Documentation about --list-secret-keys output

mogliii mogliii at
Thu Apr 6 05:03:16 CEST 2017


I recently got very confused about how secret keys on smartcards are
presented and handled in gpg.

In particular, after putting the subkeys on a Nitrokey, my output of gpg
--list-secret-keys is

sec#  4096R/XXXXXAB 2017-XX-XX [expires: 20XX-XX-XX]
uid                  My name <name at provider.tdl>
ssb>  2048R/XXXXXBB 2017-XX-XX
ssb>  2048R/XXXXXCB 2017-XX-XX
ssb>  2048R/XXXXXDB 2017-XX-XX

The following confusions:

1. What is the meaning of # after sec? This means that the master key is
not available ( We already have 5 lines
of text. Why not add another line such as "#: Master key not present"

2. What is the meaning of > after ssb? It means that the secret subkeys
are not present in the keyring, but on a known smartcard. This does not
come up in a google search 'gpg "ssb>"'. I only came across another
post by accident that said that after issuing keytocard, the subkey is
deleted (when using save) and only a reference is left. Following 1.,
why not write "#: Master key not present; >: reference to secret key on
smart card"

3. This output means that there is *NO* secret key on this computer.
This is extremely important information, but it is not evident from
the output. Enigmail makes it look like I have a private keypair. But
actually it's not. Only a reference.

4. I cannot fully delete the secret key reference by "gpg
--delete-secret-key XXXXXAB". Although it asks me for confirmation and
does not show in --list-secret-keys anymore, it still shows in enigmail
(bold for having private key) and .gnupg/private-keys-v1.d still
contains the keys. So I'm kind of stuck in limbo here. Deleting the
offending files in private-keys-v1.d is the only way to make enigmail
forget about them.

Has this been discussed before? I think there was once a drive to improve
usability of gpg. Is there a place to propose a change in the output?
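As an added example (not part of the post above), the following parser turns the human-readable `gpg --list-secret-keys` listing quoted in the message into an explicit statement of where each secret key actually lives: `#` after `sec` marks a stub with no secret key present, `>` after `ssb` marks a reference to a key on a smartcard, and no marker means the secret material is in the local keyring. The two sample listings are constructed from the output shown in the post; the second one adds a hypothetical subkey that was never moved to the card.

```python
import re
from typing import Dict, List

# Constructed sample: the listing quoted in the post (stub primary, all subkeys on card).
SAMPLE_ALL_ON_CARD = """\
sec#  4096R/XXXXXAB 2017-XX-XX [expires: 20XX-XX-XX]
uid                  My name <name at provider.tdl>
ssb>  2048R/XXXXXBB 2017-XX-XX
ssb>  2048R/XXXXXCB 2017-XX-XX
ssb>  2048R/XXXXXDB 2017-XX-XX
"""

# Constructed sample: one hypothetical subkey (XXXXXCB) still held in the local keyring.
SAMPLE_MIXED = """\
sec#  4096R/XXXXXAB 2017-XX-XX [expires: 20XX-XX-XX]
uid                  My name <name at provider.tdl>
ssb>  2048R/XXXXXBB 2017-XX-XX
ssb   2048R/XXXXXCB 2017-XX-XX
"""

# sec/ssb, optional '#' or '>' marker, then "<bits><algo>/<keyid> <date>".
KEY_LINE = re.compile(r"^(sec|ssb)([#>]?)\s+(\S+?)/(\S+)\s+(\S+)")

MARKER_MEANING = {
    "#": "stub",      # secret key not present at all (e.g. removed primary key)
    ">": "on_card",   # only a reference to a key stored on a smartcard
    "": "local",      # secret key material is in the local keyring
}


def classify_secret_keys(listing: str) -> List[Dict[str, str]]:
    """Return one record per sec/ssb line with the location implied by its marker."""
    keys = []
    for line in listing.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue  # uid lines and blank lines carry no secret-key marker
        kind, marker, algo, keyid, created = m.groups()
        keys.append({"type": kind, "keyid": keyid, "algo": algo,
                     "created": created, "where": MARKER_MEANING[marker]})
    return keys


def has_local_secret_material(listing: str) -> bool:
    """True only if at least one secret key is actually stored on this machine."""
    return any(k["where"] == "local" for k in classify_secret_keys(listing))
```

For scripting against real installations, `gpg --with-colons --list-secret-keys` is the format intended for machine parsing; the human-readable markers above may differ between GnuPG versions.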
