Hi,
I have a token with an RSA key pair in it, and it works perfectly with gpg thanks to gnupg-pkcs11-scd, but I have a problem with it. When I imported this token's resident key on different machines, I got different key IDs, as listed below:
gpg -k result in system1:

    pub   rsa2048 2022-02-27 [SCE]
          758C5B2525F619372C77818F0F369ACF84FDABDD
    uid           [ultimate] PatchSigner <infra@example.co>

and

gpg -k result in system2:

    pub   rsa2048 2022-02-27 [SCE]
          C538148C640D7C84BF696C2F0E6AD49E15C7F922
    uid           [ultimate] PatchSigner <infra@example.co>
With this behavior, a critical problem arises in the scenario below:
Consider that I use system1 to sign patches of a product, and in the product I use the corresponding public key with ID "758C5B2525F619372C77818F0F369ACF84FDABDD" to verify the signature. If something goes wrong with system1 and I set up system2 with the same token to sign patches, the product cannot verify that patch, as the key ID of the new patch is "C538148C640D7C84BF696C2F0E6AD49E15C7F922" while the product expects the previous ID.
Is there any workaround for this problem?
How are key IDs generated with gnupg-pkcs11-scd?
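As an added illustration (not part of the original post and not gnupg-pkcs11-scd's own code), the Python below computes an OpenPGP version-4 fingerprint from RSA public parameters and a creation timestamp, following RFC 4880. The creation time is hashed into the fingerprint, so the same modulus and exponent recorded with two different creation times produce two different fingerprints and key IDs, which is how two identical RSA v4 keys end up listed under distinct IDs. The modulus, exponent and timestamps are constructed placeholders, not the poster's key.

```python
"""Why one RSA token key can show two OpenPGP fingerprints.

A v4 fingerprint (RFC 4880, section 12.2) is SHA-1 over the public-key
packet, and that packet contains the key creation timestamp. Identical
RSA parameters (n, e) with a different recorded creation time therefore
yield a different fingerprint and key ID.
"""
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode a non-negative integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bitlen = value.bit_length()
    return struct.pack(">H", bitlen) + value.to_bytes((bitlen + 7) // 8, "big")


def rsa_v4_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version-4 public-key packet for RSA (public-key algorithm id 1)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(n: int, e: int, created: int) -> str:
    """40-hex-character fingerprint: SHA-1(0x99 || 2-byte body length || body)."""
    body = rsa_v4_public_key_body(n, e, created)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The 64-bit key ID gpg prints is the low-order 8 bytes of the v4 fingerprint."""
    return fingerprint[-16:]


def compare_imports(n: int, e: int, created_a: int, created_b: int) -> dict:
    """Summarise what two imports of the same hardware key look like to gpg."""
    fpr_a = v4_fingerprint(n, e, created_a)
    fpr_b = v4_fingerprint(n, e, created_b)
    return {
        "fingerprint_a": fpr_a,
        "fingerprint_b": fpr_b,
        "same_key_material": True,          # n and e are identical by construction
        "same_fingerprint": fpr_a == fpr_b,  # only true if the timestamps agree
    }


# Constructed placeholder values (not a real RSA modulus, not the poster's key).
N = (1 << 2047) | 0x1234567
E = 65537
CREATED_SYSTEM1 = 1645920000          # 2022-02-27 00:00:00 UTC, constructed
CREATED_SYSTEM2 = CREATED_SYSTEM1 + 3600  # same day, recorded one hour later

if __name__ == "__main__":
    result = compare_imports(N, E, CREATED_SYSTEM1, CREATED_SYSTEM2)
    for label in ("fingerprint_a", "fingerprint_b"):
        print(label, result[label], "key id", long_key_id(result[label]))
    print("same key material:", result["same_key_material"])
    print("same fingerprint:", result["same_fingerprint"])
```

A practical check when two machines disagree about the ID is `gpg --export <id> | gpg --list-packets` on each: if the RSA modulus and exponent match and only the `created` field differs, the signatures come from the same hardware key. A verifier that pins a fingerprint is, in effect, also pinning the creation time that was recorded when the key was imported.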