On Tuesday, May 16, 2017 at 11:12:18 AM +0200, Peter Lebbing wrote:
> On 16/05/17 07:55, Matthias Apitz wrote:
> > The question remains: Why do I have to move the files below .gnupg/ to
> > the other workstation?
>
> The card only holds the basic cryptographic material. But a certificate
> ("public key") holds much more information: your name, the relations
> between the cryptographic keys and how they are used, your preferences
> with regard to algorithms, how long the key is valid, and certifications
> by other users who have signed your key, to name some important ones.
>
> So before you can use the smartcard, you need to import your
> certificate/public key. You could publish this to the keyserver network,
> or put it on the web. If the latter, you /can/ enter the URL in a data
> field on the smartcard, enabling you to use the "fetch" command of
> --card-edit.

Thanks for the two tips re the pub key; I did so and now it works. I exported the pub key with:

$ gpg2 --export --armor > ccid--export-key-guru.pub

placed it on my webserver and configured its URL with the card's url-command as

URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub

On the 2nd workstation I moved away the GNUPGHOME:

$ env | grep GNU
GNUPGHOME=/home/guru/.gnupg-ccid
$ mv .gnupg-ccid .gnupg-ccid-saved

gpg2 is unwilling to start due to the missing dir, and I had to create it with mkdir:

$ gpg2 --card-status
gpg: keyblock resource '/home/guru/.gnupg-ccid/pubring.kbx': No such file or directory
gpg: failed to create temporary file '/home/guru/.gnupg-ccid/.#lk0x0000000802616210.r314251-amd64.65213': No such file or directory
gpg: can't connect to the agent: No such file or directory
gpg: OpenPGP card not available: No agent running
$ mkdir /home/guru/.gnupg-ccid
$ chmod 0700 /home/guru/.gnupg-ccid

As you can see, the keys are completely missing in the card's status:

$ gpg2 --card-status
gpg: keybox '/home/guru/.gnupg-ccid/pubring.kbx' created
Reader ...........: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D27600012401020100050000532B0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 5E69 FBAC 1618 562C B3CB FBC1 47CC F7E4 76FE 9D11
      created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B 1A13 61F1 ECB6 25C9 A6C3
      created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D EA4B 6AA5 C5C4 51A1 CD1C
      created ....: 2017-05-14 18:20:07
General key info..: [none]

but after fetching the pub key, all is fine:

[guru@r314251-amd64 ~]$ gpg2 --card-edit

Reader ...........: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D27600012401020100050000532B0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 5E69 FBAC 1618 562C B3CB FBC1 47CC F7E4 76FE 9D11
      created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B 1A13 61F1 ECB6 25C9 A6C3
      created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D EA4B 6AA5 C5C4 51A1 CD1C
      created ....: 2017-05-14 18:20:07
General key info..: [none]

gpg/card> fetch
gpg: requesting key from 'http://www.unixarea.de/ccid--export-key-guru.pub'
gpg: /home/guru/.gnupg-ccid/trustdb.gpg: trustdb created
gpg: key 47CCF7E476FE9D11: public key "Matthias Apitz (GnuPG CCID) <g...@unixarea.de>" imported
gpg: Total number processed: 1
gpg:               imported: 1

gpg/card> list

Reader ...........: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D27600012401020100050000532B0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 5E69 FBAC 1618 562C B3CB FBC1 47CC F7E4 76FE 9D11
      created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B 1A13 61F1 ECB6 25C9 A6C3
      created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D EA4B 6AA5 C5C4 51A1 CD1C
      created ....: 2017-05-14 18:20:07
General key info..: pub  rsa4096/47CCF7E476FE9D11 2017-05-14 Matthias Apitz (GnuPG CCID) <g...@unixarea.de>
sec>  rsa4096/47CCF7E476FE9D11  created: 2017-05-14  expires: never
                                card-no: 0005 0000532B
ssb>  rsa4096/6AA5C5C451A1CD1C  created: 2017-05-14  expires: never
                                card-no: 0005 0000532B
ssb>  rsa4096/61F1ECB625C9A6C3  created: 2017-05-14  expires: never
                                card-no: 0005 0000532B

> > And, what are the files below .gnupg/private-keys-v1.d exactly?
>
> Either the real cryptographic material for a private key, or simply a
> note telling GnuPG "that key is on card X". However, I'm surprised by
> the size of these files you show. All my "notes saying card X", stubs,
> on this laptop are around a mere 360 bytes. I know these files are
> S-Expressions, but I haven't checked the exact construction. I would
> expect OpenPGP smartcard stubs to generally come down to very comparable
> sizes.

I ran strings on these files, and it shows, for example:

$ strings -n8 314DE72F03D41683E06A504769970A1643825B38.key
(20:shadowed-private-key(3:rsa(1:n513:
)(8:shadowed5:t1-v1(16:
9:OPENPGP.2))))

> You can ask GnuPG to list all the OpenPGP private keys it knows about
> along with the keygrip. The keygrip corresponds to the file name in
> private-keys-v1.d. It will also indicate when a key is on a card:
>
> $ gpg2 --with-keygrip -K
> /home/peter/.gnupg/pubring.kbx

I did so, and it seems that the keys are on the card:

$ gpg2 --with-keygrip -K
/home/guru/.gnupg-ccid/pubring.kbx
----------------------------------
sec>  rsa4096 2017-05-14 [SC]
      5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
      Keygrip = 937BA1F6A95F68222EC2C6F9573100E17EE9522E
      Card serial no. = 0005 0000532B
uid           [ultimate] Matthias Apitz (GnuPG CCID) <g...@unixarea.de>
ssb>  rsa4096 2017-05-14 [A]
      Keygrip = 7E22A904DB3BE5A98F98AFDEED61DF1364DD949B
ssb>  rsa4096 2017-05-14 [E]
      Keygrip = 314DE72F03D41683E06A504769970A1643825B38

Thanks for your explanations and help. Maybe the FAQ should be expanded with this.

	matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
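An added example, not from this thread, that inspects a private-keys-v1.d file in the canonical S-expression layout the strings output above reveals (it assumes the bare S-expression as GnuPG 2.1 wrote it; later versions can wrap it in an extended key format, which is not handled here). It tells a real private key apart from a card stub, extracts the card serial and OPENPGP slot from the stub, and recomputes the keygrip (for RSA, the SHA-1 of the modulus) so it can be compared with the file name; the sample stub is constructed, with a toy modulus and the application ID from the card status above as the serial.

```python
import hashlib
import re

ATOM_LEN = re.compile(rb"(\d+):")

def parse_csexp(data):
    """Parse one canonical S-expression: atoms are b'<len>:<bytes>', lists b'(...)'."""
    pos = 0
    def parse():
        nonlocal pos
        if data[pos:pos + 1] == b"(":
            pos, items = pos + 1, []
            while data[pos:pos + 1] != b")":
                items.append(parse())
            pos += 1
            return items
        m = ATOM_LEN.match(data, pos)
        if not m or len(data) < m.end() + int(m.group(1)):
            raise ValueError("malformed or truncated atom at offset %d" % pos)
        pos = m.end() + int(m.group(1))
        return data[m.end():pos]
    return parse()

def rsa_keygrip(n):
    # RSA keygrip (the file name in private-keys-v1.d) = SHA-1 of the unsigned modulus.
    return hashlib.sha1(n.lstrip(b"\x00")).hexdigest().upper()

def inspect_key_file(data):
    """Classify a private-keys-v1.d entry; for a card stub, report card serial and slot."""
    sexp = parse_csexp(data)
    info = {"kind": sexp[0].decode()}
    if sexp[0] != b"shadowed-private-key":
        return info  # 'private-key' / 'protected-private-key' hold real secret material
    # sexp[1] = (3:rsa (1:n <mod>) (1:e <exp>) (8:shadowed 5:t1-v1 (16:<serial> 9:OPENPGP.<n>)))
    params = {p[0]: p[1:] for p in sexp[1][1:]}
    modulus = params[b"n"][0].lstrip(b"\x00")
    info.update(algo=sexp[1][0].decode(), bits=int.from_bytes(modulus, "big").bit_length(),
                keygrip=rsa_keygrip(modulus))
    if params[b"shadowed"][0] != b"t1-v1":
        raise ValueError("unknown shadow info format")
    serial, slot = params[b"shadowed"][1]
    info.update(card_serial=serial.hex().upper(), slot=slot.decode())
    return info

# Constructed sample stub in the layout the strings output above reveals: toy 128-bit modulus
# (the card holds rsa4096) with GnuPG's leading 0x00; serial = the 16-byte application ID above.
SAMPLE_N = b"\x00" + bytes.fromhex("C0FFEE0123456789ABCDEF0123456789")
SAMPLE_STUB = (b"(20:shadowed-private-key(3:rsa(1:n17:" + SAMPLE_N + b")(1:e3:\x01\x00\x01)"
               b"(8:shadowed5:t1-v1(16:" + bytes.fromhex("D27600012401020100050000532B0000")
               + b"9:OPENPGP.2))))")
```

Running inspect_key_file over every file in private-keys-v1.d and comparing the recomputed keygrip with the file name, and the card serial with the application ID from --card-status, confirms that the directory holds only stubs pointing at your card and no private key material.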