Documentation about --list-secret-keys output
mogliii at gmx.net
Thu Apr 6 05:03:16 CEST 2017
I got recently very confused about how secret keys on smartcards are
presented and handled in gpg.
In particular, after putting the subkeys on a Nitrokey, my output of gpg
sec# 4096R/XXXXXAB 2017-XX-XX [expires: 20XX-XX-XX]
uid My name <name at provider.tdl>
ssb> 2048R/XXXXXBB 2017-XX-XX
ssb> 2048R/XXXXXCB 2017-XX-XX
ssb> 2048R/XXXXXDB 2017-XX-XX
1. What is the meaning of # after sec? This means that the master key is
not available (https://wiki.debian.org/Subkeys). We already have 5 lines
of text. Why not add another line such as "#: Master key not present"
2. What is the meaning of > after ssb? It means that the secret sub keys
are not present in the keyring, but on a known smartcard. This does not
come up in a Google search 'gpg "ssb>"'. I only came across another
post by accident that said that after issuing keytocard, the sub key is
deleted (when using save) and only a reference is left. Following 1.,
why not write "#: Master key not present; >: reference to secret key on
3. This output means that there is *NO* secret key on this computer.
This is extremely important information, but it is not evident from
the output. Enigmail makes it look like I have a private keypair. But
actually it's not. Only a reference.
4. I cannot fully delete the secret key reference by "gpg
--delete-secret-key XXXXXAB". Although it asks me for confirmation and
does not show in --list-secret-keys anymore, it still shows in enigmail
(bold for having private key) and .gnupg/private-keys-v1.d still
contains the keys. So I'm kind of stuck in limbo here. Deleting the
offending files in private-keys-v1.d is the only way to make enigmail
forget about them.
Has this been discussed before? I think there was once a drive to improve
usability of gpg. Is there a place to propose a change in the output?
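As an added example, not from the post above or from GnuPG itself: a short Python script that reads the machine-readable form of the same listing (gpg --with-colons --with-keygrip --list-secret-keys) and states for each key whether its secret part is a stub, lives on a card, or is really on disk. The sample listing is constructed; the field meanings follow GnuPG's doc/DETAILS.

```python
"""Added example (not from the post): read `gpg --with-colons --with-keygrip
--list-secret-keys` output and say where each secret key really lives.
Per GnuPG doc/DETAILS, field 15 of a sec/ssb record is the token serial for a
key moved to a smartcard, '#' for a stub, and empty (or '+') when the secret
key is in the keyring; a grp record carries the keygrip, which names the file
private-keys-v1.d/<keygrip>.key (present even for stubs and on-card keys)."""
from typing import Dict, List

# Constructed sample: the post's situation (sec stub, subkeys on a Nitrokey)
# plus one ordinary on-disk key for contrast. Key ids and serials are made up.
SAMPLE_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1490000000:1580000000::u:::scESC:::#:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::AAAA000011112222333344445555666677778888:
ssb:u:2048:1:FEDCBA9876543210:1490000000::::::s:::D2760001240102010006012345670000::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
grp:::::::::BBBB000011112222333344445555666677778888:
ssb:u:2048:1:0011223344556677:1490000000::::::e:::D2760001240102010006012345670000::23:
fpr:::::::::0011223344556677001122334455667700112233:
grp:::::::::CCCC000011112222333344445555666677778888:
sec:u:2048:1:1111222233334444:1490000000:::u:::scESC::::::23::0:
fpr:::::::::1111222233334444111122223333444411112222:
grp:::::::::DDDD000011112222333344445555666677778888:
"""

def parse_secret_keys(listing: str) -> List[Dict[str, str]]:
    """One entry per sec/ssb record: type, key id, where it lives, keygrip."""
    keys: List[Dict[str, str]] = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            token = f[14] if len(f) > 14 else ""
            if token == "#":
                where = "stub, no secret material on this host"
            elif token in ("", "+"):
                where = "in local keyring"
            else:
                where = "on smartcard " + token
            keys.append({"type": f[0], "keyid": f[4], "where": where, "keygrip": ""})
        elif f[0] == "grp" and keys:
            keys[-1]["keygrip"] = f[9]  # -> private-keys-v1.d/<keygrip>.key
    return keys

def has_local_secret_material(listing: str) -> bool:
    """True only if at least one secret key is really stored on this host."""
    return any(k["where"] == "in local keyring" for k in parse_secret_keys(listing))

if __name__ == "__main__":
    for k in parse_secret_keys(SAMPLE_LISTING):
        print(k["type"], k["keyid"], k["where"], "private-keys-v1.d/%s.key" % k["keygrip"])
```

To run it against a real keyring, feed it the output of gpg --with-colons --with-keygrip --list-secret-keys instead of SAMPLE_LISTING.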