Automating the generation of master keys

Dashamir Hoxha dashohoxha at gmail.com
Wed Jun 1 12:47:31 CEST 2016


On Wed, Jun 1, 2016 at 10:56 AM, Aurélien Vallée <vallee.aurelien at gmail.com>
wrote:
>
> So "cert" is a default for primary-keys. If I do not provide any
> "Key-Usage", all usages will be set. If I do provide a "Key-Usage", then my
> master key is not "certify only" anymore.
>

I think that certify and sign are very similar, so it doesn't hurt if the
primary key is both "cert" and "sign".
I do it in batch mode like this:
 - https://github.com/dashohoxha/egpg/blob/gnupg-2.0/src/cmd/key/gen.sh#L42

Anyway, I generate a sign-only subkey later, and gnupg-2.0 picks by default
the latest sign subkey, when it comes to signing, so the primary key
normally will not be used for signing (which is what you want).


> Currently, I fall back to writing an expect script to automate the key
> generation. The handling of passphrases input with possibly different
> pinentry programs makes the expect script insane to read and fragile in
> practice.
>

I use the script above for automatic (batch) key generation.
If you don't mind, can you share your expect script?

Regards,
Dashamir
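
Added example, not part of the original message and not the egpg script linked in it: a batch parameter file that sets the primary key's Key-Usage explicitly and creates a sign-only subkey in the same run, plus a check that reads the primary key's capability flags back from `gpg --with-colons --list-keys` so the result is verified rather than assumed. The identity, key sizes, expiry, key IDs and sample listings are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Name, e-mail, key sizes, expiry and key IDs are constructed.

# Print a GnuPG batch parameter file. $1 is the primary Key-Usage,
# e.g. "cert" (certify-only) or "cert,sign". A sign-only subkey is
# created in the same run via Subkey-Usage.
# Passphrase handling differs between GnuPG versions and is not shown.
write_params() {
    cat <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: $1
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: sign
Name-Real: Test User
Name-Email: test@example.org
Expire-Date: 1y
%commit
EOF
}

# Generate the key unattended (requires gpg; not called automatically).
gen_key() {
    params=$(mktemp) || return 1
    write_params "$1" > "$params"
    gpg --batch --gen-key "$params"
    rc=$?
    rm -f "$params"
    return $rc
}

# Read `gpg --with-colons --list-keys` output on stdin and print the
# primary key's own capabilities. Field 12 of the "pub" record holds
# them in lowercase; uppercase letters describe the key as a whole.
primary_caps() {
    awk -F: '$1 == "pub" { print $12 }' | tr -d '[:upper:]'
}

# Succeeds only if the primary key can certify and nothing else.
is_certify_only() {
    [ "$(primary_caps)" = "c" ]
}

# Constructed sample listings: certify-only primary, then cert+sign primary.
SAMPLE_CERT_ONLY='pub:u:4096:1:0123456789ABCDEF:1464777600:1496313600::u:::cSC:
sub:u:4096:1:FEDCBA9876543210:1464777600:1496313600:::::s:'
SAMPLE_CERT_SIGN='pub:u:4096:1:0123456789ABCDEF:1464777600:1496313600::u:::scSC:'
```

After `gen_key cert`, piping `gpg --with-colons --list-keys` into `is_certify_only` shows whether the installed GnuPG honoured the requested usage.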