controlling the use of subkeys

Robert J. Hansen rjh at sixdemonbag.org
Sat Dec 23 20:51:01 CET 2006


Mike Frysinger wrote:
> i do signing of Gentoo packages and historically i would just 
> generate a new key and sign that with my normal public one ... when 
> the last one expired, i decided to try and use subkeys

This may be bad policy on your part.  The average Gentoo user is not
going to be an expert on cryptography or the OpenPGP protocol.  Keeping
things as simple as possible for them is probably better than getting
clever with subkeys, especially since there are some interesting edge
cases there.

> so my main key i get everyone to sign is E837F581 and i use that when
>  signing my e-mails ... i created a new subkey just for signing
> Gentoo packages and that is 205D3103

Generally speaking, people don't sign keys; they sign user IDs.

> ... now when i sign e-mails or files, my main key is no longer used,
> just my subkey ... how can i control this behavior ?

Use the "!" symbol to explicitly specify a subkey.  E.g.,

"gpg -u 0x205D3103! --clearsign ..."

I would suggest rethinking your strategy, however.
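
The selection behaviour discussed in this message, as an added example that is not part of the original post: it builds a throwaway keyring and reports which key gpg actually signs with when "!" is present or absent. It assumes GnuPG 2.1 or later; the user ID, the ed25519 algorithm choice and the use of full fingerprints instead of the short key IDs quoted above are constructed for the demo.

```shell
#!/bin/sh
# Added demo: which key does gpg sign with, with and without the "!" suffix?
# Everything here is constructed: a throwaway keyring in a temp directory.
DEMO_UID='Subkey Demo <demo@example.invalid>'   # constructed identity

# Print the fingerprint that follows the first record of type $1 (pub or sub).
fpr_after() {
    gpg --batch --with-colons --list-keys "$DEMO_UID" |
        awk -F: -v t="$1" '$1 == t {hit = 1} hit && $1 == "fpr" {print $10; exit}'
}

setup_keyring() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    # Primary key (certify + sign), no passphrase, no expiry.
    gpg --batch --quiet --passphrase '' \
        --quick-generate-key "$DEMO_UID" ed25519 sign never || return 1
    PRIMARY_FPR=$(fpr_after pub)
    # Dedicated signing subkey, like the package-signing subkey in the thread.
    gpg --batch --quiet --passphrase '' \
        --quick-add-key "$PRIMARY_FPR" ed25519 sign never || return 1
    SUBKEY_FPR=$(fpr_after sub)
}

# Clearsign a constructed message as "-u $1" and print the fingerprint gpg
# reports in its SIG_CREATED status line (the key that made the signature).
signer_of() {
    printf 'constructed test message\n' |
        gpg --batch --quiet --status-fd 3 -u "$1" --clearsign 3>&1 >/dev/null |
        awk '$2 == "SIG_CREATED" {print $NF}'
}

cleanup_keyring() {
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
}

demo() {
    setup_keyring || return 1
    echo "no suffix   -> $(signer_of "$PRIMARY_FPR")"
    echo "primary + ! -> $(signer_of "${PRIMARY_FPR}!")"
    echo "subkey  + ! -> $(signer_of "${SUBKEY_FPR}!")"
    cleanup_keyring
}

if [ "${1:-}" = "--run" ]; then demo; fi
```

Run the script with `--run` to print the three results; without a suffix gpg picks the signing subkey, which is why verifiers of a release signature need to be checking against the subkey as well as the primary.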
