Can GnuPG sign a UID (locally) using a signing subkey?

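I am trying to add trust for a system account (to stop the nagging messages when encrypting data with that key). I have set up subkeys and an offline primary key: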

$ gpg --edit-key AAAAAAAA
[...]
Secret key is available.

pub  4096R/AAAAAAAA  created: 2015-09-09  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/BBBBBBBB  created: 2015-09-09  expires: never       usage: E   
sub  4096R/CCCCCCCC  created: 2015-09-09  expires: never       usage: S   
sub  4096R/DDDDDDDD  created: 2015-09-09  expires: never       usage: A

$ gpg --list-secret-keys
sec#  4096R/AAAAAAAA 2015-09-09
uid                  $NAME <$EMAIL>
ssb   4096R/BBBBBBBB 2015-09-09
ssb   4096R/CCCCCCCC 2015-09-09
ssb   4096R/DDDDDDDD 2015-09-09
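
It signs using exactly the specified subkey (although in this case AAAA isn't actually available, so it couldn't be used in any case). However, if I try to do something like lsign another UID: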

$ gpg --lsign-key --local-user CCCCCCCC! 'Mentor Root'                                                                                                                          

pub  4096R/DDDDDDDD  created: 2015-09-14  expires: never       usage: SC  
                     trust: undefined     validity: unknown
sub  4096R/EEEEEEEE  created: 2015-09-14  expires: never       usage: E   
[ unknown] (1). $OTHER_NAME <$OTHER_EMAIL>


pub  4096R/DDDDDDDD  created: 2015-09-14  expires: never       usage: SC  
                     trust: undefined     validity: unknown
 Primary key fingerprint: DDDD DDDD DDDD DDDD DDDD  DDDD DDDD DDDD DDDD DDDD

     $OTHER_NAME <$OTHER_EMAIL>

Are you sure that you want to sign this key with your
key "$NAME <$EMAIL>" (AAAA)

The signature will be marked as non-exportable.

Really sign? (y/N) y
gpg: secret key parts are not available
gpg: signing failed: general error

Key not changed so no update needed.
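Is this just a hard limitation of gpg, or am I missing some step?

(Or, equally likely, have I completely misunderstood the intent of all this?)


Edit: Is it just because the CCCC subkey doesn't have the C capability? Is it possible to have a subkey with the C capability (it seems not, from a cursory search)?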

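Only the primary key can have the certification capability C. You cannot use a subkey to sign (certify) keys/user IDs.

From:

In a V4 key, the primary key MUST be a key capable of certification. The subkeys may be keys of any other type.

The math would most likely allow certification subkeys, but the standard prevents it.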
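
The answer's point can be checked against a keyring directly. The script below is an added example, not part of the original question or answer: it reads `gpg --list-secret-keys --with-colons` output and reports which secret keys carry the certify capability and whether their secret part is actually present. It assumes the colon format described in GnuPG's doc/DETAILS (field 12 holds the capabilities, field 15 is `#` for a secret-key stub); the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: explain why --lsign-key fails on a keyring that holds only
# subkey secrets. Input is `gpg --list-secret-keys --with-colons` on stdin.
# Field 12: capabilities (lowercase = this key's own capabilities; uppercase
#           on the primary = usable capabilities of the whole key).
# Field 15: "#" when the secret part is only a stub (offline primary key).
cert_report() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            can_certify = (index($12, "c") > 0)   # case-sensitive: own "c" only
            offline     = ($15 == "#")
            if (!can_certify)  verdict = "cannot-certify"
            else if (offline)  verdict = "certify-key-offline"
            else               verdict = "can-certify"
            printf "%s %s caps=%s %s\n", $1, $5, $12, verdict
        }'
}

# Exit status 0 only if some key can certify AND its secret part is present.
can_lsign() {
    cert_report | grep -q ' can-certify$'
}

# Constructed sample mirroring the keyring in the question: an offline
# primary key (usage SC) and three subkeys (usage E, S, A).
SAMPLE='sec:u:4096:1:AAAAAAAAAAAAAAAA:1441756800:::u:::scESCA:::#:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1441756800::::::e:::+:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1441756800::::::s:::+:
ssb:u:4096:1:DDDDDDDDDDDDDDDD:1441756800::::::a:::+:'

printf '%s\n' "$SAMPLE" | cert_report
if printf '%s\n' "$SAMPLE" | can_lsign; then
    echo "a certification key is available: --lsign-key can work"
else
    echo "no certification-capable secret key present: --lsign-key will fail"
fi
```

On a real keyring, pipe `gpg --list-secret-keys --with-colons` into `cert_report` in place of the sample.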
