Primary and Signing Key on Different Smart Cards

Anton Marchukov anton at
Sun Jan 15 20:54:12 CET 2017

Hello Peter.

Thanks for your detailed instructions. As FOSDEM keysigning is
approaching I finally found some time to test it with my setup.
Unfortunately I am unable to pass through the step when you need to
swap the cards during subkey generation:

> Now let's add subkeys on the other card. GnuPG 2.1 totally does the right thing
> here! Insert a new blank smartcard and do:
> $ gpg2 --edit-key 367D1BCF
> At this point the pinentry will prompt:
> ---------------------------8<--------------->8---------------------------
>         Please remove the current card and insert the one with serial number:
> Note that that is our card with the primary key.

Here when I remove the "subkey" card and insert the primary card and
then confirm the prompt I immediately have gpg fail with the following

gpg: signing failed: End of file
gpg: make_keysig_packeto failed: End of file
gpg: Key generation failed: End of file

Now not sure what might be the difference between your setup and mine,
let's try to spot the difference:

1. I have gpg 2.1.11. What is your gpg2 --version ?
2. Since YubiKey is a usb token and my primary card is a plastic
smartcard from ZeithControl they are in fact located in two different
readers. I found that gpg is not able to locate card if more than one
reader is present and somehow always default to some first card it
sees. To mitigate this I had to always remove the reader along with
the card. And then of cause have to reinsert it back. May it be that
gpg expects cards to be in the same reader?
3. Any other thoughts? Any debug logs I can enable?

I also kept detailed steps and output so far and hope to publish an
article somewhere if manage to get everything working properly.


More information about the Gnupg-users mailing list