gpg-agent only checks for smartcard not for local keys

Werner Koch wk at
Mon Nov 4 12:46:03 CET 2019

On Sat,  2 Nov 2019 12:20, Horst Skatmus said:

> I do not understand how the gpg-agent determines where to look for the
> private key (disk or smartcard) and where this is configured. I can switch
> off the scdaemon via --disable-scdaemon but this has no effect.

At the time you use ssh-add (putty has a similar feature iirc) the key
is copied to GnuPG's private key store and added to the file sshcontrol
in the GnuPG home directory ("gpgconf --list-dirs" shows this).

You can also add the key manually to the file.  An entry there looks like this:

  # Ed25519 key added on: 2016-11-29 10:28:00
  # MD5 Fingerprint:  b5:f9:23:5f:b2:8c:b2:58:7d:b3:1e:f4:7e:26:33:7c
  1934563577D9EDA59D3CC74B0CF9C630EA3F302D 0

The header of the sshcontrol file has comments on the syntax.
In short you put the keygrip (as shown in the KEYINFO lines or in
"gpg -k --with-keygrip") followed by the TTL for the cache
(0 for the default).

gpg-agent accesses the smartcard because the authentication key of an
inserted card is implicitly enabled for ssh.  Which key this is depends
on the card and gpg-agent knows how to query this.



Thoughts are free.  Exceptions are regulated by a federal law.
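
Added example, not part of the original message and not GnuPG's own code: a small shell audit of which keygrips a sshcontrol file enables for ssh, using the entry format described above. The "!" disable prefix and the optional flags field are taken from the gpg-agent documentation rather than this message; the function name, the sample directory and the second keygrip are constructed.

```shell
#!/bin/sh
# audit_sshcontrol FILE KEYDIR
# One line per sshcontrol entry: keygrip, enabled/disabled, cache TTL, flags,
# and whether KEYDIR (private-keys-v1.d) holds a key file for that keygrip.
audit_sshcontrol() {
    ctl=$1
    keydir=$2
    while read -r grip ttl flags || [ -n "$grip" ]; do
        case $grip in
            ''|'#'*) continue ;;                     # blank lines and comments
        esac
        state=enabled
        case $grip in
            '!'*) state=disabled; grip=${grip#\!} ;; # "!" prefix disables the entry
        esac
        # A keygrip is 40 hex digits; report anything else instead of guessing.
        if ! printf '%s\n' "$grip" | grep -Eq '^[0-9A-Fa-f]{40}$'; then
            echo "MALFORMED $grip"
            continue
        fi
        grip=$(printf '%s' "$grip" | tr 'a-f' 'A-F') # key files use upper-case names
        if [ -f "$keydir/$grip.key" ]; then
            keyfile=key-file-present
        else
            keyfile=key-file-missing
        fi
        # A missing TTL is reported as 0, i.e. the default cache TTL.
        echo "$grip $state ttl=${ttl:-0} flags=${flags:-none} $keyfile"
    done < "$ctl"
}

# Constructed sample: the first keygrip is the one quoted in the message,
# the second (disabled) entry and the malformed line are made up.
demo=$(mktemp -d)
mkdir "$demo/private-keys-v1.d"
: > "$demo/private-keys-v1.d/1934563577D9EDA59D3CC74B0CF9C630EA3F302D.key"
cat > "$demo/sshcontrol" <<'EOF'
# Ed25519 key added on: 2016-11-29 10:28:00
1934563577D9EDA59D3CC74B0CF9C630EA3F302D 0
!0123456789ABCDEF0123456789ABCDEF01234567 600 confirm
not-a-keygrip
EOF
audit_sshcontrol "$demo/sshcontrol" "$demo/private-keys-v1.d"
```

On a real system, pass the sshcontrol file and the private-keys-v1.d directory found under the path printed by "gpgconf --list-dirs homedir". The implicitly enabled card authentication key does not appear in this output, because it is not listed in sshcontrol.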