Is limit-card-insert-tries a working option?

Chip Senkbeil chip.senkbeil at gmail.com
Wed May 29 16:56:31 CEST 2019


Hey folks, I'm trying to figure out if

    a) the gpg option --limit-card-insert-tries is currently functioning (I'm assuming it is)
    b) setting --limit-card-insert-tries=1 does what I expect

My current setup is that I have my passwords stored using the pass tool from passwordstore.org. Each password is encrypted as a separate file and the encryption/decryption is handled by one of several of my encryption subkeys.

I've made multiple encryption subkeys from a master key after reading around best practices and other tidbits from other GPG users. My subkeys are each individually stored on a separate Yubikey from Yubico.com.

The encryption and decryption work great. For my multiple devices, I can have different keys inserted and encrypt/decrypt just as I would if the same master key were on each device. This is done by initializing the `pass` tool with each subkey's 0x key ID with a ! added to the end.

The annoyance comes from the pinentry prompt I'm using with the gpg agent. When it needs to refresh the cache, the agent prompts me multiple times to insert my other smart cards before it reaches the smart card that is currently plugged into my device. This happens on both OS X and Fedora with version 2.2.15 of gpg and gpg-agent.

I've read about the --limit-card-insert-tries option and that, if set to 1, the prompt to insert the card shouldn't appear. To my understanding, it should fail and move on to the next subkey silently. Am I reading the option correctly?

If I am, I currently have `limit-card-insert-tries 1` within my gpg.conf config, but it isn't having any impact. I can confirm that other settings within my gpg.conf are being read and utilized.

I pulled down the latest copy of gpg from git://git.gnupg.org/gnupg.git and tried to follow the path from where the --limit-card-insert-tries option is provided, but I'm getting lost with where the setting goes. I'm sure it's used somewhere, but I seem to hit a dead end following the program's usage of the option.

Can anyone give me guidance as to what I'm doing wrong? Did I misunderstand the usage of the option? Is there some alternative I could do instead?

I love the setup I have, but I'm fairly new to gpg and smart cards, so I'm not sure whether I've made some mistake along the way.
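
An added example to go with the setup described in the post above (it is not the poster's code, nor part of GnuPG or pass). A password file encrypted by `pass` to several subkeys carries one public-key-encrypted session key (PKESK) packet per recipient subkey, and `gpg --list-packets` prints each recipient's long key ID. `gpg --card-status` prints the fingerprint of the encryption subkey on the inserted card. The script below parses both outputs and splits the file's recipients into the one served by the inserted card and the ones that live elsewhere; every recipient in the second group is a key gpg may try and, if it is a card stub for an absent card, a candidate for the "insert card" prompt the post complains about. The two sample outputs are constructed, and all key IDs, fingerprints and the serial number are hypothetical placeholders.

```python
"""Which recipients of a pass-encrypted file are on the inserted card?

Added example, not code from the original post or from GnuPG/pass.
It parses the text output of two real commands:

    gpg --list-only --list-packets ~/.password-store/some/entry.gpg
    gpg --card-status

SAMPLE_LIST_PACKETS and SAMPLE_CARD_STATUS are constructed samples;
key IDs, fingerprints and the serial number are hypothetical.
"""
import re
from typing import List, Optional, Tuple

# Constructed `gpg --list-packets` output for a file encrypted to three
# encryption subkeys: one ":pubkey enc packet:" (PKESK) per recipient.
SAMPLE_LIST_PACKETS = """\
# off=0 ctb=85 tag=1 hlen=3 plen=268
:pubkey enc packet: version 3, algo 1, keyid 1111222233334444
        data: [2047 bits]
# off=271 ctb=85 tag=1 hlen=3 plen=268
:pubkey enc packet: version 3, algo 1, keyid 5555666677778888
        data: [2048 bits]
# off=542 ctb=85 tag=1 hlen=3 plen=268
:pubkey enc packet: version 3, algo 1, keyid 9999AAAABBBBCCCC
        data: [2048 bits]
# off=813 ctb=d2 tag=18 hlen=2 plen=94 new-ctb
:encrypted data packet:
        length: 94
        mdc_method: 2
"""

# Constructed `gpg --card-status` output for the card that is plugged in.
SAMPLE_CARD_STATUS = """\
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240102010006012345670000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 01234567
Name of cardholder: [not set]
Signature key ....: 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0000 1111
      created ....: 2019-01-01 00:00:00
Encryption key....: 0123 4567 89AB CDEF 0123  4567 5555 6666 7777 8888
      created ....: 2019-01-01 00:00:00
Authentication key: [none]
General key info..: [none]
"""

# One PKESK line per recipient; the long key ID is 16 hex digits.
PKESK_RE = re.compile(r"^:pubkey enc packet: .*keyid ([0-9A-Fa-f]{16})", re.M)
# The card's encryption slot prints a 40-hex-digit fingerprint in groups
# of four; an empty slot prints "[none]", which this pattern rejects.
CARD_ENC_RE = re.compile(r"^Encryption key\.*:\s*([0-9A-Fa-f ]+)$", re.M)


def pkesk_keyids(list_packets_output: str) -> List[str]:
    """Return the recipient long key IDs in the order the PKESK packets
    appear in the file."""
    return [kid.upper() for kid in PKESK_RE.findall(list_packets_output)]


def card_encryption_keyid(card_status_output: str) -> Optional[str]:
    """Return the long key ID of the encryption subkey on the inserted card.

    For a v4 OpenPGP key the long key ID is the last 16 hex digits of the
    fingerprint. Returns None if the card's encryption slot is empty or
    the line is not a well-formed fingerprint.
    """
    m = CARD_ENC_RE.search(card_status_output)
    if not m:
        return None
    fpr = m.group(1).replace(" ", "")
    if len(fpr) != 40:
        return None
    return fpr[-16:].upper()


def classify_recipients(list_packets_output: str,
                        card_status_output: str) -> Tuple[List[str], List[str]]:
    """Split the file's recipients into (on inserted card, not on it).

    Recipients in the second list are the ones gpg cannot serve with the
    card that is present, i.e. the candidates for an "insert card" prompt.
    """
    present = card_encryption_keyid(card_status_output)
    on_card: List[str] = []
    elsewhere: List[str] = []
    for kid in pkesk_keyids(list_packets_output):
        (on_card if kid == present else elsewhere).append(kid)
    return on_card, elsewhere


if __name__ == "__main__":
    served, missing = classify_recipients(SAMPLE_LIST_PACKETS, SAMPLE_CARD_STATUS)
    print("recipients served by the inserted card:", served)
    print("recipients whose subkey is on another card:", missing)
```

To run it against a real store, replace the two constructed samples with the captured output of the commands named in the docstring; `--list-only` is used so that listing the packets does not itself trigger a decryption attempt and the card prompts this post is about.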


