managing OpenPGP cards in batch mode?

Werner Koch wk at
Wed May 4 08:13:13 CEST 2016

On Tue,  3 May 2016 20:20, daniel at said:

> gen-key (and get back the key ID)

There is also --quick-gen-key:

  $ gpg -v --status-fd 2 --batch  --quick-gen-key test-20160504.2 at 
  gpg: writing self signature
  gpg: RSA/SHA256 signature from: "43A68746 [?]"
  gpg: writing key binding signature
  gpg: RSA/SHA256 signature from: "43A68746 [?]"
  gpg: writing public key to '/home/wk/b/gnupg/tmp3/pubring.kbx'
  gpg: using PGP trust model
  gpg: key 43A68746 marked as ultimately trusted
  gpg: writing to '[...]/openpgp-revocs.d/5AF79828EB76B2709378639CEE[...]
  gpg: RSA/SHA256 signature from: "43A68746 test-20160504.2 at"
  gpg: revocation certificate stored as '[...]/openpgp-revocs.d/5AF7[...]
  [GNUPG:] KEY_CREATED B 5AF79828EB76B2709378639CEEBFB26F43A68746

Instead of the key ID you should use the fingerprint as shown in the
KEY_CREATED status line.

> adding more subkeys (addkey)
>   "--gen-key --batch" only creates one subkey

A --quick-addkey has been discussed but has not yet been implemented.

> gen-revoke

Well, 2.1 creates a revocation certificate with the key.

> card-edit (for setting PIN, etc)

You need to use --status-fd and --command-fd to automate this.  Or you
bypass gpg and use gpg-connect-agent to access the card directly.  Using
--debug 1024 and a log file in scdaemon.conf shows you what the gpg
commands do.



Thoughts are free.  Exceptions are governed by a federal law.
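The workflow discussed in the message above, put together as an added example (not code from the post or from the GnuPG project): --quick-gen-key under --batch with the fingerprint taken from the KEY_CREATED status line rather than the short key ID, and --card-edit driven over --command-fd/--status-fd, with gpg-connect-agent used to talk to the card directly. It assumes GnuPG 2.1 or later on PATH; the user ID, passphrase, login value and the prompt keywords in the sample status lines are placeholders or constructed, and the functions that actually touch gpg and the card only run when RUN_GPG_DEMO=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post and not GnuPG project code.
# Assumptions: gpg 2.1+ on PATH; user ID, passphrase and login value are
# placeholders; a card is inserted for the card part.  Real gpg calls run
# only when RUN_GPG_DEMO=1, so the parsers can be tried without a card.

# Pull the fingerprint out of a status stream.  The line looks like
# "[GNUPG:] KEY_CREATED B <40 hex digits>"; field 3 is the key type
# (B = both, P = primary, S = subkey), field 4 the fingerprint.
key_created_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "KEY_CREATED" { print $4; exit }'
}

# List the prompt keywords gpg asked for, in order, from a status stream.
# When scripting --card-edit, run once by hand, note the keywords, then
# feed the answers in that order over --command-fd.
status_prompts() {
    awk '$1 == "[GNUPG:]" && ($2 == "GET_LINE" || $2 == "GET_BOOL" || $2 == "GET_HIDDEN") { print $3 }'
}

# Generate a key non-interactively and print its fingerprint.
# Status goes to fd 3 so it is not mixed with gpg's diagnostics on stderr.
# Loopback pinentry lets the passphrase be supplied on the command line.
batch_gen_key() {
    uid=$1
    status=$(mktemp)
    gpg --batch --status-fd 3 --pinentry-mode loopback --passphrase "$2" \
        --quick-gen-key "$uid" default default never 3>"$status"
    key_created_fpr <"$status"
    rm -f "$status"
}

# Drive --card-edit: answers arrive on stdin via --command-fd 0; status
# lines go to the file named in $1 so the caller can see which prompts
# were answered.  Remaining arguments are the answers, one per prompt.
card_edit_batch() {
    statusfile=$1
    shift
    printf '%s\n' "$@" | gpg --command-fd 0 --status-fd 3 --card-edit 3>"$statusfile"
}

if [ "${RUN_GPG_DEMO:-0}" = 1 ]; then
    fpr=$(batch_gen_key "test-batch <test@example.invalid>" "placeholder-passphrase")
    echo "created key $fpr"

    # Bypass gpg and ask scdaemon for the card serial number directly.
    gpg-connect-agent 'SCD GETATTR SERIALNO' /bye

    # Constructed answer sequence: enter admin mode, set the login data
    # field to "batch-user", quit.  PIN entry still goes through pinentry.
    st=$(mktemp)
    card_edit_batch "$st" admin login batch-user quit
    echo "prompts answered:"
    status_prompts <"$st"
    rm -f "$st"
fi
```

The parsers key off the `[GNUPG:]` prefix and the keyword, so they work on the status output of any gpg command; the prompt keywords shown by `status_prompts` are the ones to match when the answer order matters.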
