Prefer a currently available signing subkey?
dani at 00dani.me
Tue Apr 18 11:42:19 CEST 2017
Hi, I've set up two smartcards - a YubiKey NEO and a YubiKey 4,
specifically - with different subkeys of the same master key:
sec# rsa4096/ACA7BABE 2017-04-03 [C] # in cold storage
ssb> rsa4096/FF12EEC5 2017-04-04 [S] # on 4
ssb> rsa4096/136A2F3E 2017-04-04 [A] # on 4
ssb> rsa2048/3C6058F1 2017-04-05 [S] # on NEO
ssb> rsa2048/336B08C1 2017-04-05 [E] # on 4 and NEO
ssb> rsa2048/4F33D648 2017-04-05 [A] # on NEO
However with the YubiKey 4 connected, GnuPG still attempts to sign data
using 3C6058F1, which isn't currently available, rather than FF12EEC5,
which is. I'm aware I can manually select the subkey with -u FF12EEC5!,
but I can't easily sneak that switch in when I commit with Git, and I
still want to be able to sign with 3C6058F1 when the NEO is actually
So: Is there a way to reconfigure GnuPG so that it uses the currently
available subkey for signing, rather than always preferring the newest
one even when it's *not* available?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 488 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-users