lsign produces exportable signatures when used for self-sigs

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Sep 13 01:22:13 CEST 2013


GnuPG is currently not able to create a non-exportable self-sig.  If you
try to do this, it gives an error:

  WARNING: the signature will not be marked as non-exportable.

But: some people might never want their keys to be published to the public
keyservers, or have some User IDs that they keep locally that they do
not want to be transmitted via the keyserver network.

AIUI, keyservers should reject keys that do not have a self-signature.
Keyservers should also honor the "non-exportable" marker by rejecting
OpenPGP certification packets that have the "exportable" subpacket
included and set to 0.

So the sensible thing for a keyholder who wants their key to stay off
the keyservers would be to issue a non-exportable self-signature.

The attached patch (against the 1.4.x branch, since that's what I'm in a
good position to test) allows a user comfortable with --expert mode to
add a non-exportable self-sig.

So the creation of such a key is possible with:

 --gen-key
 --expert --edit-key
   uid 1 # select uids that you do not want distributed
   lsign
   delsig # remove all signatures not marked non-exportable

This obviously isn't a great workflow, but with this patch it is at
least possible.

      --dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: enable-non-exportable-selfsigs.patch
Type: text/x-diff
Size: 5219 bytes
Desc: enable non-exportable self-sigs (against GnuPG's STABLE-BRANCH-1-4)
URL: </pipermail/attachments/20130912/ff7b9c37/attachment.patch>
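The keyserver-side check the post describes (honoring an Exportable Certification subpacket set to 0), as an added Python example that is not part of the message or the attached patch. It assumes a version 4 signature packet body with the packet header already stripped; the sample certification packets are constructed and carry dummy signature bytes.

```python
import struct

EXPORTABLE_CERTIFICATION = 4  # subpacket type, RFC 4880 section 5.2.3.11

def _subpacket_len(buf, pos):
    """Decode the variable-length subpacket length field (RFC 4880 5.2.3.1)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5

def parse_subpackets(area):
    """Return (type, critical, body) for each subpacket in a subpacket area."""
    out, pos = [], 0
    while pos < len(area):
        length, pos = _subpacket_len(area, pos)
        tag = area[pos]
        out.append((tag & 0x7F, bool(tag & 0x80), area[pos + 1:pos + length]))
        pos += length
    return out

def is_exportable(sig_body):
    """Keyserver-side check on a v4 signature body (packet header stripped).
    Only the hashed area counts: unhashed subpackets are not covered by the
    signature. A missing subpacket means the certification is exportable."""
    if sig_body[0] != 4:
        raise ValueError("only version 4 signature packets are handled here")
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    hashed = sig_body[6:6 + hashed_len]
    for sp_type, _critical, body in parse_subpackets(hashed):
        if sp_type == EXPORTABLE_CERTIFICATION:
            return body != b"\x00"
    return True

def build_cert_sig(exportable=None):
    """Constructed sample: v4 positive certification (0x13), RSA/SHA-256,
    with a creation-time subpacket, an optional exportable flag and dummy
    issuer, hash-prefix and MPI bytes (not a cryptographically valid sig)."""
    hashed = b"\x05\x02" + b"\x52\x31\x00\x00"               # type 2, 4 bytes
    if exportable is not None:
        hashed += b"\x02\x04" + bytes([1 if exportable else 0])
    unhashed = b"\x09\x10" + b"\x00" * 8                      # type 16 issuer
    return (b"\x04\x13\x01\x08" + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xab\xcd" + b"\x00\x01\x01")
```

A keyserver applying this check would drop the self-signature that `lsign` produces and, lacking any remaining self-sig, reject the key as the post expects.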