Page MenuHome GnuPG

gnupg should used ccid card key material fingerprints and not serial number
Open, WishlistPublic


After thinking a bit, gnupg is doing wrong in asking to insert a card with a
particual serial number, it should actually look for which ccid card has the key
material with needed finger print and not look for which ccid card has a serial
needed serial number.

The serial key is creating problems with ccid backup tokens containing same
subkeys. Please fix this bug for gnupg be smart in handling multiple ccid tokens
with same subkeys.

Event Timeline

Please describe your bug including version numbers of the software and which
card you are using.

The serial number is printed on the card and thus the only useful thing a user
can be asked for.

I am not sure what you mean by ccid backup tokens. CCID is a commonly used
protocol between host and card reader

Thank you for thinking on this.

Can user be asked "Please insert hardware token containing 0xXXXXXXXX key". I
guess users are smart enough (considering they are using gnupg) and would write
the keyid on their tokens if needed. If they only own one token which is most of
the time they just insert that. If they own multiple they will recognize by
color or a persoanlized sticker on the key or a permanent marker markings on
their card.

Sorry, I used the word ccid just to mean a hardware token.

I believe many want to have backup hardware tokens. Again this allows a family
share a laptop and still own the shared key in their own hardware tokens.

Here is the version information:
gpg (GnuPG) 2.1.11
libgcrypt 1.6.5
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:


Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Please consider: not all hardware tokens have serial numbers printed on them,
consider gnuk or nitro key. It is smart to put a stiker or use permanent marker
to mark keyid on the token incase of having multiple tokens. Another plus about
gnuk is that choose/change my serial number at will.

So, Please ask for a card with a keyid than serial number.

Steps to reproduce:

  1. raspberry pi: create one master keypair(Certify) and three subkeys (Sign,

Encrypt, Authenticate). (I will still refer to these three subkeys as just subkeys)

  1. raspberry pi: backup ~/.gnupg
  2. insert hardware token yubikey1 and keytocard subkeys and eject the yubikey1
  3. raspberry pi: delete ~/.gnupg and restore ~/.gnupg from backup
  4. insert hardware token yubikey2 and keytocard subkeys and eject the yubikey2
  5. repeat steps 4, 5 for remaining gnuk, nitrokey or yubikeys.
  6. Now keep yubikey1 with you, give yubikey2 to your spouse, yubikey3 to your child.
  7. encrypt backup with gnupg using symmetric cipher.
  8. export public key.
  9. wipe ~/.gnupg
  10. Insert new formatted usb drive and copy public key.
  11. shared family laptop: import the public key from usb. insert yubikey1 and

fetch the subkeys to let gnupg know that the private keys are on hardware token.

  1. shared family laptop: encrypt and decrypt a file successfully with yubkey1.
  2. shared family laptop: insert spouses yubikey2 try decrypt the file encrypted

before. gnupg will not just ask but insist to insert card with a yubikey1 serial
number while you have yubikey2 which in this case also has the same subkeys that
can be used to decrypt the file.

Bug: gnupg does not let shared key usage while using hardware tokens on a shared

expected: gnupg should be able to decrypt using any of the yubikeys having
required subkeys.

werner lowered the priority of this task from Normal to Wishlist.Jan 2 2017, 1:54 PM
werner added a project: Feature Request.
werner removed a project: Bug Report.


And also this is excellent point.