generating revocation certs non-interactively

Werner Koch wk at
Tue May 5 09:41:52 CEST 2015

On Tue,  5 May 2015 01:14, luis at said:

> keypair we would also like to generate a revocation certificate. Keys
> are passwordless, so at first I thought that it should be straightforward.

Note that GnuPG 2.1 generates revocation certificates by default.

> for the revocation certificate. So I'm a little stuck. The --gen-revoke
> option prompts the user for 4 questions for a passwordless key, 5 if the
> key has a password and I couldn't get around this.

The idea is that you should be able to tell the reason for the
revocation.  This is not very often used and thus I consider the command
line interface sufficient.  You may automate this but you need to employ
a state machine to answer all the questions.  This is how the GUI tools

I don't think that adding a --quick-gen-revoke command is very useful
here.  It would be only done for 2.1 anyway and that version has the
pre-made revocations.

> I have also tried pexpect to 'mock' user input to bypass interaction, no
> success there.

You need to use this command

  gpg --command-fd 0 --status-fd 2 --gen-revoke 0x12345678

and act upon the GET_* status lines.

--8<---------------cut here---------------start------------->8---
[GNUPG:] GET_BOOL gen_revoke.okay
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
[GNUPG:] GET_LINE ask_revocation_reason.code
Enter an optional description; end it with an empty line:
[GNUPG:] GET_LINE ask_revocation_reason.text
[GNUPG:] GET_LINE ask_revocation_reason.text

Reason for revocation: Key is no longer used
[GNUPG:] GET_BOOL ask_revocation_reason.okay
ASCII armored output forced.
--8<---------------cut here---------------end--------------->8---

End the "ask_revocation_reason.text" prompts with an empty line.



Thoughts are free.  Exceptions are regulated by a federal law.
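
One way to write the state machine described in the message above, as an added example that is not part of the original post and not GnuPG's own code. The function names make_responder and gen_revoke, the default reason code 3 and the output path handling are assumptions; the prompt keywords and the gpg command line are the ones shown in the message.

```python
import os
import subprocess

def make_responder(reason_code="3", description=""):
    """Build a function mapping one line of --status-fd output to the reply
    to send on --command-fd, or None when the line is not a prompt."""
    # Description lines, then the empty line that ends the text prompt.
    text = iter(description.splitlines() + [""])

    def respond(line):
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]" or not parts[1].startswith("GET_"):
            return None  # human-readable text or a non-prompt status line
        kind, keyword = parts[1], parts[2]
        if kind == "GET_BOOL" and keyword in ("gen_revoke.okay",
                                              "ask_revocation_reason.okay"):
            return "y"
        if kind == "GET_LINE" and keyword == "ask_revocation_reason.code":
            return reason_code
        if kind == "GET_LINE" and keyword == "ask_revocation_reason.text":
            return next(text, "")
        # Fail closed on any other prompt (for example a passphrase request)
        # instead of guessing an answer or hanging.
        raise RuntimeError("unexpected prompt: " + keyword)

    return respond

def gen_revoke(key_id, out_path, reason_code="3", description=""):
    """Run gpg as in the message above; write the certificate to out_path."""
    respond = make_responder(reason_code, description)
    # The certificate can revoke the key, so create it owner-only and
    # refuse to overwrite an existing file.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as out:
        proc = subprocess.Popen(
            ["gpg", "--command-fd", "0", "--status-fd", "2", "--gen-revoke", key_id],
            stdin=subprocess.PIPE, stdout=out, stderr=subprocess.PIPE, text=True)
        try:
            for line in proc.stderr:  # status lines and messages share fd 2
                reply = respond(line)
                if reply is not None:
                    proc.stdin.write(reply + "\n")
                    proc.stdin.flush()
        except Exception:
            proc.kill()
            raise
        finally:
            proc.stdin.close()
            rc = proc.wait()
    if rc != 0:
        raise RuntimeError("gpg exited with status %d" % rc)
    return out_path
```

Calling gen_revoke("0x12345678", "revoke.asc") uses the placeholder key ID from the message; substitute the real key ID or fingerprint.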
