Is it possible to export an expired GPG subkey’s public key without signatures?

Based on “Is it possible to export a GPG subkey’s public component?” I got familiar with:

gpg --keyid-format long --with-fingerprint --list-key {e-mail}
gpg --export --armor --output public-key.asc 633DBBC0! # for ssb1

and

gpg --export-options export-minimal {key-id}

I also found the following which I added to my gpg.conf.

list-options show-unusable-subkeys

In the context of a Yubikey, I sometimes need to transfer public key components to a new key ring on a new system in order to decrypt an old file. For some reason gpg --card-status is not enough to get the ball rolling. Gpg will keep reporting that no key exists to decrypt the file. After importing the public key component, it works. I read somewhere on Stack that “the yubikey has not enough data on it to reconstruct the public key component.” (Might add source later).

However, I don’t want to export all old subkeys (hence keyid!), only a select few and I don’t want to export any signatures (hence export-minimal).

So this is what I tried, but it did not give the desired result:

gpg --armor --export --export-options export-minimal {subkeyid1}! {subkeyid2}!
or
gpg --armor --export --export-options export-minimal {subkeyid1}!
gpg --armor --export --export-options export-minimal {subkeyid2}!

If I pick one {subkeyx}!, the output is the same. The combination of export-minimal and pointing to a subkey is not working as far as I can tell. I don’t know of any switch I can put in front of keyid, do you?

Then I tried the following and merged them later:

gpg --armor --export --output file1.asc {subkeyid1}!
gpg --armor --export --output file2.asc {subkeyid2}!

But these public key components contain unwanted signatures (and their primary key public part and uid which is acceptable).

I used gpg --armor --export {subkeyid2}! | gpg for reading the output. If I do this with unexpired subkeys, I get an expected result of keys, but if I do this with expired subkeys, the subkey is not listed.

The question: So, how do I export two expired subkeys’ public key components without any signatures?


(Sidenote; meta question; alternative route):

gpg --card-status delivers:

[...]
General key info..: sub {rsaX/eccX}/{keyid} {date} {name} {address}
sec# {rsaX/eccX}/{keyid} {created date} {expires date}
[...]
ssb> {rsaX/eccX}/{subkeyid1} {created date} {expires date}
card-no: {nr}
ssb> {rsaX/eccX}/{subkeyid2} {created date} {expires date}
card-no: {nr}

And as we know from gpg -k and gpg -K, ‘sub’ means public subkey; ‘ssb’ means private subkey and the ‘>’ indicator means material is on smartcard. So this all seems to confirm the public material is not on the card.
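
To check what an export actually contains, independent of how gpg chooses to list it, the packet framing can be walked directly. This is an added example, not part of the original question: it assumes a binary export (no --armor, or armored output passed through gpg --dearmor), follows the RFC 4880 packet header rules, and uses constructed dummy packets as sample input; the names `packets` and `summarize` are chosen here.

```python
# Packet tags found in an exported public key (RFC 4880, section 4.3)
TAGS = {2: "signature", 6: "public-key", 13: "user-id", 14: "public-subkey"}

def packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    i = 0
    while i < len(data):
        first, i = data[i], i + 1
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                        # new-format header
            tag, o1, i = first & 0x3F, data[i], i + 1
            if o1 < 192:                        # one-octet length
                n = o1
            elif o1 < 224:                      # two-octet length
                n, i = ((o1 - 192) << 8) + data[i] + 192, i + 1
            elif o1 == 255:                     # five-octet length
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not handled")
        else:                                   # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            width = (1, 2, 4, 0)[ltype]         # 0 = indeterminate length
            n = int.from_bytes(data[i:i + width], "big") if width else len(data) - i
            i += width
        yield tag, data[i:i + n]
        i += n

def summarize(data):
    """Packet types in order; v4 signatures also show their signature type."""
    out = []
    for tag, body in packets(data):
        name = TAGS.get(tag, f"tag-{tag}")
        if tag == 2 and len(body) > 1 and body[0] == 4:
            # 0x13 = positive user-id certification, 0x18 = subkey binding
            name += f":0x{body[1]:02x}"
        out.append(name)
    return out

# Constructed sample: dummy bodies with real header framing, not a usable key.
SAMPLE = (b"\x99\x00\x03\x04AB"      # public-key, old format, 2-octet length
          + b"\xb4\x05alice"         # user-id
          + b"\x88\x02\x04\x13"      # signature, v4, type 0x13
          + b"\xb9\x00\x02\x04Z"     # public-subkey
          + b"\xc2\x02\x04\x18")     # signature, new format, v4, type 0x18

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Feeding it the bytes of each export variant shows whether a public-subkey packet and which signature packets are present in that file.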


Cryptoki PKCS11 C_Decrypt returns shorter key (decrypted message) than expected

First off let me say I’m fully aware this question can only be answered by the token vendor but I have already contacted them and with the whole COVID situation my hopes of hearing from them soon are not high (nor that I need to, this is j…