
Support multiple cards (not just readers)
Open, Wishlist, Public

Details

Version
2.1.13

Event Timeline

jbash set Version to 2.0.22.
jbash added a subscriber: jbash.
sedrubal changed Version from 2.0.22 to 2.1.13. Feb 28 2017, 11:43 PM
sedrubal added a subscriber: sedrubal.

I was actually surprised to find out this doesn't already work...

I would like to be able to have two or more GnuPG cards inserted at the same
time, and have gnupg/gpg-agent/scdaemon notice all of them and use whichever one
was appropriate for the operation at hand, without my having to switch them in
and out.

My personal application for this is that I have a personal key and a work key,
and I want to be able to sign with either of them without having to swap
hardware around. It's pretty easy to set up all the other parts of this to be
seamless with Thunderbird/Enigmail/gnupg2... it works fine until you move the
keys to cards, at which point gnupg's inability to automatically choose the card
it needs really shows up.

In an ideal world, this would also work with gpg-agent as a backend for ssh.

Simple workaround is having multiple readers...

Most card readers only support a single card.
(This is the reason why it is not yet implemented.)
Could you please let us know the reader which supports multiple cards?

gniibe lowered the priority of this task from Normal to Wishlist. Apr 11 2017, 3:18 AM

I do have multiple readers. If I insert one card in each of my two readers, GnuPG doesn't choose the one it needs for any given operation. It's been three years, so I don't remember exactly what DOES happen. I think it just acts as if one of the two cards were inserted, and totally ignores the existence of the other. What I want is for it to dynamically use keys from whatever cards happen to be inserted.

If this is "supposed to work", then I can try to further characterize how it fails. But I got the really strong impression that it was NOT supposed to work.

There are definitely no command line options to choose which card you want for things like "--card-status" or "--card-edit".

For your information:
Since 2.1.18, multiple readers are supported by the internal CCID driver. The PC/SC driver does not support them yet.
Since 2.1.20, gpg --card-status can take "all" or the specific serialno of a card.
Perhaps gpg --card-edit should support a SERIALNO command as well.

Yes, if it supports --card-edit it would help a lot.

But I have gpg2 2.1.21 and

  • the behavior you mentioned is not documented in the man page
  • --card-status only shows one card by default
  • --card-status does not display any information when I pass a serial number:
$> gpg2 --version
gpg (GnuPG) 2.1.21
libgcrypt 1.7.6
[...]
$> gpg2 --card-status

Reader ...........: 20A0:4108:00003D590000000000000000:0
Application ID ...: D276000124010201000500003D590000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 00003D59
[...]
$> gpg2 --card-status all

Reader ...........: 20A0:4108:000038EC0000000000000000:0
Application ID ...: D2760001240102010005000038EC0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 000038EC
[...]
Reader ...........: 20A0:4108:00003D590000000000000000:0
Application ID ...: D276000124010201000500003D590000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 00003D59
[...]
$> gpg2 --card-status 00003D59
$>

I connected 2 Nitrokey Pro USB sticks, so I have multiple readers and one card in each reader...

BTW: this issue was not opened by me and I didn't write the first message. There was a bug in the old issue tracker...

I also struggled to get two cards running at the same time. Host system is Fedora 26 with gnupg 2.2.4.

After turning on the scdaemon debug log and comparing the "xyz reader detected" messages, I found the issue: The pcscd daemon was running by default and claiming the card readers. scdaemon will issue a harmless looking "ccid open error: skip" message in the logfile with gnupg 2.2.4. It then falls back to the pcsc driver.

Log messages when pcsc driver is active:
scdaemon[xx] detected reader 'SCM Microsystems Inc. SPR 532 [Vendor Interface] (xxxx) 00 00'
scdaemon[xx] detected reader 'REINER SCT cyberJack go (yyyy) 01 00'

-> if you see "detected reader", then it's not using the internal CCID driver.

The pcsc driver supports one card reader at a time only, though you can use the "reader NAME" config switch in scdaemon.conf to select the active one.

@gniibe: What do you think of adding a warning to scdaemon if all card readers were skipped by the internal CCID driver? Or an easy change like "detected reader" to "detected reader using pcsc: "?

tl;dr: Switch to the internal CCID driver (=in my case kill pcscd) and both cards appear with "gpg2 --card-status all".
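The diagnosis above boils down to reading the scdaemon debug log for two messages: "ccid open error: skip" (the internal CCID driver gave up on a reader) and "detected reader ..." (the reader was enumerated through PC/SC instead). The script below is an added example, not code from the GnuPG project or from anyone in this thread; it classifies a log file by those two messages. The sample log lines are constructed to mirror the ones quoted in the post (the pid "xx" and reader names are placeholders), and the rule that "no 'detected reader' line and no CCID skip means the internal driver is in use" is an assumption that only holds when the log covers a complete scdaemon start-up.

```shell
#!/bin/sh
# Added example (not GnuPG project code): tell from an scdaemon debug log
# whether scdaemon fell back to PC/SC or kept its internal CCID driver.

# Constructed sample log: CCID skipped both readers, PC/SC then picked them up.
PCSC_LOG=$(mktemp)
cat >"$PCSC_LOG" <<'EOF'
scdaemon[xx] ccid open error: skip
scdaemon[xx] ccid open error: skip
scdaemon[xx] detected reader 'SCM Microsystems Inc. SPR 532 [Vendor Interface] (xxxx) 00 00'
scdaemon[xx] detected reader 'REINER SCT cyberJack go (yyyy) 01 00'
EOF

# Constructed sample log with neither message (placeholder line only):
# the internal CCID driver handled the readers itself.
CCID_LOG=$(mktemp)
cat >"$CCID_LOG" <<'EOF'
scdaemon[xx] constructed placeholder line, no reader backend messages
EOF

# count_pcsc_readers LOG: readers enumerated through the PC/SC backend.
# "grep -c" exits 1 when nothing matches, so "|| true" keeps "set -e" quiet.
count_pcsc_readers() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c "detected reader" "$1" || true
}

# count_ccid_skips LOG: readers the internal CCID driver could not open.
count_ccid_skips() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c "ccid open error: skip" "$1" || true
}

# scd_backend LOG: prints "pcsc", "ccid" or "unknown".
#   pcsc    - at least one "detected reader" line, i.e. PC/SC is in use and
#             only one card will be usable at a time
#   ccid    - no PC/SC reader lines and no CCID skips (assumption: the log
#             covers a full start-up), i.e. the internal driver is in use
#   unknown - CCID skipped readers but PC/SC reported none either
scd_backend() {
    if [ "$(count_pcsc_readers "$1")" -gt 0 ]; then
        echo pcsc
    elif [ "$(count_ccid_skips "$1")" -eq 0 ]; then
        echo ccid
    else
        echo unknown
    fi
}

# Usage on the constructed samples. Against a real setup, point it at the
# scdaemon log file configured in scdaemon.conf after enabling debug output.
for log in "$PCSC_LOG" "$CCID_LOG"; do
    printf '%s: backend=%s pcsc_readers=%s ccid_skips=%s\n' \
        "$log" "$(scd_backend "$log")" \
        "$(count_pcsc_readers "$log")" "$(count_ccid_skips "$log")"
done
```

A "pcsc" verdict is the case described in the post: pcscd has claimed the readers, so only one card is usable and "gpg2 --card-status all" will not list the second one until the internal CCID driver gets the readers back.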

Hi!

Could you tell what is the status of this ticket? Is it planned for the development?
For some users, usage is problematic when other readers, provided by the OS or hardware platform, are recognized and ordered before the target device, which in turn blocks access to it.