Obtaining Key Stubs From Smartcard

Peter Lebbing peter at digitalbrains.com
Sat Jan 6 13:15:07 CET 2018


On 04/01/18 17:56, Bagel Alderman wrote:
> Please let me know if there's anything else I can check that'd be useful
> for diagnosing this. I appreciate your help.

You don't show the process, just the end result.

I'm thinking more along the line of:

gpg2 --with-subkey-fingerprint -K

shows the private key is known, primary is offline and subkeys are on a
card. The # in sec# indicates the primary is offline, the > in ssb>
indicates the subkeys are on card. A mocked up output is like this:

--8<---------------cut here---------------start------------->8---
sec#  rsa2048 2009-11-12 [C] [expires: 2019-10-13]
      [fingerprint]
uid           [ultimate] Itsa me <mario at nintendo.co.jp>
ssb>  rsa2048 2009-11-12 [S] [expires: 2019-10-13]
      [fingerprint]
      Card serial no. = FFFE 87061340
ssb>  rsa2048 2009-11-12 [E] [expires: 2019-10-13]
      [fingerprint]
      Card serial no. = FFFE 87061340
--8<---------------cut here---------------end--------------->8---

(It would be nice if the documentation indicated that
--with-subkey-fingerprint also lists the card serial no. I had a
suspicion it might work and it did.)

But, we're discussing how to change to a different smartcard. So let's
do that. The primary is already offline, we lose nothing there, and the
stubs we're trying to lose. Let's delete the secret key. It would be a
good idea to keep a backup of the whole .gnupg dir in any case, but I'm
not showing that.

gpg2 --delete-secret-keys mario

--8<---------------cut here---------------start------------->8---
sec  rsa2048/[keyid] 2009-11-12 Itsa me <mario at nintendo.co.jp>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
--8<---------------cut here---------------end--------------->8---

Check it's gone:

gpg2 -K

gpg: error reading key: No secret key

Stick in the smartcard we want to bind; and lo and behold:

gpg2 --card-status

--8<---------------cut here---------------start------------->8---
General key info..: sub  rsa2048/[keyid] 2009-11-12 Itsa me
<mario at nintendo.co.jp>
sec#  rsa2048/[keyid]  created: 2009-11-12  expires: 2019-10-13
ssb>  rsa2048/[keyid]  created: 2009-11-12  expires: 2019-10-13
                                card-no: FFFE 12345678
ssb>  rsa2048/[keyid]  created: 2009-11-12  expires: 2019-10-13
                                card-no: FFFE 12345678
--8<---------------cut here---------------end--------------->8---

For good measure, do a:

gpg2 --with-subkey-fingerprint -K

This is the level of detail I meant. It works for me. Where does it go
wrong for you?

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
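An added check for the listing Peter asks for; it is not code from the thread. It feeds a constructed listing in the shape of the mocked-up `gpg2 --with-subkey-fingerprint -K` output above through awk and verifies that the primary is offline (`sec#`), that every subkey is a card stub (`ssb>`) and that every stub names the expected card serial, which is exactly the state to confirm before and after rebinding to a different card.

```shell
#!/bin/sh
# Constructed sample in the shape of the mocked-up listing in the post:
# what `gpg2 --with-subkey-fingerprint -K` prints once the stubs point
# at the card. The [fingerprint] placeholders are kept as in the post.
SAMPLE_LISTING='sec#  rsa2048 2009-11-12 [C] [expires: 2019-10-13]
      [fingerprint]
uid           [ultimate] Itsa me <mario at nintendo.co.jp>
ssb>  rsa2048 2009-11-12 [S] [expires: 2019-10-13]
      [fingerprint]
      Card serial no. = FFFE 87061340
ssb>  rsa2048 2009-11-12 [E] [expires: 2019-10-13]
      [fingerprint]
      Card serial no. = FFFE 87061340'

# check_card_binding LISTING EXPECTED_SERIAL
# Returns 0 when the primary is offline (sec#), every subkey is a card
# stub (ssb>) and every stub carries EXPECTED_SERIAL; otherwise prints
# each problem found and returns 1. Against a real keyring, pass:
#   check_card_binding "$(gpg2 --with-subkey-fingerprint -K)" "FFFE 87061340"
check_card_binding() {
    listing=$1
    want=$2
    printf '%s\n' "$listing" | awk -v want="$want" '
        /^sec/ { if ($1 != "sec#") { print "primary key not offline: " $1; bad = 1 } }
        /^ssb/ {
            nsub++
            if ($1 == "ssb>") { nstub++; pending = 1 }
            else { print "subkey kept on disk, not a card stub: " $0; bad = 1 }
            next
        }
        pending && /Card serial no\. = / {
            serial = $0
            sub(/.*Card serial no\. = /, "", serial)
            nserial++
            if (serial != want) { print "stub bound to another card: " serial; bad = 1 }
            pending = 0
        }
        END {
            if (nsub == 0) { print "no subkeys in listing"; bad = 1 }
            if (nserial != nstub) { print "card stub without a serial number"; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Stand-alone run against the constructed sample.
if check_card_binding "$SAMPLE_LISTING" "FFFE 87061340"; then
    echo "all subkeys bound to card FFFE 87061340"
fi
```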
