Signing with a key on a smart card
Werner Koch
wk at gnupg.org
Wed Sep 2 13:12:35 CEST 2009
On Wed, 2 Sep 2009 10:55, jerome.blanc at nerim.net said:

> anyone that could explain to me how gpg chooses which secret key to use or
> how I could tell gpg which one to use?

Without an option, gpg uses the first available secret key for signing.
This is usually not desired, thus you can use "default-key" in gpg.conf
to select a different one. If you want to use another than the default
key, you may give it on the command line with "-u USERID". You may even
give several "-u" options to sign the data with several keys.

An OpenPGP key consists of a primary key and optionally several
subkeys. Gpg uses the latest subkey capable of signing to create a
signature; if no such subkey is available, the primary key is used.
This happens even if you specify the keyid of a subkey. If you want to
force the use of a specific signing subkey, you need to use the ! suffix to
the keyid. Example:

pub 1024D/5B0358A2 created: 1999-03-15 expires: 2011-07-11 usage: SC
sub 2048R/B604F148 created: 2004-03-21 expired: 2005-12-31 usage: E
sub 2048R/C3680A6E created: 2006-01-01 expired: 2007-12-31 usage: E
sub 1024D/3D52C282 created: 2007-12-31 expires: 2010-07-11 usage: S
sub 2048R/F409CD54 created: 2007-12-31 expires: 2011-07-10 usage: E
sub 2048R/12345678 created: 2009-06-30 expires: 2010-07-10 usage: S
Using:
-u 0x5B0358A2 ==> Subkey 0x12345678 is used.
-u 0x12345678 ==> Subkey 0x12345678 is used.
-u 0x3D52C282 ==> Subkey 0x12345678 is used.
-u 0x3D52C282! ==> Subkey 0x3D52C282 is used.
Due to the key expiration, this will change in one year to:
-u 0x5B0358A2 ==> Primary key 0x5B0358A2 is used.
-u 0x12345678 ==> Primary key 0x5B0358A2 is used.
-u 0x3D52C282 ==> Primary key 0x5B0358A2 is used.
-u 0x3D52C282! ==> Primary key 0x5B0358A2 is used.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
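
The selection rule described in the message above, as a small Python model added here for illustration; it is not GnuPG's code and not part of the original post. The function name `select_signing_key` and the tuple layout are assumptions, the key data is the listing from the message, and the handling of a pinned but expired subkey follows the message's second table.

```python
from datetime import date

# Key listing from the message: (keyid, kind, created, expires, usage).
KEYS = [
    ("5B0358A2", "pub", date(1999, 3, 15), date(2011, 7, 11), "SC"),
    ("B604F148", "sub", date(2004, 3, 21), date(2005, 12, 31), "E"),
    ("C3680A6E", "sub", date(2006, 1, 1), date(2007, 12, 31), "E"),
    ("3D52C282", "sub", date(2007, 12, 31), date(2010, 7, 11), "S"),
    ("F409CD54", "sub", date(2007, 12, 31), date(2011, 7, 10), "E"),
    ("12345678", "sub", date(2009, 6, 30), date(2010, 7, 10), "S"),
]

def select_signing_key(user_arg, today, keys=KEYS):
    """Return (kind, keyid) of the key that signs for `-u user_arg` on `today`."""
    forced = user_arg.endswith("!")
    keyid = user_arg.rstrip("!").upper()
    if keyid.startswith("0X"):
        keyid = keyid[2:]
    if keyid not in {k[0] for k in keys}:
        raise LookupError("no such key or subkey: " + user_arg)

    primary = next(k for k in keys if k[1] == "pub")
    # Subkeys that can sign and are inside their validity period on `today`.
    usable = [k for k in keys
              if k[1] == "sub" and "S" in k[4] and k[2] <= today < k[3]]

    if forced:
        # "KEYID!" pins exactly that subkey, provided it is still usable.
        for k in usable:
            if k[0] == keyid:
                return (k[1], k[0])
        # Assumption taken from the message's second table: a pinned subkey
        # that has expired ends up at the primary key.
        return (primary[1], primary[0])
    if usable:
        newest = max(usable, key=lambda k: k[2])  # latest creation date wins
        return (newest[1], newest[0])
    return (primary[1], primary[0])  # no signing subkey left

if __name__ == "__main__":
    for when in (date(2009, 9, 2), date(2010, 9, 2)):
        for arg in ("0x5B0358A2", "0x12345678", "0x3D52C282", "0x3D52C282!"):
            print(when, "-u", arg, "==>", select_signing_key(arg, when))
```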