Primary and Signing Key on Different Smart Cards
peter at digitalbrains.com
Tue Jan 17 12:10:53 CET 2017
> 1. I have gpg 2.1.11. What is your gpg2 --version ?

I did that with Debian package 2.1.11-7.

> 2. Since YubiKey is a usb token and my primary card is a plastic
> smartcard from ZeitControl they are in fact located in two different

Ah, that sounds like a likely culprit to me. I've thought more often
that scdaemon would be improved if it handled missing and changed
readers exactly the same as missing or changed smartcards.

I can't think of a way to solve this right now.

> I found that gpg is not able to locate card if more than one
> reader is present and somehow always default to some first card it

Yes, multiple reader support is a work in progress.

> 3. Any other thoughts? Any debug logs I can enable?

added to $GNUPGHOME/scdaemon.conf could help. But note that it may
contain the card PIN in the APDU dumps! The easiest way, IMHO, to
prevent leaking private data is to use a PIN like 123456 for your tests,
and only when you've got it working do it all for real with a real PIN
and real OpenPGP keys and *no more logs*. This also prevents leaking
your PIN to your storage or your backups for instance, which could be a
problem depending on your threat model.

I've never had any luck with anything other than a plain absolute path
for the log-file directive, so I'm always just writing them out completely.

(Similar debug log directives are available for other components)

I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
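
The warning above about PINs appearing in APDU dumps can be checked mechanically before a debug log is shared or backed up. The following is an added example, not part of the original message and not GnuPG code: it masks the data field of ISO 7816-4 PIN-bearing commands in any log line that contains a space-separated hex APDU. The log line layout and the sample lines are constructed assumptions; the test PIN 123456 is the one suggested in the message.

```python
import re

# ISO 7816-4 instruction bytes whose command data carries a PIN.
PIN_INS = {0x20: "VERIFY", 0x24: "CHANGE REFERENCE DATA",
           0x2C: "RESET RETRY COUNTER"}

# A run of at least five space-separated hex bytes: CLA INS P1 P2 Lc [data...]
HEX_RUN = re.compile(r"\b(?:[0-9A-Fa-f]{2} ){4,}[0-9A-Fa-f]{2}\b")


def redact_line(line):
    """Return (line with PIN bytes masked, name of the PIN command or None)."""
    found = []

    def mask(match):
        apdu = match.group(0).split(" ")
        ins, lc = int(apdu[1], 16), int(apdu[4], 16)
        # Only short-form APDUs whose Lc fits the bytes actually present.
        if ins not in PIN_INS or lc == 0 or len(apdu) < 5 + lc:
            return match.group(0)
        found.append(PIN_INS[ins])
        return " ".join(apdu[:5] + ["XX"] * lc + apdu[5 + lc:])

    redacted = HEX_RUN.sub(mask, line)
    return redacted, (found[0] if found else None)


def redact_log(lines):
    """Mask every line; return (masked lines, [(line number, command), ...])."""
    out, hits = [], []
    for number, line in enumerate(lines, 1):
        masked, command = redact_line(line)
        out.append(masked)
        if command:
            hits.append((number, command))
    return out, hits


# Constructed sample lines (assumed layout): SELECT, VERIFY with the
# ASCII test PIN "123456", then GET DATA.
SAMPLE_LOG = [
    "scdaemon[4242] DBG:  raw apdu: 00 A4 04 00 06 D2 76 00 01 24 01",
    "scdaemon[4242] DBG:  raw apdu: 00 20 00 81 06 31 32 33 34 35 36",
    "scdaemon[4242] DBG:  raw apdu: 00 CA 00 6E 00",
]

if __name__ == "__main__":
    masked, hits = redact_log(SAMPLE_LOG)
    print("\n".join(masked))
    print("PIN-bearing commands at:", hits)
```

The matcher is deliberately broad, so a response dump whose second byte happens to equal one of these instruction codes is masked as well; for a redaction pass that errs on the safe side.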