Using a GnuPG CCID card in another computer (follow-up)

Matthias Apitz guru at unixarea.de
Tue May 16 11:56:59 CEST 2017 

El día martes, mayo 16, 2017 a las 11:12:18a. m. +0200, Peter Lebbing escribió:

> On 16/05/17 07:55, Matthias Apitz wrote:
> > The question remains: Why I do have to move the files below .gnupg/ to
> > the other workstation?
> 
> The card only holds the basic cryptographic material. But a certificate
> ("public key") holds much more information: your name, the relations
> between the cryptographic keys and how they are used, your preferences
> with regard to algorithms, how long the key is valid, and certifications
> by other users who have signed your key, to name some important ones.
> 
> So before you can use the smartcard, you need to import your
> certificate/public key. You could publish this to the keyserver network,
> or put it on the web. If the latter, you /can/ enter the URL in a data
> field on the smartcard, enabling you to use the "fetch" command of
> --card-edit.

Thanks for the two tips re/ the pub key; I did so and now it works:

I exported the pub key with:

$ gpg2 --export --armor > ccid--export-key-guru.pub

placed it on my webserver and configured its URL with the card's url-command
as

URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub

On the 2nd workstation I moved away the GNUPGHOME:
$ env | grep GNU
GNUPGHOME=/home/guru/.gnupg-ccid
$ mv .gnupg-ccid .gnupg-ccid-saved

gpg2 is unwilling to start due to missing dir and I have had
to create it with mkdir:

$ gpg2 --card-status
gpg: keyblock resource '/home/guru/.gnupg-ccid/pubring.kbx': No such file or directory
gpg: failed to create temporary file '/home/guru/.gnupg-ccid/.#lk0x0000000802616210.r314251-amd64.65213': No such file or directory
gpg: can't connect to the agent: No such file or directory
gpg: OpenPGP card not available: No agent running

$ mkdir /home/guru/.gnupg-ccid
$ chmod 0700 /home/guru/.gnupg-ccid

As you can see the keys are completely missing in the card's status:

$ gpg2 --card-status
gpg: keybox '/home/guru/.gnupg-ccid/pubring.kbx' created
Reader ...........: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D27600012401020100050000532B0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
      created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B  1A13 61F1 ECB6 25C9 A6C3
      created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D  EA4B 6AA5 C5C4 51A1 CD1C
      created ....: 2017-05-14 18:20:07
General key info..: [none]

but after fetching the pub key, all is fine:

[guru at r314251-amd64 ~]$ gpg2 --card-edit  

Reader ...........: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D27600012401020100050000532B0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
      created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B  1A13 61F1 ECB6 25C9 A6C3
      created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D  EA4B 6AA5 C5C4 51A1 CD1C
      created ....: 2017-05-14 18:20:07
General key info..: [none]

gpg/card> fetch
gpg: requesting key from 'http://www.unixarea.de/ccid--export-key-guru.pub'
gpg: /home/guru/.gnupg-ccid/trustdb.gpg: trustdb created
gpg: key 47CCF7E476FE9D11: public key "Matthias Apitz (GnuPG CCID) <guru at unixarea.de>" imported
gpg: Total number processed: 1
gpg:               imported: 1


gpg/card> list

Reader ...........: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D27600012401020100050000532B0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
      created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B  1A13 61F1 ECB6 25C9 A6C3
      created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D  EA4B 6AA5 C5C4 51A1 CD1C
      created ....: 2017-05-14 18:20:07
General key info..: pub  rsa4096/47CCF7E476FE9D11 2017-05-14 Matthias Apitz (GnuPG CCID) <guru at unixarea.de>
sec>  rsa4096/47CCF7E476FE9D11  created: 2017-05-14  expires: never
                                card-no: 0005 0000532B
ssb>  rsa4096/6AA5C5C451A1CD1C  created: 2017-05-14  expires: never
                                card-no: 0005 0000532B
ssb>  rsa4096/61F1ECB625C9A6C3  created: 2017-05-14  expires: never
                                card-no: 0005 0000532B

> > And, what are the files below .gnupg/private-keys-v1.d
> > are exactly?
> 
> Either the real cryptograhic material for a private key, or simply a
> note telling GnuPG "that key is on card X". However, I'm surprised by
> the size of these files you show. All my "notes saying card X", stubs,
> on this laptop are around a mere 360 bytes. I know these files are
> S-Expressions, but I haven't checked the exact construction. I would
> expect OpenPGP smartcard stubs to generally come down to very comparable
> sizes.

I run strings for these files and it shows for example:

$ strings -n8 314DE72F03D41683E06A504769970A1643825B38.key
(20:shadowed-private-key(3:rsa(1:n513:
)(8:shadowed5:t1-v1(16:
9:OPENPGP.2))))




> 
> You can ask GnuPG to list all the OpenPGP private keys it knows about
> along with the keygrip. The keygrip corresponds to the file name in
> private-keys-v1.d. It will also indicate when a key is on a card:
> 
> > $ gpg2 --with-keygrip -K
> > /home/peter/.gnupg/pubring.kbx

I did so and it seems that the keys are on the card:

$ gpg2 --with-keygrip -K
/home/guru/.gnupg-ccid/pubring.kbx
----------------------------------
sec>  rsa4096 2017-05-14 [SC]
      5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
      Keygrip = 937BA1F6A95F68222EC2C6F9573100E17EE9522E
      Card serial no. = 0005 0000532B
uid           [ultimate] Matthias Apitz (GnuPG CCID) <guru at unixarea.de>
ssb>  rsa4096 2017-05-14 [A]
      Keygrip = 7E22A904DB3BE5A98F98AFDEED61DF1364DD949B
ssb>  rsa4096 2017-05-14 [E]
      Keygrip = 314DE72F03D41683E06A504769970A1643825B38


Thanks for your explanations and help. Maybe the FAQ should be expanded
with this.

	matthias
-- 
Matthias Apitz, ✉ guru at unixarea.de, ⌂ http://www.unixarea.de/  ☎ +49-176-38902045

More information about the Gnupg-users mailing list