Utilizing facts of homedir organization (was: Exact definition of token S/N field for --with-colons)

Sun Sep 23 18:18:13 CEST 2018

Hi all,

The intent of this mail is not to ask whether something works. This can
be easily verified. It's asking whether it is a supported way of doing
things. I hope I can get some guidance on this!

On 23/09/2018 15:38, Peter Lebbing wrote: 
> The context is that for Debian's cryptsetup, I'm trying to determine
> whether all secret (sub)keys in a homedir are stubs (serial numbers or
> empty stubs). And the reason is that I'd like to error out if there is
> any actual confidential data in the private keyring, instead of copying
> it to the unencrypted initramfs. A password-protected on-disk key is a
> major red flag despite its password protection.

So this ran into a major mistake on my part. Not all keys in
private-keys-v1.d will be listed with this method, plus it launches an
agent which in this case is a no-go.

The situation with regard to which parts of the homedir are
implementation details and which are an API is a bit muddled IMHO. For
instance, we're supposed to be creating and editing *.conf files and
access revocation certificate files in openpgp-revocs.d, but a lot of
the rest is "Don't touch".

Would it be okay to scrub the private-keys-v1.d directory so it will
only hold KEYGRIP.key for that one smartcard stub we want to have? I'm
talking about a separate, special-purpose homedir, not the regular user
homedir, let's not scrub private-keys-v1.d there :-D.

That's the specific way of asking the question. A more general question
would be: in GnuPG 2.1+, can we expect the private key with grip X to be
at private-keys-v1.d/X.key and will an agent be happy to work on a
private-keys-v1.d with just files X.key, Y.key and Z.key when we
actually only need private keys X, Y and Z? Or is this an implementation
detail?

While I'm at it: there are conflicting opinions on whether it is okay to
build a keyring using:
$ gpg --export SOMEKEY >pubring.gpg
instead of:
$ gpg --export SOMEKEY | gpg --no-default-keyring --keyring ./pubring.kbx

Can we also get official guidance on that; is the former acceptable?
(FWIW, I've always thought it was not.)

Thanks!

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20180923/d2b2df3d/attachment.sig>