[kdepim-users] Re: Using subkeys to sign messages with Kontact and GnuPG

Ingo Klöcker kloecker at kde.org
Thu Apr 14 21:08:48 BST 2011


On Wednesday 13 April 2011, Robert Simmons wrote:
> 2011/4/11 Ingo Klöcker <kloecker at kde.org>:
> > No, I guess not. You can probably set the fingerprint of the subkey
> > manually in your ~/.kde/share/config/emailidentities . I haven't
> > tested whether that works.
> 
> Well, I have added the fingerprint of the subkey from the command
> $ gpg --fingerprint --fingerprint {KEYID}
> into that file.
> 
> This does sign the email with a subkey.  However, I think I have dug
> up a bug.  This does not behave as you think it should.
> 
> First, Kontact ignores the fingerprint in
> ~/.kde/share/config/emailidentities.  Well, ignores is not exactly
> what happens.  What happens is it signs email with the LAST subkey on
> that primary key, no matter what.
> 
> This is the same behavior I have discovered in KGpg as well.
> 
> So, if I have the following:
> One keypair for signing and one subkey for encrypting (this is the
> default for gpg - both are RSA)
> The following happens:
> Everything works as expected.
> 
> If I have a primary key that is set to S for sign and another subkey
> set to S then Kontact signs all email with the subkey, even if the
> primary key's fingerprint is in the emailidentities file!
> 
> This is the same behavior as KGpg, so I think I should report them
> both as separate bugs.

You might be experiencing gpg's default behavior.

From 'man gpg':
=====
HOW TO SPECIFY A USER ID
[...]
       By key Id.
              This  format  is deduced from the length of the string and
              its content or 0x prefix. The key Id of an X.509
              certificate are the low 64 bits of its SHA-1 fingerprint. 
              The use of key Ids is just a shortcut,  for  all
              automated processing the fingerprint should be used.

              When  using  gpg  an exclamation mark (!) may be appended
              to force using the specified primary or secondary
              key and not to try and calculate which primary or
              secondary key to use.
=====

So you might try to append an exclamation mark (!) to the fingerprint of 
the desired subkey.


> On a side note: Am I the first person to use subkeys?

Probably.


> Is this something that is so unusual that only now has this been
> encountered?

All I can say is that I have never before heard of anybody trying to use 
a subkey with KMail.


> The reason I want to use subkeys is that I want to sign my email with
> a key that does not expire.  I also want to sign software with a
> subkey that is set to expire.
> 
> Hence the problem, because my most recent subkey for signing software
> is always the last one (and when it expires the new one will be last)
> Kontact signs everything with that key, which is not good.
> 
> Any thoughts?

Try the above. If that fails then your only option might be to use two 
separate (probably cross-signed) keys.


Regards,
Ingo
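
Added example (not part of the original message, and not KMail or GnuPG code): one way to pick a signing key by fingerprint from `gpg --list-keys --with-colons` output and append the `!` described in the man page excerpt, for the case discussed above of a non-expiring key for mail and an expiring subkey for software. The listing, key IDs, fingerprints and function names are constructed for illustration.

```python
# Constructed sample of `gpg --list-keys --with-colons` output; key IDs,
# fingerprints and dates are made up. Field 7 = expiry, field 12 = capabilities,
# and field 10 of each fpr record is the fingerprint of the preceding pub/sub.
PRIMARY, ENC_SUB, SIGN_SUB = "A" * 40, "B" * 40, "C" * 40
SAMPLE = "\n".join([
    "pub:u:4096:1:AAAAAAAAAAAAAAAA:1300000000:::u:::scSC:",
    "fpr" + ":" * 9 + PRIMARY + ":",
    "uid:u::::1300000000::::Example User <user@example.org>:",
    "sub:u:4096:1:BBBBBBBBBBBBBBBB:1300000000::::::e:",
    "fpr" + ":" * 9 + ENC_SUB + ":",
    "sub:u:4096:1:CCCCCCCCCCCCCCCC:1302000000:1333536000:::::s:",
    "fpr" + ":" * 9 + SIGN_SUB + ":",
])

UNUSABLE = {"r", "e", "i", "d"}  # revoked, expired, invalid, disabled


def signing_keys(listing):
    """Return usable signing-capable keys (primary or subkey) in listing order."""
    keys, current = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            # Lowercase letters in field 12 are this key's own capabilities.
            current = {"kind": f[0], "expires": f[6] or None, "fpr": None,
                       "usable": f[1] not in UNUSABLE and "s" in f[11]}
            keys.append(current)
        elif f[0] == "fpr" and current and current["fpr"] is None:
            current["fpr"] = f[9]
    return [k for k in keys if k["usable"] and k["fpr"]]


def forced_spec(listing, expiring):
    """Fingerprint plus '!' for the single signing key that does
    (expiring=True) or does not (expiring=False) carry an expiry date."""
    matches = [k for k in signing_keys(listing)
               if bool(k["expires"]) == expiring]
    if len(matches) != 1:
        # Refuse to guess: an ambiguous choice is what the '!' is meant to avoid.
        raise ValueError(f"expected exactly one candidate, found {len(matches)}")
    return matches[0]["fpr"] + "!"


if __name__ == "__main__":
    print("mail signing key:    ", forced_spec(SAMPLE, expiring=False))
    print("software signing key:", forced_spec(SAMPLE, expiring=True))
```

The returned string is the form the man page describes for forcing a specific primary or secondary key, for example as the argument to gpg's `--local-user` option.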