Page MenuHome GnuPG

[SUGGESTION] Implement a function to re-generate public keys and(!) "stubs" from private keys stored on smartcard only
Closed, ResolvedPublic


User story and problem:

As a Smart Card user, your private keys is stored on your smart card, and the
secret keyring on your main computer has only a so-called "stub" (pointer) to
your secret key in it. When you decided not to store the public key [sic]
elsewhere, for example, when you have forgotten to store that when you generated
your private key, you cannot recreate the public key from the secret key on your

"Generating smart-card stubs on a clean computer?" [1] explains that you need
the public key plus a run of --card-status to generate the stubs.


current gnupg does not have a function to re-calculate the "stub" and the
"public key" from a secret key on your card.


A manual, but quite difficult, solution was proposed in [2].


Event Timeline

This shows up elsewhere too:


For some inexplicable reason, GnuPG cannot extract the public key from a
smartcard except during generation. That means that to use the key from
another computer, you either have to copy the public key from the original
computer's GnuPG keyring, or you need to set the URL attribute to a file
which contains the PGP public key block. Otherwise, the token is effectively
locked to a single computer, and unuseable if you happen to trash your
keyring unless you regenerate a key.

It would be nice to streamline this case.

gpg-agent now supports READKEY --card command which creates stub file when it's not yet available on host computer.
It was implemented by rG82cbab906a3e: agent: Add --card option for READKEY.

Further, gpg frontend now support --quick-gen-key with card option, which can be used to create OpenPGP key from card key.
It was implemented by rGd3f5d8544fdb: gpg: Extend --quick-gen-key for creating keys from a card..

So, closing this task.