The attached thread came through on gnupg-users, but the most recent
question in it (the interaction between enigmail and smartcards) might
be more relevant over here on the enigmail mailing list.
Any ideas about how to sync up enigmail's UI and smartcards?
Regards,
--dkg
--- Begin Message ---
Hi,
I recently got very confused about how secret keys on smartcards are
presented and handled in gpg.
In particular, after putting the subkeys on a Nitrokey, my output of gpg
--list-secret-keys is
sec# 4096R/XXXXXAB 2017-XX-XX [expires: 20XX-XX-XX]
uid My name <[email protected]>
ssb> 2048R/XXXXXBB 2017-XX-XX
ssb> 2048R/XXXXXCB 2017-XX-XX
ssb> 2048R/XXXXXDB 2017-XX-XX
Following confusions:
1. What is the meaning of # after sec? This means that the master key is
not available (https://wiki.debian.org/Subkeys). We already have 5 lines
of text. Why not add another line such as "#: Master key not present"
2. What is the meaning of > after ssb? It means that the secret subkeys
are not present in the keyring, but on a known smartcard. This does not
come up in a google search 'gpg "ssb>"'. I only came across another
post by accident that said that after issuing keytocard, the subkey is
deleted (when using save) and only a reference is left. Following 1.,
why not write "#: Master key not present; >: reference to secret key on
smart card"
3. This output means that there is *NO* secret key on this computer.
This is extremely important information, but it is not evident from
the output. Enigmail makes it look like I have a private keypair. But
actually it's not. Only a reference.
4. I cannot fully delete the secret key reference by "gpg
--delete-secret-key XXXXXAB". Although it asks me for confirmation and
does not show in --list-secret-keys anymore, it still shows in enigmail
(bold for having private key) and .gnupg/private-keys-v1.d still
contains the keys. So I'm kind of stuck in limbo here. Deleting the
offending files in private-keys-v1.d is the only way to make enigmail
forget about them.
Has this been discussed before? I think there was once a drive to improve
usability of gpg. Is there a place to propose a change in the output?
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
--- End Message ---
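An added example, not from the thread and not GnuPG's own code, that turns the listing above into the explicit statement the poster asks for: it parses the human-readable sec/ssb lines of gpg --list-secret-keys, classifies each by its '#' or '>' marker, and reports when no secret key material exists on this computer at all. The sample listing is constructed from the thread's placeholder key ids; the pattern also accepts the newer rsa4096/KEYID algorithm style.

```python
import re

# Constructed sample, modelled on the listing in the thread (placeholder ids).
SAMPLE = """\
sec#  4096R/XXXXXAB 2017-01-01 [expires: 2020-01-01]
uid                  My name <user@example.org>
ssb>  2048R/XXXXXBB 2017-01-01
ssb>  2048R/XXXXXCB 2017-01-01
ssb>  2048R/XXXXXDB 2017-01-01
"""

# sec / ssb, optional marker, algorithm/keyid, creation date.
LINE_RE = re.compile(r'^(sec|ssb)([#>]?)\s+(\S+)/(\S+)\s+(\S+)')

MEANING = {
    "":  "secret key material present in the local keyring",
    "#": "not usable locally (taken offline, stub only)",
    ">": "stub only; the secret key lives on a smartcard",
}


def parse_secret_listing(text):
    """Return (tag, marker, keyid, status) for every sec/ssb line."""
    keys = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            tag, marker, _algo, keyid, _date = m.groups()
            keys.append((tag, marker, keyid, MEANING[marker]))
    return keys


def local_secret_material(keys):
    """True only if at least one sec/ssb entry carries no '#' or '>' marker."""
    return any(marker == "" for _tag, marker, _kid, _status in keys)


def summarize(text):
    """Human-readable report; adds the warning the poster found missing."""
    keys = parse_secret_listing(text)
    lines = ["%s%s %s: %s" % (t, m or " ", k, s) for t, m, k, s in keys]
    if not local_secret_material(keys):
        lines.append("NOTE: no secret key material is stored on this computer")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE))
```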
--- Begin Message ---
On Thu, 6 Apr 2017 05:03, [email protected] said:
> sec# 4096R/XXXXXAB 2017-XX-XX [expires: 20XX-XX-XX]
> uid My name <[email protected]>
> ssb> 2048R/XXXXXBB 2017-XX-XX
> ssb> 2048R/XXXXXCB 2017-XX-XX
> ssb> 2048R/XXXXXDB 2017-XX-XX
The man page explains the '#' under --list-secret-keys. I just added a
description of '>' to the man page.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are governed by a federal law.
--- End Message ---
--- Begin Message ---
Dear Werner,
Thank you for the fix. I think the explanation in the manpage is more
clear now.
Any idea how to delete subkey stubs so that they show deleted in
enigmail as well?
--- a/doc/gpg.texi
<https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/gpg.texi;h=37e1ff10a8b154b9ee5532478818443bcee13681>
+++ b/doc/gpg.texi
<https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/gpg.texi;h=c0d7cc4e900ce389c0f458a77c64a0974248495b;hb=9c9fde1495be4accf4526a2626110876fd9d788d>
@@ -301,10
<https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/gpg.texi;h=37e1ff10a8b154b9ee5532478818443bcee13681#l301>
+301,13
<https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/gpg.texi;h=c0d7cc4e900ce389c0f458a77c64a0974248495b;hb=9c9fde1495be4accf4526a2626110876fd9d788d#l301>
@@ and other programs.
@itemx -K
@opindex list-secret-keys
List the specified secret keys. If no keys are specified, then all
-known secret keys are listed. A @code{#} after the letters @code{sec}
-means that the secret key is not usable (for example, if it was
-exported using @option{--export-secret-subkeys}). See also
-@option{--list-keys}.
+known secret keys are listed. A @code{#} after the intial tags
+@code{sec} or @code{ssb} means that the secret key or subkey is
+currently not usable. We also say that this key has been taken
+offline (for example, a primary key can be taken offline by exported
+the key using the command @option{--export-secret-subkeys}). A
+@code{>} after these tags indicate that the key is stored on a
+smartcard. See also @option{--list-keys}.
@item --list-signatures
@opindex list-signatures
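Review bot: the added lines carry three typos that would ship in the man page: "intial tags" should read "initial tags", "can be taken offline by exported the key" should read "by exporting the key", and "A @code{>} after these tags indicate" needs "indicates". It would also resolve the confusion that started this thread to state outright that with @code{>} only a stub (reference) remains in the local keyring and no secret key material is stored on the computer, since the listing otherwise looks like a usable private key.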
On 04/07/2017 05:29 PM, Werner Koch wrote:
> On Thu, 6 Apr 2017 05:03, [email protected] said:
>
>> sec# 4096R/XXXXXAB 2017-XX-XX [expires: 20XX-XX-XX]
>> uid My name <[email protected]>
>> ssb> 2048R/XXXXXBB 2017-XX-XX
>> ssb> 2048R/XXXXXCB 2017-XX-XX
>> ssb> 2048R/XXXXXDB 2017-XX-XX
> The man page explains the '#' under --list-secret-keys. I just added a
> description of '>' to the man page.
>
>
> Shalom-Salam,
>
> Werner
>
--- End Message ---
_______________________________________________
enigmail-users mailing list
[email protected]
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net