Batch mode/unattended key generation: support multiple subkeys
Open, Normal, Public


As it stands, the unattended key generation only allows one to have a single subkey specified in the parameter file. It is limited and assumes there can only be one subkey.

However, we know that an OpenPGP smartcard has three slots: for sign, encrypt, and authenticate. For those who wish to have an auth subkey (e.g. to use as an SSH identity), this means the key generation interface is ill-suited for smartcard keys.

Consider this a feature request for the unattended key generation interface in batch mode to support an unlimited number of additional subkeys. I would propose the parameters to be termed Subkey[n]-(Type|Length|Usage) etc. unless someone can think of something more clever.

To create a key meant to be transferred to a smartcard and fill all three slots, it might look something like this:

Key-Type: RSA
Key-Length: 4096
Key-Usage: cert,sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Subkey2-Type: RSA
Subkey2-Length: 4096
Subkey2-Usage: auth

To illustrate, I wrote a patch that grants me this option; but bear in mind I'm highly amateurish in C and am uncertain of its total correctness. Would greatly appreciate the effort of GnuPG developers towards this feature.

Likewise, this scheme should be supported by the "default-new-key-algo" and/or "default_pubkey_algo" which is currently rsa3072/cert,sign+rsa3072/encr—it should be possible to specify rsa4096/cert,sign+rsa4096/encr+rsa4096/auth.


ageis created this task. May 14 2019, 5:18 AM
ageis updated the task description.
ageis updated the task description. May 14 2019, 5:32 AM
dkg added a subscriber: dkg. May 14 2019, 7:55 AM

I think you'll be better off doing this with the simpler --quick-generate-key and --quick-add-key interfaces, rather than hacking on the domain-specific language used by --batch --generate-key.

The main trick there is using --status-fd or --status-file to extract the generated fingerprint from --quick-generate-key so that it can be used by --quick-add-key subsequently, but this should be relatively easy by comparison.
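A shell sketch of the --quick-* route dkg describes, added here as an example and not code from this task or from GnuPG: --status-fd carries the fingerprint from --quick-generate-key to two --quick-add-key calls, giving the cert,sign / encr / auth layout the task asks for. It assumes gpg 2.1 or later, an isolated GNUPGHOME and a PASSPHRASE environment variable (both names are assumptions); moving the keys to the card is not covered.

```shell
#!/bin/sh
# Added example, not code from the task or from GnuPG.  Assumes gpg >= 2.1,
# an isolated GNUPGHOME and a PASSPHRASE variable (assumed names).

# gpg writes "[GNUPG:] KEY_CREATED <type> <fingerprint>" to the status fd;
# type P = primary only, B = primary plus subkey.  Print that fingerprint.
extract_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "KEY_CREATED" && ($3 == "P" || $3 == "B") {
             print $4 }'
}

# Reject anything that is not a 40-digit (v4) or 64-digit (v5) hex fingerprint,
# e.g. when gpg printed an error and no KEY_CREATED line at all.
valid_fpr() {
    case "$1" in
        ""|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ] || [ "${#1}" -eq 64 ]
}

# Non-interactive gpg invocation; the passphrase comes from the environment.
gpg_batch() {
    gpg --batch --pinentry-mode loopback --passphrase "$PASSPHRASE" "$@"
}

# Primary RSA-4096 cert,sign key, then the two subkeys; "0" means no expiry.
make_smartcard_key() {
    fpr=$(gpg_batch --status-fd 1 --quick-generate-key "$1" rsa4096 cert,sign 0 |
          extract_primary_fpr)
    valid_fpr "$fpr" || { echo "gpg emitted no usable KEY_CREATED line" >&2; return 1; }
    # The usage keyword is "encr" here, not "encrypt" as in the batch parameter file.
    gpg_batch --quick-add-key "$fpr" rsa4096 encr 0
    gpg_batch --quick-add-key "$fpr" rsa4096 auth 0
    printf '%s\n' "$fpr"
}

# Constructed sample of status-fd output (not captured from a real run).
sample_status() {
    printf '%s\n' '[GNUPG:] PROGRESS primegen + 10 20' \
                  '[GNUPG:] KEY_CREATED P 0123456789ABCDEF0123456789ABCDEF01234567'
}

if [ "${1:-}" = "--run" ]; then
    make_smartcard_key "$2"               # e.g. ./mkkey.sh --run "Alice <alice@example.org>"
else
    sample_status | extract_primary_fpr   # dry run on the constructed sample
fi
```

Run with --run and a user ID to create the keys; without arguments it only exercises the status-line parser on the constructed sample.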

werner edited projects, added gnupg (gpg23); removed Bug Report. May 14 2019, 8:44 AM
werner triaged this task as Normal priority.
werner added a subscriber: werner.

I anyway plan to extend the --quick-gen-key parameters to allow the specification of several subkeys on the command line.