Page MenuHome GnuPG
Create Task
Maniphest T4072

fix inconsistent CLI
Closed, WontfixPublic
Actions

Description

As discussed on IRC:

I am generating a key via CLI and found it to be a little quirky.

gpg --status-file status --quick-gen-key "Name <foo@gmail.com>" rsa4096 cert,sign never

FPR=$(awk '($2=="KEY_CREATED") { print $4 }' < status)

gpg --quick-add-uid foo@gmail.com "Name <bar@gmail.com>"
gpg --quick-add-key $FPR rsa4096 sign 2y

While the above works the addressing of the target key is inconsistent between --quick-add-uid and --quick-add-key. What I would love to see instead is that this works:

gpg --quick-gen-key "Name <foo@gmail.com>" rsa4096 cert,sign never
gpg --quick-add-uid foo@gmail.com "Name <bar@gmail.com>"
gpg --quick-add-key foo@gmail.com rsa4096 sign 2y

It would throw an error if the search via email is not distinct. Which leads to what also should be possible:

gpg --quick-add-uid $FPR "Name <bar@gmail.com>"
gpg --quick-add-key $FPR rsa4096 sign 2y

For getting to the fingerprint of the key I'd like to see at least one of the following options (or something similar):

FPR=$(gpg --print-fingerprint --quick-gen-key "Name <foo@gmail.com>" rsa4096 cert,sign never)
FPR=$(gpg --fingerprint foo@gmail.com --print-fingerprint)

Because extracting the fingerprint from a status file or a pretty print isn't exactly nice.

Details

Version
2.2.8

Event Timeline

tcurdt created this task.Jul 12 2018, 11:17 PM
tcurdt added a comment.Jul 13 2018, 2:22 AM

To clarify: I would like to see the targeting of keys be unified.
I see the following options:

1) Consistently support both fingerprint and uid to specify a target key.

This means that all of these will work

gpg --quick-add-uid foo@gmail.com "Name <bar@gmail.com>"
gpg --quick-add-key foo@gmail.com rsa4096 sign 2y
gpg --quick-add-uid $FPR "Name <bar@gmail.com>"
gpg --quick-add-key $FPR rsa4096 sign 2y

This exact behavior seems to be already implemented for --quick-add-uid. If there is ambiguity it will give an error.

gpg: key "foo@gmail.com" not found: Ambiguous name

This would need to be implemented for --quick-add-key in the same way. Possibly in other places, too.
Also the documentation and usage information would need to be updated.

2) Consistently use fingerprints only

This means that only the following will work:

gpg --quick-add-uid $FPR "Name <bar@gmail.com>"
gpg --quick-add-key $FPR rsa4096 sign 2y

For this the documentation need be changed for --quick-add-uid and the use of uids should be deprecated.
This means there is no possible case of ambiguity anymore. But this also means that access to the fingerprints must be made more accessible. While the use of --status-file and awk in this case works, it's very clunky. Especially when targeting not freshly created key this would require parsing stdout.

Ideally the create operation would return the fingerprint in a way that it can be consumed without further parsing.
Listing of all key fingerprints and fingerprints just matching a uid would need to be implemented, too.
The exact interface would be up for discussion. This would only be a start:

# creation
$ gpg --print-fingerprint --quick-gen-key "Name <foo@gmail.com>" rsa4096 cert,sign never
E1F122A3ED115448C863298C85AEC379CF3E598B

# unique
$gpg --fingerprint foo@gmail.com --print-fingerprint
E1F122A3ED115448C863298C85AEC379CF3E598B

# ambiguous
$gpg --fingerprint foo@gmail.com --print-fingerprint
E1F122A3ED115448C863298C85AEC379CF3E598B
C32C7ADB10A7580CCAACD04D2D6BED697ECF510D

# all
gpg --fingerprint --print-fingerprint
E1F122A3ED115448C863298C85AEC379CF3E598B
C32C7ADB10A7580CCAACD04D2D6BED697ECF510D
D015FCE796DEB6D2D40DCAACC0857A01BDA7C232
``
werner edited projects, added gnupg, Feature Request; removed Bug Report.Jul 13 2018, 9:03 AM
werner added a subscriber: werner.

I am not sure wheat I understand your request. --quick-add-uid takes a fingerprint as first argument you _may _ use a a user-id instead but that is for consistency with all gpg commands. Using the fingerprint is always highly suggested.

Sure we can print a new status line with the fingerprint of the created key but that does not make much sense becuase you already get this via the current status output. Printing the fingerprint of the created key on stdout would of course be possible but that would be the start of a new complementary machine inetrface which is IMHO not a good idea. Why not

$ gpg --quick-gen-key --passphrase '' --batch --status-fd=1 test@example.com \
   | awk '$1=="[GNUPG:]" && $2=="KEY_CREATED" { print $4 }'

which prints the fingerprint and only the fingerprint to stdout.

tcurdt added a comment.Jul 13 2018, 10:38 AM

From the man page:

--quick-add-uid user-id new-user-id
--quick-add-key fpr [algo [usage [expire]]]
  1. It does not mention that --quick-add-uid can also use a fingerprint.
  2. --quick-add-key requires a fingerprint (which is a different behavior compared to --quick-add-uid)
  3. Using --status-fd=1 is for --quick-gen-key somewhat acceptable, it does not solve the problem of getting to the fingerprint in a machine readable way when you want to lookup uid -> fingerprint. (for using --quick-add-key outside of the context of --quick-gen-key)
werner closed this task as Wontfix.Jul 13 2018, 11:39 AM
werner claimed this task.

The term “user-id” is used throughout gpg to mean some kind of user id beit is a name, a key id, a fingerprint, a keygrip, etc. See the section "How to specify a user id" in the man page. FPR is used if a fingerprint is required.

To map user ids to fingerprints you MUST use the --with-colons output because that is the stable and well defined interface; for example

$ gpg --with-colons -k wk@gnupg.org  \
 | awk -F: '$1=="fpr" && found {found=0; print $10}; $1=="pub" {found=1}'
tcurdt added a comment.Jul 13 2018, 12:04 PM

You completely ignore the fact that --quick-add-uid and --quick-add-key are not consistent.
It's not clear why one should require a fingerprint and the other allows the kind of "user-id" you just described.
That was the main point of this issue.

tcurdt added a comment.Jul 13 2018, 12:09 PM

And FWIW: an inconsistent UI/CLI should be treated as bug - not as a feature request.

werner added a comment.Jul 13 2018, 12:28 PM

The command line is an API and we will never break an API without a very good reason. If you didn't like that API you should have noted that on the devel mailing list years ago ;-)

tcurdt added a comment.EditedJul 13 2018, 1:19 PM

I should have :) Thing is - a fix could be made in a backwards compatible way. So I don't really see your point.

dkg added a subscriber: dkg.Jul 14 2018, 5:11 AM

We do have a history of extending the API, no?

it looks to me like @tcurdt is asking for quick-add-key to take a user-id, which is an extension of an fpr. that would make it consistent with quick-add-uid

werner added a comment.Jul 14 2018, 10:05 AM

Right, but requires extra code. The --quick commands try to reuse existing code and, iirc, that is the reason why a user id is accepted for --quick-add-uid.

(Wasn't it you who always suggested to use the fingerprint .-)

tcurdt added a comment.Jul 14 2018, 1:01 PM

@werner That begs the question: why can't quick-add-key re-use the same code that quick-add-uid is using?