age-plugin-openpgp-card identity file does not try multiple identities — waits for first card

[r08l]

summary
When I put multiple card identity entries (stubs/public keys) into the identity.txt file produced by age-plugin-openpgp-card, the plugin prompts only for the first card it finds in the file and blocks waiting for that card. It does not advance to the next entry if the first card is not present. This makes decrypting files with multiple possible hardware keys inconvenient.

---

commands

Encrypting (works fine):

age -r agepublickey1 -r agepublickey2 file.pdf > encrypted_file.pdf.age

Generate the identity file from the plugin:

$ age-plugin-openpgp-card | tee identity.txt
# Card ident 0006:15422467
# age1dkfzfyk58yvkf07n32nygkyuqxtnq2am427sy79gjkh6krf96frsucn0me
AGE-PLUGIN-OPENPGP-CARD-1XQCRQD36XY6NGV3JXSMRWAN88PC

Decrypt with the identity file:

age -d -i identity.txt encrypted_file.pdf.age > file.pdf

Example identity.txt with multiple entries (what I tried)

# Card ident 0006:30244371
# age1gh3xvmc8a72rzzzhpa52psn7vsmwx75fkj3v9420frg8qsea8cwsvnqmd2
AGE-PLUGIN-OPENPGP-CARD-111111116XVCRYDP5XVMNZYWMYAY

# Card ident 0011:76170487
# age1nleyug8an5gamrhw3lg0mtxzjnlw8uc9qskg5g5luse74e33cv5q2lj38e
AGE-PLUGIN-OPENPGP-CARD-111111116XUMRZDESXSURW30J9T2

---

Actual behavior

When running age -d -i identity.txt ... the plugin prints:

Please insert card 0006:30244371 (press enter for "OK")

and waits for that specific card to be inserted. It ignores the second (or any subsequent) entries in identity.txt and does not attempt them automatically.

---

Expected behavior

age-plugin-openpgp-card should try identities in identity.txt in sequence (or otherwise attempt to match any identity present) instead of blocking indefinitely on the first entry.
This change would let users keep a single identity.txt that contains stubs for several hardware devices and decrypt with whichever device they currently have inserted, without editing the file each time.

[wiktor-k]

Indeed. That should be handled the way you describe. Interestingly I'm annoyed by other plugins which hard-fail instead of trying the next one (e.g. for having two TPM identities for two computers).

Not promising any ETA though 😅

[r08l]

@wiktor-k Thanks for the answer. I’m looking forward to when this will be implemented. Would you consider the age-plugin-openpgp-card to be production ready? Can I rely on it for critical data?

Specifically, if I encrypt using keys stored on the hardware OpenPGP applet, I know I can always encrypt (that's just age with the public key)—but can I also rely on this plugin to still be able to interact with the key in order to talk to the smart card and decrypt it, even a few years from now?

[wiktor-k]

Well, I'm using it personally for my passwords (via passage), so I definitely want that to work in the future but if you want to get technical this software is provided "as is" without any kind of warranty.

If you have critical data then generally it's a good idea to have additional key kept offline (or in escrow) that you can use in case your token breaks. This is a general advice, not specific to this project.

I hope this doesn't sound bad (as I don't intend it to) but this is a common thing in open-source projects where users don't have support contracts with maintainers.

Have a nice day! 👋

[wiktor-k]

I've started work on this in #9 and it's already better. Due to how age asks plugins about identities there are limits on how "nice" I can make it: with this PR it asks for the first card and if you press "cancel" it will advance to the second one. Then, it tries to decrypt stanzas in order, so if that present card is second, it will ask for decryption twice (it will ask for PIN only once, but if you have touch-to-decrypt enabled you'll have to touch it twice).

If you have the ability to test it it'd be very helpful. I still need to add better error handling so it's not ready to be merged.

I've tested it on two of my cards, connecting one or the other and the UX was better.

Sadly it seems the age plugin interface doesn't add two identities at once but executes the plugin one by one, which prevents me from doing clever optimisations (e.g. seeing if one of the cards is connected and going for that one immediately).

I'll need to debug it further to see if it's possible to get more out of it...

See you later! 👋

[r08l]

Thank you for the quick response. How can I make age use the newly build plugin version with your changes? i tried but it always uses the already installed one

[wiktor-k]

How can I make age use the newly build plugin version with your changes? i tried but it always uses the already installed one

I think it always uses what's in the PATH so I'd do something like this:

First, install the thing from my branch:

cargo install --git https://github.com/wiktor-k/age-plugin-openpgp-card --branch wiktor/better-support-for-multiple-cards

Then ask age to prefer the thing from .cargo/bin:

PATH=~/.cargo/bin:$PATH age ...

Hope that helps! If not, you may want to uninstall your existing plugin to make sure this one is used.

👋

[r08l]

Hello,

Unfortunately, the behavior is still the same for me.

I have uninstalled the official release and installed the version from this branch.

Description

When attempting to decrypt and I have multiple stubs in my identities file, like in the example below:

The tool always asks me to insert the first card listed in the stub.

If I press Enter, it simply reprints the same prompt and never proceeds to the second card:

• The prompt never advances to the second stub.
• It continuously requests the first card.
• Inserting the first card works as expected:
  • I am prompted for the PIN
  • I am asked twice to touch the card
  • Decryption then completes successfully

Conclusion

From what I can see, the behavior remains the same as before.

[wiktor-k]

Hmm... interesting. I wonder if you can additionally test that with rage which IIRC has explicit "cancel" mechanism. While we're at it I'll test with age. Thanks for your time! 👋

[r08l]

Using rage I can use the cancel option and it prompts me for the second card. So that works correctly

[wiktor-k]

Okay, great, then that's something. I'll work on age a little bit but sadly I'm a bit stuffed right now... Unless you think releasing a version with this change right now would be a good idea...? 🤔

[r08l]

I can use rage for now with your change in this branch so I don't think a release is necessary. Thank you for working on this.
BR