Multiple Yubikeys/Smartcards and Thunderbird email client

Brandon Anderson brandon753.ba at gmail.com
Thu Jul 15 03:22:47 CEST 2021


I have several Yubikeys and smartcards in my setup, each with its own
signing subkeys, and I use these, among other things, to sign email
messages. Whenever I want to send an email on Thunderbird, it demands a
specific smartcard by serial number for email signing and will refuse to
use the smartcard/Yubikey plugged into the system. At first, I thought
this was a Thunderbird problem; however, according to the Thunderbird
docs, for smartcard signing, it sends the requests directly to GPG. When
I rebooted my system and issued the command `gpg --clearsign` followed
by some test data to sign, it also demanded the same specific smartcard
for digital signing rather than the smartcard that was plugged into the
system and had a valid subkey for signing. This behavior would go away,
and gpg would pick the first valid signature subkey to which it had
access after I ran the command `gpg --card-status`, but the issue does
not clear on Thunderbird. My public key is viewable here
https://keyserver.ubuntu.com/pks/lookup?search=0xAA35E492383D0F8A2E145261255837AEF812E87E&fingerprint=on&op=index.
Normally, I have my desktop Yubikey with the signature subkey
ed25519/CC3C9B2F10BCED15, but Thunderbird and gpg on boot (before `gpg
--card-status`) refuse to sign with any other key than
ed25519/5A55707CAA63F689 even when the smartcard for that key is not on
the system and the smartcard for the other key is.

Interestingly, Thunderbird has no issue decrypting a message with the
smartcard normally used on my system; it just refuses to sign if not
with a specific smartcard. The fact that on system boot gpg is
exhibiting the same behavior and that Thunderbird is supposedly directly
using gpg for smartcard-related actions makes me think this is something
I have misconfigured. Any idea what I should be doing differently?

Sincerely,

Brandon Anderson
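
One way to see which card serial gpg's secret-key stubs name for each signing subkey, as an added example that is not part of the original post: it reads the colon-delimited listing produced by `gpg --list-secret-keys --with-colons` (field 12 is the key's capabilities, field 15 the token serial) and compares each stub against the card that is plugged in. The key IDs and card Application IDs in the sample are constructed, and `signing_stub_report` and `sample_listing` are hypothetical names.

```shell
#!/bin/sh
# Added diagnostic example; not code from the original post.
# Usage on a real system (assumption: $AID is the "Application ID" value
# printed by `gpg --card-status` for the inserted card):
#   gpg --list-secret-keys --with-colons | signing_stub_report "$AID"

# Report every usable signing-capable secret (sub)key and where gpg
# believes its secret part lives.
signing_stub_report() {
    awk -F: -v inserted="$1" '
        # Only sec/ssb records whose own capabilities (lowercase letters)
        # include signing, and that are neither revoked nor expired.
        ($1 == "sec" || $1 == "ssb") && $12 ~ /s/ && $2 != "r" && $2 != "e" {
            token = $15
            if (token == "")            where = "no location recorded"
            else if (token == "#")      where = "stub only, secret key not available"
            else if (token == "+")      where = "secret key on disk"
            else if (token == inserted) where = "on inserted card"
            else                        where = "on other card " token
            # record type, curve (field 17), key ID (field 5), location
            printf "%s %s %s: %s\n", $1, $17, $5, where
        }'
}

# Constructed sample listing: an offline primary key, two signing subkeys
# bound to two different cards, one encryption subkey, one revoked subkey.
sample_listing() {
    cat <<'EOF'
sec:u:255:22:1111111111111111:1600000000:::u:::cSC:::#::ed25519:::0:
ssb:u:255:22:2222222222222222:1600000000::::::s:::D2760001240103040006000000010000::ed25519::
ssb:u:255:22:3333333333333333:1600000000::::::s:::D2760001240103040006000000020000::ed25519::
ssb:u:255:18:4444444444444444:1600000000::::::e:::D2760001240103040006000000020000::cv25519::
ssb:r:255:22:5555555555555555:1600000000::::::s:::+::ed25519::
EOF
}

# Demo run with the second constructed card treated as the inserted one.
sample_listing | signing_stub_report D2760001240103040006000000020000
```

A signing subkey reported as "on other card" is one whose stub names a serial different from the card that is present.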
