GPG not letting me specify which key I want to use for decryption is driving me nuts. You'd expect that to be one of the most basic operations, but GPG's user-unfriendliness apparently knows no bounds.
Theoretically, but it could decrypt this with 5 different smartcards, only one of which I currently have on me. As luck will have it, it typically asks me to insert the other 4 smartcards first before it finally realizes "oh, there's a smartcard plugged in that just works".
@lanodan You can have a so-called "--hidden-recipient" (message is encrypted for the key ID, but the ID itself isn't included in the final message) and may use "--try-secret-key name" to shorten the guessing phase where you may have to decrypt a lot of secret keys until a match is found.
But I'm not sure if that would ease the smartcard selection.
@fribbledom@mastodon.social the state of gpg for decades 
@fribbledom Er... GPG normally selects the decryption key based the public key that was used to encrypt. There should be no *need* to specify a decryption key.
I have something encrypted for 5 different smart cards. I only have one of them on me at any given time. GPG will ask me to insert the other 4 smartcards first, before it finally tries to decrypt it with the one present. So there is a *need* to specify it, or GPG needs to become much smarter about such situations.
@fribbledom Ah, ok, I see. I've never used GPG, so I'm guessing here that GPG does not have a "lazy" mode where it would just try the smartcard(s) present rather than ask for all the smartcards it knows.
Not that I'm aware of :(
@fribbledom @aaribaud Are they smartcards with different, independent keys? I use this kind of setup (luckily only two) and usually it seems it asks in reverse order than I added keys to "list" during encryption. Maybe I should examine it further... Still not much user-friendly :/
@madargon
Unless the order is documented, I would not rely on it.
@fribbledom
@fribbledom it seems like GPG was written with a "be smarter than the user" mindset
Absolutely. The interface, the documentation, the mailing lists... everything radiates this very attitude.
@fribbledom yeah.
And like, I can see some arguments why in case of cryptographic software, this approach is justified, but that only works when the software's smartness is properly maintained
@fribbledom GPG has a horrible UI and an overall horrible UX. Whenever I get the chance ot not use it, I do so and choose an appropriate alternative.
@fribbledom Are you familiar with "Why Johnny Can't Encrypt" https://people.eecs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf
@fribbledom Maybe create a separate keyring? If you leave it in the ~/.gnupg dir, then the commands stay relatively sane.
ie. import and the decrypt with the --no-default-keyring and --keyring otherkeyring.gpg options.
@tobtobxx @fribbledom Insert the other smartcard (which has a different serial number) and run the following command: gpg-connect-agent "Serial number" "learn --force" /bye Set an alias in dotfiles for each key to switch. Serial number can be found under gpg --card-status
h/t liberty 5.3042
Pretty much this experience here, yep.
This sucks, but works for me (also multiple yubikeys and encountering the same problem). Yes, GPG has got a horrible UX, I mean messing around with private keys (stubs) just to use more than one smartcard..
Thanks, this looks really helpful!