gpg --card-status always create proxy private keys

Alon Bar-Lev alon.barlev at gmail.com
Mon Feb 13 22:59:08 CET 2017


On 13 February 2017 at 23:49, Alon Bar-Lev <alon.barlev at gmail.com> wrote:
> On 13 February 2017 at 18:15, Peter Lebbing <peter at digitalbrains.com> wrote:
>>
>> I'm not up to speed on all the fine detail. But perhaps there is a
>> different alternative that would work for you. GnuPG 2.1 has:
>>
>> $ gpg2 --expert --edit-key [KEYID]
>> [...]
>> > addkey
>> Please select what kind of key you want:
>>    (3) DSA (sign only)
>>    (4) RSA (sign only)
>>    (5) Elgamal (encrypt only)
>>    (6) RSA (encrypt only)
>>    (7) DSA (set your own capabilities)
>>    (8) RSA (set your own capabilities)
>>   (10) ECC (sign only)
>>   (11) ECC (set your own capabilities)
>>   (12) ECC (encrypt only)
>>   (13) Existing key
>>
>> Note option 13. You can use this to add an existing key from an OpenPGP
>> smartcard as well. So if you want to add existing keys from a card
>> infrastructure emulating an OpenPGP card, I think it could be integrated
>> in the same way you can, now with 2.1, add existing keys on real OpenPGP
>> cards. This was a workflow that didn't exist in 2.0.
>
> Hi Peter,
>
> A similar option was possible in 2.0 using addcardkey.
> I checked this as well, and it actually works nicely.
> However, it is insufficient...
> I am unsure I like the master key existing outside of the hardware...
> This is a chicken-and-egg problem, as the master key cannot be enrolled per the
> issue I am experiencing.
> Also unfortunately, rpm does not support signing using subkeys.
>
> Do you know of other magic? I searched for a way to take a subkey and
> promote it to a primary key somehow... did not find a sane sequence.
>
> Maybe instead of "card-edit/generate" there should be "card-edit/use
> existing" or something?

hmmm... maybe something like:
gpg --genkey --keygrip XXXXXX
so it will generate a primary key out of a specific private key?

>
> I still think that the simplest solution is to override whatever is in
> ~/.gnupg/private-keys-v1.d and not fail if the same key hash exists; this
> requires a small code change to gnupg.
>
> Regards,
> Alon
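An added example for readers following this thread (editorial code, not from Alon, Peter or the GnuPG project): the "proxy" private keys the subject line refers to are the stub files gpg-agent writes into private-keys-v1.d, one per keygrip, when --card-status sees a key on a card. The POSIX sh script below shows how to tell such a stub apart from a real on-disk key before deciding to overwrite anything. It assumes the field layout documented in gpg's doc/DETAILS for --with-colons output (field 5 = key ID and field 15 = token serial on sec/ssb records, field 10 = keygrip on grp records) and that stub files carry the S-expression tag "shadowed-private-key"; the listing it parses is a constructed sample, not captured from a real keyring.

```shell
#!/bin/sh
# Added example, not code from this thread. Maps the secret keys gpg knows about
# to their keygrips and to the backing store gpg-agent uses for each, so a stub
# ("proxy") written by --card-status can be told apart from a real on-disk key.
#
# Assumptions: field layout follows gpg's doc/DETAILS for --with-colons output
# (field 5 = key ID, field 15 = token serial on sec/ssb records, field 10 =
# keygrip on grp records); stub files in private-keys-v1.d contain the
# S-expression tag "shadowed-private-key".

# Constructed sample of `gpg --with-keygrip --with-colons -K` output; key IDs,
# keygrips and the card serial are made up. Two keys live on a card, one on disk.
SAMPLE='sec:u:4096:1:0123456789ABCDEF:1486932000:::u:::scESC:::D2760001240102000006012345670000:::::
fpr:::::::::0000000000000000000000000123456789ABCDEF:
grp:::::::::0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1:
ssb:u:4096:1:FEDCBA9876543210:1486932000::::::e:::D2760001240102000006012345670000:::::
fpr:::::::::00000000000000000000000000FEDCBA9876543210:
grp:::::::::0BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB2:
ssb:u:4096:1:1111222233334444:1486932000::::::s::::::::
fpr:::::::::0000000000000000000000001111222233334444:
grp:::::::::0CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC3:'

# Print one line per secret (sub)key: "<sec|ssb> <keyid> <keygrip> <backing>",
# where backing is "card:<serial>", "stub" (field 15 is "#") or "disk".
classify_listing() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "sec" || $1 == "ssb" { type = $1; keyid = $5; serial = $15; next }
    $1 == "grp" {
      if (serial == "")       backing = "disk"
      else if (serial == "#") backing = "stub"
      else                    backing = "card:" serial
      printf "%s %s %s %s\n", type, keyid, $10, backing
    }'
}

# Path of the gpg-agent private key file for a keygrip (file name is the keygrip).
keygrip_path() {
  printf '%s/private-keys-v1.d/%s.key\n' "${GNUPGHOME:-$HOME/.gnupg}" "$1"
}

# Succeed when the file is a card stub rather than a real private key. gpg-agent
# writes stubs as "(20:shadowed-private-key ...)" and real keys as
# "(21:protected-private-key ...)" or "(11:private-key ...)".
is_stub_file() {
  grep -q 'shadowed-private-key' "$1"
}

# Walk the listing and, for each keygrip, report whether the on-disk file (if
# any) is a stub. Against a real keyring, replace SAMPLE with
# "$(gpg --with-keygrip --with-colons -K)".
report() {
  classify_listing "$SAMPLE" | while read -r type keyid grip backing; do
    file=$(keygrip_path "$grip")
    if [ ! -e "$file" ]; then
      state="no file"
    elif is_stub_file "$file"; then
      state="stub file"
    else
      state="real key file"
    fi
    printf '%s %s grip=%s backing=%s file=%s (%s)\n' \
      "$type" "$keyid" "$grip" "$backing" "$file" "$state"
  done
}

report
```

A key whose listing says "card:<serial>" but whose file is a real key file is exactly the collision this thread is about: a genuine private key already sits under that keygrip, so --card-status cannot write its stub over it. Checking the file tag first avoids replacing a real key with a stub that only points at a card.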



More information about the Gnupg-devel mailing list