OpenPGP card and gpg-agent TTL

Werner Koch wk at
Tue Nov 2 18:34:16 CET 2021

On Sat, 30 Oct 2021 15:50, Matthias Apitz said:

> I just withdraw the USB dongle after the operation. I was thinking that
> the gpg-agent.conf entry 'max-cache-ttl' will also expire the unlocked
> state of the OpenPGP card, which it does not. How could I do this? 

No, it does not because it is the decision of the card how long the
VERIFY command send to the card allows the use of the key.  For most
cards and keys the keys are unlocked by VERIFY until the card is powered
down.  The OpenPGP cards allow to limit the VERIFY command for the first
key to one signing operation ("forcesig" toggles this).

As a workaround use "gpgconf --reload scdaemon" to power down the card.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the Gnupg-users mailing list