Signing with a key on a smart card

Werner Koch wk at
Wed Sep 2 13:12:35 CEST 2009

On Wed,  2 Sep 2009 10:55, jerome.blanc at said:

> anyone that could explain me how gpg chooses which secret key to use or
> how I could tell gpg which one to use ? 

Without an option, gpg uses the first available secret key for signing.
This is usually not desired, thus you can use "default-key" in gpg.conf
to select a different one.  If you want to use another than the default
key, you may give it on the command line with "-u USERID".  You may even
give several "-u" options to sign the data with several keys.

An OpenPGP keys consists of a primary key and optionally several
subkeys.  Gpg uses the latest subkey capable of signing to create a
signature, if no such subkey is available, the primary key is used.
This happens even if you speicify the keyid of a subkey.  If you want to
force the use of a specific signing subkey, you need use the ! suffix to
the keyid.  Example:

 pub  1024D/5B0358A2  created: 1999-03-15  expires: 2011-07-11  usage: SC  
 sub  2048R/B604F148  created: 2004-03-21  expired: 2005-12-31  usage: E   
 sub  2048R/C3680A6E  created: 2006-01-01  expired: 2007-12-31  usage: E   
 sub  1024D/3D52C282  created: 2007-12-31  expires: 2010-07-11  usage: S   
 sub  2048R/F409CD54  created: 2007-12-31  expires: 2011-07-10  usage: E   
 sub  2048R/12345678  created: 2009-06-30  expires: 2010-07-10  usage: S   


  -u 0x5B0358A2   ==> Subkey 0x12345678 is used.
  -u 0x12345678   ==> Subkey 0x12345678 is used.
  -u 0x3D52C282   ==> Subkey 0x12345678 is used.
  -u 0x3D52C282!  ==> Subkey 0x3D52C282 is used.

Due to the key expiration, this will chnage in one year to:

  -u 0x5B0358A2   ==> Primary key 0x5B0358A2 is used.
  -u 0x12345678   ==> Primary key 0x5B0358A2 is used.
  -u 0x3D52C282   ==> Primary key 0x5B0358A2 is used.
  -u 0x3D52C282!  ==> Primary key 0x5B0358A2 is used.



Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

More information about the Gnupg-users mailing list