Primary and Signing Key on Different Smart Cards

Peter Lebbing peter at
Tue Jan 17 12:10:53 CET 2017

Hello Anton,

> 1. I have gpg 2.1.11. What is your gpg2 --version ?

I did that with Debian package 2.1.11-7.

> 2. Since YubiKey is a USB token and my primary card is a plastic
> smartcard from ZeitControl they are in fact located in two different
> readers.

Ah, that sounds like a likely culprit to me. I've thought more often
that scdaemon would be improved if it handled missing and changed
readers exactly the same as missing or changed smartcards.

I can't think of a way to solve this right now.

> I found that gpg is not able to locate the card if more than one
> reader is present and somehow always defaults to some first card it
> sees.

Yes, multiple reader support is a work in progress.

> 3. Any other thoughts? Any debug logs I can enable?

Something like:

    debug-level expert
    log-file /home/<you>/scdaemon.log

added to $GNUPGHOME/scdaemon.conf could help. But note that it may
contain the card PIN in the APDU dumps! The easiest way, IMHO, to
prevent leaking private data is to use a PIN like 123456 for your tests,
and only when you've got it working do it all for real with a real PIN
and real OpenPGP keys and *no more logs*. This also prevents leaking
your PIN to your storage or your backups for instance, which could be a
problem depending on your threat model.

I've never had any luck with anything other than a plain absolute path
for the log-file directive, so I'm always just writing them out completely.

(Similar debug log directives are available for other components)



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>
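
An added example, not part of the original message and not GnuPG code: a small Python filter that masks PIN-bearing command data in an scdaemon debug log before the log is shared or stored. It assumes the APDU dump lines have the shape `... raw apdu: 00 20 00 81 06 31 ...` (space-separated hex bytes); that shape and the sample lines are assumptions constructed for the example, and the function names are hypothetical.

```python
import re

# ISO 7816-4 instructions whose command data carries a PIN or reset code:
# VERIFY (0x20), CHANGE REFERENCE DATA (0x24), RESET RETRY COUNTER (0x2C).
PIN_INS = {0x20, 0x24, 0x2C}

# Assumed line shape: any prefix, the marker "raw apdu:", then hex byte pairs.
RAW_APDU = re.compile(
    r"^(?P<head>.*\braw apdu:\s*)(?P<hex>[0-9A-Fa-f]{2}(?:\s+[0-9A-Fa-f]{2})*)\s*$")

def redact_line(line):
    """Return (line, changed); PIN-bearing command data is replaced by XX."""
    m = RAW_APDU.match(line.rstrip("\n"))
    if not m:
        return line, False
    apdu = m.group("hex").split()
    # Header is CLA INS P1 P2; a 4- or 5-byte APDU carries no command data.
    if len(apdu) <= 5 or int(apdu[1], 16) not in PIN_INS:
        return line, False
    # Keep header and length byte so the log stays useful, mask the rest.
    masked = apdu[:5] + ["XX"] * (len(apdu) - 5)
    newline = "\n" if line.endswith("\n") else ""
    return m.group("head") + " ".join(masked) + newline, True

def redact_log(text):
    """Redact every PIN-bearing APDU in a log; return (clean_text, count)."""
    out, count = [], 0
    for line in text.splitlines(keepends=True):
        new, changed = redact_line(line)
        out.append(new)
        count += changed
    return "".join(out), count

# Constructed sample, not real scdaemon output: a SELECT, then a VERIFY
# carrying the test PIN 123456 as ASCII (31 32 33 34 35 36).
SAMPLE = (
    "scdaemon[4242] DBG: send apdu: c=00 i=A4 p1=04 p2=00 lc=6 le=-1 em=0\n"
    "scdaemon[4242] DBG:   raw apdu: 00 A4 04 00 06 D2 76 00 01 24 01\n"
    "scdaemon[4242] DBG: send apdu: c=00 i=20 p1=00 p2=81 lc=6 le=-1 em=0\n"
    "scdaemon[4242] DBG:   raw apdu: 00 20 00 81 06 31 32 33 34 35 36\n"
)

if __name__ == "__main__":
    clean, n = redact_log(SAMPLE)
    print(clean, end="")
    print(f"{n} APDU(s) redacted")
```

The filter only covers lines in the assumed dump format, so the redacted log should still be read through before it leaves the machine.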
