GPGME and multiple subkeys

David Anderson david.anderson at
Thu Oct 30 22:16:38 CET 2003

Werner Koch wrote:
> The question is on how to detect what the Gobelins key is.  The simple
> method would be to have the user enter the keyID are more advanced one
> to use notation data to detected the desired subkey.

Good point, we hadn't actually thought that far. I myself am in charge 
of developping the networking layer for the project, which should manage 
authentication and encryption 99% transparently (user interaction will 
still be required for things like a passphrase to unlock secret keys).
Unfortunately, I am not as versed in PGP/GPG as I'd like to be, and I 
had no ideas for subkey selection other than ID specification. What is 
notation data? How could I use this to find the right subkey?

> You are right, GPGME does not yet support enforcing the use of a
> specific subkey.  Thanks for noting this.  We should definitely do
> something about it.  When doing that we should also allow for more
> flexibility, so that for example a subkey may be selected using
> notation data or other attributes.  We need to think about the API.

I have not looked in detail at the source code of GPGME, but I would be 
willing to lend a hand in implementing this functionnality.

Concerning the API, the main selection function would of course be by 
subkey ID. However, something which would be useful is a 'flags' 
parameter, in which you could logical-OR the attributes the subkey 
should have. For instance, if I wanted to search for a decryption 
subkey, I would combine the SUBKEY_ENCRYPTION and SUBKEY_SECRET 
parameters, in order to refine the search.
The basic API would then look something like:

gpgme_subkey_t gpgme_subkey_select(struct gpgme_key_t key, 
gpgme_subkey_t last_subkey, const char *keyid, const unsigned char flags);

with last_subkey being NULL if you want to search all subkeys, or set to 
the last subkey returned to return the next subkey.

Then all crypto functions would have to be adapted to take an extra 
subkey argument (if NULL, a function to select the appropriate subkey 
for the task is run).

What do you think?

> pipe and fork/exec is obviously a choice, however a way to sel;ect a
> specific subkey is something we require in GPGME anyway.

The problem with interfacing gpg directly is that I have to call an 
external program, which I normally don't like doing.
But as I said, if I can help get the function I need into GPGME, I'd be 
quite happy to lend a hand.

David Anderson

More information about the Gnupg-devel mailing list