howto not list disabled keys?

Peter Lebbing peter at
Sun Feb 9 13:45:18 CET 2014

On 09/02/14 12:32, Gregor Zattler wrote:
> I'd like to list only the public keys which are not disabled.  Is
> there a way to achieve this?

I don't know if there are more ways, but you can view the disabled status with:

$ gpg2 --with-colons -k

(note that it lists all keys because I don't restrict it with a search term)

This is the machine readable output, and colon-delimited field number 12
contains an uppercase letter D when the key is disabled (got this from the doc
file named DETAILS).

Now you can construct a way to list in human-readable format those keys that are
not disabled:

$ gpg2 --with-colons -k|gawk -F: '$1 == "pub" && $12 !~ /D/ { print $5 }'|xargs
gpg2 -k

Note that you should never just enter some command on the command line because
someone on the internet said so. You need to understand what you're doing or
there might be some mean little thing screwing up your system. The explanation
is as follows:

gawk splits the lines by the field separator :, and if the first field is
literally "pub" then the line indicates a public key. The regular expression D
is matched to field 12; it is an inverted match, so the pattern only evaluates
to true if field 12 does not match the regex D. In other words, the whole
pattern guards that we are reading a line with pub as field 1, and no D in field
12. If this is the case, we print field 5, which is the long key identifier.
This is then piped to xargs, which invokes gpg2 -k ${KEYID1} .. ${KEYIDn} with
all the matched key ID's, causing gpg2 to list the keys. If the list is very
long, multiple invocations will be done so as not to exceed the maximum line length.

Note that a collision in the long key identifier still causes a disabled key to
be listed, but this is rare. It is possible to write an AWK program that would
check the fingerprint, but it would be more complex. As long as you don't
/depend/ on there being no disabled keys in the listing, and can just ignore
this as a bit of static, you're fine.

Oh, by the way, I kinda assumed you're on a GNU system because you didn't say
anything and I am on one, so this is what works for me. In general, it would be
a good idea to indicate what OS you're using when asking something like this.
Although you perhaps expected a reply like "you use --list-options
exclude-disabled", and that would be cross-platform :).



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

More information about the Gnupg-users mailing list