1 and the
> second three are on card 2. If the wrong card was inserted, it asked me
> to insert the correct one.
> I then wanted to create one key backup with all six private keys to
> print using PaperBack and store in a safe place. I was able to merge all
> the private keys with gpgsplit and moving/renaming files and created
> that backup.
> After that, I deleted the whole key, got my public key from the
> keyservers and tried to use it with the card (after gpg2 --card-status).
> Here is now my problem:
> GPG adds the key stub for the smartcard keys only for the first card! If
> I delete the key, import, use card-status, then I can usse the three
> keys from that smartcard. If I insert the second smartcard and do a
> card-status, nothing changes!
> If I import the full key with all private keys, I can then replace the
> keys on the card and move all keys to smartcards. Then I get a key
> working with both smartcards again. But of course I don't want to touch
> the key backup. It's printed on paper and stored in a safe location for
> a reason.
> Am I doing something wrong, or is that a bug?
> All with gpg (GnuPG) 2.0.28 (Gpg4win 2.2.5)

This is a bug in 2.0.  (I think it works well (or better) on 2.1.)

In gnupg/g10/card-utilc, we have a function card_status, which
corresponds --card-status option.  It goes to the block of line 590,
when there is no secret keys available but public key is available
(let's call THE CONDITION).  In this specific case, the function
auto_create_card_key_stub will be called to create the stub.

In your case, secret key stub is not available but public key is
available.  The calculation of THE CONDITION is somehow wrong
for subkeys sharing primary key when the subkey is not available
but another subkey is available.  This is because of the lookup
is basically based on primary key.

I'm going to look in detail, and I will fix.

More information about the Gnupg-users mailing list