Mailing List Archive: GnuPG: users

Signing with a key on a smart card

Index | Next | Previous | View Threaded

jerome.blanc at nerim

Aug 4, 2009, 1:01 PM

Post #1 of 3 (623 views)
Permalink

Signing with a key on a smart card

Hello,

I'm currently toying with an OpenPGP smart card, but I meet some
difficulties getting how this works.

I have the Smart Card properly set up (at least I do think so ;-)) :

[gemini [at] Gemin ~]$ gpg --card-status

gpg: detected reader `Gemplus GemPC Twin 00 00'
[…]
Signature key ....: 5898 DBEA 1139 733B ACFD 7880 E8B6 F7C5 2B20 7AEF
created ....: 2009-08-02 11:34:17
Encryption key....: A52C FAAC D39F 252D A2C4 0149 2B0F 7310 7C9E D800
created ....: 2009-08-02 11:37:25
Authentication key: D179 47D8 3B01 87A3 3C86 1AB0 2E8D 6DE6 F8D5 6EFC
created ....: 2009-08-04 19:22:04
In the keyring, I have 3 private master keys, for handling 3 different
identities.

In the gpg.conf, the default key is the master key that generated the
subkeys that are on the smart card.

I can cipher and decipher using the keys on the smart card. However,
when I try to sign a file, then I have the following :

[gemini [at] Gemin ~]$ gpg --sign -u 2B207AEF test.txt
Le fichier `test.txt.gpg' existe. Réécrire par-dessus ? (o/N)
gpg: detected reader `Gemplus GemPC Twin 00 00'
gpg: la signature a échoué: mauvaise clé secrète utilisée
gpg: signing failed: mauvaise clé secrète utilisée

which means => signing failed: wrong secret key used

Signing works with the two other master keys. As well, using the same
card on another computer works, with an empty gpg keyring but the
public keys related to it.

Does this mean I have no other choice but to remove master keys of that
"identity" in order to be able to use the card with my computer ?

Thanks !

Regards,
--
Jérôme Blanc
OpenPGP : 1024D/F44DB96C

Attachments:

signature.asc (0.19 KB)

jerome.blanc at nerim

Sep 2, 2009, 1:55 AM

Post #2 of 3 (428 views)
Permalink

Re: Signing with a key on a smart card [In reply to]

Hello,

anyone that could explain me how gpg chooses which secret key to use or
how I could tell gpg which one to use ?

Or maybe a way I can tell gpg not to use the smart card while on a
certain computer.

I still don't get why it doesn't manage to use the proper secret key
and google is definitely not my friend.

Thanks

Le mardi 04 août 2009 à 22:01, Jérôme Blanc
<jerome.blanc [at] nerim> a écrit :

> Hello,
>
> I'm currently toying with an OpenPGP smart card, but I meet some
> difficulties getting how this works.
>
> I have the Smart Card properly set up (at least I do think so ;-)) :
>
> [gemini [at] Gemin ~]$ gpg --card-status
>
> gpg: detected reader `Gemplus GemPC Twin 00 00'
> […]
> Signature key ....: 5898 DBEA 1139 733B ACFD 7880 E8B6 F7C5 2B20 7AEF
> created ....: 2009-08-02 11:34:17
> Encryption key....: A52C FAAC D39F 252D A2C4 0149 2B0F 7310 7C9E D800
> created ....: 2009-08-02 11:37:25
> Authentication key: D179 47D8 3B01 87A3 3C86 1AB0 2E8D 6DE6 F8D5 6EFC
> created ....: 2009-08-04 19:22:04
> In the keyring, I have 3 private master keys, for handling 3 different
> identities.
>
> In the gpg.conf, the default key is the master key that generated the
> subkeys that are on the smart card.
>
> I can cipher and decipher using the keys on the smart card. However,
> when I try to sign a file, then I have the following :
>
> [gemini [at] Gemin ~]$ gpg --sign -u 2B207AEF test.txt
> Le fichier `test.txt.gpg' existe. Réécrire par-dessus ? (o/N)
> gpg: detected reader `Gemplus GemPC Twin 00 00'
> gpg: la signature a échoué: mauvaise clé secrète utilisée
> gpg: signing failed: mauvaise clé secrète utilisée
>
> which means => signing failed: wrong secret key used
>
> Signing works with the two other master keys. As well, using the same
> card on another computer works, with an empty gpg keyring but the
> public keys related to it.
>
> Does this mean I have no other choice but to remove master keys of
> that "identity" in order to be able to use the card with my computer ?
>
> Thanks !
>
> Regards,

--
Jérôme Blanc
OpenPGP : 1024D/F44DB96C

Attachments:

signature.asc (0.19 KB)

wk at gnupg

Sep 2, 2009, 4:12 AM

Post #3 of 3 (428 views)
Permalink

Re: Signing with a key on a smart card [In reply to]

On Wed, 2 Sep 2009 10:55, jerome.blanc [at] nerim said:

> anyone that could explain me how gpg chooses which secret key to use or
> how I could tell gpg which one to use ?

Without an option, gpg uses the first available secret key for signing.
This is usually not desired, thus you can use "default-key" in gpg.conf
to select a different one. If you want to use another than the default
key, you may give it on the command line with "-u USERID". You may even
give several "-u" options to sign the data with several keys.

An OpenPGP keys consists of a primary key and optionally several
subkeys. Gpg uses the latest subkey capable of signing to create a
signature, if no such subkey is available, the primary key is used.
This happens even if you speicify the keyid of a subkey. If you want to
force the use of a specific signing subkey, you need use the ! suffix to
the keyid. Example:

pub 1024D/5B0358A2 created: 1999-03-15 expires: 2011-07-11 usage: SC
sub 2048R/B604F148 created: 2004-03-21 expired: 2005-12-31 usage: E
sub 2048R/C3680A6E created: 2006-01-01 expired: 2007-12-31 usage: E
sub 1024D/3D52C282 created: 2007-12-31 expires: 2010-07-11 usage: S
sub 2048R/F409CD54 created: 2007-12-31 expires: 2011-07-10 usage: E
sub 2048R/12345678 created: 2009-06-30 expires: 2010-07-10 usage: S

Using:

-u 0x5B0358A2 ==> Subkey 0x12345678 is used.
-u 0x12345678 ==> Subkey 0x12345678 is used.
-u 0x3D52C282 ==> Subkey 0x12345678 is used.
-u 0x3D52C282! ==> Subkey 0x3D52C282 is used.

Due to the key expiration, this will chnage in one year to:

-u 0x5B0358A2 ==> Primary key 0x5B0358A2 is used.
-u 0x12345678 ==> Primary key 0x5B0358A2 is used.
-u 0x3D52C282 ==> Primary key 0x5B0358A2 is used.
-u 0x3D52C282! ==> Primary key 0x5B0358A2 is used.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads