commands for gpg keychain access

Charly Avital shavital at
Mon Apr 16 13:44:37 CEST 2007

Stoddard Richard wrote the following on 4/16/07 1:10 PM:
> Thanks. I think I understand it all, and will tackle it this evening.  

I am glad you do, thanks: I was not sure my explanations were clear enough.

> The problem I had when generating the key is that even though I  
> checked 4096 as the size, only the subkey is 4096. I didn't have an  
> option for the primary key.
> --
> Rick

Now that I have --enable-dsa2 in my gpg.conf, when I go to Terminal and
type gpg --gen-key, I get:

[gpg info...) and interactive session, e.g.:

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (1024) 2048
Requested keysize is 2048 bits
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

What I did before --enable-dsa2 was available, was to add a subkey (RSA)
with a value of at least 2048, and *select* the 'signing subkey' option.
Thus I had an additional subkey that I use use for signing with SHA256
(after enabling digest-algo SHA256).

I don't believe you can change the value of the primary key you have
already generated. If you want to keep on using it (it's already on the
keyservers), maybe you could do as I did, add a signing subkey:

gpg --edit key (your Key ID)

Command> addkey     (this is the command to add a subkey), and proceed
with the interactive dialogue: signing subkey, size etc...

There's another "thing" when you add a signing subkey to an existing
key. You should cross-certify your new subkey (equivalent of signing the
subkey, in order to validate it). You can use 'cross-certify' in the
interactive dialogue that follows --edit-key. I am not sure you can do
everything in one single operation. If, after creating the signing subkey,
Command> cross-certify does not work, you'd better save the key with its
additional subkey, and only then invoke it again with
gpg --edit-key [key ID] and proceed with
Command> cross-certify

When you have saved all the changes, you should upload the updated key
to the key servers.

Another possibility:
after enabling 'enable-dsa2', creating a DSA key with a primary key
whose value is 2048, enabling digest-algo SHA256, and testing that you
can actually sign a test message with SHA256, you can revoke the former
key, upload the revocation certificate to the servers, and upload your
new key to the servers.


More information about the Gnupg-users mailing list