Sunday 7 January 2018

gnupg - Why is gpg --list-keys sometimes printing subkeys, sometimes not?


This question occurred in the comments of "How do I display the usage flags for my encryption keys in a less hackish way?", and seems worth being answered in a Q&A form as the answer is not actually obvious.


To view Torvalds' OpenPGP key 449FA3AB, I use gpg2 --list-keys 449FA3AB, which outputs


$ gpg2 --list-keys 449FA3AB
pub 1024D/449FA3AB 1999-10-05 [expired: 2001-10-04]
uid [ expired] Linus Torvalds

Usually, this command also lists subkeys, but no subkeys are printed for Torvalds' key. Yet, when requesting batch output, there is one included.


$ gpg2 --with-colons --list-keys 449FA3AB
tru::1:1414619239:1414879758:3:1:5
pub:e:1024:17:956EB7BF449FA3AB:939086351:1002158351::-:::sca:
uid:e::::939086351::81A3799583B9B1B391E4C428112F302FF2ADF462::Linus Torvalds :
sub:e:2048:16:71CE8207BFF491C5:939086545:1002158545:::::e:

Seems like this Torvalds-key has some special feature that hides the sub-key. What happened here?



Answer



Expired Keys


This is no special feature; Torvalds' primary key expired quite some time ago, and in consequence so did the subkey. The answer is hidden in the --list-options section of GnuPG's man pages, as by default expired subkeys are hidden. From man gpg2:


show-unusable-subkeys
Show revoked and expired subkeys in key listings. Defaults to no.

By specifying this argument, the subkey will show up:


$ gpg2 --list-options show-unusable-subkeys --list-keys 449FA3AB
pub 1024D/449FA3AB 1999-10-05 [expired: 2001-10-04]
uid [ expired] Linus Torvalds
sub 2048g/BFF491C5 1999-10-05 [expired: 2001-10-04]

Travelling Back in Time


You can also verify this using the helpful faketime program to set the system time back some years for GnuPG. By travelling back in time to some date where Torvalds' key was valid, the subkey will show up again:


$ faketime 2001-01-01 gpg2 --list-keys 449FA3AB
pub 1024D/449FA3AB 1999-10-05 [expires: 2001-10-04]
uid [ unknown] Linus Torvalds
sub 2048g/BFF491C5 1999-10-05 [expires: 2001-10-04]
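
As an added example (not part of the original answer), the following Python sketch parses the --with-colons output shown in the question and reports which subkeys a default listing would hide; its `now` parameter plays the role of faketime. The function names are hypothetical, and it assumes epoch-second timestamps and that hiding follows the "revoked and expired" rule quoted from the man page.

```python
from datetime import datetime, timezone

# Colon listing copied from the question (gpg2 --with-colons --list-keys 449FA3AB).
SAMPLE = """\
tru::1:1414619239:1414879758:3:1:5
pub:e:1024:17:956EB7BF449FA3AB:939086351:1002158351::-:::sca:
uid:e::::939086351::81A3799583B9B1B391E4C428112F302FF2ADF462::Linus Torvalds :
sub:e:2048:16:71CE8207BFF491C5:939086545:1002158545:::::e:
"""

def _ts(field):
    # Assumption: timestamps are seconds since the epoch, as in the sample.
    return datetime.fromtimestamp(int(field), timezone.utc) if field else None

def parse_keys(colon_output):
    """Return pub/sub records as dicts (field positions per the colon format)."""
    keys = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        keys.append({"type": f[0], "validity": f[1], "bits": int(f[2]),
                     "keyid": f[4], "created": _ts(f[5]),
                     "expires": _ts(f[6]), "caps": f[11]})
    return keys

def hidden_subkeys(colon_output, now=None):
    """Subkeys a default listing would omit at time `now` (expired or revoked)."""
    now = now or datetime.now(timezone.utc)
    hidden = []
    for k in parse_keys(colon_output):
        if k["type"] != "sub":
            continue
        revoked = k["validity"] == "r"
        # Recompute expiry against `now` instead of trusting the stored 'e' flag,
        # which gpg derived from the clock at listing time.
        expired = k["expires"] is not None and k["expires"] <= now
        if revoked or expired:
            reason = "revoked" if revoked else "expired"
            hidden.append((k["keyid"], reason, k["expires"]))
    return hidden

if __name__ == "__main__":
    past = datetime(2001, 1, 1, tzinfo=timezone.utc)
    for label, when in (("now", None), ("2001-01-01", past)):
        print(label, hidden_subkeys(SAMPLE, when))
```

Feeding it the output of `gpg2 --with-colons --list-keys` for a whole keyring gives a quick audit of subkeys that exist but never appear in the human-readable listing.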
