pubring.kbx, no secring?

Werner Koch wk at gnupg.org
Tue Dec 22 16:26:48 CET 2015 

On Tue, 22 Dec 2015 15:08, guru at unixarea.de said:

> why the new keys of v2 are stored in a dir private-keys-v1.d and not in
> a dir for example private-keys-v2.d; don't you think that such name *v1.d* confuses
> people (like me)?

You are the first one to comment on this ;-) The new format is actually
much older than gnupg 2.1.  We use it since about 2003, albeit then only
for gpgsm (X.509, S/MIME).

Note also that there are actually two changes: private-keys-v1.d/
replaces the secring.gpg and pubring.kbx replaces pubring.gpg.  However,
we still support the old pubring.gpg format and only create the new
pubring.kbx format if no pubring.gpg exists.

To make things more complicate, pubring.kbx is used by gpg 2.1 only iff
has been created by gpg or if an OpenPGP key has been inserted.  Thus
for public keys there are theses cases:

  - Only pubring.kbx:  Used by gpgsm and gpg for all keys.

  - Only pubring.gpg: Used by gpg; if gpgsm creates or imports the first
    X.509 certificate that will be stored in a newly created pubring.kbx.

  - pubring.kbx and pubring.gpg but no OpenPGP key in pubring.kbx:  The
    first is used by gpgsm and the latter by gpg.

  - pubring.kbx and pubring.gpg but with OpenPGP key in pubring.kbx:
    Only pubring.kbx is used by both, gpg and gpgsm.

Now, how can you know whether gpg uses pubring.kbx?  There are three
ways: The first is to use -v with a key listing and gpg prints the name
of the key database.  The seconds is

  $ kbxutil --stats ~/.gnupg/pubring.kbx
  Total number of blobs:       30
                 header:        1
                  empty:        0
                openpgp:        5
                   x509:        3
            non flagged:        8
         secret flagged:        0
      ephemeral flagged:        0
  
which shows that there are OpenPGP keys, and the third is

  $  kbxutil ~/.gnupg/pubring.kbx | head | grep Flags
  Flags:   0002 (openpgp)
  
The flag shows that the pubring.kbx is used for OpenPGP keys.  This is
actually how gpg decides whether to use pubring.kbx.



Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list