how to determine default GPG key ID?

Jim Meyering jim at meyering.net
Mon Nov 7 23:09:41 CET 2011


Werner Koch wrote:
> On Mon,  7 Nov 2011 15:54, jim at meyering.net said:
>
>> Is there some way to make GPG print the default key ID
>> without actually signing something or having access to
>
>  $ gpgconf --list-options gpg | awk -F: '$1 == "default-key" {print $10}'

Ahhhh....  Perfect. ;-)
I didn't know about gpgconf.

...
>> Currently in gnulib's maint.mk file, I do this:
>>
>> gpg_key_ID ?= \
>>   $$(git cat-file tag v$(VERSION) > .ann-sig \
>>      && gpgv .ann-sig - < /dev/null 2>&1 \
>>      | sed -n '/.*key ID \([0-9A-F]*\)/s//\1/p'; rm -f .ann-sig)
>>
>> which is ok, since we always have a GPG-signed tag on the release, and
>> from that we can determine the ID of the signing key.  Even that could
>> be improved if there's a way to extract the signing key ID without having
>> to use a temporary file.
>
> That is easy:
>
>    git cat-file tag v$(VERSION) \
>      | gpgv --status-fd 1 --keyring /dev/null 2>/dev/null \
>      | awk '$1 == "[GNUPG:]" && $2 == "ERRSIG" {print $3}'
>
> "--keyring /dev/null" makes sure that you will always get an error back.
> --status-fd is very important - it needs to be used by all scripts because
> it has a well defined output format which will never change.  The script
> above returns the long keyid.  Usually GPG only prints the abbreviated
> short keyid.  You may pass the long keyid anywhere where the short keyid
> is expected.  You can't get the fingerprint from a signature because it
> is not in the signature file.  The tags like ERRSIG are described in
> doc/DETAILS.

Nice!  Thank you for the tips!

Note that I had to add the two "-" arguments to placate gpgv.
Also, I have a slight preference for sed here:

gpg_key_ID ?= \
  $$(git cat-file tag v$(VERSION) \
     | gpgv --status-fd 1 --keyring /dev/null - - 2>/dev/null \
     | sed -n '/^\[GNUPG:\] ERRSIG /{s///;s/ .*//p;q}')
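As an added example (not code from the thread), here is a small sh wrapper around the status-fd parsing Werner describes: the helper names are hypothetical and the status output is a constructed sample, so the parsing can be exercised without git or gpgv; only tag_signer_key_id needs the real tools.

```shell
#!/bin/sh
# Pull the signing key ID out of GnuPG status-fd output (hypothetical helper names).
# Field layout follows doc/DETAILS: ERRSIG <keyid> <pkalgo> <hashalgo> <class> <time> <rc>
# (newer gpg appends the fingerprint), GOODSIG/BADSIG <keyid> <user id>.

# key_id_from_status: read "[GNUPG:] ..." lines on stdin, print the long key ID once.
# Accepting GOODSIG/BADSIG as well as ERRSIG lets the same filter work whether or
# not the signer's key happens to be in the keyring.
key_id_from_status() {
    awk '$1 == "[GNUPG:]" && ($2 == "ERRSIG" || $2 == "GOODSIG" || $2 == "BADSIG") {
             print $3; exit }'
}

# tag_signer_key_id TAG: the pipeline from the thread; needs git and gpgv installed.
# With --keyring /dev/null nothing can verify, so the key ID comes from an ERRSIG line.
tag_signer_key_id() {
    git cat-file tag "$1" \
      | gpgv --status-fd 1 --keyring /dev/null - - 2>/dev/null \
      | key_id_from_status
}

# status_says_signed_by EXPECTED: succeed only if the status lines on stdin name the
# expected long key ID. Limit: an ERRSIG key ID is merely what the signature packet
# claims, not a verified signer; a real check needs the key in the keyring and a
# GOODSIG/VALIDSIG line.
status_says_signed_by() {
    [ "$(key_id_from_status)" = "$1" ]
}

# Constructed sample of gpgv --status-fd 1 --keyring /dev/null output for a signed
# tag whose key is absent from the (empty) keyring; the key ID is made up.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1320703781 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'

printf '%s\n' "$SAMPLE_STATUS" | key_id_from_status   # prints 0123456789ABCDEF
```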
