gpg --card-status always create proxy private keys

Alon Bar-Lev alon.barlev at gmail.com
Tue Feb 14 20:31:13 CET 2017


On 14 February 2017 at 21:11, Peter Lebbing <peter at digitalbrains.com> wrote:
> Hello Alon,
>
> On 13/02/17 22:49, Alon Bar-Lev wrote:
>> Similar option was possible in 2.0 using addcardkey.
>
> If you can wrest this behaviour from "addcardkey" you're a better man than I
> :-). If I use addcardkey from 2.0, it does not give me the option to use an
> existing smartcard key, it will instead warn me that it will overwrite the
> existing key. Are you sure you can use an existing key that way?
>
>> Also unfortunately, rpm does not support signing using subkeys.
>
> My first thought is: then rpm should be updated, OpenPGP subkeys are a
> well-established technology. But I suppose you need a developer that cares
> enough first, it's cheap to yell "then it should be updated!".

Yes... but I cannot control that... it has been pending for ~10 years [1].
I need to support, among others, signing rpms using a PKCS#11-enabled HSM.

[1] https://www.redhat.com/archives/rpm-list/2006-November/msg00105.html

> But since you can actually create a primary key that can do both certify and
> sign, it's not a showstopper for using smartcards.

This option is now lost when re-using keys as I described in my initial mail.

> You can, right? I'm not 100% sure I ever tested using a primary key on smartcard
> with *both* certify and sign, but I wouldn't expect it not to work since you
> actually use the "Sign" slot on a smartcard to use a Certify-capable key.

This worked so far, as "card-edit/generate" returned the existing key, so
PKCS#11 keys could be used as primary keys; however, now that gpg does not
let generate return the same key, it broke the ability to use primary keys.
I believe that blocking the use of an existing key during generate is an
unintended behavior and can be fixed easily.

>> Maybe instead of "card-edit/generate" there should be "card-edit/use
>> existing" or something?
>
> Isn't that exactly the same as GnuPG 2.1's "edit-key/addkey/Use existing"? What
> would be the difference? Well, okay for the latter you need to look up the
> keygrip, but the functionality is there.

The difference is that edit-key uses the existing primary key and manages
subkeys, while I need to support primary keys as well.

>
> On 13/02/17 22:59, Alon Bar-Lev wrote:
>> hmmm... maybe something like:
>> gpg --genkey --keygrip XXXXXX
>> so it will generate a primary key out of specific private key?
>
> I'd actually expect it differently. Right now, in contrast with
> "edit-key/addkey", GnuPG 2.1 offers the following:
>
>> $ gpg2 --expert --full-gen-key
>> gpg (GnuPG) 2.1.16; Copyright (C) 2016 Free Software Foundation, Inc.
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law.
>>
>> Please select what kind of key you want:
>>    (1) RSA and RSA (default)
>>    (2) DSA and Elgamal
>>    (3) DSA (sign only)
>>    (4) RSA (sign only)
>>    (7) DSA (set your own capabilities)
>>    (8) RSA (set your own capabilities)
>>    (9) ECC and ECC
>>   (10) ECC (sign only)
>>   (11) ECC (set your own capabilities)
>> Your selection?
>
> I'd just like to see option 13 from "edit-key/addkey", so it would be like this
> (this is a mock-up, not actual output!):
>> $ gpg2 --expert --full-gen-key
>> gpg (GnuPG) 2.1.16; Copyright (C) 2016 Free Software Foundation, Inc.
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law.
>>
>> Please select what kind of key you want:
>>    (1) RSA and RSA (default)
>>    (2) DSA and Elgamal
>>    (3) DSA (sign only)
>>    (4) RSA (sign only)
>>    (7) DSA (set your own capabilities)
>>    (8) RSA (set your own capabilities)
>>    (9) ECC and ECC
>>   (10) ECC (sign only)
>>   (11) ECC (set your own capabilities)
>>   (13) Existing key
>> Your selection?

Yes, this should generate a primary key using an existing private key.
If this is acceptable, it will be very nice.

Thanks!

> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
>
