Exact definition of token S/N field for --with-colons

Peter Lebbing peter at digitalbrains.com
Sun Sep 23 15:38:35 CEST 2018


doc/DETAILS says this about the output of --with-colons listings:

> *** Field 15 - S/N of a token
> 
>     Used in sec/ssb to print the serial number of a token (internal
>     protect mode 1002) or a '#' if that key is a simple stub (internal
>     protect mode 1001).  If the option --with-secret is used and a
>     secret key is available for the public key, a '+' indicates this.

This suggests that a '+' is only output for --with-secret --list-keys,
but I see it as well in --list-secret-keys. Running gpg 2.1.18-8~deb9u2
from Debian stretch/stable. The specification leaves some interpretation
room.

- Is '+' output iff it is an on-disk key, both on --with-secret
  --list-keys and --list-secret-keys?
- I see S/N's on --with-secret --list-keys; is there even a need to
  mention --with-secret separately, or is field 15 completely identical
  for both invocations?
- Is field 15 ever anything other than a serial number, a '#' or a '+' on
  --list-secret-keys? I presume the answer is "this may change in the
  future", but I mean currently.

The context is that for Debian's cryptsetup, I'm trying to determine
whether all secret (sub)keys in a homedir are stubs (serial numbers or
empty stubs). And the reason is that I'd like to error out if there is
any actual confidential data in the private keyring, instead of copying
it to the unencrypted initramfs. A password-protected on-disk key is a
major red flag despite its password protection.

Not all of my questions directly pertain to this use case; I'm just
trying to get a good feel for the field to be able to reason about it.

My attempt at bailing on confidential data is here:
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903163#140>
and it is this:

--8<---------------cut here---------------start------------->8---
#!/bin/sh

# List every secret key and subkey (sec/ssb records) in the keyring and
# print the key ID (field 5) of each one whose token S/N field (field 15)
# is neither an OpenPGP card AID (D27600012401...) nor a '#' stub.
UNSAFEKEYS=$(gpg --batch --with-colons --homedir /etc/keys --list-secret-keys | \
	gawk -F: '$1=="sec" || $1=="ssb" \
		{ if ($15 !~ /D27600012401.*/ && $15 != "#") { print $5 } }')

# Any key ID collected above means real secret material is on disk: refuse
# to continue rather than copy it into the unencrypted initramfs.
if [ -n "$UNSAFEKEYS" ]; then
	echo "Non-smartcard keys found:\n${UNSAFEKEYS}\nAborting" >&2
	exit 1
fi
--8<---------------cut here---------------end--------------->8---

It will only accept true OpenPGP smartcard keys (matched on ISO 7816
Application Identifier) or empty stubs (no secret key whatsoever). No
other secret key material should be necessary for this particular
application. Note that the dialect (or lack thereof) is dash; if run in
bash, echo would need -e.

Thanks,

Peter.


-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
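The following is an added example, not part of the original message and not GnuPG's own code: a POSIX sh/awk classifier for field 15 of every sec/ssb record in a --with-colons listing, run over a constructed sample listing (the key IDs, timestamps and card serial number are made up; only the D27600012401 AID prefix comes from the message). It goes a step beyond the script above by reporting the class of every key ("card", "stub", "ondisk" for '+', "unknown" for anything else) rather than only the unsafe ones, while unsafe_keys applies the same accept-only-card-or-stub rule, so an empty or unexpected field 15 is still treated as unsafe.

```shell
#!/bin/sh
# Added example (not from the original post, not GnuPG code): classify the
# token S/N field (field 15) of each sec/ssb record in a --with-colons listing.

# classify_keys reads a --with-colons listing on stdin and prints one
# "KEYID CLASS" line per sec/ssb record, where CLASS is one of
#   card    - field 15 starts with the OpenPGP card AID prefix D27600012401
#   stub    - field 15 is '#' (protect mode 1001: no secret key at all)
#   ondisk  - field 15 is '+' (a secret key is available in the keyring)
#   unknown - anything else, including an empty field or a non-OpenPGP
#             token serial number
classify_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            sn = $15
            if (sn ~ /^D27600012401/) cls = "card"
            else if (sn == "#")       cls = "stub"
            else if (sn == "+")       cls = "ondisk"
            else                      cls = "unknown"
            print $5, cls
        }'
}

# unsafe_keys prints only the key IDs that are neither card-backed nor '#'
# stubs, i.e. everything the initramfs check in the post refuses to copy.
# "unknown" is deliberately rejected: an unrecognised field 15 must not be
# mistaken for a stub.
unsafe_keys() {
    classify_keys | awk '$2 != "card" && $2 != "stub" { print $1 }'
}

# Constructed sample listing (not real gpg output): a card-backed primary key,
# a '#' stub subkey, an on-disk subkey marked '+', and a subkey with an empty
# field 15. The fpr record is ignored by the classifier.
SAMPLE_LISTING='sec:u:4096:1:1111111111111111:1500000000:::u:::scESC:::D27600012401020100060000111100000000::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
ssb:u:4096:1:2222222222222222:1500000000::::::e:::#::23:
ssb:u:4096:1:3333333333333333:1500000000::::::s:::+::23:
ssb:u:4096:1:4444444444444444:1500000000::::::a:::::23:'

# Demo run over the constructed listing; in real use, pipe
#   gpg --batch --with-colons --homedir /etc/keys --list-secret-keys
# into classify_keys or unsafe_keys instead.
printf '%s\n' "$SAMPLE_LISTING" | classify_keys
```

Running it on the constructed listing prints the card key as "card", the '#' subkey as "stub", the '+' subkey as "ondisk" and the subkey with an empty field 15 as "unknown"; unsafe_keys then reports the last two, which is exactly the case the post wants to bail out on.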
