non-exportable OpenPGP certifications [was: Re: hashed user IDs ]
David Shaw
dshaw at jabberwocky.com
Fri Mar 11 14:33:25 CET 2011
On Mar 11, 2011, at 5:08 AM, Ben McGinnes wrote:
> On 11/03/11 6:50 PM, Daniel Kahn Gillmor wrote:
>> On 03/11/2011 01:44 AM, Ben McGinnes wrote:
>>> Ah, this is what I've been looking around for! For the sake of the
>>> archives, how does one provide a non-exportable certification?
>>> Obviously the export flag won't cut it.
>>
>> non-exportable OpenPGP certifications are also known as "local"
>> certifications.
>>
>> To make a non-exportable OpenPGP certification, use:
>>
>> gpg --lsign-key frida at example.net
>
> This bit I knew and have used sporadically, good to know that you were
> referring to what I assumed, though.
>
>> To put that in a file:
>>
>> gpg --export-options export-local --export --armor frida at example.net \
>>> frida.gpg
>>
>> Then the receiving party does:
>>
>> gpg --import-options import-local --import < frida.gpg
>
> Oh, excellent. Just one little clarification; the man page lists the
> parameters as export-local-sigs and import-local-sigs, does shortening
> it the way you have work or does the full option name need to be used?
As a general rule, most gpg options can be shortened, so long as they are still unique. So the real name for the option is "export-local-sigs", but "export-local" or even "export-l" is fine (and "export" would not be as gpg can't tell if you mean export-local-sigs, or export-attributes, or...)
If you're documenting or scripting things, it's good practice to give the full name since you never know if we're going to add a "export-lovely-sigs" option or some such, and thus make "export-l" non unique.
David
More information about the Gnupg-users
mailing list