Problems with two active encryption subkeys

Hauke Laging mailinglisten at
Wed Nov 10 20:20:13 CET 2010

Am Mittwoch 10 November 2010 19:52:00 schrieb MFPA:

> > AFAIK gpg takes the (compatible) subkey which is valid
> > for the longest remaining period.
> I thought Gunpg used the largest available subkey for the task, and
> multiple appropriate sukeys were of the same size the newest would be
> used.

I created some more subkeys to check that...

For 2.0.15 you are right in one point and wrong in the other. It is the newer 
creation date which is chosen not the longer remaining validity period. But 
the newer key wins against the longer one:

start cmd:> LC_ALL=C gpg --edit-key 71FDC5CB
pub  1024D/0x71FDC5CB  created: 2010-02-25  expires: 2011-02-25  usage: C
sub  2048R/0xDA63AFDA  created: 2010-11-10  expires: 2011-01-09  usage: E
sub  1024R/0x1860836B  created: 2010-11-10  expires: 2010-12-10  usage: E

gpg --encrypt --recipient 71FDC5CB test.html

encrypts for 1860836B not for the both longer and longer valid DA63AFDA.

> >  Unfortunately you
> > cannot even force gpg to use a certain subkey
> > (directly):

> What happens when you specify the subkey with an exclamation mark (!)
> after the key id?

Funny. That's even explained in the man page. What other secrets may wait 
there for discovery...

PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 555 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20101110/55eb8f1a/attachment.pgp>

More information about the Gnupg-users mailing list