On Mon, 2024-04-01 at 10:59 +0200, thomas@goirand.fr wrote:
> Only for the signing operation, one can turn on the "force-sig"
> option so that the key always prompts for a PIN. And that is not the
> default.

There are two levels.

In the OpenPGP protocol, the smartcard can be configured to require the PIN for every signature. This works for any OpenPGP card; it is not specific to Yubikey.

Yubikey has an additional feature where you can require a physical touch of the Yubikey for each signature. This even protects against malware using the key in some scenarios where the attacker has obtained the PIN (keylogger etc.). Not all smartcards/readers have that.

There are also smartcard readers with a PIN pad, where the PIN is not sent to the host in the first place.

It is also possible to forward your gpg-agent via SSH. This way you can sign large files on a server, but all public-key operations and the PIN remain on your client.

Regards
Attachment:
signature.asc
Description: This is a digitally signed message part
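The three protections mentioned in the message above (the OpenPGP forced signature PIN, the Yubikey touch requirement, and gpg-agent forwarding over SSH), as an added shell example that is not part of the original mail and not GnuPG's or Yubico's own code. The host alias "buildhost", the UID-1000 socket paths and the card-status sample text are placeholders constructed for the example; the gpg, ykman and gpgconf invocations are the real command lines.

```shell
#!/bin/sh
# Added example, not from the original mail or from GnuPG/Yubico.
# Helpers for the three protections discussed: OpenPGP "forcesig",
# the Yubikey touch policy, and gpg-agent forwarding over SSH.
# "buildhost" and the /run/user/1000 paths are placeholders.

# --- 1. OpenPGP card: is the PIN required for every signature? ---
# `gpg --card-status` reports "Signature PIN ....: forced" or "not forced".
# Constructed sample output so the check can be exercised offline:
SAMPLE_CARD_STATUS='Reader ...........: Yubico YubiKey OTP+FIDO+CCID 00 00
Application ID ...: D2760001240100000006123456780000
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096'

# Reads card-status text on stdin, prints "forced" or "not forced".
sig_pin_policy() {
    sed -n 's/^Signature PIN *\.*: *//p'
}

# "forcesig" inside `gpg --card-edit` is a toggle: only send it when the
# card currently reports "not forced", otherwise a repeated run switches
# the protection off again. Needs the card present; gpg asks for the
# Admin PIN through pinentry.
force_sig_pin_on() {
    policy="$(gpg --card-status 2>/dev/null | sig_pin_policy)"
    case "$policy" in
        forced)       echo "signature PIN already forced" ;;
        "not forced") printf 'admin\nforcesig\nquit\n' | gpg --command-fd 0 --card-edit ;;
        *)            echo "no OpenPGP card found" >&2; return 1 ;;
    esac
}

# --- 2. Yubikey only: require a physical touch for each signature ---
# ykman 4.x syntax. "on" can be turned off again later; "fixed" cannot be
# changed without resetting the OpenPGP applet.
require_touch_for_sig() {
    ykman openpgp keys set-touch sig on
}

# --- 3. Forward gpg-agent over SSH so signing uses the local card ---
# Only the restricted "extra" socket is forwarded, so the private key and
# the PIN prompt stay on the client. Arguments: ssh host alias, agent
# socket path on the server, extra-socket path on the client.
ssh_forward_stanza() {
    host="$1" remote_sock="$2" local_extra="$3"
    printf 'Host %s\n    RemoteForward %s %s\n' "$host" "$remote_sock" "$local_extra"
}

# Client-side path from gpgconf where available; placeholder otherwise so
# the example also runs on a machine without gpg installed.
local_extra_socket() {
    gpgconf --list-dirs agent-extra-socket 2>/dev/null \
        || echo /run/user/1000/gnupg/S.gpg-agent.extra
}

# The server-side path comes from `ssh buildhost gpgconf --list-dirs agent-socket`.
# The server's sshd_config also needs this line so a stale socket left by an
# earlier session can be replaced, and the server needs the public key
# (`gpg --export KEYID | ssh buildhost gpg --import`) to address it.
SSHD_SNIPPET='StreamLocalBindUnlink yes'

if [ "$(printf '%s\n' "$SAMPLE_CARD_STATUS" | sig_pin_policy)" = "not forced" ]; then
    echo "sample card would sign without a PIN prompt: run force_sig_pin_on"
fi
ssh_forward_stanza buildhost /run/user/1000/gnupg/S.gpg-agent "$(local_extra_socket)"
```

Put the emitted stanza in ~/.ssh/config on the client and SSHD_SNIPPET in /etc/ssh/sshd_config on the server; after that, `gpg --sign` on the server reaches the card through the forwarded agent and the PIN (and touch, if enabled) is still entered locally.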