how to determine default GPG key ID?

Werner Koch wk at
Mon Nov 7 20:53:43 CET 2011

On Mon,  7 Nov 2011 15:54, jim at said:

> Is there some way to make GPG print the default key ID
> without actually signing something or having access to

 $ gpgconf --list-options gpg | awk -F: '$1 == "default-key" {print $10}'

The '\"' indicates that the value is a string.  This works by parsing the
config file.

There is no other reliable method to figure it out.  GPG uses the first
usable key in the keyring and the order of the keys in the ring is not

> definition.  But even determining which .gnupg/gpg.conf file to
> read is not trivial, since gpg's choice depends on envvars like


Right.  Thus we came up with gpgconf.  It actually invokes gpg to get
some metadata on the options.  A bit complicated but this system allows
us to create a configuration GUI on the fly.

> Currently in gnulib's file, I do this;
> gpg_key_ID ?= \
>   $$(git cat-file tag v$(VERSION) > .ann-sig \
>      && gpgv .ann-sig - < /dev/null 2>&1 \
> 	  | sed -n '/.*key ID \([0-9A-F]*\)/s//\1/p'; rm -f .ann-sig)
> which is ok, since we always have a GPG-signed tag on the release, and
> from that we can determine the ID of the signing key.  Even that could
> be improved if there's a way to extract the signing key ID without having
> to use a temporary file.

That is easy:

   git cat-file tag v$(VERSION) \
     | gpgv --status-fd 1 --keyring /dev/null 2>/dev/null \
     | awk '$1 == "[GNUPG:]" && $2 == "ERRSIG" {print $3}'

"--keyring /dev/null" makes sure that you will always get an error back.
--status-fd is very important - it needs to be used by all scripts because
it has a well defined output format which will never change.  The script
above returns the long keyid.  Usually GPG only prints the abbreviated
short keyid.  You may pass the long keyid anywhere where the short keyid
is expected.  You can't get the fingerprint from a signature because it
is not in the signature file.  The tags like ERRSIG are described in



Thoughts are free.  Exceptions are regulated by a federal law.

More information about the Gnupg-devel mailing list
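
Added example (not part of the original message and not GnuPG's own code): the ERRSIG extraction from the reply above, wrapped in a shell function that fails closed when the status output has no signature record, more than one, or a key ID that is not 16 hex digits. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: pull the signer's long key ID out of gpgv --status-fd output.

# Read status lines on stdin and print the long key ID of the one signature.
# Exit status: 0 = one well-formed key ID printed,
#              1 = no ERRSIG record seen,
#              2 = several ERRSIG records, or a key ID that is not 16 hex digits.
signer_keyid_from_status() {
    awk '
        # Only lines with the status prefix are machine-readable records;
        # human-readable diagnostics are ignored.
        $1 == "[GNUPG:]" && $2 == "ERRSIG" { n++; id = $3 }
        END {
            if (n == 0) exit 1
            if (n > 1) exit 2
            if (id !~ /^[0-9A-F]+$/ || length(id) != 16) exit 2
            print id
        }
    '
}

# Hypothetical wrapper around the pipeline from the message: the key ID that
# signed tag "$1" in the current repository.  The empty keyring forces ERRSIG,
# so the outcome never depends on which keys happen to be installed locally.
tag_signer_keyid() {
    git cat-file tag "$1" \
        | gpgv --status-fd 1 --keyring /dev/null 2>/dev/null \
        | signer_keyid_from_status
}

# Constructed sample of status output (key ID and timestamp are made up).
sample_status() {
    printf '%s\n' \
        'gpgv: Signature made Mon Nov  7 20:53:43 2011 CET' \
        '[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1320695623 9' \
        '[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
}

sample_status | signer_keyid_from_status   # prints 0123456789ABCDEF
```

A release script would call `tag_signer_keyid "v$VERSION"` and abort on a non-zero status instead of continuing with an empty key ID.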