I have several YubiKeys and smartcards in my setup, each with its own signing subkeys, and I use these, among other things, to sign email messages. Whenever I want to send an email in Thunderbird, it demands a specific smartcard by serial number for email signing and will refuse to use the smartcard/YubiKey plugged into the system. At first, I thought this was a Thunderbird problem; however, according to the Thunderbird docs, for smartcard signing, it sends the requests directly to GPG. When I rebooted my system and issued the command `gpg --clearsign` followed by some test data to sign, it also demanded the same specific smartcard for digital signing rather than the smartcard that was plugged into the system and had a valid subkey for signing. This behavior would go away, and gpg would pick the first valid signature subkey to which it had access, after I ran the command `gpg --card-status`, but the issue does not clear in Thunderbird. My public key is viewable here https://keyserver.ubuntu.com/pks/lookup?search=0xAA35E492383D0F8A2E145261255837AEF812E87E&fingerprint=on&op=index. Normally, I have my desktop YubiKey with the signature subkey ed25519/CC3C9B2F10BCED15, but Thunderbird and gpg on boot (before `gpg --card-status`) refuse to sign with any key other than ed25519/5A55707CAA63F689, even when the smartcard for that key is not on the system and the smartcard for the other key is.

Interestingly, Thunderbird has no issue decrypting a message with the smartcard normally used on my system; it just refuses to sign if not with a specific smartcard. The fact that, on system boot, gpg is exhibiting the same behavior and that Thunderbird is supposedly directly using gpg for smartcard-related actions makes me think this is something I have misconfigured. Any idea what I should be doing differently?

Sincerely,

Brandon Anderson

Attachment: OpenPGP_0x255837AEF812E87E.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users