
Documentation about --list-secret-keys output


Documentation about --list-secret-keys output

mogliii
Hi,

I recently got very confused about how secret keys on smartcards are
presented and handled in gpg.

In particular, after putting the subkeys on a Nitrokey, my output of gpg
--list-secret-keys is

sec#  4096R/XXXXXAB 2017-XX-XX [expires: 20XX-XX-XX]
uid                  My name <[hidden email]>
ssb>  2048R/XXXXXBB 2017-XX-XX
ssb>  2048R/XXXXXCB 2017-XX-XX
ssb>  2048R/XXXXXDB 2017-XX-XX

The following confusions:

1. What is the meaning of # after sec? This means that the master key is
not available (https://wiki.debian.org/Subkeys). We already have 5 lines
of text. Why not add another line such as "#: Master key not present"?

2. What is the meaning of > after ssb? It means that the secret subkeys
are not present in the keyring, but on a known smartcard. This does not
come up in a google search 'gpg "ssb>"'. I only came across another
post by accident that said that after issuing keytocard, the subkey is
deleted (when using save) and only a reference is left. Following 1.,
why not write "#: Master key not present; >: reference to secret key on
smart card"?

3. This output means that there is *NO* secret key on this computer.
This is extremely important information, but it is not evident from
the output. Enigmail makes it look like I have a private keypair. But
actually it's not. Only a reference.

4. I cannot fully delete the secret key reference by "gpg
--delete-secret-key XXXXXAB". Although it asks me for confirmation and
does not show in --list-secret-keys anymore, it still shows in enigmail
(bold for having private key) and .gnupg/private-keys-v1.d still
contains the keys. So I'm kind of stuck in limbo here. Deleting the
offending files in private-keys-v1.d is the only way to make enigmail
forget about them.

Has this been discussed before? I think there was once a drive to improve
the usability of gpg. Is there a place to propose a change in the output?



_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
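An added check, not from the post or from GnuPG itself, that answers point 3 above by parsing the classic-format listing shown in the post and classifying each sec/ssb line as local, offline stub (#) or on-card reference (>). The key IDs, dates and address are constructed placeholders, and the parser assumes the "4096R/KEYID" layout printed by gpg 1.4/2.0 as in the post; newer gpg versions print "rsa4096" instead.

```python
import re
from dataclasses import dataclass

# Constructed samples modelled on the listing in the post (not real keys).
# Listing A: primary is an offline stub ("#"), all subkeys live on a smartcard (">").
LISTING_CARD = """\
sec#  4096R/XXXXXAB 2017-01-01 [expires: 2020-01-01]
uid                  My name <user@example.org>
ssb>  2048R/XXXXXBB 2017-01-01
ssb>  2048R/XXXXXCB 2017-01-01
ssb>  2048R/XXXXXDB 2017-01-01
"""
# Listing B: the same key before keytocard, all secret material on disk.
LISTING_LOCAL = """\
sec   4096R/XXXXXAB 2017-01-01 [expires: 2020-01-01]
uid                  My name <user@example.org>
ssb   2048R/XXXXXBB 2017-01-01
"""

# "sec"/"ssb", optional marker, "<bits><algo>/<keyid>", creation date.
KEY_LINE = re.compile(r"^(sec|ssb)([#>]?)\s+([^/\s]+)/(\S+)\s+(\S+)")
STATUS = {"": "local", "#": "offline-stub", ">": "smartcard"}

@dataclass
class SecretKey:
    role: str    # "sec" = primary key, "ssb" = subkey
    keyid: str
    status: str  # one of the STATUS values

def parse_listing(text):
    """Turn human-readable --list-secret-keys output into SecretKey records."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            role, marker, _algo, keyid, _created = m.groups()
            keys.append(SecretKey(role, keyid, STATUS[marker]))
    return keys

def local_secret_keyids(keys):
    """Key IDs whose secret material is really in this keyring (no # or >)."""
    return [k.keyid for k in keys if k.status == "local"]

def summarize(keys):
    """Counts per status: the answer to 'is a private key on this machine?'."""
    counts = {s: 0 for s in STATUS.values()}
    for k in keys:
        counts[k.status] += 1
    return counts

if __name__ == "__main__":
    for name, text in (("card", LISTING_CARD), ("local", LISTING_LOCAL)):
        keys = parse_listing(text)
        print(name, summarize(keys), "local:", local_secret_keyids(keys))
```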

Re: Documentation about --list-secret-keys output

Werner Koch
On Thu,  6 Apr 2017 05:03, [hidden email] said:

> sec#  4096R/XXXXXAB 2017-XX-XX [expires: 20XX-XX-XX]
> uid                  My name <[hidden email]>
> ssb>  2048R/XXXXXBB 2017-XX-XX
> ssb>  2048R/XXXXXCB 2017-XX-XX
> ssb>  2048R/XXXXXDB 2017-XX-XX

The man page explains the '#' under --list-secret-keys.  I just added a
description of '>' to the man page.


Shalom-Salam,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



Re: Documentation about --list-secret-keys output

mogliii
Dear Werner,

Thank you for the fix. I think the explanation in the manpage is more clear now.

Any idea how to delete subkey stubs so that they show deleted in enigmail as well?

@@ -301,10 +301,13 @@ and other programs.
 @itemx -K
 @opindex list-secret-keys
 List the specified secret keys.  If no keys are specified, then all
-known secret keys are listed.  A @code{#} after the letters @code{sec}
-means that the secret key is not usable (for example, if it was
-exported using @option{--export-secret-subkeys}).  See also
-@option{--list-keys}.
+known secret keys are listed.  A @code{#} after the intial tags
+@code{sec} or @code{ssb} means that the secret key or subkey is
+currently not usable.  We also say that this key has been taken
+offline (for example, a primary key can be taken offline by exported
+the key using the command @option{--export-secret-subkeys}).  A
+@code{>} after these tags indicate that the key is stored on a
+smartcard.  See also @option{--list-keys}.
 
 @item --list-signatures
 @opindex list-signatures
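Review bot: three wording slips in the added lines: "intial tags" should read "initial tags", "taken offline by exported the key" should read "taken offline by exporting the key", and "A @code{>} after these tags indicate" needs the singular "indicates". It would also help to say explicitly that with ">" the keyring holds only a stub pointing at the card and no secret material on disk, since that is the distinction the original question turned on.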


Re: Documentation about --list-secret-keys output

NdK
On 07/04/2017 11:51, mogliii wrote:
> +offline (for example, a primary key can be taken offline by exported
Shouldn't it be "exporting" instead of "exported"?

BYtE,
 Diego

