Closed ghost closed 7 years ago
Nope - that's the reason you can store a URL on OpenPGP cards, so you can download the public key easily on a stranger's computer (or if you use them as part of building security, seen exactly one company do that). Either way, using `--export-secret-subkeys` will export an unprotected secret key for non-smartcard users (the hook works - with some modifications - for those users too)
I ended up taking a different approach to this since gpg 2.1.15 has started behaving oddly on my system when I bought a new Yubikey NEO. It refused to allow `--export-secret-keys` to work. So we are now attempting to export the secret key, and if it returns nothing (`egrep '.+'` fails) it will use `--export`.

Unfortunately, they still have not deprecated the stub functionality entirely - keys will still show up in `--list-secret-keys` even when gpg does not in fact have the secret key on hand. This is incorrect behavior IMHO - `gpg --export-secret-keys` should work for anything that shows up in `--list-secret-keys`, but should output a public key block with some flag set indicating a smartcard stub.
Until gpg is able to easily discern between local and smartcard-hosted secret keys the behavior will remain the same for now, including (unfortunately) the storage of unnecessary subkeys.
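The fallback described in the comment above, written out as an added example (this is not the hook from the thread or gpg's own code): try `--export-secret-keys` first, and if gpg prints nothing because only a smartcard stub is on disk, export the public key block with `--export` instead. The optional second argument is an assumption of this example so the logic can be exercised with a stand-in for gpg; the key id is a placeholder.

```shell
#!/bin/sh
# Export a key the way the workaround above does. First try the secret key;
# if gpg returns nothing (smartcard stub), fall back to the public key.
#
# $1: key id / fingerprint to export (placeholder, supplied by the caller)
# $2: optional command used in place of gpg (assumption of this example;
#     real use passes nothing and gets the gpg on PATH)
export_key_or_public() {
  keyid=$1
  gpg_cmd=${2:-gpg}

  # Secret-key export. With a smartcard stub, gpg 2.1 prints nothing at all,
  # which is the condition the original hook's `egrep '.+'` was testing for.
  secret=$("$gpg_cmd" --batch --armor --export-secret-keys "$keyid" 2>/dev/null) || secret=""

  if printf '%s' "$secret" | grep -q '.'; then
    printf '%s\n' "$secret"
    return 0
  fi

  # Nothing came back: treat the key as smartcard-hosted and export the public block.
  "$gpg_cmd" --batch --armor --export "$keyid"
}

# Same test without printing any key material: answers "local" when gpg
# actually holds the secret key and "stub" when it only has a card stub.
# Handy as a pre-flight check before a hook writes key files anywhere.
secret_key_location() {
  if "${2:-gpg}" --batch --armor --export-secret-keys "$1" 2>/dev/null | grep -q '.'; then
    echo local
  else
    echo stub
  fi
}

# Stand-alone use: ./export-key.sh <keyid>
if [ $# -gt 0 ]; then
  export_key_or_public "$1"
fi
```

Note that, as the comment says, `--list-secret-keys` still lists stub keys, so listing alone cannot tell the two cases apart; the empty-output check on the export is what distinguishes them.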
Hey, so I just saw this. GitHub is very bad about getting emails out.
Let me test this on a few systems first. I'm fairly certain you need `--export-secret-keys`, which is only a stub in GPG's local storage if you're using a smartcard.