Change Details

As it stands, the [[ https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html | unattended key generation ]] only allows one to have a single subkey specified in the parameter file. It is limited and assumes there can only be one subkey. However, we know that an [[ https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.3.pdf | OpenPGP smartcard ]] has three slots: for sign, encrypt, and authenticate. For those who wish to have an auth subkey (e.g. to use as an SSH identity), this means the key generation interface is ill-suited for smartcard keys. Consider this a feature request for the unattended key generation interface in batch mode to support an unlimited number of additional subkeys. I would propose the parameters to be termed `Subkey[n]-(Type|Length|Usage)` etc. unless someone can think of something more clever. To create a key meant to be transferred to a smartcard and fill all three slots, it might look something like this: ``` Key-Type: RSA Key-Length: 4096 Key-Usage: cert,sign Subkey-Type: RSA Subkey-Length: 4096 Subkey-Usage: encrypt Subkey2-Type: RSA Subkey2-Length: 4096 Subkey2-Usage: auth ``` To illustrate, I wrote [[ https://git.cointel.pro/FOSS/gnupg2/commit/0b7faa8a5b8942565410f5f30a6ecb1f7f7eb6ab | a patch ]] that grants me this option; but bear in mind I'm highly amateurish in C and am uncertain of its total correctness. Would greatly appreciate the effort of GnuPG developers towards this feature.

As it stands, the [[ https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html | unattended key generation ]] only allows one to have a single subkey specified in the parameter file. It is limited and assumes there can only be one subkey. However, we know that an [[ https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.3.pdf | OpenPGP smartcard ]] has three slots: for //sign//, //encrypt//, and //authenticate//. For those who wish to have an auth subkey (e.g. to use as an SSH identity), this means the key generation interface is ill-suited for smartcard keys. Consider this a feature request for the unattended key generation interface in batch mode to support an unlimited number of additional subkeys. I would propose the parameters to be termed `Subkey[n]-(Type|Length|Usage)` etc. unless someone can think of something more clever. To create a key meant to be transferred to a smartcard and fill all three slots, it might look something like this: ``` Key-Type: RSA Key-Length: 4096 Key-Usage: cert,sign Subkey-Type: RSA Subkey-Length: 4096 Subkey-Usage: encrypt Subkey2-Type: RSA Subkey2-Length: 4096 Subkey2-Usage: auth ``` To illustrate, I wrote [[ https://git.cointel.pro/FOSS/gnupg2/commit/0b7faa8a5b8942565410f5f30a6ecb1f7f7eb6ab | a patch ]] that grants me this option; but bear in mind I'm highly amateurish in C and am uncertain of its total correctness. Would greatly appreciate the effort of GnuPG developers towards this feature.

As it stands, the [[ https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html | unattended key generation ]] only allows one to have a single subkey specified in the parameter file. It is limited and assumes there can only be one subkey. However, we know that an [[ https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.3.pdf | OpenPGP smartcard ]] has three slots: for //sign//, //encrypt//, and //authenticate//. For those who wish to have an auth subkey (e.g. to use as an SSH identity), this means the key generation interface is ill-suited for smartcard keys. Consider this a feature request for the unattended key generation interface in batch mode to support an unlimited number of additional subkeys. I would propose the parameters to be termed `Subkey[n]-(Type|Length|Usage)` etc. unless someone can think of something more clever. To create a key meant to be transferred to a smartcard and fill all three slots, it might look something like this: ``` Key-Type: RSA Key-Length: 4096 Key-Usage: cert,sign Subkey-Type: RSA Subkey-Length: 4096 Subkey-Usage: encrypt Subkey2-Type: RSA Subkey2-Length: 4096 Subkey2-Usage: auth ``` To illustrate, I wrote [[ https://git.cointel.pro/FOSS/gnupg2/commit/0b7faa8a5b8942565410f5f30a6ecb1f7f7eb6ab | a patch ]] that grants me this option; but bear in mind I'm highly amateurish in C and am uncertain of its total correctness. Would greatly appreciate the effort of GnuPG developers towards this feature.