Is it possible to remove capabilities from an existing key?

Daniel Kahn Gillmor dkg at
Thu Sep 12 00:07:14 CEST 2013

On 09/11/2013 05:42 PM, Philip Jägenstedt wrote:
> My public key has the default capabilities sign and certify. I've seen
> that some people have only the certify capability in order to be able to
> keep the main key offline most of the time.
> Is it technically possible to change the capabilities of an existing
> key, even if there's no way to do it via --edit-key?
> If it's not possible, what would be the consequence of adding a subkey
> with the sign capability, which key would be used when both are
> available?

i believe GnuPG uses the most-recently-updated subkey that it believes
to have signing capability, unless you force the subkey in question via
--local-user or --default-key with a ! suffix (see the "By key Id."
section in gpg(1)).


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130911/faa9b80f/attachment.sig>

More information about the Gnupg-users mailing list