As it stands, the [[ https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html | unattended key generation ]] only allows one to have a single subkey specified in the parameter file. It is limited and assumes there can only be one subkey.
However, we know that an [[ https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.3.pdf | OpenPGP smartcard ]] has three slots: for //sign//, //encrypt//, and //authenticate//. For those who wish to have an auth subkey (e.g. to use as an SSH identity), this means the key generation interface is ill-suited for smartcard keys.
Consider this a feature request for the unattended key generation interface in batch mode to support an unlimited number of additional subkeys. I would propose the parameters to be termed `Subkey[n]-(Type|Length|Usage)` etc. unless someone can think of something more clever.
To create a key meant to be transferred to a smartcard and fill all three slots, it might look something like this:
```
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert,sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Subkey2-Type: RSA
Subkey2-Length: 4096
Subkey2-Usage: auth
```
To illustrate, I wrote [[ https://git.cointel.pro/FOSS/gnupg2/commit/0b7faa8a5b8942565410f5f30a6ecb1f7f7eb6ab | a patch ]] that grants me this option; but bear in mind I'm highly amateurish in C and am uncertain of its total correctness. Would greatly appreciate the effort of GnuPG developers towards this feature.
Likewise, this scheme should be supported by the "default-new-key-algo" and/or "default_pubkey_algo" which is currently `rsa3072/cert,sign+rsa3072/encr`—it should be possible to specify `rsa4096/cert,sign+rsa4096/encr+rsa4096/auth`.
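
The proposed `Subkey[n]-*` parameters and the `default-new-key-algo` string describe the same key set, so one can be derived from the other. The following Python is an added example, not part of the original request and not GnuPG code: it parses the proposed parameter syntax (which GnuPG does not accept today), renders the equivalent algo string, and reports which smartcard slots would stay empty. The function names are hypothetical.

```python
import re

# Constructed sample: the parameter block proposed in the request above.
SAMPLE = """\
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert,sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Subkey2-Type: RSA
Subkey2-Length: 4096
Subkey2-Usage: auth
"""

FIELD = re.compile(r"^(Key|Subkey([1-9]\d*)?)-(Type|Length|Usage):\s*(\S.*?)\s*$", re.I)
CARD_SLOTS = {"sign", "encr", "auth"}  # card slots; the algo string spells encrypt "encr"

def parse_params(text):
    """Group Key-* and Subkey[n]-* lines into key specs, primary key first."""
    keys = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith(("#", "%")):
            continue  # blank line, comment or control statement
        m = FIELD.match(line.strip())
        if not m:
            raise ValueError(f"line {lineno}: unrecognised parameter {line!r}")
        prefix, n, field, value = m.groups()
        index = 0 if prefix.lower() == "key" else int(n or 1)  # Subkey == Subkey1
        spec = keys.setdefault(index, {})
        if field.lower() in spec:
            raise ValueError(f"line {lineno}: duplicate {prefix}-{field}")
        spec[field.lower()] = value
    if 0 not in keys:
        raise ValueError("no primary Key-* block")
    specs = [keys[i] for i in sorted(keys)]
    for spec in specs:
        if spec.keys() != {"type", "length", "usage"}:
            raise ValueError(f"incomplete key block: {spec}")
        spec["usage"] = ["encr" if u == "encrypt" else u
                         for u in re.split(r"[\s,]+", spec["usage"].lower())]
    return specs

def to_algo_string(specs):
    """Render specs in the form rsa4096/cert,sign+rsa4096/encr+..."""
    return "+".join(f"{s['type'].lower()}{s['length']}/{','.join(s['usage'])}" for s in specs)

def missing_card_slots(specs):
    """Card slots (sign, encr, auth) that no key in the set would fill."""
    return CARD_SLOTS - {u for s in specs for u in s["usage"]}
```

Run against a parameter file that has only the single `Subkey-*` block, `missing_card_slots` returns `{"auth"}`, which is the gap this request describes.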