Hi all, The intent of this mail is not to ask whether something works. This can be easily verified. It's asking whether it is a supported way of doing things. I hope I can get some guidance on this!
On 23/09/2018 15:38, Peter Lebbing wrote: > The context is that for Debian's cryptsetup, I'm trying to determine > whether all secret (sub)keys in a homedir are stubs (serial numbers or > empty stubs). And the reason is that I'd like to error out if there is > any actual confidential data in the private keyring, instead of copying > it to the unencrypted initramfs. A password-protected on-disk key is a > major red flag despite its password protection. So this ran into a major mistake on my part. Not all keys in private-keys-v1.d will be listed with this method, plus it launches an agent which in this case is a no-go. The situation with regard to which parts of the homedir are implementation details and which are an API is a bit muddled IMHO. For instance, we're supposed to be creating and editing *.conf files and access revocation certificate files in openpgp-revocs.d, but a lot of the rest is "Don't touch". Would it be okay to scrub the private-keys-v1.d directory so it will only hold KEYGRIP.key for that one smartcard stub we want to have? I'm talking about a separate, special-purpose homedir, not the regular user homedir, let's not scrub private-keys-v1.d there :-D. That's the specific way of asking the question. A more general question would be: in GnuPG 2.1+, can we expect the private key with grip X to be at private-keys-v1.d/X.key and will an agent be happy to work on a private-keys-v1.d with just files X.key, Y.key and Z.key when we actually only need private keys X, Y and Z? Or is this an implementation detail? While I'm at it: there are conflicting opinions on whether it is okay to build a keyring using: $ gpg --export SOMEKEY >pubring.gpg instead of: $ gpg --export SOMEKEY | gpg --no-default-keyring --keyring ./pubring.kbx Can we also get official guidance on that; is the former acceptable? (FWIW, I've always thought it was not.) Thanks! Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
