doc/DETAILS says this about the output of --with-colons listings:

> *** Field 15 - S/N of a token
>
> Used in sec/ssb to print the serial number of a token (internal
> protect mode 1002) or a '#' if that key is a simple stub (internal
> protect mode 1001). If the option --with-secret is used and a
> secret key is available for the public key, a '+' indicates this.

This suggests that a '+' is only output for --with-secret --list-keys, but I see it as well in --list-secret-keys. Running gpg 2.1.18-8~deb9u2 from Debian stretch/stable.

The specification leaves some interpretation room.

- Is '+' output iff it is an on-disk key, both on --with-secret --list-keys and --list-secret-keys?
- I see S/N's on --with-secret --list-keys; is there even a need to mention --with-secret separately, or is field 15 completely identical for both invocations?
- Is field 15 ever anything other than a serial number, a '#' or a '+' on --list-secret-keys? I presume the answer is "this may change in the future", but I mean currently.

The context is that for Debian's cryptsetup, I'm trying to determine whether all secret (sub)keys in a homedir are stubs (serial numbers or empty stubs). And the reason is that I'd like to error out if there is any actual confidential data in the private keyring, instead of copying it to the unencrypted initramfs. A password-protected on-disk key is a major red flag despite its password protection. Not all of my questions directly pertain to this use case; I'm just trying to get a good feel for the field to be able to reason about it.

My attempt at bailing on confidential data is here:
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903163#140>
and it is this:

--8<---------------cut here---------------start------------->8---
#!/bin/sh
UNSAFEKEYS=$(gpg --batch --with-colons --homedir /etc/keys --list-secret-keys | \
	gawk -F: '$1=="sec" || $1=="ssb" \
		{ if ($15 !~ /D27600012401.*/ && $15 != "#") { print $5 } }')
if [ -n "$UNSAFEKEYS" ]; then
	echo "Non-smartcard keys found:\n${UNSAFEKEYS}\nAborting" >&2
	exit 1
fi
--8<---------------cut here---------------end--------------->8---

It will only accept true OpenPGP smartcard keys (matched on ISO 7816 Application Identifier) or empty stubs (no secret key whatsoever). No other secret key material should be necessary for this particular application.

Note that the dialect (or lack thereof) is dash; if run in bash, echo would need -e.

Thanks,
Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
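As an added example that is not part of Peter's message: a dash-compatible check that classifies every sec/ssb record of a colon listing by field 15 and fails closed on anything that is not a card serial or a '#' stub, with the AID match anchored at the start of the field. The listing, key IDs, fingerprints and serial number below are constructed, not real gpg output.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies the sec/ssb
# records of a `gpg --with-colons --list-secret-keys` listing by field 15
# and fails closed on anything that is not a card serial or an empty stub.

# Constructed sample listing (key IDs, fingerprints and serial are made up):
# a card-backed primary key, an empty stub subkey and an on-disk subkey.
# Field 15 of sec/ssb records is the token serial number, '#' for a stub,
# or '+' for on-disk secret key material.
SAMPLE_LISTING='sec:u:2048:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC:::D2760001240102010006012345670000::
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1500000000::2222222222222222222222222222222222222222::Constructed Example <user@example.com>::::::::::0:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1500000000::::::e:::#::
ssb:u:2048:1:CCCCCCCCCCCCCCCC:1500000000::::::s:::+::'

# Read a colon listing on stdin; print "<keyid> <class>" for every sec/ssb
# record, where class is card, stub, ondisk or unknown.
classify_secret_keys() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        sn = $15
        cls = "unknown"                          # anything unrecognised is unsafe
        if (sn ~ /^D27600012401/) cls = "card"   # ISO 7816 AID of the OpenPGP card app, anchored
        if (sn == "#")            cls = "stub"
        if (sn == "+")            cls = "ondisk"
        print $5, cls
    }'
}

# Return 0 only when every sec/ssb record is a card key or an empty stub;
# otherwise list the offending records on stderr and return 1.
all_secret_keys_safe() {
    unsafe=$(classify_secret_keys | awk '$2 != "card" && $2 != "stub"')
    if [ -n "$unsafe" ]; then
        printf 'Secret key material that is not on a smartcard:\n%s\n' "$unsafe" >&2
        return 1
    fi
    return 0
}

# Stand-alone run on the constructed listing. Against a real homedir, pipe
# `gpg --batch --with-colons --homedir /etc/keys --list-secret-keys` in instead.
printf '%s\n' "$SAMPLE_LISTING" | classify_secret_keys
if printf '%s\n' "$SAMPLE_LISTING" | all_secret_keys_safe; then
    echo "keyring contains only stubs and card keys"
else
    echo "keyring contains confidential data; do not copy it"
fi
```

The "unknown" class covers any future or version-specific value of field 15, so a listing that looks different from what this version of gpg prints is rejected rather than silently accepted.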
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users