Using a GnuPG CCID card in another computer (follow-up)

Peter Lebbing peter at digitalbrains.com
Tue May 16 11:12:18 CEST 2017


On 16/05/17 07:55, Matthias Apitz wrote:
> The question remains: Why do I have to move the files below .gnupg/ to
> the other workstation?

The card only holds the basic cryptographic material. But a certificate
("public key") holds much more information: your name, the relations
between the cryptographic keys and how they are used, your preferences
with regard to algorithms, how long the key is valid, and certifications
by other users who have signed your key, to name some important ones.

So before you can use the smartcard, you need to import your
certificate/public key. You could publish this to the keyserver network,
or put it on the web. If the latter, you /can/ enter the URL in a data
field on the smartcard, enabling you to use the "fetch" command of
--card-edit.

> And, what are the files below .gnupg/private-keys-v1.d
> exactly?

Either the real cryptographic material for a private key, or simply a
note telling GnuPG "that key is on card X". However, I'm surprised by
the size of these files you show. All my "notes saying card X", stubs,
on this laptop are around a mere 360 bytes. I know these files are
S-Expressions, but I haven't checked the exact construction. I would
expect OpenPGP smartcard stubs to generally come down to very comparable
sizes.

You can ask GnuPG to list all the OpenPGP private keys it knows about
along with the keygrip. The keygrip corresponds to the file name in
private-keys-v1.d. It will also indicate when a key is on a card:

> $ gpg2 --with-keygrip -K
> /home/peter/.gnupg/pubring.kbx
> ------------------------------
> sec>  rsa2048 2009-11-12 [C] [expires: 2017-10-19]
>       8FA94E79AD6AB56EE38CE5CBAC46EFE6DE500B3E
>       Keygrip = 13790148EEE34BC5140DD31B6F95EABA8A19E419
>       Card serial no. = 0005 00000274
> uid           [ultimate] Peter Lebbing <peter at digitalbrains.com>
> ssb>  rsa2048 2009-11-12 [S] [expires: 2017-10-19]
>       Keygrip = 46E61BB13BF429980D89B6B7BDE0F70E55E41A03
> ssb>  rsa2048 2009-11-12 [E] [expires: 2017-10-19]
>       Keygrip = A9C7C73653BEDAF478E4956FCF4C3AFC7CB9A00C
> ssb>  rsa2048 2009-12-05 [A] [expires: 2017-10-19]
>       Keygrip = 2DD5CC89FE601845C8C4F74F9643724A08D878FD
> 
> sec   rsa1024 2012-03-17 [SC] [expired: 2017-03-29]
>       825472F37172B95ADC7349BE98B67DE4DCDFDFA4
>       Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A
> uid           [ expired] Test Teststra <test at work.invalid>
> uid           [ expired] Test Teststra (Koning van Wezel) <test at example.invalid>
> ssb   rsa1024 2012-03-17 [E] [expired: never     ]
>       Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D
> ssb   rsa2048 2016-01-12 [A] [expired: never     ]
>       Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63
> ssb   rsa1024 2017-03-22 [S] [expired: 2017-03-29]
>       Keygrip = B93CA4F1A44FAD92D45DC836DEC653769421E703

A '>' after 'sec' or 'ssb' indicates it is on a card. A '#' indicates
the key is unavailable.

You could do this to check what GnuPG thinks those files represent.

Note it only mentions the card serial number for the primary key, even
though the E and S subkeys are on a different card.

I have to admit I cheated a bit for the above output; I had to specify
"--list-options show-unusable-subkeys" because the test key was expired,
and I removed an awful lot of test keys from the output.

private-keys-v1.d also contains keys for gpgsm, which will not show up
when invoking "gpg2 -K" as above.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
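As an added example (not part of Peter's mail and not GnuPG's own code), the script below parses the kind of `gpg2 --with-keygrip -K` listing shown above, maps each keygrip to the file gpg-agent keeps for it under private-keys-v1.d, and classifies a file's contents by the leading token of its canonical S-expression. The sample listing is a constructed variant of the one in the mail (the [E] subkey is marked '#' to exercise the "unavailable" case); the classification relies on the `shadowed-private-key` / `protected-private-key` / `private-key` tokens gpg-agent uses.

```python
"""Relate `gpg2 --with-keygrip -K` output to files in private-keys-v1.d."""
import os
import re
from typing import Dict, List, Optional

# Constructed sample: the first key from the mail, with the [E] subkey changed
# to '#' purely to exercise the "unavailable" marker.
SAMPLE_LISTING = """\
sec>  rsa2048 2009-11-12 [C] [expires: 2017-10-19]
      8FA94E79AD6AB56EE38CE5CBAC46EFE6DE500B3E
      Keygrip = 13790148EEE34BC5140DD31B6F95EABA8A19E419
      Card serial no. = 0005 00000274
uid           [ultimate] Peter Lebbing <peter at digitalbrains.com>
ssb>  rsa2048 2009-11-12 [S] [expires: 2017-10-19]
      Keygrip = 46E61BB13BF429980D89B6B7BDE0F70E55E41A03
ssb#  rsa2048 2009-11-12 [E] [expires: 2017-10-19]
      Keygrip = A9C7C73653BEDAF478E4956FCF4C3AFC7CB9A00C
"""

KEY_LINE = re.compile(r"^(sec|ssb)([>#]?)\s+(\S+)\s+(\S+)\s+\[([A-Z]+)\]")
LOCATION = {">": "card", "#": "unavailable", "": "local"}


def parse_key_listing(text: str) -> List[Dict[str, Optional[str]]]:
    """One record per sec/ssb line: usage, card marker, keygrip, card serial."""
    keys: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            kind, marker, algo, created, usage = m.groups()
            keys.append({"kind": kind, "algo": algo, "created": created,
                         "usage": usage, "location": LOCATION[marker],
                         "keygrip": None, "serial": None})
            continue
        stripped = line.strip()
        if keys and stripped.startswith("Keygrip = "):
            keys[-1]["keygrip"] = stripped.split(" = ", 1)[1]
        elif keys and stripped.startswith("Card serial no. = "):
            keys[-1]["serial"] = stripped.split(" = ", 1)[1]
    return keys


def stub_path(homedir: str, keygrip: str) -> str:
    """gpg-agent names the file for a key after its keygrip: <KEYGRIP>.key."""
    return os.path.join(homedir, "private-keys-v1.d", keygrip.upper() + ".key")


STUB_KINDS = {
    b"(20:shadowed-private-key": "card-stub",   # the note "that key is on card X"
    b"(21:protected-private-key": "protected",  # real key, passphrase-wrapped
    b"(11:private-key": "unprotected",          # real key, stored in the clear
}


def classify_stub(data: bytes) -> str:
    """Classify a private-keys-v1.d file by its leading S-expression token.
    Files in the newer extended format begin with a 'Key:' header instead and
    fall through to 'unknown' here."""
    for prefix, kind in STUB_KINDS.items():
        if data.startswith(prefix):
            return kind
    return "unknown"
```

Running `classify_stub` over every file named by `parse_key_listing` is a quick way to confirm that every key shown with a '>' really is a card stub rather than a copy of the private key.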
