non-exportable OpenPGP certifications [was: Re: hashed user IDs ]

David Shaw dshaw at jabberwocky.com
Fri Mar 11 14:33:25 CET 2011


On Mar 11, 2011, at 5:08 AM, Ben McGinnes wrote:

> On 11/03/11 6:50 PM, Daniel Kahn Gillmor wrote:
>> On 03/11/2011 01:44 AM, Ben McGinnes wrote:
>>> Ah, this is what I've been looking around for!  For the sake of the
>>> archives, how does one provide a non-exportable certification?
>>> Obviously the export flag won't cut it.
>> 
>> non-exportable OpenPGP certifications are also known as "local"
>> certifications.
>> 
>> To make a non-exportable OpenPGP certification, use:
>> 
>> gpg --lsign-key frida@example.net
> 
> This bit I knew and have used sporadically, good to know that you were
> referring to what I assumed, though.
> 
>> To put that in a file:
>> 
>> gpg --export-options export-local --export --armor frida@example.net \
>>   > frida.gpg
>> 
>> Then the receiving party does:
>> 
>> gpg --import-options import-local --import < frida.gpg
> 
> Oh, excellent.  Just one little clarification; the man page lists the
> parameters as export-local-sigs and import-local-sigs, does shortening
> it the way you have work or does the full option name need to be used?

As a general rule, most gpg options can be shortened, so long as they are still unique.  So the real name for the option is "export-local-sigs", but "export-local" or even "export-l" is fine (and "export" would not be as gpg can't tell if you mean export-local-sigs, or export-attributes, or...)

If you're documenting or scripting things, it's good practice to give the full name since you never know if we're going to add an "export-lovely-sigs" option or some such, and thus make "export-l" non-unique.

David
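As an added illustration of the abbreviation rule David describes (this is not code from the thread or from GnuPG itself), here is a small Python model of unique-prefix option matching. The option list is a subset of real `gpg --export-options` values; `export-lovely-sigs` is the hypothetical future option from the message; `resolve_option` and `check_script_options` are names chosen for this example, and the "exact match wins" rule is a modelling choice rather than a statement about gpg's own parser.

```python
"""Model of unique-prefix option matching for gpg-style option names.

Illustrative re-implementation only; not gpg's parser.
"""

# Real gpg --export-options values (a subset). The thread mentions the
# first two; the rest exist in current GnuPG releases.
EXPORT_OPTIONS = [
    "export-local-sigs",
    "export-attributes",
    "export-sensitive-revkeys",
    "export-clean",
    "export-minimal",
]


class AmbiguousOption(ValueError):
    """The abbreviation is a prefix of more than one known option."""


class UnknownOption(ValueError):
    """The abbreviation is a prefix of no known option."""


def resolve_option(abbrev, known=EXPORT_OPTIONS):
    """Return the full option name for an (possibly abbreviated) option.

    An exact match wins outright (modelling choice, so that a full name
    keeps working even if a longer option starting with it appears).
    Otherwise the abbreviation must be a prefix of exactly one known name.
    """
    if abbrev in known:
        return abbrev
    matches = [name for name in known if name.startswith(abbrev)]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise UnknownOption(f"{abbrev!r} matches no known option")
    raise AmbiguousOption(
        f"{abbrev!r} could mean any of: {', '.join(sorted(matches))}"
    )


def check_script_options(options, known=EXPORT_OPTIONS):
    """Lint option names as written in a script.

    Returns a list of (as_written, full_name) pairs for every option that
    relies on abbreviation: each of these still resolves today but could
    become ambiguous once a new option sharing the prefix is added.
    """
    report = []
    for opt in options:
        full = resolve_option(opt, known)
        if opt != full:
            report.append((opt, full))
    return report


if __name__ == "__main__":
    # "export-local" and "export-l" resolve today ...
    for abbrev in ("export-local-sigs", "export-local", "export-l"):
        print(f"{abbrev:20} -> {resolve_option(abbrev)}")

    # ... "export" does not, because several options share that prefix.
    try:
        resolve_option("export")
    except AmbiguousOption as exc:
        print("export               ->", exc)

    # Add the hypothetical future option from the message: "export-l"
    # is now ambiguous, while the full name keeps working.
    future = EXPORT_OPTIONS + ["export-lovely-sigs"]
    try:
        resolve_option("export-l", future)
    except AmbiguousOption as exc:
        print("with export-lovely-sigs:", exc)
    print("export-local-sigs    ->", resolve_option("export-local-sigs", future))

    # The linter flags abbreviations in a scripted option list.
    print(check_script_options(["export-l", "export-attributes"]))
```

Running the script prints the resolutions, the ambiguity error for `export`, and then shows `export-l` turning ambiguous once `export-lovely-sigs` exists, which is exactly why the full name belongs in scripts and documentation.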



