howto not list disabled keys?

Gregor Zattler telegraph at
Sun Feb 9 15:13:51 CET 2014

Hi Peter,
* Peter Lebbing <peter at> [09. Feb. 2014]:
> On 09/02/14 12:32, Gregor Zattler wrote:
>> I'd like to list only the public keys which are not disabled.  Is
>> there a way to achieve this?
> I don't know if there are more ways, but you can view the disabled status with:
> $ gpg2 --with-colons -k
> (note that it lists all keys because I don't restrict it with a search term)
> This is the machine readable output, and colon-delimited field number 12
> contains an uppercase letter D when the key is disabled (got this from the doc
> file named DETAILS).

Thanks.  I did not read this.  I only read the man page.

> Now you can construct a way to list in human-readable format those keys that are
> not disabled:
> $ gpg2 --with-colons -k|gawk -F: '$1 == "pub" && $12 !~ /D/ { print $5 }'|xargs gpg2 -k
> Note that you should never just enter some command on the command line because
> someone on the internet said so. You need to understand what you're doing or
> there might be some mean little thing screwing up your system.

Thanks again.  

> The explanation is as follows:
> gawk splits the lines by the field separator :, and if the first field is
> literally "pub" then the line indicates a public key. The regular expression D
> is matched to field 12; it is an inverted match, so the pattern only evaluates
> to true if field 12 does not match the regex D. In other words, the whole
> pattern guards that we are reading a line with pub as field 1, and no D in field
> 12. If this is the case, we print field 5, which is the long key identifier.
> This is then piped to xargs, which invokes gpg2 -k ${KEYID1} .. ${KEYIDn} with
> all the matched key ID's, causing gpg2 to list the keys. If the list is very
> long, multiple invocations will be done so as not to exceed the maximum line length.
> Note that a collision in the long key identifier still causes a disabled key to
> be listed, but this is rare. It is possible to write an AWK program that would
> check the fingerprint, but it would be more complex. As long as you don't
> /depend/ on there being no disabled keys in the listing, and can just ignore
> this as a bit of static, you're fine.

... If I only wasn't so pedantic.  I reimplemented your idea with
grep and sed instead of gawk:

gpg --with-colons --fingerprint --list-options no-show-photos,no-show-policy-urls,no-show-notations,no-show-keyserver-urls,show-uid-validity,no-show-keyring,no-show-unusable-uids,no-show-unusable-subkeys --list-public-keys 2>/dev/null|grep -A1 "^pub"|grep -v -- "^--$"|while read PUBLIC;  read FINGERPRINT ; do echo $PUBLIC|cut -f 12 -d ":"|grep -q "D" || { echo $FINGERPRINT|grep "^fpr"|cut -f 10 -d ":" ; } ; done|sort -u |sed -e "s/^\(.\)/0x\1/"|xargs gpg2  --list-options no-show-photos,no-show-policy-urls,no-show-notations,no-show-keyserver-urls,show-uid-validity,no-show-keyring,no-show-unusable-uids,no-show-unusable-subkeys --list-public-keys 2>/dev/null

This also discards error messages and prohibits showing photos.
This works assuming every "pub" line is followed by a "fpr" line.

Actually I use this to generate lists of fully and marginally
valid user ids.

> Oh, by the way, I kinda assumed you're on a GNU system because you didn't say
> anything and I am on one, so this is what works for me. In general, it would be
> a good idea to indicate what OS you're using when asking
> something like this.

You were right and you are right.

> Although you perhaps expected a reply like "you use --list-options
> exclude-disabled", and that would be cross-platform :).

Whilst I RTFM I still boped for such kind of solution.

Ciao, Gregor
 -... --- .-. . -.. ..--.. ...-.-

More information about the Gnupg-users mailing list