Best practice to use several smartcards for a single key?

Ingo Klöcker kloecker at kde.org
Sun Dec 13 22:10:34 CET 2020


On Sunday, 13 December 2020 12:06:21 CET Nicolas Boullis wrote:
> > > As a bonus question: given that my “master” private key is also stored
> > > on a smartcard, is there a way to ask GnuPG to generate a signature
> > > subkey on a second smartcard, while signing it with the first smartcard?
> > 
> > Yes, but only with the unreleased development version of GnuPG. With
> > 2.2.25 trying to add a subkey from an existing key from card failed here.
> > There have been quite some fixes with regard to smartcard support in the
> > development version in the last few weeks.
> > 
> > What I did:
> > Remove the first smartcard. Insert the second smartcard. Then
> > $ gpg --edit-key master at example.net
[...]
> > -> "Please insert the card with serial number: [s/n of first card]"
> > -> "Please unlock the card" [s/n of first card]
> > -> "Please unlock the card" [s/n of second card]
> 
> Do these steps work if I have both cards inserted (in 2 readers) or would
> I have to remove one card to insert the other one?

Both cards were inserted after I was asked to insert the first card. I have 
not tried the above with both cards inserted from the start. Even if it works, 
I think it's easier if at first you only insert the second card (i.e. the card 
with the key you want to add as signing subkey) because it will make the 
selection of the key from the list of available keys easier.

> > -> "Please insert the card with serial number: [s/n of first [sic] card]"
> > -> I insert the second (!) card
> 
> Hmmm… That’s a funny bug…
> You mean gnupg asks for the first card, but it needs and accepts the
> second one?
> Just curious, do you know how this is possible?
> I might understand that it could store the wrong s/n in the subkey stub,
> but why does it accept the card whose s/n does not match?

The request to enter a certain card is merely a hint (in this case a bogus 
hint) for the user. gpg will look for the key on any inserted card regardless 
of what card it asked for. The key is uniquely identified by its keygrip (use 
--with-keygrip to see it on --list[-secret]-keys), the s/n of the card doesn't 
matter.

> Can’t you then fix this by deleting the stub and then learning the
> second card?

Maybe, but I'd rather make sure that the bug is fixed. ;-)

Regards,
Ingo
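As an added illustration of the point above (gpg locates a key by its keygrip; the card S/N recorded in the stub is only a hint), here is example code written for this page, not part of GnuPG or the thread. The colon-format listing, key IDs, keygrips and card serial numbers are constructed; field positions follow GnuPG's documented `--with-colons` layout (field 15 of sec/ssb = token S/N, field 10 of grp = keygrip).

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample of `gpg --with-colons --with-keygrip --list-secret-keys`
# for a made-up key: primary recorded on card ...0001, signing subkey recorded
# on card ...0002, encryption subkey a plain '#' stub with no card recorded.
SAMPLE = """\
sec:u:255:22:0123456789ABCDEF:1607000000::::::cESC:::D2760001240103040006000000010000:::ed25519:
fpr:::::::::0000000000000000000000000000000000000001:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1607000000::0000000000000000000000000000000000000002::master at example.net::::::::::0:
ssb:u:255:22:FEDCBA9876543210:1607000000::::::s:::D2760001240103040006000000020000:::ed25519:
fpr:::::::::0000000000000000000000000000000000000003:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:255:22:0011223344556677:1607000000::::::e:::#:::ed25519:
grp:::::::::3333333333333333333333333333333333333333:
"""

@dataclass
class SecretKey:
    record: str                        # "sec" = primary, "ssb" = subkey
    keyid: str                         # field 5
    capabilities: str                  # field 12, e.g. "cESC", "s", "e"
    keygrip: str = ""                  # field 10 of the following grp record
    card_serial: Optional[str] = None  # field 15 S/N hint; None for '#'/'+' stubs

def parse_secret_listing(text: str) -> List[SecretKey]:
    """Pair each sec/ssb record with the grp record that follows it."""
    keys: List[SecretKey] = []
    current: Optional[SecretKey] = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            f += [""] * (21 - len(f))   # pad to the documented 21 fields
            token = f[14]
            serial = token if token not in ("", "#", "+") else None
            current = SecretKey(f[0], f[4], f[11], card_serial=serial)
            keys.append(current)
        elif f[0] == "grp" and current is not None:
            current.keygrip = f[9]
            current = None
    return keys

def locate_on_card(keys: List[SecretKey], inserted_serial: str,
                   card_keygrips: Set[str]) -> List[Tuple[str, bool]]:
    """A key is usable with the inserted card iff its keygrip is on that card.
    The S/N hint is reported alongside (True = hint matches) but never decides."""
    return [(k.keyid, k.card_serial == inserted_serial)
            for k in keys if k.keygrip in card_keygrips]
```

Feeding the signing subkey's keygrip with a card whose serial differs from the stub's hint still yields a match, which is exactly the "bogus hint" situation described in the thread.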