gpgsm --gen-key with key on smartcard

Thomas Jarosch thomas.jarosch at intra2net.com
Wed Feb 28 10:56:05 CET 2018


Hello together,

gpgsm can be used to create X.509 certificates
for existing secret keys on an OpenPGP smartcard.


"gpg2 --card-status" looks like this:
*********************************************
..
Signature key ....: E642 8DAC 275A 3247 5B59  A16F A3E9 1268 663A 9918
      created ....: 2018-02-27 23:04:28
Encryption key....: 7BD4 D616 869A DABA 40EE  92CE 0B7C A078 D0C4 D69E
      created ....: 2018-02-27 23:04:28
Authentication key: 7DA6 B4FD 7E63 CA74 4BDC  CE17 A006 6D00 9AD9 3260
      created ....: 2018-02-27 23:04:28
sec>  rsa2048/A3E91268663A9918  created: 2018-02-27  expires: never
                                card-no: 0005 00003E6D
ssb>  rsa2048/A0066D009AD93260  created: 2018-02-27  expires: never
                                card-no: 0005 00003E6D
ssb>  rsa2048/0B7CA078D0C4D69E  created: 2018-02-27  expires: never
                                card-no: 0005 00003E6
*********************************************


When invoking

    gpgsm --armor --output public.pem --gen-key

one can choose (3) to use an existing key on a smartcard.

The next menu presented is this:

*********************************************
Available keys:
   (1) C9CD95DDF9B6430274F55168DE39877474DA66EE OPENPGP.1
   (2) 9D81DD6BD19C9C13F9B03915344BCC6BBDFB8428 OPENPGP.2
   (3) 24983DADCC9C49692D6BB30675967DD4B003957D OPENPGP.3
*********************************************

To me it seems it shows the 'keygrip' instead of the smartcard key IDs?


Debug output from gpgsm before the "available keys" prompt:
*********************************************
gpgsm: DBG: chan_5 <- S KEY-FPR 1 E6428DAC275A32475B59A16FA3E91268663A9918
gpgsm: DBG: chan_5 <- S KEY-FPR 2 7BD4D616869ADABA40EE92CE0B7CA078D0C4D69E
gpgsm: DBG: chan_5 <- S KEY-FPR 3 7DA6B4FD7E63CA744BDCCE17A0066D009AD93260
gpgsm: DBG: chan_5 <- S KEY-TIME 1 1519772668
gpgsm: DBG: chan_5 <- S KEY-TIME 2 1519772668
gpgsm: DBG: chan_5 <- S KEY-TIME 3 1519772668
gpgsm: DBG: chan_5 <- S CHV-STATUS +0+32+32+32+3+0+3
gpgsm: DBG: chan_5 <- S SIG-COUNTER 4
gpgsm: DBG: chan_5 <- S KEYPAIRINFO C9CD95DDF9B6430274F55168DE39877474DA66EE OPENPGP.1
gpgsm: DBG: chan_5 <- S KEYPAIRINFO 9D81DD6BD19C9C13F9B03915344BCC6BBDFB8428 OPENPGP.2
gpgsm: DBG: chan_5 <- S KEYPAIRINFO 24983DADCC9C49692D6BB30675967DD4B003957D OPENPGP.3
gpgsm: DBG: chan_5 <- OK
*********************************************

I guessed which key is the correct one from the gnupg 2.2.4 debug output.


When using a smartcard, what about showing the openpgp key IDs
in the "Available keys" menu?

Cheers,
Thomas
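Added example (not part of the original post or of GnuPG itself): the debug output above already carries everything needed to match a menu entry to a card key, because scdaemon reports the fingerprints as KEY-FPR 1..3 and the keygrips as KEYPAIRINFO ... OPENPGP.1..3, and the trailing slot number is the same index in both. The script below parses those status lines (the sample is copied from the post), joins them by slot, derives the long key ID as the last 16 hex digits of the v4 fingerprint (which is why the sec>/ssb> lines in --card-status end in those digits), and labels the slots with the fixed OpenPGP card roles (OPENPGP.1 signature, OPENPGP.2 decryption, OPENPGP.3 authentication). The function names and the role labels are this example's own choices; the status keywords are the ones visible in the debug output.

```python
"""Map gpgsm 'Available keys' keygrips to OpenPGP card fingerprints.

Parses the scdaemon status lines that gpgsm prints in debug mode and
joins KEY-FPR / KEY-TIME / KEYPAIRINFO by their OPENPGP.n slot number.
Example code; not part of GnuPG.
"""
import re
from datetime import datetime, timezone

# Sample debug lines copied from the mailing list post (constructed input).
SAMPLE_DEBUG = """\
gpgsm: DBG: chan_5 <- S KEY-FPR 1 E6428DAC275A32475B59A16FA3E91268663A9918
gpgsm: DBG: chan_5 <- S KEY-FPR 2 7BD4D616869ADABA40EE92CE0B7CA078D0C4D69E
gpgsm: DBG: chan_5 <- S KEY-FPR 3 7DA6B4FD7E63CA744BDCCE17A0066D009AD93260
gpgsm: DBG: chan_5 <- S KEY-TIME 1 1519772668
gpgsm: DBG: chan_5 <- S KEY-TIME 2 1519772668
gpgsm: DBG: chan_5 <- S KEY-TIME 3 1519772668
gpgsm: DBG: chan_5 <- S CHV-STATUS +0+32+32+32+3+0+3
gpgsm: DBG: chan_5 <- S SIG-COUNTER 4
gpgsm: DBG: chan_5 <- S KEYPAIRINFO C9CD95DDF9B6430274F55168DE39877474DA66EE OPENPGP.1
gpgsm: DBG: chan_5 <- S KEYPAIRINFO 9D81DD6BD19C9C13F9B03915344BCC6BBDFB8428 OPENPGP.2
gpgsm: DBG: chan_5 <- S KEYPAIRINFO 24983DADCC9C49692D6BB30675967DD4B003957D OPENPGP.3
gpgsm: DBG: chan_5 <- OK
"""

# Fixed slot roles from the OpenPGP card specification.
SLOT_ROLES = {1: "Signature key", 2: "Encryption key", 3: "Authentication key"}

# Matches Assuan status lines ("S KEYWORD args...") in the debug channel dump.
STATUS_RE = re.compile(r"^gpgsm: DBG: chan_\d+ <- S (\S+)(?: (.*))?$")


def parse_status_lines(text):
    """Yield (keyword, [args]) for every status line; ignore OK/ERR etc."""
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            yield m.group(1), (m.group(2) or "").split()


def correlate(text):
    """Return one dict per OPENPGP.n slot joining keygrip, fingerprint,
    derived long key ID, creation time and card role."""
    fprs, times, grips = {}, {}, {}
    for kw, args in parse_status_lines(text):
        if kw == "KEY-FPR" and len(args) == 2:
            fprs[int(args[0])] = args[1].upper()
        elif kw == "KEY-TIME" and len(args) == 2:
            times[int(args[0])] = int(args[1])
        elif kw == "KEYPAIRINFO" and len(args) >= 2:
            # Newer GnuPG versions append more fields; only the first two matter here.
            slot = re.fullmatch(r"OPENPGP\.(\d+)", args[1])
            if slot:
                grips[int(slot.group(1))] = args[0].upper()

    rows = []
    for slot in sorted(grips):
        fpr = fprs.get(slot)
        created = None
        if slot in times:
            created = datetime.fromtimestamp(times[slot], timezone.utc).strftime(
                "%Y-%m-%d %H:%M:%S")
        rows.append({
            "slot": f"OPENPGP.{slot}",
            "role": SLOT_ROLES.get(slot, "unknown"),
            "keygrip": grips[slot],
            "fingerprint": fpr,
            # Long key ID = low 64 bits of a v4 fingerprint (RSA keys on the card are v4).
            "keyid": fpr[-16:] if fpr else None,
            "created": created,
        })
    return rows


def resolve_keygrip(text, keygrip):
    """Look up the menu entry shown by gpgsm (a keygrip) and return its card key,
    or None when the keygrip is not one of the card's OPENPGP.n slots."""
    for row in correlate(text):
        if row["keygrip"] == keygrip.upper():
            return row
    return None


if __name__ == "__main__":
    for row in correlate(SAMPLE_DEBUG):
        print(f"{row['slot']} {row['role']:<18} keygrip {row['keygrip']}")
        print(f"    fingerprint {row['fingerprint']}  keyid {row['keyid']}  created {row['created']}")
```

Run it against a capture of `gpgsm --debug-level guru --gen-key` output (or the lines above) and each keygrip line from the "Available keys" menu resolves to the fingerprint and key ID that `gpg --card-status` prints, so choice (1) can be confirmed as the signature key rather than guessed.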

More information about the Gnupg-users mailing list