how to determine default GPG key ID?
Jim Meyering
jim at meyering.net
Mon Nov 7 23:09:41 CET 2011
Werner Koch wrote:
> On Mon, 7 Nov 2011 15:54, jim at meyering.net said:
>
>> Is there some way to make GPG print the default key ID
>> without actually signing something or having access to
>
> $ gpgconf --list-options gpg | awk -F: '$1 == "default-key" {print $10}'
Ahhhh.... Perfect. ;-)
I didn't know about gpgconf.
...
>> Currently in gnulib's maint.mk file, I do this;
>>
>> gpg_key_ID ?= \
>> $$(git cat-file tag v$(VERSION) > .ann-sig \
>> && gpgv .ann-sig - < /dev/null 2>&1 \
>> | sed -n '/.*key ID \([0-9A-F]*\)/s//\1/p'; rm -f .ann-sig)
>>
>> which is ok, since we always have a GPG-signed tag on the release, and
>> from that we can determine the ID of the signing key. Even that could
>> be improved if there's a way to extract the signing key ID without having
>> to use a temporary file.
>
> That is easy:
>
> git cat-file tag v$(VERSION) \
> | gpgv --status-fd 1 --keyring /dev/null 2>/dev/null \
> | awk '$1 == "[GNUPG:]" && $2 == "ERRSIG" {print $3}'
>
> "--keyring /dev/null" makes sure that you will always get an error back.
> --status-fd is very important - it needs to be used by all scripts because
> it has a well defined output format which will never change. The script
> above returns the long keyid. Usually GPG only prints the abbreviated
> short keyid. You may pass the long keyid anywhere where the short keyid
> is expected. You can't get the fingerprint from a signature because it
> is not in the signature file. The tags like ERRSIG are described in
> doc/DETAILS.
Nice! Thank you for the tips!
Note that I had to add the two "-" arguments to placate gpgv.
Also, I have a slight preference for sed here:
gpg_key_ID ?= \
$$(git cat-file tag v$(VERSION) \
| gpgv --status-fd 1 --keyring /dev/null - - 2>/dev/null \
| sed -n '/^\[GNUPG:\] ERRSIG /{s///;s/ .*//p;q}')
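Added example (not part of the thread): a small POSIX sh helper that parses gpgv --status-fd output with constructed sample lines (the key ID and user ID are placeholders), extracts the long key ID from any of ERRSIG/GOODSIG/BADSIG/NO_PUBKEY, and separately reports whether the signature was actually verified, since with "--keyring /dev/null" ERRSIG only names the key and never means the tag was checked. The tag_signing_keyid wrapper assumes git and gpgv are on PATH.

```shell
#!/bin/sh
# Constructed gpgv --status-fd samples (placeholder key ID, not real output).
# Case 1: no usable keyring, as with "--keyring /dev/null".
SAMPLE_NO_KEYRING='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1320703781 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
# Case 2: the signing key is present and the signature is good.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.org>'

# Print the long key ID from the first ERRSIG/GOODSIG/BADSIG/NO_PUBKEY line
# read on stdin; all four status tags carry the key ID as their first field.
signing_keyid() {
    awk '$1 == "[GNUPG:]" &&
         ($2 == "ERRSIG" || $2 == "GOODSIG" ||
          $2 == "BADSIG" || $2 == "NO_PUBKEY") { print $3; exit }'
}

# Exit 0 only if gpgv emitted GOODSIG; ERRSIG or NO_PUBKEY alone means the
# signature was never checked against a trusted key.
signature_verified() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG" { ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# Composition of the pipeline from the thread: key ID of the tag signer.
# Usage: tag_signing_keyid v1.2.3  (needs git and gpgv; not run in tests)
tag_signing_keyid() {
    git cat-file tag "$1" \
      | gpgv --status-fd 1 --keyring /dev/null - - 2>/dev/null \
      | signing_keyid
}
```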