Re: Signing with a key on a smart card

2009-09-02 Thread Jérôme Blanc 
Hello, 

anyone that could explain me how gpg chooses which secret key to use or
how I could tell gpg which one to use ? 

Or maybe a way I can tell gpg not to use the smart card while on a
certain computer.

I still don't get why it doesn't manage to use the proper secret key
and google is definitely not my friend.

Thanks 

Le mardi 04 août 2009 à 22:01, Jérôme Blanc
jerome.bl...@nerim.net a écrit :

 Hello, 
 
 I'm currently toying with an OpenPGP smart card, but I meet some
 difficulties getting how this works. 
 
 I have the Smart Card properly set up (at least I do think so ;-)) : 
 
 [gem...@gemini ~]$ gpg --card-status
 
 gpg: detected reader `Gemplus GemPC Twin 00 00'
 […]
 Signature key : 5898 DBEA 1139 733B ACFD  7880 E8B6 F7C5 2B20 7AEF
   created : 2009-08-02 11:34:17
 Encryption key: A52C FAAC D39F 252D A2C4  0149 2B0F 7310 7C9E D800
   created : 2009-08-02 11:37:25
 Authentication key: D179 47D8 3B01 87A3 3C86  1AB0 2E8D 6DE6 F8D5 6EFC
   created : 2009-08-04 19:22:04
 In the keyring, I have 3 private master keys, for handling 3 different
 identities. 
 
 In the gpg.conf, the default key is the master key that generated the
 subkeys that are on the smart card.
 
 I can cipher and decipher using the keys on the smart card. However,
 when I try to sign a file, then I have the following : 
 
 [gem...@gemini ~]$ gpg --sign -u 2B207AEF test.txt
 Le fichier `test.txt.gpg' existe. Réécrire par-dessus ? (o/N)
 gpg: detected reader `Gemplus GemPC Twin 00 00'
 gpg: la signature a échoué: mauvaise clé secrète utilisée
 gpg: signing failed: mauvaise clé secrète utilisée
 
 which means = signing failed: wrong secret key used
 
 Signing works with the two other master keys.  As well, using the same
 card on another computer works, with an empty gpg keyring but the
 public keys related to it.
 
 Does this mean I have no other choice but to remove master keys of
 that identity in order to be able to use the card with my computer ?
 
 Thanks ! 
 
 Regards,


-- 
Jérôme Blanc
OpenPGP : 1024D/F44DB96C


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Signing with a key on a smart card

2009-09-02 Thread Werner Koch 
On Wed,  2 Sep 2009 10:55, jerome.bl...@nerim.net said:

 anyone that could explain me how gpg chooses which secret key to use or
 how I could tell gpg which one to use ? 

Without an option, gpg uses the first available secret key for signing.
This is usually not desired, thus you can use default-key in gpg.conf
to select a different one.  If you want to use another than the default
key, you may give it on the command line with -u USERID.  You may even
give several -u options to sign the data with several keys.

An OpenPGP keys consists of a primary key and optionally several
subkeys.  Gpg uses the latest subkey capable of signing to create a
signature, if no such subkey is available, the primary key is used.
This happens even if you speicify the keyid of a subkey.  If you want to
force the use of a specific signing subkey, you need use the ! suffix to
the keyid.  Example:

 pub  1024D/5B0358A2  created: 1999-03-15  expires: 2011-07-11  usage: SC  
 sub  2048R/B604F148  created: 2004-03-21  expired: 2005-12-31  usage: E   
 sub  2048R/C3680A6E  created: 2006-01-01  expired: 2007-12-31  usage: E   
 sub  1024D/3D52C282  created: 2007-12-31  expires: 2010-07-11  usage: S   
 sub  2048R/F409CD54  created: 2007-12-31  expires: 2011-07-10  usage: E   
 sub  2048R/12345678  created: 2009-06-30  expires: 2010-07-10  usage: S   

Using:

  -u 0x5B0358A2   == Subkey 0x12345678 is used.
  -u 0x12345678   == Subkey 0x12345678 is used.
  -u 0x3D52C282   == Subkey 0x12345678 is used.
  -u 0x3D52C282!  == Subkey 0x3D52C282 is used.

Due to the key expiration, this will chnage in one year to:

  -u 0x5B0358A2   == Primary key 0x5B0358A2 is used.
  -u 0x12345678   == Primary key 0x5B0358A2 is used.
  -u 0x3D52C282   == Primary key 0x5B0358A2 is used.
  -u 0x3D52C282!  == Primary key 0x5B0358A2 is used.



Salam-Shalom,

   Werner



-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users