When self signing a key in `gpa`, what is the purpose of the "sign only locally" option, and what does it do?

What does this "sign only locally" check box do or mean in gpa (the GNU Privacy Assistant)?

I’m working on verifying the fingerprints of acquired public keys, and once verified with their owner, then self signing these keys to s…

Is it possible to export an expired GPG subkey’s public key without signatures?

Based on “Is it possible to export a GPG subkey’s public component?” I got familiar with:

gpg --keyid-format long --with-fingerprint --list-key {e-mail}
gpg --export --armor --output public-key.asc 633DBBC0! # for ssb1

and

gpg --export-options export-minimal {key-id}

I also found the following which I added to my gpg.conf.

list-options show-unusable-subkeys

In the context of a Yubikey, I sometimes need to transfer public key components to a new key ring on a new system in order to decrypt an old file. For some reason `gpg --card-status` is not enough to get the ball rolling. Gpg will keep reporting that no key exists to decrypt the file. After importing the public key component, it works. I read somewhere on Stack that “the yubikey has not enough data on it to reconstruct the public key component.” (Might add source later).

However, I don’t want to export all old subkeys (hence keyid!), only a select few and I don’t want to export any signatures (hence export-minimal).

So this is what I tried, but did not result in a desired result:

gpg --armor --export --export-options export-minimal {subkeyid1}! {subkeyid2}!
or
gpg --armor --export --export-options export-minimal {subkeyid1}!
gpg --armor --export --export-options export-minimal {subkeyid2}!

If I pick one {subkeyx}!, the output is the same. The combination of export-minimal and pointing to a subkey is not working as far as I can tell. I don’t know of any switch I can put in front of keyid, do you?

Then I tried the following and merged them later:

gpg --armor --export --output file1.asc {subkeyid1}!
gpg --armor --export --output file2.asc {subkeyid2}!

But these public key components contain unwanted signatures (and their primary key public part and uid which is acceptable).

I used `gpg --armor --export {subkeyid2}! | gpg` for reading the output. If I do this with unexpired subkeys, I get an expected result of keys, but if I do this with expired subkeys, the subkey is not listed.

The question: So, how do I export two expired subkeys’ public key components without any signatures?


(Sidenote; meta question; alternative route):

gpg --card-status delivers:

[...]
General key info..: sub {rsaX/eccX}/{keyid} {date} {name} {address}
sec# {rsaX/eccX}/{keyid} {created date} {expires date}
[...]
ssb> {rsaX/eccX}/{subkeyid1} {created date} {expires date}
card-no: {nr}
ssb> {rsaX/eccX}/{subkeyid2} {created date} {expires date}
card-no: {nr}

And as we know from `gpg -k` and `gpg -K`, ‘sub’ means public subkey; ‘ssb’ means private subkey, and the ‘>’ indicator means material is on smartcard. So this all seems to confirm the public material is not on the card.

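An added example, not part of the original question: a small Python inventory of the packets in a binary (non-armored) export, to check which signature packets an export actually carries and whether the primary key issued them. The names `packets`, `key_id`, `issuer`, `describe` and `SAMPLE` are hypothetical, and it assumes v4 keys and signatures in old-format packet framing.

```python
import hashlib

TAGS = {6: "public-key", 13: "user-id", 14: "public-subkey"}

def packets(data):
    """Yield (tag, body) per old-format packet, the framing gpg writes for keys."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0xC0 != 0x80 or hdr & 3 == 3:
            raise ValueError("only old-format, definite-length packets are handled")
        size = 1 << (hdr & 3)                    # 1, 2 or 4 length octets
        n = int.from_bytes(data[i + 1:i + 1 + size], "big")
        i += 1 + size
        yield (hdr >> 2) & 0x0F, data[i:i + n]
        i += n

def key_id(body):  # v4 key ID: last 8 bytes of SHA-1 over 0x99, 2-byte length, body
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()[-8:]

def issuer(sig):
    """Issuer key ID (subpacket 16) of a v4 signature; None if not found."""
    hlen = int.from_bytes(sig[4:6], "big")
    ulen = int.from_bytes(sig[6 + hlen:8 + hlen], "big")
    areas = (sig[6:6 + hlen], sig[8 + hlen:8 + hlen + ulen]) if sig[0] == 4 else ()
    for area in areas:
        j = 0
        while j < len(area) and area[j] < 192:   # one-octet subpacket lengths only
            if area[j + 1] & 0x7F == 16:
                return area[j + 2:j + 1 + area[j]]
            j += 1 + area[j]

def describe(data):
    """Label each packet; signatures get their type and whether the key issued them."""
    out, primary = [], None
    for tag, body in packets(data):
        if tag == 6:
            primary = key_id(body)
        label = TAGS.get(tag, f"tag {tag}")
        if tag == 2:                             # body[1] is the v4 signature type
            label = f"signature 0x{body[1]:02x} " + ("self" if issuer(body) == primary else "other")
        out.append(label)
    return out

# Constructed sample with dummy key material (not a real key, nothing here verifies).
pkt = lambda tag, body: bytes([0x80 | tag << 2, len(body)]) + body
sig = lambda typ, kid: bytes([4, typ, 1, 8, 0, 0, 0, 10, 9, 16]) + kid + bytes(4)
KEY = bytes([4, 0, 0, 0, 1, 1]) + bytes(8)
SAMPLE = (pkt(6, KEY) + pkt(13, b"Test <t@example.org>") + pkt(2, sig(0x13, key_id(KEY)))
          + pkt(2, sig(0x10, b"OTHERKEY")) + pkt(14, KEY) + pkt(2, sig(0x18, key_id(KEY))))
```

In the output, type 0x18 is the subkey binding signature and types 0x10 to 0x13 are certifications on a user ID; "other" covers both a different issuer and an issuer this sketch could not read. It only inventories packets and does not verify any signature.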