'gpg -K' not seeing the keys on NK3A Mini

Hey guys, this has been nagging me for a while. I think it is a GPG issue, but so far I have not found a solution.

Here’s the setup: NK3A Mini with ‘on-device’ generated keys. GPG is set up (the various files in ~/.gnupg/) so that I am able to SSH into remote machines using the auth key on NK3. How do I know? By using “ssh -v …” and verifying the signature of the accepted key, as well as the fact that I have to touch NK3 for the authentication to continue. ‘pinentry-curses’ also prompts me for the PIN, ‘ssh-add -L’ tells me what the public key is. Everything looks good.

The problem is that ‘gpg -K’ produces an empty list. I’ve tried both GPG’s scdaemon standalone setup as well as configuring it to use the PCSC daemon with the proper magic in ~/.gnupg/scdaemon.conf. None of these configurations made any difference to ‘gpg -K’. While I can use NK3 to SSH, I totally can’t use it to encrypt a file or sign a message, for example.

I’m on Alpine Linux Edge so all software is fairly recent. GPG version is 2.4.1, pcsc-lite version 1.9.9. My theory is that there’s some sort of miscommunication between the generic GPG part and the smart-card backend, but I can’t tell what it is. Any ideas?

PS: I didn’t include any config file snippets in order to keep this post short, but these can be provided on request.

I don’t use a Nitrokey for SSH, just GPG. With GPG the public key needs to be on your local keyring with a stub to tell GPG that the private key is on a smartcard Nitrokey.

GPG knows where the private key is and is able to use it. Being able to SSH into a remote machine is proof of that. After a lot of searching I found (a possible) answer on StackOverflow:

OpenPGP smart cards do not store enough information to reconstruct a full OpenPGP public key. You must import the public key separately – sharing it on a key server is one solution, but you can also gpg --export the key and later gpg --import it again for testing.

Why GPG can’t reconstruct its public key is beyond me. I find this very puzzling, and it is definitely the first cryptography suite that I know of which lacks this feature. WireGuard, SSH and pretty much everything else that I’ve used don’t have any problems with that concept.

Not being able to use your private key (at least for signing, or at least not easily) because you don’t have the public counterpart is plain stupid. GPG is such a mess…

I also found this:


With a GPG smart card it looks like we have to be very careful about our public keys as well.