
I am new to OpenPGP and SmartCards but I cannot find how to do a fairly straight-forward task.

I am trying to sign a file with a private key stored on a YubiKey device.

Here is my session:

$ gpg --card-status
Reader ...........: Yubico Yubikey 4 OTP U2F CCID 00 00
Application ID ...: D2760001240102010006096334120000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 09633412
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 3
Signature key ....: B692 4360 F06A AB92 1B9A  3E6D 3850 24E1 EE26 F6D9
  created ....: 2019-05-14 14:44:27
Encryption key....: [none]
Authentication key: B692 4360 F06A AB92 1B9A  3E6D 3850 24E1 EE26 F6D9
  created ....: 2019-05-14 14:44:27
General key info..: [none]
$
$ gpg -K
$
$ gpg --list-keys
$
$ gpg --with-subkey-fingerprint -K
$
$ gpg --refresh-keys
$ gpg --list-keys
$

I looked at some posts like this one: Create backup Yubikey with identical PGP keys, but I am still not sure what I am doing wrong.

All I need to do is somehow use the signature key to sign a file via

gpg --sign -u <key-id> somefile.txt

I need to somehow create a pointer in my local keyring to the Signature key and figure out its id.

I am using gpg (GnuPG) 2.2.12 and libgcrypt 1.8.4.

Any suggestions?

Samuel Philipp

1 Answer


The card needs to be referenced from the secret keyring. The card is not a substitute for your keyring, just a safer (in theory) place to keep the secret keys.

When you initially told gnupg to generate a (sub)key on the card or move an existing key to the card, it will have manipulated your secret keyring on disk to contain a stub pointing to the card and slot where the key is stored. You need your secret keyring from wherever you were when you initially set up the key on the card. This should enable gnupg to find the key in its current location.

If you only have subkeys on the card and not the primary key, then the primary key will still be in this secret keyring, which would mean that anyone with access to it who can guess the password could generate new subkeys, which defeats the purpose of the card. If this is the case, then keep the copy of the key with the real secret key somewhere safe. To make a safe version of your secret keyring (where the primary key is inaccessible) you can use gpg2 --export-secret-subkeys, then import the file wherever you need access to the secret subkeys (including the ones on the card).

William Hay