gnupg 'signing server'? Looking for advice on key management/security

Daniel Cerqueira dan.list at
Mon Nov 13 12:46:19 CET 2023

Jacob Bachmeyer <jcb62281 at> writes:

> The problem here is that, while the key never leaves the smartcard,
> the /entire/ device that accesses the smartcard must be trusted, as a
> backdoor on the device could steal plaintext or submit extra items for
> signing.  A PIN does not solve the problem, since the PIN is entered
> on the device, which could be backdoored to store the PIN and submit
> it along with Mallory's messages for the smartcard to sign---and the
> card will sign it, since the PIN checks out...
> Smartcards make silently duplicating the key difficult (supposedly
> infeasible) but do not solve the general problems with
> network-connected devices.

If you don't trust pinentry, maybe you should also not trust gnupg. They
are from the same project (

I believe is best for you not to use gnupg and pinentry, until you
review it.

More information about the Gnupg-users mailing list