Possible bug: addkey can create certifying subkey
James P. Howard, II
jh at jameshoward.us
Mon Aug 31 19:24:44 CEST 2009
I am not sure if this is a bug, but given the documentation it is not
the expected behavior. I created new keys this weekend, due to a lost
USB drive. Replicating it here, if you specify --expert and create an
RSA subkey with all the options off, it will create a subkey with all
the options, including certification turned on. Here's a slightly
edited transcript:
howardjp at thermopylae:~$ gpg --expert --edit 0xE6602099
Secret key is available.
pub 4096R/0xE6602099 created: 2009-08-30 expires: never usage: C
trust: ultimate validity: ultimate
sub 2048R/0xFCB31625 created: 2009-08-30 expires: never usage: E
sub 2048R/0xA40883BA created: 2009-08-30 expires: never usage: A
sub 2048R/0x2C3602D7 created: 2009-08-30 expires: never usage: S
sub 2048R/0x3EE4249E created: 2009-08-30 expires: never usage: S
[ultimate] (1). James Patrick Howard, II
Command> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "James Patrick Howard, II"
4096-bit RSA key, ID 0xE6602099, created 2009-08-30
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection? 8
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? e
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
pub 4096R/0xE6602099 created: 2009-08-30 expires: never usage: C
trust: ultimate validity: ultimate
sub 2048R/0xFCB31625 created: 2009-08-30 expires: never usage: E
sub 2048R/0xA40883BA created: 2009-08-30 expires: never usage: A
sub 2048R/0x2C3602D7 created: 2009-08-30 expires: never usage: S
sub 2048R/0x3EE4249E created: 2009-08-30 expires: never usage: S
sub 2048R/0xB892F408 created: 2009-08-31 expires: never usage: SCEA
[ultimate] (1). James Patrick Howard, II
Command> quit
Save changes? (y/N) n
Quit without saving? (y/N) y
howardjp at thermopylae:~$ gpg --version
gpg (GnuPG/MacGPG2) 2.0.12
libgcrypt 1.4.4
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
howardjp at thermopylae:~$
--
James P. Howard, II, MPA
jh at jameshoward.us
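One way to check a key for the condition reported above, as an added example that is not part of the original post or of GnuPG: it parses the pub/sub listing lines exactly as they appear in the transcript and flags any subkey whose usage includes C. The function names and the regular expression are assumptions made for this example, and only the line shape shown in the transcript is handled.

```python
import re

# Listing lines copied from the transcript in the post (gpg 2.0.12, --edit-key view).
LISTING = """\
pub 4096R/0xE6602099 created: 2009-08-30 expires: never usage: C
sub 2048R/0xFCB31625 created: 2009-08-30 expires: never usage: E
sub 2048R/0xA40883BA created: 2009-08-30 expires: never usage: A
sub 2048R/0x2C3602D7 created: 2009-08-30 expires: never usage: S
sub 2048R/0x3EE4249E created: 2009-08-30 expires: never usage: S
sub 2048R/0xB892F408 created: 2009-08-31 expires: never usage: SCEA
"""

# Assumed line shape: kind, bits+algo letter, key ID, created, expires, usage letters.
LINE_RE = re.compile(
    r"^(?P<kind>pub|sub)\s+(?P<bits>\d+)(?P<algo>[A-Za-z])/(?P<keyid>0x[0-9A-Fa-f]+)"
    r"\s+created:\s*(?P<created>\S+)\s+expires:\s*(?P<expires>\S+)"
    r"\s+usage:\s*(?P<usage>[SCEA]*)\s*$"
)

def parse_listing(text):
    """Return one dict per pub/sub line; other lines (trust, uid, prompts) are skipped."""
    keys = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["usage"] = set(rec["usage"])  # e.g. {"S", "C", "E", "A"}
            keys.append(rec)
    return keys

def audit_subkeys(keys):
    """Flag subkeys that can certify, or that list no usage at all."""
    findings = []
    for k in keys:
        if k["kind"] != "sub":
            continue  # certify on the primary key is the normal case
        if "C" in k["usage"]:
            findings.append((k["keyid"], "subkey has certify (C) capability"))
        elif not k["usage"]:
            findings.append((k["keyid"], "subkey lists no usage flags"))
    return findings

if __name__ == "__main__":
    for keyid, reason in audit_subkeys(parse_listing(LISTING)):
        print(keyid, reason)
```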
More information about the Gnupg-users
mailing list