GPG: Import smartcard keystub into keychain

So, I kinda screwed my keychain last night (don't worry, I have back-ups of the public keys) and I had to re-import my smartcard's key into the keyring again.
So I did:

Card image cap


But something didn't go well when I tried to change the trust to ultimate...
I mean, it changed the trust alright but I couldn't do anything with it...
Card image cap

Card image cap


You probably have been in this situation as well and if you are here reading this post, you might even be in it right now.
Well, fear not, I managed to fix it and am here to share how I fixed it.
So let's dive into it!

Ok, first we need to import the key, which we've already done.
If you haven't done this, do this now.
Remember to change keyname.asc with your own keyname and be in the right directory (I store all my public keys on Y:\PGP\keys).

Y:\PGP\keys>gpg --import keyname.asc
gpg: key 738EE8DBC43F9861: public key "Aroop Roelofs <me@finlaydag33k.nl>" imported
gpg: Total number processed: 1
gpg:               imported: 1          


Alternatively, if you have setup a pubkey url, you can use this instead:
C:\Users\Finlay>gpg --card-edit
(...)
gpg/card> fetch
gpg: requesting key from 'https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0xc27fba8174a9c3ebfa5d512d738ee8dbc43f9861'
gpg: key 738EE8DBC43F9861: public key "Aroop Roelofs <me@finlaydag33k.nl>" imported
gpg: Total number processed: 1
gpg:               imported: 1          

Ok, now that we've imported our public key, we need to tell GPG that we have the private key on our card.
Fortunately, we can't just yank the secret of our card, that'd defeat their entire purpose now wouldn't it?
However, what we can do is make a reference in our keychain to our smartcard.
Basically this reference says: "I am not the private key, but you can find said private key on the card with the id 123456789098" (often labeled as "card number").
These "references" are called "stubs" or "keystubs".
You can do so simply by doing this:

C:\Users\Finlay>gpg --card-status
(...)          


Now, we need to edit our key.
As you can see, this time GPG says "Secret key is available."!
C:\Users\Finlay>gpg --edit-key 738EE8DBC43F9861
(...)

Secret key is available.

sec  rsa4096/738EE8DBC43F9861
     created: 2020-01-06  expires: never       usage: SC
     card-no: 0006 09237169
     trust: unknown       validity: unknown
ssb  rsa4096/30D722D046DE50AF
     created: 2020-01-06  expires: never       usage: A
     card-no: 0006 09237169
ssb  rsa4096/A7C771CFC304F071
     created: 2020-01-06  expires: never       usage: E
     card-no: 0006 09237169
[ unknown] (1). Aroop Roelofs <me@finlaydag33k.nl>          


Now we can do with it as we please!
Card image cap


Don't forget to change your trust!
Card image cap

Card image cap


That's it, folks, it was a lot easier than I thought.
I hope that it helped you out or maybe a friend or colleague of yours (hint: sharing is caring).

Dismissed.

Comments


Leave a comment


Please login to leave comment!