Multiple Smartcards - Signing

Matthew Monaco matt at monaco.cx
Sat May 2 18:29:45 CEST 2015


On 05/01/2015 08:36 PM, Daniel Kahn Gillmor wrote:
> On Thu 2015-04-30 17:49:28 -0400, Matthew Monaco wrote:
>> Why isn't gpg smarter about selecting only from the /available/ keys
>> at the time of signing? BTW, I'm using 2.1.3
> 
> I think this is the crux of your issue.  It sounds like a bug to me.
> 
> I've opened a bug report about it:
> 
>  https://bugs.gnupg.org/gnupg/issue1967
> 
> hth,
> 
>         --dkg
> 

Ah, thanks! I ended up moving forward with separate signing keys on each
smartcard, filtering gpg.conf from rsync, and adding -u <subkey>!.

Conversely, I am using the same auth key on both smartcards. For me, managing
multiple SSH keys is more trouble than it's worth. Most notably, OpenStack will
only seed one key to a new instance and I don't want to deal with having to keep
track of which smartcard I'm using.

So this would be related, but maybe I'll file a second bug report to request
that the shadow copy of a key is automatically updated if it's seen on a new
smartcard. This doesn't appear to be the case, however I may have broken it by
getting fancy: I moved my .key files to <alg><bits>-CAPS-8charkeyid-comment
(e.g. rsa2048-E-DDEC74FE-revoked) and then symlinked <keygrip>.key.

This is because sometimes I lose track of fingerprint <-> keygrip. It would be
nice if --list-packets <keygrip>.key or some such listed info about the key...
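As an added example (not part of the original mail or of GnuPG), the POSIX shell script below does what the message wishes for: it reads the colon-format output of `gpg --with-colons --with-keygrip --list-secret-keys`, prints each secret (sub)key's fingerprint next to its keygrip and the `<alg><bits>-CAPS-8charkeyid` name from the mail, and can then rename the files in `private-keys-v1.d` and leave `<keygrip>.key` symlinks behind. The field positions are assumed from GnuPG's doc/DETAILS, and the sample listing, key ids, keygrips and card serial are constructed.

```shell
# Field positions follow gnupg's doc/DETAILS for the listing produced by
#   gpg --with-colons --with-keygrip --list-secret-keys
# Emits one line per sec/ssb record: fingerprint, keygrip, a filename of the
# form <alg><bits>-CAPS-8charkeyid, and where the key material lives.
keygrip_map() {
    awk -F: '
        BEGIN { alg[1]="rsa"; alg[16]="elg"; alg[17]="dsa"; alg[18]="ecdh"; alg[19]="ecdsa"; alg[22]="eddsa" }
        $1 == "sec" || $1 == "ssb" {
            # field 3 = bits, 4 = algo id, 5 = 16-hex key id, 12 = capabilities
            a = ($4 in alg) ? alg[$4] : "alg" $4
            caps = ""
            # lowercase letters are this key; uppercase ones summarise the whole keyblock
            for (i = 1; i <= length($12); i++) {
                c = substr($12, i, 1)
                if (c ~ /[a-z]/) caps = caps toupper(c)
            }
            name = a $3 "-" caps "-" substr($5, length($5) - 7)
            # field 15: card serial for a card-backed stub, "#" for an offline stub
            where = ($15 == "#") ? "stub" : ($15 == "" ? "local" : "card:" $15)
            pending = 1; fpr = ""
            next
        }
        pending && $1 == "fpr" { fpr = $10; next }
        pending && $1 == "grp" { print fpr, $10, name, where; pending = 0 }
    '
}
# Apply the naming scheme from the mail to a private-keys-v1.d directory: move
# <keygrip>.key to <name>.key and leave <keygrip>.key behind as a relative symlink
# so gpg-agent still finds it. Keygrips that are already symlinks are skipped.
link_keys() {
    dir=$1
    while read -r fpr grp name where; do
        src="$dir/$grp.key"
        [ -f "$src" ] && [ ! -L "$src" ] || continue
        mv "$src" "$dir/$name.key"
        ln -s "$name.key" "$src"
    done
}
# Constructed sample listing (fake key ids, fingerprints, keygrips and card
# serial): an offline primary stub plus an encryption subkey held on a card.
SAMPLE='sec:u:2048:1:0123456789ABCDEF:1430000000:::u:::scESC:::#::::
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:
grp:::::::::1111111111111111111111111111111111111111:
ssb:u:2048:1:FEDCBA98DDEC74FE:1430000000::::::e:::D2760001240102000005000012340000::::
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBFEDCBA98DDEC74FE:
grp:::::::::2222222222222222222222222222222222222222:'

printf '%s\n' "$SAMPLE" | keygrip_map
```

To use it on a real keyring, replace the constructed SAMPLE with the gpg listing and pipe the map into `link_keys ~/.gnupg/private-keys-v1.d` while gpg-agent is stopped.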
