Go gpg, guess, what I want

Daniel Ranft Daniel.Ranft at giepa.de
Tue May 17 14:58:41 CEST 2016


Today I want to discuss a situation where gpg seems to guess what I want to do (which is IMHO not a good idea).

If I export a keypair (gpg -a -o C:\some\where.asc --export-secret-keys abcd1234), the pinentry will pop up for each primary-/subkey to prompt for the passphrase. So far, so good. When I cancel the first prompt, gpg still tries to export the other subkeys to generate a somehow useful output. That is what I think is guessing.

Result when I only cancel the first prompt, but not the second:
I get a file which contains only the secret subkey and its binding sig:
# off=0 ctb=9d tag=7 hlen=3 plen=966
:secret sub key packet:
        version 4, algo 1, created 1283427770, expires 0
        pkey[0]: [2048 bits]
        pkey[1]: [17 bits]
        iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: =LONGKEY=
        protect count: 4980736 (195)
        protect IV:  2f 89 b9 0a 22 c5 6d 50 4d 8b a2 53 1f 53 50 bf
        skey[2]: [v4 protected]
        keyid: 82AE4F2683F549E5
# off=969 ctb=89 tag=2 hlen=3 plen=293
:signature packet: algo 1, keyid =LONGKEY=
        version 4, created 1427802947, md5len 0, sigclass 0x18
        digest algo 2, begin of digest 13 ab
        hashed subpkt 27 len 1 (key flags: 0C)
        hashed subpkt 2 len 4 (sig created 2015-03-31)
        hashed subpkt 9 len 4 (key expires after 6y211d0h12m)
        subpkt 16 len 8 (issuer key ID =LONGKEY=)
        data: [2044 bits]

FWIW: When I cancel the first prompt, gpg should stop the export of the complete key. If there are several keys to export, gpg should still process the other keys.
If I had wanted to export the subkey only, I would have used the exclamation mark syntax.

Best regards,
Daniel Ranft
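
Added example, not part of the original message and not GnuPG code: a check that an exported secret-key file starts with a primary secret key packet (tag 5) rather than only a secret subkey packet (tag 7), by walking the OpenPGP packet headers the way the dump above lists them. It assumes binary input (ASCII armor already removed); the function names and the zero-filled sample bodies are constructed for illustration.

```python
import struct

SECRET_KEY, SECRET_SUBKEY = 5, 7  # OpenPGP packet tags (RFC 4880, section 4.3)

def parse_packets(data):
    """Return (offset, tag, header_len, body_len) for each packet in binary OpenPGP data."""
    packets, off = [], 0
    while off < len(data):
        ctb = data[off]
        if not ctb & 0x80:
            raise ValueError(f"offset {off}: not a packet header")
        if ctb & 0x40:                      # new-format header
            tag, first = ctb & 0x3F, data[off + 1]
            if first < 192:
                hlen, plen = 2, first
            elif first < 224:
                hlen, plen = 3, ((first - 192) << 8) + data[off + 2] + 192
            elif first == 255:
                hlen, plen = 6, struct.unpack(">I", data[off + 2:off + 6])[0]
            else:
                raise ValueError("partial body lengths not handled in this example")
        else:                               # old-format header, as in the dump (ctb=9d, ctb=89)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled in this example")
            hlen = 1 + (1, 2, 4)[ltype]
            plen = int.from_bytes(data[off + 1:off + hlen], "big")
        if off + hlen + plen > len(data):
            raise ValueError(f"offset {off}: truncated packet")
        packets.append((off, tag, hlen, plen))
        off += hlen + plen
    return packets

def export_is_complete(data):
    """True only if the export starts with a primary secret key packet (tag 5)."""
    packets = parse_packets(data)
    return bool(packets) and packets[0][1] == SECRET_KEY

# Constructed sample: the two headers from the dump above, with zero-filled bodies.
PARTIAL = bytes([0x9D, 0x03, 0xC6]) + bytes(966) + bytes([0x89, 0x01, 0x25]) + bytes(293)
# Constructed sample: the same data preceded by a secret key packet (ctb=95, tag 5).
FULL = bytes([0x95, 0x00, 0x04]) + bytes(4) + PARTIAL

if __name__ == "__main__":
    for off, tag, hlen, plen in parse_packets(PARTIAL):
        print(f"# off={off} tag={tag} hlen={hlen} plen={plen}")
    print("complete export:", export_is_complete(PARTIAL))
```

Run against a real backup before relying on it, such a check catches a file that holds only subkey material even though gpg reported no fatal error.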
