how to configure default sign key for particular user?
Scott Mcdermott
scott at smemsh.net
Mon May 9 21:28:46 CEST 2016
Robert J. Hansen on 2016/05/08 -0400 @22:12:11:
> > Otherwise, any application [which knows only username/email]
> > has to be know also the specific keyid to override gpg's
> > default selection (which I'm guessing is the first key in
> > the keyring); this seems wrong...
>
> It is wrong. You should file a bug with the software package
> which is mistakenly using UIDs as unique identifiers, as they
> are not.
Any such application, and myself, would never claim that a
userid was unique. A key is chosen if not specified; gpg
already has an algorithm to do this. If it was wrong to choose
a key, then gpg should bomb out if a uid is given instead of a
full key id, and furthermore there should be no default-key
configuration option at all.
Instead, what it does is to select a key; probably, it uses the
first key found in the keyring that matches the uid.
> > it should be configurable in gpg
>
> Probably not. The bug is in the software package you're
> using, not GnuPG. Adding new features to a package to remedy
> the brokenness of another package is usually
> counterproductive.
There is a configurable 'default-key' already for a reason: to
instruct gpg what to do if an application asks to sign
something, but doesn't specify the userid at all. The
information about default key preferences should be kept in gpg,
not every single application.
Here we have a case where *more* information is provided than
none (which is the case when 'default-key' is used), i.e.
userid, but less information is provided than the specific
keyid. In such a case, a default should be configurable.
Possibly, gpg could overload default-key based on how many args:
default-key uid1 keyid1
default-key uid2 keyid2
default-key keyid3
If no userid is specified, keyid3 is chosen, otherwise the
specified keyid is chosen. If an unconfigured uid is specified,
the current algorithm is used (presumably first on keyring --
although I personally think this should be last on keyring for
signing, but that's a separate matter).
--
Scott
More information about the Gnupg-users
mailing list