Utilizing facts of homedir organization (was: Exact definition of token S/N field for --with-colons)
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sun Sep 23 22:19:22 CEST 2018
On Sun 2018-09-23 18:18:13 +0200, Peter Lebbing wrote:
> The intent of this mail is not to ask whether something works. This can
> be easily verified. It's asking whether it is a supported way of doing
> things. I hope I can get some guidance on this!
I appreciate that you're asking for clarification about what is the
scope of GnuPG's "API", such as it is. We do need more clarity here.
i don't have the authority to answer your questions about the contents
of ~/.gnupg/private-keys-v1.d/, but i'd always thought that the
internals of ~/.gnupg/ were *not* part of the "API", and generally
should not be relied upon. I hope that Werner or someone else more
closely related to the project can clarify here.
> While I'm at it: there are conflicting opinions on whether it is okay to
> build a keyring using:
> $ gpg --export SOMEKEY >pubring.gpg
> instead of:
> $ gpg --export SOMEKEY | gpg --no-default-keyring --keyring ./pubring.kbx
>
> Can we also get official guidance on that; is the former acceptable?
> (FWIW, I've always thought it was not.)
The former statement is a way to create a simple, exported OpenPGP
"transferable public key" (TPK) of the form described in RFC 4880. This
is the most interoperable form, if you're looking to export a specific
key for transfer into any other implementation (including other versions
of GnuPG). This is not only "acceptable" but it is normal,
standardized, and widely interoperable.
Traditionally, GnuPG keyrings have been just a linear concatenation of
TPKs interspersed with "Trust Packets". The more modern keybox (the
default in 2.1 and going forward) is different from that format, though.
The latter statement doesn't even have a GnuPG command on the tail end
of the pipe, but i assume you intended for it to be --import. is that
right?
In that case, it creates a keyring of whatever format the current
version of gpg uses by default. But the real question is: why do you
need this, and what do you intend to do with it? creating a keyring for
a specific version of GnuPG may be useful in some contexts, but it's
also pretty dicey to use in many other contexts.
Perhaps explaining what you're looking to do with this file you're
creating would help to decide whether the latter form is better for your
purpose.
Regards,
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20180923/ffb64363/attachment.sig>
More information about the Gnupg-users
mailing list