Handling multiple subkeys on two SmartCards
Open, Normal, Public

Description

Setup:
One primary pgp key with two pgp subkeys - more exactly, two distinct auth&signing keys (let's call them A1, S1 and A2, S2), and one common encryption key (let's call it E) - using gpg2.

Hence the end-state of this setup shall be:

SC1 contains A1,S1,E
SC2 contains A2,S2,E

Writing the keys to the cards works fine:

Stage 1: Insert SC1, keytocard A1&S1, backup keystore, keytocard E
Stage 2: Insert SC2, restore keystore, keytocard A2&S2, keytocard E

The KeyGrips are different, so I'd expect gpg to ask for the correct card, but: After SC2 is written, the pgp db seems screwed up: it shows that ALL 5 subkeys are on SC2.

Thanks in advance,
Chris

Versions (on Fedora 29):
gpg (GnuPG) 2.2.11
libgcrypt 1.8.4

Details

Version
2.2.11

kaspro created this task.Sun, Dec 23, 5:01 AM
gniibe claimed this task.Thu, Dec 27, 4:30 AM
gniibe triaged this task as Normal priority.

Is it an issue when you share a decryption key E among two smartcards?
I think that when there are six distinct keys (three subkeys for each smartcard), it works fine.
I'll try to make a reproducible test case.

For my test, six distinct keys (three subkeys for each smartcard) work fine.
IIUC, you try to use the same decryption key with two smartcards. Currently, it is not supported.

Please show us your output of gpg --card-status for each card, and tell us the reason why you think "the pgp db seems screwed up".

That's exactly the point: I do want one common encryption key between the two cards: So I can distinguish between the two, but en-/decrypt with both.
One is on the GnuPG SmartCard, the other on a YubiKey - output of --card-status (some things xxx'ed out):

SC1 (GnuPG SC):

Application ID ...: D276000xxx
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 00005xxx
Name of cardholder: My Name
Language prefs ...: de
Sex ..............: male
URL of public key : [not set]
Login data .......: myLogin
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: xxxx FA81
      created ....: 2018-09-20 08:01:32
Encryption key....: xxxx B3BD
      created ....: 2018-09-20 08:02:52
Authentication key: xxxx A2AB
      created ....: 2018-09-20 08:02:06
General key info..: [none]

SC2 (YubiKey SC):

Application ID ...: D276000xxx
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 07326xxx
Name of cardholder: My Name
Language prefs ...: de
Sex ..............: male
URL of public key : [not set]
Login data .......: myLogin
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: xxxx F7A7
      created ....: 2018-09-20 08:03:16
Encryption key....: xxxx B3BD
      created ....: 2018-09-20 08:02:52
Authentication key: xxxx 7203
      created ....: 2018-09-20 08:03:45
General key info..: [none]

Why I think it's screwed up: because, as mentioned in the post above, it shows that all subkeys are on SC2 - instead of them being divided between the two of them.
Hence, to be able to use SC1 as "default", I need to restore the .gnupg directory to the state before writing to SC2.

If anything fails: is there any way to manually adjust the database (to adjust which keys are on which card)?

Thanks in advance, Chris
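As an added illustration (not part of the report or of GnuPG itself), the following script parses the two --card-status dumps posted above, constructed here as inline samples with the reporter's xxx masking kept, and reports every key fingerprint that appears on more than one card. That is exactly the shared-E configuration gniibe describes as unsupported, so running such a check on real --card-status output is a quick way to confirm whether a key set is in that state before writing keys to a second card.

```python
import re

# Constructed sample: trimmed copies of the two --card-status outputs from the
# report above (values partly masked with xxx exactly as the reporter posted them).
CARD_STATUS = {
    "SC1": """Application ID ...: D276000xxx
Serial number ....: 00005xxx
Signature key ....: xxxx FA81
      created ....: 2018-09-20 08:01:32
Encryption key....: xxxx B3BD
      created ....: 2018-09-20 08:02:52
Authentication key: xxxx A2AB
      created ....: 2018-09-20 08:02:06
""",
    "SC2": """Application ID ...: D276000xxx
Serial number ....: 07326xxx
Signature key ....: xxxx F7A7
      created ....: 2018-09-20 08:03:16
Encryption key....: xxxx B3BD
      created ....: 2018-09-20 08:02:52
Authentication key: xxxx 7203
      created ....: 2018-09-20 08:03:45
""",
}

# The three key slots are printed with a varying number of dots before the colon.
KEY_LINE = re.compile(r"^(Signature|Encryption|Authentication) key\s*\.*:\s*(.+?)\s*$", re.M)
SERIAL_LINE = re.compile(r"^Serial number\s*\.*:\s*(\S+)", re.M)


def parse_card_status(text):
    """Return (serial, {slot: fingerprint}) from one gpg --card-status dump."""
    serial = SERIAL_LINE.search(text)
    keys = {}
    for slot, fpr in KEY_LINE.findall(text):
        if fpr != "[none]":  # empty slot
            keys[slot.lower()] = fpr.replace(" ", "")
    return (serial.group(1) if serial else None, keys)


def shared_keys(cards):
    """Map each fingerprint found on more than one card to the set of card serials."""
    where = {}
    for text in cards.values():
        serial, keys = parse_card_status(text)
        for fpr in keys.values():
            where.setdefault(fpr, set()).add(serial)
    return {fpr: serials for fpr, serials in where.items() if len(serials) > 1}


if __name__ == "__main__":
    for fpr, serials in shared_keys(CARD_STATUS).items():
        print(f"key {fpr} is present on more than one card: {sorted(serials)}")
```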