Changing smartcard

Andrew Gallagher andrewg at
Tue Sep 13 14:02:22 CEST 2016

I recently decided to change my default smartcard on one machine
because it was easier to use and carry a flat card than one in a USB
reader, and that particular machine has a smartcard slot. I had two
smartcards anyway for testing purposes.

I thought it would be a simple matter of deleting the key stubs on the
machine in question and running gpg --card-status, but even after doing
this for both gpg and gpg2 (debian!) it still sometimes asked for the
old smartcard.

Things that worked: poldi (on login screen), enigmail
Things that didn't work: ssh, sudo/poldi (on command line)

The only thing that might explain why poldi works on the login screen
but not for sudo is the agent (which isn't running at login time, so
poldi must call scdaemon directly at that point).

Using gpg-connect-agent:

> keyinfo --list
S KEYINFO xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEDB763AD D - - - - - - -
S KEYINFO xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxCFEF4E2C T
D276000124010201000500003F990000 OPENPGP.1 - - - - -
S KEYINFO xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0EFB3577 T
D276000124010201000500003F990000 OPENPGP.2 - - - - -
S KEYINFO xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxD39C4ACA D - - - - - - -
S KEYINFO xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx20FE2863 T
D276000124010201000500002ED90000 OPENPGP.3 - - - - -

This seems to indicate that the agent is still looking for the old card
(the one ending "2ED90000") for the slot 3 key (auth), but is correctly
configured for E and S (hence why enigmail works).

I found keystub entries that corresponded to these in
private-keys-v1.d. The offending keystub file had a modification date
earlier than the other two, so I deleted it and ran gpg --card-status
once more. The keystub file was regenerated and gpg-connect-agent now
reports the correct card ID. I didn't even have to log out and in.

So I'm happy now, but have two questions:

1. Why was the A keystub not deleted and regenerated when I did gpg
--delete-secret-keys; gpg --card-status, like the E and S ones
apparently were?

2. What do these fingerprint-like IDs in the agent and v1.d refer to?
They don't correspond to anything that --with-colons produces.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20160913/430383ab/attachment.sig>

More information about the Gnupg-users mailing list