
gpg --card-status
Example output with line numbers:

01 Reader ...........: Yubico YubiKey CCID 00 00
02 Application ID ...: D2760001240103040006186980150000
03 Application type .: OpenPGP
04 Version ..........: 3.4
05 Manufacturer .....: Yubico
06 Serial number ....: 18698015
07 Name of cardholder: [not set]
08 Language prefs ...: [not set]
09 Salutation .......:
10 URL of public key : [not set]
11 Login data .......: [not set]
12 Signature PIN ....: not forced
13 Key attributes ...: rsa4096 rsa4096 rsa4096
14 Max. PIN lengths .: 127 127 127
15 PIN retry counter : 3 0 3
16 Signature counter : 0
17 KDF setting ......: off
18 Signature key ....: 7A0F E73D DB74 4F0F 9734 1DA7 1BE3 49D1 1B6E D589
19       created ....: 2023-06-29 03:50:43
20 Encryption key....: DBBD 3239 D0F1 4326 808D FC8F 7CC0 2D68 D2E3 1736
21       created ....: 2023-06-29 03:50:43
22 Authentication key: 7A0F E73D DB74 4F0F 9734 1DA7 1BE3 49D1 1B6E D589
23       created ....: 2023-06-29 03:50:43
24 General key info..: pub  rsa4096/1BE349D11B6ED589 2023-06-29 Felix E. Klee (YubiKey) <yubikey@f76.eu>
25 sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires: never
26                                 card-no: 0006 18698015
27 ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires: never
28                                 card-no: 0006 18698015
29 ssb#  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires: never

Lines 18, 20, 22: Fingerprint. I read somewhere that this is a hash of the
key. But of which one? The public key? The private key? What hash
function?

Line 25: “sec>” means secret primary key. Where does the key ID come
from? Is it read from the card? Or is it read from the public key ring on
disk?

Line 27: “ssb>” means secret sub key.

Line 29: “ssb#” means secret sub key, but without the matching secret
key on the card. This I just learned from Ingo Klöcker in another
thread.

If there is any authoritative documentation, please let me know! So far,
I’ve puzzled the info together, piece by piece from various resources on
the web.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg --card-status
On Saturday, 30 December 2023 23:30:39 CET Felix E. Klee wrote:
> Line 25: “sec>” means secret primary key. Where does the key ID come
> from? Is it read from the card? Or is it read from the public key ring on
> disk?
>
> Line 27: “ssb>” means secret sub key.
>
> Line 29: “ssb#” means secret sub key, but without the matching secret
> key on the card. This I just learned from Ingo Klöcker in another
> thread.

The meaning of ">" and "#" is documented in the description of the command
`--list-secret-keys` in the manual page of gpg.

Regards,
Ingo
Re: gpg --card-status
On Sunday, December 31, 2023 at 05:34:42 p.m. +0100, Ingo Klöcker wrote:

> On Saturday, 30 December 2023 23:30:39 CET Felix E. Klee wrote:
> > Line 25: “sec>” means secret primary key. Where does the key ID come
> > from? Is it read from the card? Or is it read from the public key ring on
> > disk?
> >
> > Line 27: “ssb>” means secret sub key.
> >
> > Line 29: “ssb#” means secret sub key, but without the matching secret
> > key on the card. This I just learned from Ingo Klöcker in another
> > thread.
>
> The meaning of ">" and "#" is documented in the description of the command
> `--list-secret-keys` in the manual page of gpg.
>
> Regards,
> Ingo

It seems from the man page that only '#' is documented:

man gpg
...
--list-secret-keys

-K List all keys from the secret keyrings, or just the ones given
on the command line. A # after the letters sec means that the
secret key is not usable (for example, if it was created via
--export-secret-subkeys).

What does '>' mean?

Thanks

matthias

--
Matthias Apitz, guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.
Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

Re: gpg --card-status
On Monday, 1 January 2024 20:33:28 CET Matthias Apitz wrote:
> It seems from the man page that only '#' is documented:

Must be an older version. The manual page of GnuPG 2.4.3 reads:

-K List the specified secret keys. If no keys are specified, then
all known secret keys are listed. A # after the initial tags sec or ssb means
that the secret key or subkey is currently not usable. We also say that this
key has been taken offline (for example, a primary key can be taken offline by
exporting the key using the command --export-secret-subkeys). A > after
these tags indicate that the key is stored on a smartcard. See also
--list-keys.

Regards,
Ingo
Re: gpg --card-status
On Monday, January 01, 2024 at 09:10:01 p.m. +0100, Ingo Klöcker wrote:

> On Monday, 1 January 2024 20:33:28 CET Matthias Apitz wrote:
> > It seems from the man page that only '#' is documented:
>
> Must be an older version. The manual page of GnuPG 2.4.3 reads:

You are correct:

$ gpg --version | grep ^gpg
gpg (GnuPG) 1.4.23
$ man gpg | col -b | grep -A5 -- -K
-K List all keys from the secret keyrings, or just the ones given
on the command line. A # after the letters sec means that the
secret key is not usable (for example, if it was created via
--export-secret-subkeys).


$ gpg2 --version | grep ^gpg
gpg (GnuPG) 2.4.3
$ man gpg2 | col -b | grep -A5 -- -K
-K List the specified secret keys. If no keys are specified, then
all known secret keys are listed. A # after the initial tags
sec or ssb means that the secret key or subkey is currently not
usable. We also say that this key has been taken offline (for
example, a primary key can be taken offline by exporting the key
using the command --export-secret-subkeys). A > after these
...

Thanks

matthias

--
Matthias Apitz, guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.
Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

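The manual-page text quoted by Ingo above, and confirmed by Matthias from the 2.4.3 man page, describes how `gpg -K` flags a secret key that lives on a smartcard ('>') versus one that is only an offline stub ('#'). The following is an added example, not code from this thread or from GnuPG, that reads the same distinction from gpg's machine-readable listing, `gpg -K --with-colons --with-secret`, where the "S/N of a token" field carries the card's full OpenPGP application ID (AID) instead of a one-character marker, and that splits the AID into the version, manufacturer and serial number which `--card-status` shows on separate lines (Application ID, Version, Serial number, card-no). It assumes the colon-format field layout from GnuPG's doc/DETAILS; the sample listing is constructed (only the key IDs and the AID are taken from the thread, all other fields are made up), and the helper names are my own.

```python
"""The '>' / '#' distinction of `gpg -K`, read from the machine-readable
listing `gpg -K --with-colons --with-secret`.

Added example, not from the thread or from GnuPG.  Assumes the colon
format in GnuPG's doc/DETAILS: field 1 is the record type, field 5 the
long key ID, field 12 the capabilities, and field 15 the "S/N of a
token": the OpenPGP application ID (AID) of the card holding the key
(shown as '>' by -K), '#' for an offline stub (shown as '#'), or '+'
for a secret key on disk when --with-secret is given."""
import subprocess

# Constructed listing: key IDs and AID are the thread's, every other field is made up.
LISTING = """\
sec:u:4096:1:1BE349D11B6ED589:1688010643:::u:::scESC:::D2760001240103040006186980150000::::0:
ssb:u:4096:1:7CC02D68D2E31736:1688010643::::::e:::D2760001240103040006186980150000::::
ssb:u:4096:1:32B106F6877CC64B:1700611200::::::e:::#::::
"""


def decode_aid(aid: str) -> dict:
    """Split an OpenPGP card AID: RID D276000124, app 01, 2-byte version,
    2-byte manufacturer, 4-byte serial, 2 bytes reserved.  gpg prints
    manufacturer and serial together as 'card-no'."""
    aid = aid.upper()
    if len(aid) != 32 or not aid.startswith("D27600012401"):
        raise ValueError("not an OpenPGP card AID: %r" % aid)
    return {"version": "%d.%d" % (int(aid[12:14], 16), int(aid[14:16], 16)),
            "manufacturer": aid[16:20], "serial": aid[20:28],
            "card_no": aid[16:20] + " " + aid[20:28]}


def classify_secret_keys(listing: str) -> list:
    """One row per sec/ssb record with the marker -K would print and, for
    card-resident keys, the card-no the key is stubbed to."""
    rows = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb"):
            continue
        token = f[14] if len(f) > 14 else ""
        if token == "#":
            marker, card_no = "#", None          # offline stub (e.g. after --export-secret-subkeys)
        elif token in ("", "+"):
            marker, card_no = "", None           # secret key material on disk
        else:
            marker, card_no = ">", decode_aid(token)["card_no"]   # on a smartcard
        rows.append({"type": f[0], "keyid": f[4], "caps": f[11],
                     "marker": marker, "card_no": card_no})
    return rows


def keys_on_card(listing: str, serial: str) -> list:
    """Key IDs stubbed to the card with this serial, not merely to some card."""
    return [r["keyid"] for r in classify_secret_keys(listing)
            if r["marker"] == ">" and r["card_no"].endswith(serial)]


def live_listing() -> str:
    """Real listing from the local gpg; only meaningful where gpg is installed."""
    return subprocess.run(["gpg", "-K", "--with-colons", "--with-secret"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for r in classify_secret_keys(LISTING):
        print(r["type"] + r["marker"], r["keyid"], r["caps"], r["card_no"] or "")
```

The point of `keys_on_card` is that '>' only says the secret key is stubbed to some smartcard; the AID in the colon listing (or the card-no line in `--card-status`) says which one, so a script that wants to know whether the key is usable right now should compare that serial with the card that is actually inserted rather than trust the marker alone.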
Re: gpg --card-status
On Sat, Dec 30, 2023 at 11:30 PM Felix E. Klee <felix.klee@inka.de> wrote:
> Example output with line numbers:
>
> 01 Reader ...........: Yubico YubiKey CCID 00 00
> 02 Application ID ...: D2760001240103040006186980150000
> 03 Application type .: OpenPGP
> 04 Version ..........: 3.4
> 05 Manufacturer .....: Yubico
> 06 Serial number ....: 18698015
> 07 Name of cardholder: [not set]
> 08 Language prefs ...: [not set]
> 09 Salutation .......:
> 10 URL of public key : [not set]
> 11 Login data .......: [not set]
> 12 Signature PIN ....: not forced
> 13 Key attributes ...: rsa4096 rsa4096 rsa4096
> 14 Max. PIN lengths .: 127 127 127
> 15 PIN retry counter : 3 0 3
> 16 Signature counter : 0
> 17 KDF setting ......: off
> 18 Signature key ....: 7A0F E73D DB74 4F0F 9734 1DA7 1BE3 49D1 1B6E D589
> 19       created ....: 2023-06-29 03:50:43
> 20 Encryption key....: DBBD 3239 D0F1 4326 808D FC8F 7CC0 2D68 D2E3 1736
> 21       created ....: 2023-06-29 03:50:43
> 22 Authentication key: 7A0F E73D DB74 4F0F 9734 1DA7 1BE3 49D1 1B6E D589
> 23       created ....: 2023-06-29 03:50:43
> 24 General key info..: pub  rsa4096/1BE349D11B6ED589 2023-06-29 Felix E. Klee (YubiKey) <yubikey@f76.eu>
> 25 sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires: never
> 26                                 card-no: 0006 18698015
> 27 ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires: never
> 28                                 card-no: 0006 18698015
> 29 ssb#  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires: never

Thanks for all the input! My current state of knowledge is:

* Lines 18, 20, 22: Fingerprints identifying the secret keys stored on
the card.

A fingerprint is an SHA-1 hash of: corresponding public key + some
meta data

The fingerprints displayed on these lines are stored on the card.

* Lines 25, 27, 29: Information about availability of secret keys on
the card.

The numbers are long key IDs. A long key ID is the last 16
characters of a fingerprint.

The fingerprints displayed on these lines are generated from the
public keys stored on disk.

Here:

- sec: Secret primary key

- ssb: Secret sub key

- >: Secret key is available on the card

- #: Secret key is missing from the card

For a summary concerning how the fingerprints are calculated, I found:

https://blog.djoproject.net/2020/05/03/main-differences-between-a-gnupg-fingerprint-a-ssh-fingerprint-and-a-keygrip/

Please correct me where I’m wrong!

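Felix's two questions from the first post (what the fingerprints on lines 18, 20 and 22 are a hash of, and how the `rsa4096/…` key IDs on lines 25 to 29 relate to them) and the summary he gives above can be checked mechanically. The following is an added example, not code from this thread or from GnuPG. It implements the version-4 fingerprint of RFC 4880 section 12.2 (SHA-1 over the public-key packet, which includes the creation time, so the same RSA modulus with a different creation time gets a different fingerprint), derives the long key ID as the last 16 hex digits, and then parses `--card-status` output to confirm that every `sec>`/`ssb>` entry's key ID is the key ID of one of the card's three slots and that its `card-no` names the inserted card, while the `ssb#` entry is absent from the card. The embedded output is the one posted in this thread, abridged and with the line numbers removed; the function names and the RSA values used to exercise the fingerprint routine are my own, and keys of the newer versions defined in RFC 9580 (SHA-256, 32-byte fingerprint) are out of scope.

```python
"""Fingerprints versus key IDs in `gpg --card-status` output.

Added example, not from the thread or from GnuPG.  Assumes RFC 4880
section 12.2: a version-4 fingerprint is SHA-1 over the octet 0x99, a
two-octet packet length and the public-key packet body (version 4,
4-byte creation time, algorithm id, public MPIs); the long key ID is
its low 64 bits, i.e. the last 16 hex digits.  Newer key versions
(RFC 9580) use SHA-256 and a 32-byte fingerprint; not covered here."""
import hashlib
import re
import struct

# `gpg --card-status` as posted in the thread, abridged, line numbers removed.
CARD_STATUS = """\
Reader ...........: Yubico YubiKey CCID 00 00
Application ID ...: D2760001240103040006186980150000
Serial number ....: 18698015
Key attributes ...: rsa4096 rsa4096 rsa4096
Signature key ....: 7A0F E73D DB74 4F0F 9734 1DA7 1BE3 49D1 1B6E D589
      created ....: 2023-06-29 03:50:43
Encryption key....: DBBD 3239 D0F1 4326 808D FC8F 7CC0 2D68 D2E3 1736
      created ....: 2023-06-29 03:50:43
Authentication key: 7A0F E73D DB74 4F0F 9734 1DA7 1BE3 49D1 1B6E D589
      created ....: 2023-06-29 03:50:43
General key info..: pub  rsa4096/1BE349D11B6ED589 2023-06-29 Felix E. Klee (YubiKey) <yubikey@f76.eu>
sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires: never
                                card-no: 0006 18698015
ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires: never
                                card-no: 0006 18698015
ssb#  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires: never
"""

SLOT_RE = re.compile(r"^(Signature|Encryption|Authentication) key[ .]*:\s*"
                     r"((?:[0-9A-Fa-f]{4}\s*){10})", re.M)
RING_RE = re.compile(r"^\s*(sec|ssb)([>#]?)\s+\S+/([0-9A-Fa-f]{16})")
SERIAL_RE = re.compile(r"^Serial number[ .]*:\s*(\S+)", re.M)
CARDNO_RE = re.compile(r"card-no:\s*(\S+)\s+(\S+)")


def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit length, big-endian magnitude."""
    if n < 0:
        raise ValueError("MPIs are unsigned")
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def v4_fingerprint(created: int, algo: int, mpis) -> str:
    """Fingerprint of a v4 public key; algo 1 is RSA with MPIs (n, e)."""
    body = b"\x04" + struct.pack(">I", created) + bytes([algo]) + b"".join(mpi(m) for m in mpis)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The key ID gpg prints after 'rsa4096/': last 16 hex digits of the fingerprint."""
    return re.sub(r"\s", "", fingerprint).upper()[-16:]


def card_slot_key_ids(text: str) -> dict:
    """Slot name -> long key ID derived from the fingerprint stored on the card."""
    return {slot: long_key_id(fp) for slot, fp in SLOT_RE.findall(text)}


def keyring_entries(text: str) -> dict:
    """sec/ssb lines under 'General key info': marker ('>', '#' or none) and card-no."""
    entries, lines = {}, text.splitlines()
    for i, line in enumerate(lines):
        m = RING_RE.match(line)
        if not m:
            continue
        c = CARDNO_RE.search(lines[i + 1]) if i + 1 < len(lines) else None
        entries[m.group(3).upper()] = {"kind": m.group(1), "marker": m.group(2),
                                       "card_no": c.group(2) if c else None}
    return entries


def cross_check(text: str) -> dict:
    """Does each keyring entry's marker agree with what the inserted card holds?
    '>' must point at this card's serial and match a slot; anything else must not."""
    serial = SERIAL_RE.search(text).group(1)
    slots = set(card_slot_key_ids(text).values())
    report = {}
    for keyid, e in keyring_entries(text).items():
        on_card = keyid in slots
        claims_this_card = e["marker"] == ">" and e["card_no"] == serial
        report[keyid] = dict(e, on_card=on_card, consistent=(on_card == claims_this_card))
    return report


if __name__ == "__main__":
    for keyid, r in cross_check(CARD_STATUS).items():
        print(keyid, r["kind"] + r["marker"],
              "on this card" if r["on_card"] else "not on this card",
              "OK" if r["consistent"] else "MISMATCH")
```

Run against the thread's output, the signature and authentication slots both reduce to key ID 1BE349D11B6ED589 (line 25, `sec>`), the encryption slot to 7CC02D68D2E31736 (line 27, `ssb>`), and 32B106F6877CC64B (line 29, `ssb#`) matches no slot, which is exactly the picture the markers give. The same check is the one worth running after moving keys to a new card: a `>` whose card-no does not match the Serial number line means the keyring stub still points at the old card.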