Can preferred order of decryption keys be specified?

[Werner Koch]

On Sat, 14 Oct 2023 12:06, Martin Jambor said:

> Is there a way to specify a preferred decryption key (that is different
> from the default signing key)?

Although we meanwhile have a way to set preferences for ssh keys [1] we
don't have this for decryption keys.  :-(

> Incidentally, does anybody know how to convince emacs EasyPG to pass
> --no-throw-keyids to GPG? :-)

Elisp is easy to modify ;-).  One other idea: Replace the throw-keyid in
gpg.conf by

--8<---------------cut here---------------start------------->8---
[getenv no_throw_keyid NO_THROW_KEYID]
[if $no_throw_keyid -z ]
  throw-keyid
[fi]
--8<---------------cut here---------------end--------------->8---

and then have Emacs to set the NO_THROW_KEYID envvar to 1 or so.


Shalom-Salam,

   Werner


[1] In the respective .key file you may put this name/value:
*** Use-for-ssh
If given and the value is "yes" or "1" the key is allowed for use by
gpg-agent's ssh-agent implementation.  This is thus the same as
putting the keygrip into the 'sshcontrol' file.  Only one such item
should exist.  If another non-zero value between 1 and 99999 is used,
this is taken to establish the order in which the keys are returned to
ssh; lower numbers are returned first.  If a negative value is used
this overrides currently active (inserted) cards and thus allows to
prefer on-disk keys over inserted cards.  A value of -1 has the
highest priority; values are capped at -999 and have a lower priority
but still above the positive values, inserted cards or the order in
sshcontrol.

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20231016/64456e9f/attachment.sig>