Page MenuHome GnuPG
Create Task
Maniphest T4514

Batch mode/unattended key generation: support multiple subkeys
Open, NormalPublic
Actions

Description

As it stands, the unattended key generation only allows one to have a single subkey specified in the parameter file. It is limited and assumes there can only be one subkey.

However, we know that an OpenPGP smartcard has three slots: for sign, encrypt, and authenticate. For those who wish to have an auth subkey (e.g. to use as an SSH identity), this means the key generation interface is ill-suited for smartcard keys.

Consider this a feature request for the unattended key generation interface in batch mode to support an unlimited number of additional subkeys. I would propose the parameters to be termed Subkey[n]-(Type|Length|Usage) etc. unless someone can think of something more clever.

To create a key meant to be transferred to a smartcard and fill all three slots, it might look something like this:

Key-Type: RSA
Key-Length: 4096
Key-Usage: cert,sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Subkey2-Type: RSA
Subkey2-Length: 4096
Subkey2-Usage: auth

To illustrate, I wrote a patch that grants me this option; but bear in mind I'm highly amateurish in C and am uncertain of its total correctness. Would greatly appreciate the effort of GnuPG developers towards this feature.

Likewise, this scheme should be supported by the "default-new-key-algo" and/or "default_pubkey_algo" which is currently rsa3072/cert,sign+rsa3072/encr—it should be possible to specify rsa4096/cert,sign+rsa4096/encr+rsa4096/auth.

Details

Version
2.2.15

Event Timeline

ageis created this task.May 14 2019, 5:18 AM
ageis updated the task description. (Show Details)
ageis updated the task description. (Show Details)May 14 2019, 5:32 AM
dkg added a subscriber: dkg.May 14 2019, 7:55 AM

I think you'll be better off doing this with the simpler --quick-generate-key and --quick-add-key interfaces, rather than hacking on the domain-specific language used by --batch --generate-key.

the main trick there is using --status-fd or --status-file to extract the generated fingerprint from --quick-generate-key so that it can be used by --quick-add-key subsequently, but this should be relatively easy by comparison.

werner triaged this task as Normal priority.May 14 2019, 8:44 AM
werner edited projects, added gnupg (gpg23); removed Bug Report.
werner added a subscriber: werner.

I anyway plan to extend the --quick-gen-key parameters to allow the specification of several subkeys on the command line.

matheusmoreira added a subscriber: matheusmoreira.May 14 2019, 2:04 PM
ageis added a comment.EditedMar 28 2021, 8:08 AM

Hey @wener.. As I mentioned in the original post, there's a default-new-key-algo setting... Is it still not possible to use specify something like "rsa4096/cert,rsa4096/encr,rsa4096/sign,rsa4096/auth"?? Would love to see some progress on this. Glad to help test.

werner added a project: gnupg24.Dec 13 2022, 11:21 AM