
Change capabilities / usage flags in edit-key
Closed, Resolved (Public)


My offline master key only has [C] and I have three subkeys with [S], [E] and [A] capabilities on a smart card.
I used to sign keys by using the subkey with [S] only. This is not possible any more because of T3844 with Version 2.2.5+.

As smart cards only have three slots for [S], [E] and [A], it is not possible to add the master key with [C] to it to be able to sign keys with the smart card.
A solution would be to abandon the current [S] subkey, change the capabilities of the master key from [C] to [SC] and put it onto the smart card.

The change of capabilities / usage flags is currently not possible, but there is a patch which makes this possible, see external link.
Could you please implement this officially?

Thanks for the many improvements in the last years which make the usage of smart cards feasible!

Event Timeline

werner claimed this task.
werner added a subscriber: werner.

You are lucky. This has been possible for quite some time and since 2.2.6 it is an official part of the API. See T3816.

            Change the usage flags (capabilities) of the primary key or of subkeys. These
            usage flags (e.g. Certify, Sign, Authenticate, Encrypt) are set during key
            creation. Sometimes it is useful to have the opportunity to change them (for
            example to add Authenticate) after they have been created. Please take care
            when doing this; the allowed usage flags depend on the key algorithm.

Great! I did not notice this feature!
Is it on purpose that this is not shown by hitting TAB in the --edit-key command prompt (and auto-completion)?

addcardkey  addrevoker  check       delsig      enable      grip        keyserver   lsign       nrsign      primary     revsig      setpref     sign        uid
addkey      adduid      clean       deluid      expire      help        keytocard   minimize    passwd      quit        revuid      showphoto   trust
addphoto    bkuptocard  delkey      disable     fpr         key         list        notation    pref        revkey      save        showpref    tsign

cross-certify is also not among this list.

cross-sign is also missing.

Yes, this is on purpose, we display only the most important commands, similar to --help
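An added example, not part of the original thread or of GnuPG itself: one way to confirm which usage flags a primary key and its subkeys carry before and after a change like the one discussed above, by reading the capability field (field 12) of `gpg --with-colons --list-keys` output. The key IDs and listing lines are constructed, and the function names are this example's own.

```python
# Added example: read usage flags from `gpg --with-colons --list-keys` output.
# Field 12 of pub/sub records holds the capabilities. Lowercase letters are the
# flags of that key itself; uppercase letters on the pub record summarise the
# whole key including subkeys. The listings below are constructed, not real keys.
BEFORE = """\
pub:u:4096:1:1111111111111111:1500000000:::u:::cESCA:
sub:u:4096:1:2222222222222222:1500000000::::::s:
sub:u:4096:1:3333333333333333:1500000000::::::e:
sub:u:4096:1:4444444444444444:1500000000::::::a:
"""
# Same key after the primary key's usage was changed from [C] to [SC].
AFTER = BEFORE.replace(":cESCA:", ":scESCA:")

KEY_RECORDS = ("pub", "sub", "sec", "ssb")
ORDER = "scea"  # display order used here: Sign, Certify, Encrypt, Authenticate


def usage_flags(listing):
    """Return {keyid: (record_type, flags)}, e.g. {'1111...': ('pub', 'SC')}."""
    result = {}
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in KEY_RECORDS or len(fields) < 12:
            continue  # uid, fpr and other record types carry no usage flags
        own = {c for c in fields[11] if c in ORDER}  # ignore uppercase summary
        flags = "".join(c.upper() for c in ORDER if c in own)
        result[fields[4]] = (fields[0], flags)
    return result


def can_certify(listing):
    """Key IDs able to certify (sign other keys): those with the C flag."""
    return sorted(k for k, (_, f) in usage_flags(listing).items() if "C" in f)


def changed(before, after):
    """Return {keyid: (old_flags, new_flags)} for keys whose flags differ."""
    old, new = usage_flags(before), usage_flags(after)
    return {k: (old[k][1], new[k][1])
            for k in new if k in old and old[k][1] != new[k][1]}


if __name__ == "__main__":
    for keyid, (rectype, flags) in usage_flags(AFTER).items():
        print(f"{rectype} {keyid} [{flags}]")
    print("changed:", changed(BEFORE, AFTER))
```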