Mailing List Archive

Pass expiration date param to subkey only via unattended key generation
Dear All,

Context:
https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html

A script will create on demand GPG keys unattended that will be further
used to automatically sign a document, but the requirement is that they
must also include an Encryption subkey to receive feedback securely.

Question is: keys can be generated unattended just fine, except I did
not find a clear way to pass an Expire date param to the encryption
subkey only, and not the primary key as well. The requirement is that
the primary key must NEVER expire and the encryption subkey MUST expire
in 2 years.

Example:

Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign, cert, auth
Name-Real: Test
Name-Email: test@test.com
Expire-Date: 0
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt

How to pass an expiration date ONLY for the encryption subkey while
leaving the primary key with no expiration date?

(I know that this goal can be later achieved by using $ gpg --edit-key
but I am looking for a solution within the unattended key generation itself)
Re: Pass expiration date param to subkey only via unattended key generation
On Wed, 5 Oct 2022 00:21, s7r said:

> Question is: keys can be generated unattended just fine, except I did
> not find a clear way to pass an Expire date param to the encryption
> subkey only, and not the primary key as well. The requirement is that

Use

gpg --quick-gen-key --batch test@test.com ed25519 sign,cert

and then

gpg --quick-add-key --batch FINGERPRINT cv25519 encr 2y

Use --status-fd to get status lines which will return you the
fingerprint from the first command. You might also want to use --yes to
allow creating a key with an already existing name or
--passphrase "mysecret" to avoid the pinentry.

(commands typed from memory so you may need to consult the man page.)



Salam-Shalom,

Werner


--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
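The two-step procedure above, scripted end to end as an added example (not code from the thread or from GnuPG): the first command runs with --status-fd so its KEY_CREATED status line yields the primary fingerprint, which the second command then uses to add the two-year encryption subkey. The user id, passphrase and GNUPGHOME handling are assumptions for illustration.

```shell
#!/bin/sh
# Added example: chain --quick-gen-key and --quick-add-key so the primary
# key never expires while the encryption subkey expires in 2 years.
# Assumes gpg 2.1 or later and a throwaway GNUPGHOME exported by the caller.
set -eu

# Pull the fingerprint out of --status-fd output. On success gpg emits
# "[GNUPG:] KEY_CREATED <P|S|B> <fingerprint>"; the fingerprint is field 4.
fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "KEY_CREATED" { print $4; exit }'
}

# make_keys USER-ID PASSPHRASE  -> prints the primary fingerprint
make_keys() {
    uid="$1"; pass="$2"

    # Primary key: ed25519, sign+cert only, expire argument 0 = never.
    # --status-fd 1 sends status lines to stdout so they can be captured;
    # --batch/--yes/--passphrase/loopback avoid any pinentry prompt.
    fpr=$(gpg --batch --yes --pinentry-mode loopback --passphrase "$pass" \
              --status-fd 1 \
              --quick-gen-key "$uid" ed25519 sign,cert 0 \
          | fpr_from_status)
    [ -n "$fpr" ] || { echo "no KEY_CREATED status line seen" >&2; return 1; }

    # Encryption subkey: cv25519, usage encr, expires in two years.
    # The primary key's (non-)expiry is left untouched.
    gpg --batch --yes --pinentry-mode loopback --passphrase "$pass" \
        --quick-add-key "$fpr" cv25519 encr 2y

    printf '%s\n' "$fpr"
}

# Only touch a keyring when invoked with arguments, e.g.
#   GNUPGHOME=$(mktemp -d) ./make_keys.sh 'Test <test@test.com>' mysecret
if [ "$#" -ge 2 ]; then
    make_keys "$1" "$2"
fi
```

Check the result with `gpg --list-keys --with-subkey-fingerprints`: the primary line should show no expiry and the `sub` line an expiry two years out.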
Re: Pass expiration date param to subkey only via unattended key generation
> Use
>
> gpg --quick-gen-key --batch test@test.com ed25519 sign,cert
>
> and then
>
> gpg --quick-add-key --batch FINGERPRINT cv25519 encr 2y
>

Thank you very much!
I will see how I can apply this, in a single sh script with the
unattended key generation as well. The thing is I "feed" the private key
material to gnupg for generation, the key is not generated randomly.

Isn't it wise to add a "Subkey-Expire-Date:" param that will map to
pSUBKEYEXPIRE (I can see there is a pSUBKEYEXPIRE from browsing the
code)? That will only touch the subkey itself, without caring about the
primary key? Or it doesn't work like this?