Is --export-ssh-key functionality possible with GnuPG 2.0?

Stephan Beck stebe at mailbox.org
Fri Nov 25 10:14:00 CET 2016


Hi,

Peter Lebbing:
> On 2016-11-24 16:59, Teemu Likonen wrote:
>> I believe that file ~/.gnupg/sshcontrol should contain
>> key's keygrip but how do I get the keygrip when there's no
>> --with-keygrip option in 2.0?
> 
> I think the following:
> 
> $ gpg-connect-agent
>> help keyinfo
> # KEYINFO [--[ssh-]list] [--data] [--ssh-fpr] [--with-ssh] <keygrip>
> #
> # Return information about the key specified by the KEYGRIP.  If the
> # key is not available GPG_ERR_NOT_FOUND is returned.  If the option
> # --list is given the keygrip is ignored and information about all
> # available keys are returned.  If --ssh-list is given information
> # about all keys listed in the sshcontrol are returned.  With --with-ssh
> # information from sshcontrol is always added to the info. Unless --data
> # is given, the information is returned as a status line using the format:
> #
> #   KEYINFO <keygrip> <type> <serialno> <idstr> - - <fpr> <ttl> <flags>
> #
> # KEYGRIP is the keygrip.
> #
> # TYPE describes the type of the key:
> #     'D' - Regular key stored on disk,
> #     'T' - Key is stored on a smartcard (token),
> #     'X' - Unknown type,
> #     '-' - Key is missing.
> #
> # SERIALNO is an ASCII string with the serial number of the
> #          smartcard.  If the serial number is not known a single
> #          dash '-' is used instead.
> #
> # IDSTR is the IDSTR used to distinguish keys on a smartcard.  If it
> #       is not known a dash is used instead.
> #
> # FPR returns the formatted ssh-style fingerprint of the key.  It is only
> #     printed if the option --ssh-fpr has been used.  It defaults to '-'.
> #
> # TTL is the TTL in seconds for that key or '-' if n/a.
> #
> # FLAGS is a word consisting of one-letter flags:
> #       'D' - The key has been disabled,
> #       'S' - The key is listed in sshcontrol (requires --with-ssh),
> #       'c' - Use of the key needs to be confirmed,
> #       '-' - No flags given.
> #
> # More information may be added in the future.
> OK
>> keyinfo --list
> [...]
> 
> I just can't think of how to pick out the right key now... What little
> detail is eluding me?

I'm not sure. This is the Agent's ASSUAN protocol. I had a look into the
gcrypt manual, as (AFAIK) gpg 2.0 as such lacks a specific command line
option, as Teemu indicated.
-----------------------------------------------------------------------
This manual is for Libgcrypt (version 1.4.4-svn1342, 20 October 2008),
which is GNU's library of cryptographic building blocks.

   Copyright (C) 2000, 2002, 2003, 2004, 2006, 2007, 2008 Free Software
Foundation, Inc.

     Permission is granted to copy, distribute and/or modify this
     document under the terms of the GNU General Public License as
     published by the Free Software Foundation; either version 2 of the
     License, or (at your option) any later version. The text of the
     license can be found in the section entitled "GNU General Public
     License".

6.5 General public-key related Functions

A couple of utility functions are available to retrieve the length of
the key, map algorithm identifiers and perform sanity checks:

-- Function: unsigned char * gcry_pk_get_keygrip (gcry_sexp_t KEY,
          unsigned char *ARRAY)
     Return the so called "keygrip" which is the SHA-1 hash of the
     public key parameters expressed in a way depended on the
     algorithm.
----------------------------------------------------------------------
Relevant section in the Info gnupg

File: gnupg.info,  Node: Top,  Next: Installation,  Up: (dir)

Using the GNU Privacy Guard
***************************

This is the 'The GNU Privacy Guard Manual' (version 2.0.26, August
2014).

   Copyright (C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software
Foundation, Inc.

     Permission is granted to copy, distribute and/or modify this
     document under the terms of the GNU General Public License as
     published by the Free Software Foundation; either version 3 of the
     License, or (at your option) any later version.  The text of the
     license can be found in the section entitled "Copying".



2.6 Agent's Assuan Protocol
===========================


2.6.10 Check whether a key is available
---------------------------------------

This can be used to see whether a secret key is available.  It does not
return any information on whether the key is somehow protected.

       HAVEKEY KEYGRIPS

   The agent answers either with OK or 'No_Secret_Key' (208).  The
caller may want to check for other error codes as well.  More than one
keygrip may be given.  In this case the command returns success if at
least one of the keygrips corresponds to an available secret key.


Cheers

Stephan
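As an added example (not code from the thread, GnuPG or Libgcrypt): a small parser for the KEYINFO status lines quoted above, as gpg-connect-agent prints them (with its "S " status prefix) for `keyinfo --list --ssh-fpr --with-ssh`, which picks out the keygrip whose ssh-style fingerprint matches and lists keys not yet in sshcontrol. The sample output, keygrips, serial number and fingerprints are constructed; the combination of options is assumed from the help text, not verified on 2.0.

```python
"""Pick a keygrip for ~/.gnupg/sshcontrol from gpg-agent KEYINFO status lines.

Real input would come from:
  gpg-connect-agent 'keyinfo --list --ssh-fpr --with-ssh' /bye
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of gpg-connect-agent output (2.0 field layout, see help text):
#   KEYINFO <keygrip> <type> <serialno> <idstr> - - <fpr> <ttl> <flags>
SAMPLE_OUTPUT = """\
S KEYINFO 0A1B2C3D4E5F60718293A4B5C6D7E8F901234567 D - - - - d4:1f:0c:7a:55:21:9e:3b:aa:02:c8:71:5d:9f:e0:13 - -
S KEYINFO FEDCBA9876543210FEDCBA9876543210FEDCBA98 T D2760001240102000006000000000000 OPENPGP.3 - - 3c:9a:b2:e1:7f:00:4d:8c:66:12:ff:0e:a9:5b:c4:21 - S
OK
"""


@dataclass
class KeyInfo:
    keygrip: str
    key_type: str   # 'D' on disk, 'T' smartcard token, 'X' unknown, '-' missing
    serialno: str   # smartcard serial or '-'
    idstr: str      # key slot on the card (e.g. OPENPGP.3) or '-'
    ssh_fpr: str    # ssh-style fingerprint, '-' unless --ssh-fpr was given
    ttl: str
    flags: str      # 'S' = listed in sshcontrol (needs --with-ssh), 'D' disabled, 'c' confirm

    @property
    def in_sshcontrol(self) -> bool:
        return "S" in self.flags


def parse_keyinfo(output: str) -> List[KeyInfo]:
    keys = []
    for line in output.splitlines():
        tok = line.split()
        if tok and tok[0] == "S":          # drop gpg-connect-agent's status-line prefix
            tok = tok[1:]
        if len(tok) != 10 or tok[0] != "KEYINFO":
            continue                       # skip OK/ERR, comments and unrelated status lines
        keys.append(KeyInfo(keygrip=tok[1], key_type=tok[2], serialno=tok[3],
                            idstr=tok[4], ssh_fpr=tok[7], ttl=tok[8], flags=tok[9]))
    return keys


def keygrip_for_ssh_fpr(keys: List[KeyInfo], fpr: str) -> Optional[str]:
    """Keygrip of the key whose ssh fingerprint matches (case-insensitive), else None."""
    wanted = fpr.strip().lower()
    return next((k.keygrip for k in keys if k.ssh_fpr.lower() == wanted), None)


def missing_from_sshcontrol(keys: List[KeyInfo]) -> List[str]:
    """Keygrips of present keys that are not yet listed in sshcontrol."""
    return [k.keygrip for k in keys if not k.in_sshcontrol and k.key_type != "-"]
```

Compare the fingerprint against the one `ssh-keygen -lf` reports for the public key you want to use, then append the returned keygrip as a line of ~/.gnupg/sshcontrol.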


