GPG sub-keys
Wiktor Kwapisiewicz
wiktor at metacode.biz
Tue Jan 4 12:29:48 UTC 2022
On 4.01.2022 13:04, Jan Christian Grünhage wrote:
> Because if they're all to be treated the same, you can just use
> the primary key ID and pass should still just use the encryption
> sub-keys available for that PGP key.
Nope, GnuPG will use just one single valid, most recent encryption
subkey and completely disregard all others. For the record, this part is
actually not specified in the OpenPGP spec, and other implementations
(such as Sequoia PGP or OpenKeychain) do it differently and, in my
opinion, better: they encrypt to all valid encryption subkeys.
GnuPG actually makes it worse because using a subkey fingerprint will not
use that fingerprint but rather the following logic:
- if the fingerprint is for a subkey, go to the primary key,
- if you want an encryption subkey from the primary, find the most recent
encryption subkey.
The workaround is, as Grégoire mentioned, to append "!" to the
fingerprint. That will force it to use that exact specific key.
Kind regards,
Wiktor
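As an added example (not from Wiktor's message or from the pass project), the POSIX shell script below builds a throwaway keyring with two encryption subkeys and then shows which subkey GnuPG actually encrypts to when it is given the older subkey's fingerprint, once without and once with the trailing "!". The user ID, the plaintext and the temporary GNUPGHOME are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: demonstrate GnuPG's encryption-subkey selection with and
# without the "!" suffix. Uses a throwaway GNUPGHOME so the real keyring is untouched.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate" >&2; exit 0; }

GNUPGHOME=$(mktemp -d)
export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# gpg wrapper: non-interactive, empty passphrase, no trust prompts.
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' --trust-model always "$@"; }

# n-th fingerprint in the keyring listing (1 = primary, then subkeys in creation order).
fpr_at() {
  gpg --batch --with-colons --list-keys | awk -F: -v n="$1" '$1=="fpr"{i++; if (i==n) {print $10; exit}}'
}

# Long key ID = last 16 hex digits of a 40-hex-digit v4 fingerprint.
keyid_of() { printf '%s' "$1" | cut -c25-40; }

# Encrypt a constructed message to $1 and report the key ID the PKESK packet targets.
encrypt_target() {
  printf 'constructed sample plaintext\n' \
    | g --encrypt --recipient "$1" --output - \
    | g --list-packets 2>/dev/null \
    | sed -n 's/.*pubkey enc packet.*keyid \([0-9A-F]*\).*/\1/p'
}

# Constructed key: certify-only primary plus two encryption subkeys, the second
# created at least one second later so it is unambiguously the "most recent" one.
g --quick-gen-key 'Subkey Demo (constructed) <demo@example.invalid>' ed25519 cert never
PRIMARY=$(fpr_at 1)
g --quick-add-key "$PRIMARY" cv25519 encr never
sleep 1
g --quick-add-key "$PRIMARY" cv25519 encr never
OLD=$(fpr_at 2)   # older encryption subkey
NEW=$(fpr_at 3)   # newer encryption subkey

# Without "!": GnuPG walks up to the primary key and picks the newest encryption subkey.
without_bang=$(encrypt_target "$OLD")
# With "!": GnuPG is pinned to exactly the subkey named by the fingerprint.
with_bang=$(encrypt_target "$OLD!")

printf 'recipient %s  -> encrypted to %s (newest subkey %s wins)\n' "$OLD" "$without_bang" "$(keyid_of "$NEW")"
printf 'recipient %s! -> encrypted to %s (exact subkey pinned)\n' "$OLD" "$with_bang"
```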
More information about the Password-Store mailing list