
default-key could take a list of keys to try
Closed, ResolvedPublic

Description

I'd like to share my gpg.conf between multiple machines. It seems entirely
machine-independent, except that it has the key-specific default-key and
encrypt-to options. While a user with a single private key could omit
default-key and gnupg would guess correctly, Werner Koch suggested that users
should not do that, as it makes gnupg less robust, such as if another private
key gets imported.

To solve this problem, what if default-key took a list of key IDs to try? It
could then select as the default key the first key ID for which gnupg has the
corresponding private key. That would allow a single configuration that said
"If I have my secure private key, use that, otherwise use my somewhat-secure
work key."

I will file a separate issue about solving encrypt-to.

Details

Due Date
Sep 30 2013, 2:00 AM

Event Timeline

I was first thinking about

default-key-x $GPG_DEFAULT_KEY

with GPG_DEFAULT_KEY being an envvar. However, your suggestion also makes sense.

I need to see how this can be implemented in a compatible way. Probably a new
option default-key-list needs to be used.

werner set Due Date to Nov 30 2008, 1:00 AM. (Sep 30 2008, 8:09 PM)
werner changed Due Date from Nov 30 2008, 1:00 AM to Jan 30 2009, 1:00 AM. (Dec 5 2008, 6:00 PM)
werner changed Due Date from Jan 30 2009, 1:00 AM to Sep 30 2013, 2:00 AM. (Apr 22 2013, 9:55 AM)

I implemented this as follows: it is possible to specify --default-key multiple
times. The last specified key for which a secret key is available is taken. If
multiple such keys are available, the others are simply ignored. The patch is a
bit noisy, because we need to pass the ctrl structure around. But, I've tested
it as follows:

  gpg2 -a -s --default-key 58859975EE37CF96 --default-key 58859975EE37CF95

and it correctly takes the 96 key, which is available (95 is not).

Werner: thoughts?
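The selection rule described in the comment above (several default-key entries, the last one backed by a secret key wins) differs from the ordering proposed in the task description (first available key wins). The following Python simulation is an added example, not GnuPG's code and not part of this task; it shows how one shared gpg.conf resolves to a different key on each machine under both rules. The fingerprints and the gpg.conf text are constructed samples; key specs are assumed to be hex short/long key IDs or full fingerprints, matched as suffixes of the fingerprint (user-ID specs, which gpg also accepts, are deliberately not modelled).

```python
"""Simulate how several default-key lines resolve to one signing key."""
import re

# Constructed sample fingerprints (not real keys). The last 16 hex digits are
# the long key IDs used in the comment above; the last 8 are the short IDs.
SECURE_KEY_FPR = "0123456789ABCDEF0123456758859975EE37CF96"
WORK_KEY_FPR = "FEDCBA9876543210FEDCBA9858859975EE37CF95"

# Constructed gpg.conf shared between machines; the preferred key is listed first.
SHARED_GPG_CONF = """\
# shared between laptop and workstation (constructed sample)
keyid-format 0xlong
default-key 0x58859975EE37CF96
default-key 58859975EE37CF95
"""

# Optional 0x prefix, then a short ID, long ID or full v4 fingerprint.
HEX_KEY_SPEC = re.compile(r"^(0x)?([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$")


def parse_default_keys(conf_text):
    """Return the value of every 'default-key' line, in file order."""
    specs = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0] == "default-key" and len(parts) == 2:
            specs.append(parts[1].strip())
    return specs


def matching_secret_key(spec, secret_fprs):
    """Return the fingerprint of the secret key that spec names, or None.

    Assumption: only hex key IDs / fingerprints are handled, and a spec that
    matches more than one secret key is treated as ambiguous (None).
    """
    m = HEX_KEY_SPEC.match(spec)
    if not m:
        return None
    needle = m.group(2).upper()
    hits = [fpr for fpr in secret_fprs if fpr.upper().endswith(needle)]
    return hits[0] if len(hits) == 1 else None


def resolve_default_key(conf_text, secret_fprs, policy="last"):
    """Pick the default key from several default-key lines.

    policy="last": the behaviour described in the comment above, the last
    candidate for which a secret key exists wins.
    policy="first": the preference order proposed in the description, the
    first available candidate wins.
    Returns the chosen fingerprint, or None when no candidate is available.
    """
    available = []
    for spec in parse_default_keys(conf_text):
        fpr = matching_secret_key(spec, secret_fprs)
        if fpr is not None:
            available.append(fpr)
    if not available:
        return None
    return available[-1] if policy == "last" else available[0]


if __name__ == "__main__":
    machines = {
        "laptop (secure key only)": [SECURE_KEY_FPR],
        "workstation (work key only)": [WORK_KEY_FPR],
        "both keys present": [SECURE_KEY_FPR, WORK_KEY_FPR],
        "no matching secret key": [],
    }
    for name, secrets in machines.items():
        for policy in ("last", "first"):
            chosen = resolve_default_key(SHARED_GPG_CONF, secrets, policy)
            print(f"{name:28s} policy={policy:5s} -> {chosen}")
```

Running the script shows the point of the thread: on a machine holding only one of the two secret keys both rules agree, and the shared configuration stays correct; the rules only diverge when both secret keys are present, where "last" picks the work key and "first" picks the secure key, so the order in which the lines are written in gpg.conf has to match the rule the installed gpg implements.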

neal claimed this task.

Committed in e16d716.