Keyrings file format

David Shaw dshaw at jabberwocky.com
Tue Jan 6 14:27:23 CET 2009


On Jan 6, 2009, at 4:58 AM, David Paleino wrote:

> Hello [0],
> I'm writing a CLI library (in C# -- to be used with all CLRs, i.e. Mono, .NET
> and DotGNU Portable .NET) to give GnuPG's functionalities to "end-developers".
>
> My library currently parses the output of `gpg --with-colons`, but I'd like to
> give its users the ability to directly act on the keyrings in ~/.gnupg/.
>
> Is the format documented anywhere?

A GnuPG keyring is defined in RFC-4880 (http://tools.ietf.org/html/rfc4880).
Basically the pubring is a series of "Transferable Public Keys" (section 11.1)
concatenated together.  The secring is a series of "Transferable Secret Keys"
(section 12.1) concatenated together.

Note, though, section 3.6 of the RFC:

3.6. Keyrings

    A keyring is a collection of one or more keys in a file or database.
    Traditionally, a keyring is simply a sequential list of keys, but may
    be any suitable database.  It is beyond the scope of this standard to
    discuss the details of keyrings or other databases.

It is perfectly legal for a program to use some internal method for storing
keys that isn't the traditional "file with a lot of key packets" method.  The
only thing that is required is that the transferable (i.e. exported) format
conforms to the spec.  If you really want to really future-proof yourself
against potential storage format changes, avoid reading pubring.gpg or
secring.gpg yourself, and instead have your library parse the output of
"gpg --export" or "gpg --export-secret-keys".  Today, these are identical,
but in the future, they might not be.

All that said, what are you trying to do, exactly?  What information do you
need to get from the keys that isn't available now?

David
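An added example, not part of this thread and not code from GnuPG or from the poster's library: a Python parser that does what the reply describes, walking a stream of RFC 4880 packets (old- and new-format headers, section 4.2) and splitting it into transferable keys, each of which begins with a Public-Key (tag 6) or Secret-Key (tag 5) packet (sections 11.1 and 12.1). Packet bodies are carried through uninterpreted. The sample keyring at the bottom is constructed from filler bytes and is not real key material; `encode_packet` exists only to build it.

```python
from dataclasses import dataclass

# Packet tags from RFC 4880 section 4.3 (only those used here)
TAG_SIGNATURE, TAG_SECRET_KEY, TAG_PUBLIC_KEY = 2, 5, 6
TAG_USER_ID, TAG_PUBLIC_SUBKEY = 13, 14


@dataclass
class Packet:
    tag: int
    body: bytes  # carried through uninterpreted
    new_format: bool


def parse_packets(data: bytes) -> list[Packet]:
    """Split a packet stream on its headers (RFC 4880 section 4.2)."""
    packets: list[Packet] = []
    pos = 0
    try:
        while pos < len(data):
            ctb = data[pos]
            pos += 1
            if not ctb & 0x80:
                raise ValueError(f"bad packet header at offset {pos - 1}: bit 7 clear")
            if ctb & 0x40:
                # New format (4.2.2): tag in low 6 bits; length in 1, 2 or 5 octets
                tag, new_format = ctb & 0x3F, True
                first = data[pos]
                pos += 1
                if first < 192:
                    length = first
                elif first < 224:
                    length = ((first - 192) << 8) + data[pos] + 192
                    pos += 1
                elif first == 255:
                    length = int.from_bytes(data[pos:pos + 4], "big")
                    pos += 4
                else:  # 224..254: partial (streamed) lengths, never used for keys
                    raise ValueError(f"partial body length at offset {pos - 1}")
            else:
                # Old format (4.2.1): tag in bits 2..5; length-type in bits 0..1
                # (0/1/2 -> 1/2/4 length octets, 3 -> rest of input)
                tag, new_format = (ctb >> 2) & 0x0F, False
                length_type = ctb & 0x03
                if length_type == 3:
                    length = len(data) - pos
                else:
                    n = 1 << length_type
                    length = int.from_bytes(data[pos:pos + n], "big")
                    pos += n
            body = data[pos:pos + length]
            if len(body) != length:
                raise ValueError(f"truncated packet (tag {tag}) at offset {pos}")
            pos += length
            packets.append(Packet(tag, body, new_format))
    except IndexError:
        raise ValueError(f"truncated packet header at offset {pos}") from None
    return packets


def split_keyring(data: bytes) -> list[list[Packet]]:
    """Group packets into transferable keys (RFC 4880 sections 11.1 / 12.1)."""
    keys: list[list[Packet]] = []
    for pkt in parse_packets(data):
        if pkt.tag in (TAG_PUBLIC_KEY, TAG_SECRET_KEY):
            keys.append([])  # a primary key packet starts a new transferable key
        elif not keys:
            raise ValueError(f"packet tag {pkt.tag} before the first primary key")
        keys[-1].append(pkt)
    return keys


def encode_packet(tag: int, body: bytes, new_format: bool = True) -> bytes:
    """Build a packet with either header style (used to construct the sample)."""
    n = len(body)
    if new_format:
        if n < 192:
            hdr = bytes([n])
        elif n < 8384:
            hdr = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
        else:
            hdr = b"\xff" + n.to_bytes(4, "big")
        return bytes([0xC0 | tag]) + hdr + body
    length_type = 0 if n < 256 else 1 if n < 65536 else 2
    hdr = n.to_bytes(1 << length_type, "big")
    return bytes([0x80 | (tag << 2) | length_type]) + hdr + body


def sample_keyring() -> bytes:
    """Two constructed public keys: new-format headers, then old-format."""
    alice = [
        (TAG_PUBLIC_KEY, b"\x04" + b"\x01" * 40),
        (TAG_USER_ID, b"Alice (constructed) <alice@example.com>"),
        (TAG_SIGNATURE, b"\x04\x13" + b"\x02" * 300),  # exercises 2-octet length
        (TAG_PUBLIC_SUBKEY, b"\x04" + b"\x03" * 40),
        (TAG_SIGNATURE, b"\x04\x18" + b"\x04" * 60),
    ]
    bob = [
        (TAG_PUBLIC_KEY, b"\x04" + b"\x05" * 40),
        (TAG_USER_ID, b"Bob (constructed) <bob@example.com>"),
        (TAG_SIGNATURE, b"\x04\x13" + b"\x06" * 300),  # 2-octet old-format length
    ]
    return (b"".join(encode_packet(t, b, True) for t, b in alice)
            + b"".join(encode_packet(t, b, False) for t, b in bob))
```

Feeding it the bytes of `gpg --export` gives one list per key, whose first packet is the primary key and whose remaining packets are user IDs, subkeys and signatures in the order the spec prescribes. The caveat in the reply about storage formats changing is exactly what later happened: GnuPG 2.1 moved public keys into the keybox file (pubring.kbx), which this parser would reject as a bad packet header, while the `--export` output is still a plain packet stream.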
