Is limit-card-insert-tries a working option?

Chip Senkbeil chip.senkbeil at gmail.com
Thu May 30 18:00:01 CEST 2019


Thanks for the info, Tony! I'm trying to make sure I understand the exclamation mark setup as well as still figure out the --limit-card-insert-tries.

From what I've seen from the `pass` tool, if I'm editing an already-encrypted file, it decrypts the file - producing a copy that I can edit - and then re-encrypts the file. Here's an example from my multiple subkey setup:

    gpg2 -e -r keyid1! -r keyid2! -r keyid3! -o content.gpg --quiet --yes --compress-algo=none --no-encrypt-to --batch --use-agent /path/to/content.txt

Where keyid1, keyid2, etc. are in the long form of 0x0123456789ABCDEF

I added the exclamation mark because, when I originally provided multiple subkeys to the tool without it, it appeared that gpg was selecting the first subkey in my list regardless of which smart card I had inserted (each has a different subkey). This seems to follow from gpg trying to figure out the appropriate primary or secondary key to use, I think.

If I didn't insert the smart card of the selected key, gpg would fail saying something along the lines of no secret key available.

To get around this, providing the exclamation mark for all subkeys appeared to force gpg to try each in turn. This worked in that gpg would eventually reach the subkey that I had available through the inserted smart card, prompt me through pinentry to enter the password for the smart card, and then encrypt (or decrypt).

I take it there's no way for gpg to know which subkey on a smart card is available and automatically pick it, right? If not, does me using the exclamation marks impact the --limit-card-insert-tries option? I would have thought that I could have used that option to suppress the "insert card" dialog and only have the dialog of an actively-inserted card appear.

Does the --limit-card-insert-tries option do as I've described? I'm still trying to figure out how/if it works because it seems to have no impact on the prompts I receive regarding inserting a smart card.

Also, based on your first link, would me providing a different user ID be an option I should pursue? Would using an exact match on the email address (given all of the subkeys have the same address) be an option? Would gpg be able to figure out the appropriate subkey that is available in that manner?

On Wed, May 29, 2019 at 01:55:32PM -0400, Tony Lane wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> When encrypting or signing or decrypting with a specific key, if you have a set of keys (say, a master key and 3 encryption subkeys etc), GPG may try each key until it finds a match.
> However, you can do something like:
> gpg -u <key-id>!
> to tell GPG to use that specific key. Note the exclamation mark. When using gpg an exclamation mark (!) may be appended to force using the specified primary or secondary key and not to try and calculate which primary or secondary key to use.
>
> You can take a peek at the documentation here for more info: https://www.gnupg.org/documentation/manuals/gnupg/Specify-a-User-ID.html
> There is also a manual here, with more options if it helps: https://gnupg.org/documentation/manpage.html
>
>
> On 5/29/19 10:56 AM, Chip Senkbeil wrote:
> > Hey folks, I'm trying to figure out if
> >
> >     a) the gpg option --limit-card-insert-tries is currently functioning (I'm assuming it is)
> >     b) setting --limit-card-insert-tries=1 does what I expect
> >
> > My current setup is that I have my passwords stored using the pass tool from passwordstore.org. Each password is encrypted as a separate file and the encryption/decryption is handled by one of several of my encryption subkeys.
> >
> > I've made multiple encryption subkeys from a master key after reading around best practices and other tidbits from other GPG users. My subkeys are each individually stored on a separate Yubikey from Yubico.com.
> >
> > The encryption and decryption works great. For my multiple devices, I can have different keys inserted and encrypt/decrypt just like I would if the same master key was on each device. This is by using the `pass` tool initialized with each subkey's 0xid with an ! added to the end.
> >
> > The annoyance comes from the pinentry prompt I'm using with the gpg agent. When needing to refresh the cache, the agent prompts me multiple times to insert my other smart cards before it reaches the smart card that is currently plugged into my device. This happens on both OSX and Fedora using version 2.2.15 of gpg and gpg-agent.
> >
> > I've read about the --limit-card-insert-tries option and that, if specified as 1, the prompt shouldn't appear to insert the card. To my understanding, it should fail and move on to the next subkey silently. Am I reading the option correctly?
> >
> > If I am, I currently have `limit-card-insert-tries 1` within my gpg.conf config, but it isn't having any impact. I can confirm that other settings within my gpg.conf are being read and utilized.
> >
> > I pulled down the latest copy of gpg from git://git.gnupg.org/gnupg.git and tried to follow the path from when the --limit-card-insert-tries is provided, but I'm getting lost with where the setting goes. I'm sure it's used somewhere, but I seem to hit a dead end following the program's usage of the option.
> >
> > Can anyone give me guidance as to what I'm doing wrong? Did I misunderstand the usage of the option? Is there some alternative I could do instead?
> >
> > I love the setup I have, but I'm fairly new to gpg and smart cards; so, not sure if I've made some mistake along the way.
> >
> > _______________________________________________
> > Gnupg-users mailing list
> > Gnupg-users at gnupg.org
> > http://lists.gnupg.org/mailman/listinfo/gnupg-users
> >
> -----BEGIN PGP SIGNATURE-----
>
> iLkEARMKAB0WIQQWZv6JZKxO310TWtXo8fj9gx4T0wUCXO7HkwAKCRDo8fj9gx4T
> 09NuAgkBlT+FUIQ8k6a18fmrFfi7dRcRDOm4yv3unMtVwfp/bMe0mszMeaGDV2hN
> CQgiiGCLNhmEsLLUITvK28mL4zlLHssCCQFR2gIqWKdOZauXO0gtJeVTkLtk4DgW
> hcNLKSP6cBn42hgp/tZGKfQWvN6ZbvQaly4fWkgeF/s2zONCzDxS+fJ5Ug==
> =hC3D
> -----END PGP SIGNATURE-----
>
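
An added example (not code from this thread, nor from the pass or GnuPG projects) showing the "pin each subkey with !" setup Chip describes above, built from gpg's own machine-readable key listing. It reads `gpg --with-colons --list-keys` output, keeps only the encryption-capable subkeys (lowercase `e` in the capabilities field, which is field 12 of a `pub`/`sub` record; the fingerprint is field 10 of the following `fpr` record), and assembles the same gpg2 command line pass uses, with a `!` after every recipient. The listing embedded below is constructed for the demo and its fingerprints and key IDs are placeholders; the helper names `build_recipient_args` and `show_encrypt_command` are mine. The command is only printed, so it runs without gpg installed or a smart card inserted.

```shell
#!/bin/sh
# Added example, not code from the thread: derive the exact-subkey recipient
# list ("-r <fingerprint>!") that pass hands to gpg2 from a
# `gpg --with-colons --list-keys` listing, and show the resulting command
# without running it. Field positions follow gpg's colon format: the
# fingerprint is field 10 of an "fpr" record and the key capabilities are
# field 12 of a "pub"/"sub" record (lowercase 'e' = encryption-capable).

# Constructed sample listing for the demo; the fingerprints and key IDs are
# placeholders, not real keys. One primary key with three encryption
# subkeys and one signing subkey.
SAMPLE_LISTING='pub:u:255:22:0123456789ABCDEF:1559000000:::u:::scESCA::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:
uid:u::::1559000000::0000000000000000000000000000000000000000::Chip Example <chip@example.invalid>::::::::::0:
sub:u:255:18:1111111111111111:1559000000::::::e::::::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB1111111111111111:
sub:u:255:18:2222222222222222:1559000000::::::e::::::23:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC2222222222222222:
sub:u:255:22:3333333333333333:1559000000::::::s::::::23:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDD3333333333333333:
sub:u:255:18:4444444444444444:1559000000::::::e::::::23:
fpr:::::::::EEEEEEEEEEEEEEEEEEEEEEEE4444444444444444:'

# Read a --with-colons listing on stdin and print one "-r FPR!" line per
# encryption-capable subkey. The "!" pins gpg to that exact subkey instead
# of letting it choose one itself (the behaviour discussed in the thread).
build_recipient_args() {
    awk -F: '
        $1 == "pub" || $1 == "sub" { want = (index($12, "e") > 0); next }
        $1 == "fpr" && want        { printf "-r %s!\n", $10; want = 0 }
    '
}

# Assemble the gpg2 invocation pass uses (taken from the thread) with the
# pinned recipients. $1 is the plaintext path; the listing comes on stdin.
# Only prints the command so the demo runs without gpg or a smart card.
show_encrypt_command() {
    recipients=$(build_recipient_args | tr '\n' ' ')
    printf 'gpg2 -e %s-o content.gpg --quiet --yes --compress-algo=none --no-encrypt-to --batch --use-agent %s\n' \
        "$recipients" "$1"
}

# Demo: with the constructed listing only the three 'e' subkeys are pinned;
# the signing subkey (capability 's') is skipped.
printf '%s\n' "$SAMPLE_LISTING" | show_encrypt_command /path/to/content.txt
```

Against a real keyring the same helper is fed with `gpg --with-colons --list-keys <keyid> | build_recipient_args`. The `!` suffix works equally on the `0x`-prefixed long key IDs used in the thread; full fingerprints are used here only because they are what the `fpr` record carries and cannot collide. Note that pinning recipients this way settles which subkeys gpg encrypts to; it does not by itself change how gpg-agent prompts for cards when decrypting, which is the `--limit-card-insert-tries` question still open in the thread.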
