[Announce] GnuPG 2.0.18 released

Werner Koch wk at gnupg.org
Fri Aug 5 09:17:08 CEST 2011


On Thu,  4 Aug 2011 23:32, dougb at dougbarton.us said:

> comments/questions. First, would it be possible to have a run-time
> option not to display the fingerprints? I think it's an interesting
> idea, but not particularly useful to me as I don't already have them
> memorized. :)

No.  The fingerprint is required for the confirm option ("ssh-add -c" or
the confirm flag in sshcontrol) because ssh-agent displays the same
information.

> The other question is about the display of the path to the key (which
> for me actually is relevant since it tells me what password I need to
> type). I have several keys, and so far for one it displays the path in
> the ()s, but for one of my others it does not. How would I debug this?

Ssh-add should send the comment from the key via the
ssh-agent-protocol.  However for PEM encoded keys it uses the filename
instead.  I am not sure why it does that:

    prv = key_load_private_pem(fd, KEY_UNSPEC, passphrase, NULL);
    /* use the filename as a comment for PEM */
    if (commentp && prv)
        *commentp = xstrdup(filename);

You may change the comment by editing the corresponding file in
/gnupg/private-keys-v1.d/  like this:

  $ /usr/local/libexec/gpg-protect-tool \
               8147AB71CC2CB61C56A3E3F9C9F0A2A656B38AF8.key
  (protected-private-key
   (dsa
  [...]
    (protected-at "20110720T142801")
    )
   (comment foo_dsa)
   )
  
save the output to a file and change the value of the comment field.  It
is best to put the value into quotes (comment "this is my comment").
Then save the output under the same name.  It doesn't matter that it is
now in advanced representation.  However if you would like to store it
in canonical format, you may pipe it through

  $ /usr/local/libexec/gpg-protect-tool --canonical

So now, how to find the name of the file.  The name is the so-called
keygrip and not the fingerprint.  To translate them you may look at a
listing of all files in private-keys-v1.d:

  $ gpg-connect-agent 'keyinfo --list --ssh-fpr' /bye
  [...]
  S KEYINFO 8147AB71CC2CB61C56A3E3F9C9F0A2A656B38AF8 \
D - - - P 2d:b1:70:1a:04:9e:41:a3:ce:27:a5:c7:22:fe:3a:a3
  [...]
  OK

[I used the backslash to split the long line just for this mail]

You see a lot of these lines.  The important information is the 7th
field after KEYINFO; it is the ssh fingerprint.  You may simply grep for
it.  The 1st field is the keygrip.  Append a ".key" and you have the
filename you are looking for.  Note that with 2.0.18 you will see a '-'
instead of the 'P' flag.  To see the help string for the keyinfo command
you may use

  $ gpg-connect-agent 'help keyinfo' /bye




Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
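A small helper for the lookup described above, added here as an example and not part of the mail or of GnuPG: it reads the output of `gpg-connect-agent 'keyinfo --list --ssh-fpr' /bye` on stdin and prints the private-keys-v1.d file name whose ssh fingerprint matches. The listing embedded below is constructed for the demonstration (the first KEYINFO line reuses the values from the mail, the second is made up).

```shell
#!/bin/sh
# Added example (not from the mail or GnuPG). Field layout per the mail:
# "S KEYINFO <keygrip> ... <ssh-fpr>", keygrip is the 1st field after
# KEYINFO and the ssh fingerprint the 7th; awk therefore sees them as
# $3 and $9. The 6th field ('P' or, with 2.0.18, '-') is not inspected.

keyfile_for_ssh_fpr() {
  # $1 = ssh fingerprint as printed by keyinfo / "ssh-add -l"
  # stdin = gpg-connect-agent output; non-KEYINFO lines ([...], OK) are ignored
  # prints "<keygrip>.key"; exit status 1 if no line matches
  awk -v want="$1" '
    $1 == "S" && $2 == "KEYINFO" && $9 == want { print $3 ".key"; found = 1 }
    END { exit !found }'
}

# Constructed sample listing; the second keygrip/fingerprint pair is invented.
SAMPLE_KEYINFO='[...]
S KEYINFO 8147AB71CC2CB61C56A3E3F9C9F0A2A656B38AF8 D - - - P 2d:b1:70:1a:04:9e:41:a3:ce:27:a5:c7:22:fe:3a:a3
S KEYINFO 0123456789ABCDEF0123456789ABCDEF01234567 D - - - - 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
OK'

# Demonstration; on a real system replace the printf with
#   gpg-connect-agent 'keyinfo --list --ssh-fpr' /bye
printf '%s\n' "$SAMPLE_KEYINFO" \
  | keyfile_for_ssh_fpr '2d:b1:70:1a:04:9e:41:a3:ce:27:a5:c7:22:fe:3a:a3' \
  || echo "no key with that ssh fingerprint" >&2
```

The printed name is the file under private-keys-v1.d to feed to gpg-protect-tool when editing the comment.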