Page MenuHome GnuPG
Create Task
Maniphest T3970

Change capabilities / usage flags in edit-key
Closed, ResolvedPublic
Actions

Description

My offline master key only has [C] and I have three subkeys with [S], [E] and [A] capabilities on a smart card.
I used to sign keys by using the subkey with [S] only. This is not possible any more because of T3844 with Version 2.2.5+

As smart cards only have three slots for [S], [E] and [A] it is not possible to add the master key with [C] to it to be able to sign keys with the smart card.
A solution would be to abandon the current [S] subkey, change the capabilities of the master key from [C] to [SC] and put it onto the smart card.

The change of capabilities / usage flags is currently not possible, but there is a patch which makes this possible, see external link.
Could you please implement this officially?

Thanks for the many improvements in the last years which make the usage of smart cards feasible!

Details

External Link
https://github.com/xdgc/gnupg/commit/e7fb69baebf7aec46c0af0c40e5a6a3ea6375735
Version
2.2

Related Objects

Event Timeline

damadmai created this task.May 9 2018, 6:19 PM
werner closed this task as Resolved.May 10 2018, 10:49 AM
werner claimed this task.
werner added a subscriber: werner.

You are lucky. This has been possible for quite some time and since 2.2.6 it is an official part of the API. See T3816

change-usage
            Change  the  usage  flags  (capabilities) of the primary key or of subkeys.  These
            usage flags (e.g. Certify, Sign, Authenticate, Encrypt) are set  during  key  cre‐
            ation.  Sometimes it is useful to have the opportunity to change them (for example
            to add Authenticate) after they have been created.  Please take  care  when  doing
            this; the allowed usage flags depend on the key algorithm.
damadmai added a comment.May 10 2018, 4:46 PM

Great! I did not notice this feature!
Is it on purpose that this is not shown by hitting TAB in the --edit-key command prompt (and auto-completion)?

gpg>
addcardkey  addrevoker  check       delsig      enable      grip        keyserver   lsign       nrsign      primary     revsig      setpref     sign        uid
addkey      adduid      clean       deluid      expire      help        keytocard   minimize    passwd      quit        revuid      showphoto   trust
addphoto    bkuptocard  delkey      disable     fpr         key         list        notation    pref        revkey      save        showpref    tsign

cross-certify is also not among this list.

damadmai reopened this task as Open.May 13 2018, 12:01 PM

cross-sign is also missing.

werner closed this task as Resolved.May 15 2018, 1:19 PM

Yes, this is on purpose, we display only the most important commands, similar to --help