Automating the generation of master keys

Dashamir Hoxha dashohoxha at
Wed Jun 1 12:47:31 CEST 2016

On Wed, Jun 1, 2016 at 10:56 AM, Aurélien Vallée <vallee.aurelien at>
> So "cert" is a default for primary-keys. If I do not provide any
> "Key-Usage", all usages will be set. If I do provide a "Key-Usage", then my
> master key is not "certify only" anymore.

I think that certify and sign are very similar, so it doesn't hurt if the
primary key is both "cert" and "sign".
I do it in batch mode like this:

Anyway, I generate a sign-only subkey later, and gnupg-2.0 picks by default
the latest sign subkey, when it comes to signing, so the primary key
normally will not be used for signing (which is what you want).

> Currently, I fall back to writing an expect script to automate the key
> generation. The handling of passphrases input with possibly different
> pinentry programs makes the expect script insane to read and fragile in
> practice.

I use the script above for automatic (batch) key generation.
If you don't mind, can you share your expect script?
