Is limit-card-insert-tries a working option?
Tony Lane
codeguro at gmail.com
Wed May 29 19:55:32 CEST 2019
When encrypting or signing or decrypting with a specific key, if you have a set of keys (say, a master key and 3 encryption subkeys etc.), GPG may try each key until it finds a match.
However, you can do something like:
gpg -u <key-id>!
to tell GPG to use that specific key. Note the exclamation mark. When using gpg, an exclamation mark (!) may be appended to force using the specified primary or secondary key and not to try and calculate which primary or secondary key to use.
You can take a peek at the documentation here for more info: https://www.gnupg.org/documentation/manuals/gnupg/Specify-a-User-ID.html
There is also a manual here, with more options if it helps: https://gnupg.org/documentation/manpage.html
On 5/29/19 10:56 AM, Chip Senkbeil wrote:
> Hey folks, I'm trying to figure out if
>
> a) the gpg option --limit-card-insert-tries is currently functioning (I'm assuming it is)
> b) setting --limit-card-insert-tries=1 does what I expect
>
> My current setup is that I have my passwords stored using the pass tool from passwordstore.org. Each password is encrypted as a separate file and the encryption/decryption is handled by one of several of my encryption subkeys.
>
> I've made multiple encryption subkeys from a master key after reading around best practices and other tidbits from other GPG users. My subkeys are each individually stored on a separate Yubikey from Yubico.com.
>
> The encryption and decryption works great. For my multiple devices, I can have different keys inserted and encrypt/decrypt just like I would if the same master key was on each device. This is by using the `pass` tool initialized with each subkey's 0xid with an ! added to the end.
>
> The annoyance comes from the pinentry prompt I'm using with the gpg agent. When needing to refresh the cache, the agent prompts me multiple times to insert my other smart cards before it reaches the smart card that is currently plugged into my device. This happens on both OSX and Fedora using version 2.2.15 of gpg and gpg-agent.
>
> I've read about the --limit-card-insert-tries option and that, if specified as 1, the prompt shouldn't appear to insert the card. To my understanding, it should fail and move on to the next subkey silently. Am I reading the option correctly?
>
> If I am, I currently have `limit-card-insert-tries 1` within my gpg.conf config, but it isn't having any impact. I can confirm that other settings within my gpg.conf are being read and utilized.
>
> I pulled down the latest copy of gpg from git://git.gnupg.org/gnupg.git and tried to follow the path from when the --limit-card-insert-tries is provided, but I'm getting lost with where the setting goes. I'm sure it's used somewhere, but I seem to hit a dead end following the program's usage of the option.
>
> Can anyone give me guidance as to what I'm doing wrong? Did I misunderstand the usage of the option? Is there some alternative I could do instead?
>
> I love the setup I have, but I'm fairly new to gpg and smart cards, so I'm not sure if I've made some mistake along the way.
>
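As an added example (not from either poster), here is a POSIX shell helper that reads `gpg --list-keys --with-colons` output, lists the usable encryption subkeys by full fingerprint and appends the `!` that pins gpg to that exact subkey, which is the form Chip passes to `pass init`. The key listing embedded below is constructed, and the field positions used are those of gpg's documented colon format (record type in field 1, validity in field 2, capabilities in field 12, fingerprint in field 10 of an `fpr` record).

```shell
#!/bin/sh
# Added example: turn `gpg --list-keys --with-colons` output into "<fingerprint>!"
# recipients. The "!" pins gpg to that exact subkey instead of letting it choose
# among all encryption subkeys (which is what triggers the card-insert prompts).
# Colon-format fields relied on: $1 record type (pub/sub/fpr/uid), $2 validity
# (e = expired, r = revoked, i = invalid, d = disabled), $12 capabilities
# (e = encrypt), and $10 of an fpr record = fingerprint of the preceding key.

# Constructed listing (not a real key): one primary key, two valid encryption
# subkeys (BBBB..., DDDD...), one signing-only subkey and one expired encryption subkey.
SAMPLE_LISTING='tru::1:1559150000:0:3:1:5
pub:u:255:22:AAAAAAAAAAAAAAAA:1559000000:::u:::cESC:::::ed25519:::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFAAAAAAAA:
uid:u::::1559000000::HASH::Example User <user@example.invalid>::::::::::0:
sub:u:255:18:BBBBBBBBBBBBBBBB:1559000100::::::e:::::cv25519::
fpr:::::::::0123456789ABCDEF0123456789ABCDEFBBBBBBBB:
sub:u:255:22:CCCCCCCCCCCCCCCC:1559000200::::::s:::::ed25519::
fpr:::::::::0123456789ABCDEF0123456789ABCDEFCCCCCCCC:
sub:u:255:18:DDDDDDDDDDDDDDDD:1559000300::::::e:::::cv25519::
fpr:::::::::0123456789ABCDEF0123456789ABCDEFDDDDDDDD:
sub:e:255:18:EEEEEEEEEEEEEEEE:1559000400:1559100000:::::e:::::cv25519::
fpr:::::::::0123456789ABCDEF0123456789ABCDEFEEEEEEEE:'

# Print "<fingerprint>!" for every subkey that can encrypt and is neither
# expired, revoked, invalid nor disabled. Reads colon-format output on stdin.
encryption_subkeys() {
    awk -F: '
        $1 == "sub" { want = (index($12, "e") > 0 && $2 !~ /^[erid]$/) }
        $1 == "fpr" && want { print $10 "!"; want = 0 }
    '
}

# Accept only a long key ID (16 hex) or a full fingerprint (40 hex), optionally
# 0x-prefixed, followed by the pinning "!". Short 8-hex IDs are rejected because
# they are ambiguous, and a spec without "!" would let gpg pick a subkey itself.
is_pinned_keyspec() {
    printf '%s\n' "$1" | grep -Eq '^(0x)?([0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})!$'
}

# Stand-alone demo: the pinned recipients a `pass init` or `gpg -r` call could use.
printf '%s\n' "$SAMPLE_LISTING" | encryption_subkeys
```

The expired subkey is dropped from the output, so an entry it produces can be fed straight to `gpg -r` or `pass init` without gpg falling back to a different subkey.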