
limit-card-insert-tries is not doing anything, "insert card" is still shown
Closed, Wontfix, Public

Description

The above command line argument limit-card-insert-tries n (or the version in the config file) should limit the number of times a smart card is being asked for to n-1.
The option has no effect at all.

This affects me in the following usage pattern: I have a file encrypted with two different public keys. One of those is on a YubiKey (smartcard). The other key is on a TPM. When the YubiKey is missing, I do not want to be asked to insert it. I want to be asked only about the second private key password.

Alternatively, I'd be happy if the file will be decrypted without a pinentry dialog if any key is already available to decrypt.

Details

Version
2.3.4

Event Timeline

Looks like this option was merged 16 years ago from gpg 1.4.3. My guess is that it was never used in gpg 2.x.

We have a cancel button and a cancel-all button (Window close button). The former skips the current key; the latter should cancel the entire decryption process.

werner claimed this task.

I added this option on 2005-07-19 and iirc this was planned for the FSFE's rig to produce their membership cards. I kept that option in 2.0 for backward compatibility but it does not make any sense because it's gpg-agent's duty to ask for cards - gpg does not know about it.

With forthcoming changes we will eventually be able to make use of an already inserted card.

Thanks for the information.
As a follow-up: Is it possible to tell gpg-agent to

  • not ask to insert a missing smartcard (and behave as if cancel had been clicked; after which the next private key is used)
  • but to ask for the pin, if the smartcard happens to be inserted?

I think that for GnuPG 2.3.7 or later, you can add "Prompt: no" in your private key, which helps your interactions.
https://dev.gnupg.org/source/gnupg/browse/master/agent/keyformat.txt$138?as=source&blame=off

For example, I do:

gpg-connect-agent "KEYATTR 7C543D3166DDE33EF9797FD176C4B4B24B4B70D3 Prompt: no" /bye

for my decryption key (with the keygrip 7C54...) to stop prompting insertion.
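
Added example (not part of the thread and not GnuPG project code): a shell helper that finds the card-backed secret keys in a colon-format listing and prints the KEYATTR command from the comment above for each, so the commands can be reviewed before they are run. It assumes that field 15 of a sec/ssb record holds the token serial number for card keys ('+' for an on-disk key, '#' for a stub) and that the following grp record carries the keygrip in field 10; the function names and the sample listing are constructed for illustration, with only the keygrip taken from the comment above.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the field positions are the
# assumptions stated in the lead-in.

# Read `gpg --with-colons --with-keygrip -K` output on stdin and print the
# keygrip of every secret key whose private part lives on a smartcard.
card_keygrips() {
    awk -F: '
        # Field 15 is a hex serial number only for card-backed keys.
        $1 == "sec" || $1 == "ssb" { on_card = ($15 ~ /^[0-9A-Fa-f]+$/) }
        # The grp record that follows belongs to that key.
        $1 == "grp" && on_card && $10 ~ /^[0-9A-Fa-f]+$/ {
            print toupper($10)
            on_card = 0
        }
    '
}

# Turn keygrips on stdin into the agent command shown in the thread.
keyattr_commands() {
    while read -r grip; do
        printf 'gpg-connect-agent "KEYATTR %s Prompt: no" /bye\n' "$grip"
    done
}

# Constructed sample listing: an on-disk primary key ('+'), one subkey on a
# card (hex serial number), and one stub subkey ('#').
sample_listing() {
    cat <<'EOF'
sec:u:255:22:AAAAAAAAAAAAAAAA:1650000000:::u:::scESC:::+:::ed25519:::0:
grp:::::::::1111111111111111111111111111111111111111:
ssb:u:255:18:BBBBBBBBBBBBBBBB:1650000000::::::e:::D2760001240100000006000000010000:::cv25519::
grp:::::::::7C543D3166DDE33EF9797FD176C4B4B24B4B70D3:
ssb:u:255:22:CCCCCCCCCCCCCCCC:1650000000::::::a:::#:::ed25519::
grp:::::::::3333333333333333333333333333333333333333:
EOF
}

# Real use (prints commands for review, runs nothing):
#   gpg --with-colons --with-keygrip -K | card_keygrips | keyattr_commands
# Try it offline with:  sample_listing | card_keygrips | keyattr_commands
```

Per the comment above, the "Prompt: no" attribute is expected to work with GnuPG 2.3.7 or later.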