(Redirecting to -users since that seems more appropriate)

On 07/12/2018 10:42 PM, Ben McGinnes wrote:
> On Tue, Jul 10, 2018 at 01:01:10PM -0400, Jacob Adams wrote:
>> I would prefer to use the automatically generated certificate as it
>> also comes with some useful explanation text, but the problem I'm
>> having is that there is no way to trigger this generation from GPGME
>> and it appears to happen whenever you generate your first subkey (or
>> perhaps your first signing subkey, haven't dug that much into it).
>
> It's generated with the certification key and this comment indicates
> there may be a little misunderstanding about the revocation
> certificate. It's used to revoke an entire key, including subkeys, and
> it does this by the simple expedient of revoking the certification
> key. Once the certification key is revoked, the certification
> signatures can't be validated without throwing the disabled key errors
> which prevent the subkeys from being used.
>
> So even if subkeys are added later, there are no additional revocation
> certificates generated for the subkeys. Which is why you'll find .rev
> files in the $GNUPGHOME/openpgp-revocs.d/ directory matching the
> fingerprint of the primary key, but nothing for the subkeys; while
> $GNUPGHOME/private-keys-v1.d/ is populated with multiple .key files
> matching the keygrips for all the keys and subkeys generated.

Oh OK, that makes a lot more sense now! Most of what I know about GPG is
just picked up from random Internet tutorials of dubious quality, so I end
up with a very spotty understanding of how all this works. Thank you for
the clear overview.

>> and a random extra password prompt
>
> There are no random extra password prompts, they're all necessary for
> a secure system.

Sorry, random was the wrong word here. I meant only that the generation of
this revocation certificate seems to happen later than I would expect.
(Actually I was entirely wrong here about the order of events anyway, see
below.)

>> for the revocation certificate that I can't control doesn't really
>> help there. If there's some way I could manually trigger this
>> process that would be great.
>
> It should have already occurred when the key was first generated. The
> only time it needs to be done manually is when issuing a specific
> revocation certificate with a less generic revocation reason or if the
> key was generated with an older version of GPG that did not generate
> such a certificate by default.

When I don't generate my own revocation certificate, I get a second
password prompt when generating the first subkey. I had been assuming
that this was for the revocation certificate, but some testing confirms
that the certificate already exists before this. I'm still not sure why
I would be getting a second prompt, however. Any ideas?

Thanks,
Jacob
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
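A throwaway check of the file layout Ben describes, added here as an example and not part of the thread: it generates a certification-only primary key in a temporary GNUPGHOME, confirms the .rev file already exists before any subkey is added, then adds a signing subkey and counts .rev and .key files again. It assumes gpg 2.1 or later and gpgconf on PATH, and uses an empty passphrase so nothing prompts.

```shell
#!/bin/sh
# Constructed demo: the revocation certificate is written once, at
# primary-key generation. Adding a subkey adds a .key file under
# private-keys-v1.d (one per keygrip) but no new .rev file under
# openpgp-revocs.d (one per primary fingerprint).
set -e

# Prints "<rev-count> <keys-before-subkey> <keys-after-subkey>".
revocs_vs_keygrips() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME

    # Certification-only primary key, batch mode, no passphrase (demo only).
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo <demo@example.invalid>' ed25519 cert never \
        >/dev/null 2>&1
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')

    # The .rev file is already present before any subkey exists.
    [ -f "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" ] || return 1
    set -- "$GNUPGHOME/private-keys-v1.d"/*.key
    before=$#

    # Add a signing subkey: the step at which the second prompt was seen.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$fpr" ed25519 sign never >/dev/null 2>&1

    set -- "$GNUPGHOME/openpgp-revocs.d"/*.rev
    revs=$#
    set -- "$GNUPGHOME/private-keys-v1.d"/*.key
    after=$#

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$GNUPGHOME"
    echo "$revs $before $after"
}
```

Expected output is `1 1 2`: one revocation certificate throughout, one keygrip before the subkey and two after it.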