Prefer a currently available signing subkey?

Danielle McLean dani at
Tue Apr 18 11:42:19 CEST 2017

Hi, I've set up two smartcards - a YubiKey NEO and a YubiKey 4,
specifically - with different subkeys of the same master key:

sec#  rsa4096/ACA7BABE 2017-04-03 [C] # in cold storage
ssb>  rsa4096/FF12EEC5 2017-04-04 [S] # on 4
ssb>  rsa4096/136A2F3E 2017-04-04 [A] # on 4
ssb>  rsa2048/3C6058F1 2017-04-05 [S] # on NEO
ssb>  rsa2048/336B08C1 2017-04-05 [E] # on 4 and NEO
ssb>  rsa2048/4F33D648 2017-04-05 [A] # on NEO

However with the YubiKey 4 connected, GnuPG still attempts to sign data
using 3C6058F1, which isn't currently available, rather than FF12EEC5,
which is. I'm aware I can manually select the subkey with -u FF12EEC5!,
but I can't easily sneak that switch in when I commit with Git, and I
still want to be able to sign with 3C6058F1 when the NEO is actually

So: Is there a way to reconfigure GnuPG so that it uses the currently
available subkey for signing, rather than always preferring the newest
one even when it's *not* available?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170418/049213b0/attachment.sig>

More information about the Gnupg-users mailing list