Hi! On Tue, 5 Dec 2023 00:00, Maxime de Roucy said:
> On gnupg 2.4.3 the first subkey tried is the "local" one.
> I think that it's because the "local" subkey is rsa4096, which is more secure
> than rsa2048 (the yubikey subkey).

No, there is no such logic.

> I found --personal-cipher-preferences, --personal-digest-preferences and
> --personal-compress-preferences but as both subkeys are RSA… it doesn't help.

That does not help with decryption.

In general this problem shows up if you receive a lot of mails using anonymous recipients (--throw-keyids) and gpg asks you to insert all your cards one after the other. We have this TODO item in the code:

  /* FIXME: The list needs to be sorted so that we try the keys in
   * an appropriate order.  For example:
   *  - On-disk keys w/o protection
   *  - On-disk keys with a cached passphrase
   *  - On-card keys of an active card
   *  - On-disk keys with protection
   *  - On-card keys from cards which are not plugged it.  Here a
   *    cancel-all button should stop asking for other cards.
   * Without any anonymous keys the sorting can be skipped.
   */

Your use case is very similar and such a sorting would also be helpful.

Another way to implement this might be by using a similar thing to what we allow for ssh-keys (see gnupg/agent/keyformat.txt) in the private key files:

*** Use-for-ssh

    If given and the value is "yes" or "1" the key is allowed for use
    by gpg-agent's ssh-agent implementation.  This is thus the same as
    putting the keygrip into the 'sshcontrol' file.  Only one such
    item should exist.  If another non-zero value between 1 and 99999
    is used, this is taken to establish the order in which the keys
    are returned to ssh; lower numbers are returned first.  If a
    negative value is used this overrides currently active (inserted)
    cards and thus allows to prefer on-disk keys over inserted cards.
    A value of -1 has the highest priority; values are capped at -999
    and have a lower priority but still above the positive values,
    inserted cards or the order in sshcontrol.

Sorry for not having a better answer.
> (reminder: all subkeys are derived from the same primary key).

Sure that you derived them? What we do is to bind subkeys to a primary key and then the sender selects the latest valid subkey for encryption.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
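As an added illustration (not GnuPG code, not part of the thread) of the Use-for-ssh ordering rules quoted in the reply above: a small model that parses the documented values and orders keys the way the text describes. The AgentKey class, its on_inserted_card flag, the GRIP_* keygrips and the handling of values above 99999 are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AgentKey:
    keygrip: str                     # constructed placeholder, not a real keygrip
    use_for_ssh: Optional[str]       # raw "Use-for-ssh:" value from the key file, None if absent
    on_inserted_card: bool = False   # hypothetical flag: key lives on a currently inserted card

def parse_use_for_ssh(raw):
    """Return (allowed, value) for a Use-for-ssh value as described in keyformat.txt.
    'yes' counts as 1; 0 or a non-numeric value means the key is not offered to ssh."""
    if raw is None:
        return False, 0
    v = raw.strip().lower()
    if v == "yes":
        return True, 1
    try:
        n = int(v)
    except ValueError:
        return False, 0
    if n == 0 or n > 99999:   # assumption: values outside the documented range disable the key
        return False, 0
    if n < 0:
        n = max(n, -999)      # negative values are capped at -999
    return True, n

def order_for_ssh(keys):
    """Order keys as ssh sees them: negative values first (-1 before -999), then keys on
    inserted cards, then positive values ascending.  Ties keep file order (assumption)."""
    def sort_key(item):
        idx, key, value = item
        if value < 0:
            return (0, -value, idx)   # -1 -> rank 1 (highest), -999 -> rank 999
        if key.on_inserted_card:
            return (1, 0, idx)        # inserted cards rank above positive on-disk values
        return (2, value, idx)
    ranked = []
    for idx, key in enumerate(keys):
        allowed, value = parse_use_for_ssh(key.use_for_ssh)
        if allowed:
            ranked.append((idx, key, value))
    return [key.keygrip for _, key, _ in sorted(ranked, key=sort_key)]

# Constructed sample: values mimic what a private key file's Use-for-ssh line could carry.
SAMPLE_KEYS = [
    AgentKey("GRIP_DISK_RSA4096", "5"),
    AgentKey("GRIP_CARD_RSA2048", "yes", on_inserted_card=True),
    AgentKey("GRIP_DISK_PREFERRED", "-1"),
    AgentKey("GRIP_DISK_FALLBACK", "-5000"),   # capped to -999, still ahead of the card
    AgentKey("GRIP_NOT_FOR_SSH", "0"),
    AgentKey("GRIP_NO_ENTRY", None),
]

if __name__ == "__main__":
    print(order_for_ssh(SAMPLE_KEYS))
```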