Can a signing subkey be used to (locally) sign a UID?

Time: 2015-09-14 13:21:22

Tags: gnupg

I'm trying to add trust for a system account (to stop the nagging message when encrypting data with that key). I have subkeys set up and an offline master key:

$ gpg --edit-key AAAAAAAA
[...]
Secret key is available.

pub  4096R/AAAAAAAA  created: 2015-09-09  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/BBBBBBBB  created: 2015-09-09  expires: never       usage: E   
sub  4096R/CCCCCCCC  created: 2015-09-09  expires: never       usage: S   
sub  4096R/DDDDDDDD  created: 2015-09-09  expires: never       usage: A

$ gpg --list-secret-keys
sec#  4096R/AAAAAAAA 2015-09-09
uid                  $NAME <$EMAIL>
ssb   4096R/BBBBBBBB 2015-09-09
ssb   4096R/CCCCCCCC 2015-09-09
ssb   4096R/DDDDDDDD 2015-09-09

If I want to sign a document I can use:

$ gpg --encrypt --sign --recipient AAAAAAAA --local-user CCCCCCCC! --output out.gpg in.gpg

to sign with the fully specified subkey (though in this case AAAAAAAA isn't actually available, so it couldn't be used anyway). But if I try to do something similar for another UID:

$ gpg --lsign-key --local-user CCCCCCCC! 'Mentor Root'

pub  4096R/DDDDDDDD  created: 2015-09-14  expires: never       usage: SC  
                     trust: undefined     validity: unknown
sub  4096R/EEEEEEEE  created: 2015-09-14  expires: never       usage: E   
[ unknown] (1). $OTHER_NAME <$OTHER_EMAIL>


pub  4096R/DDDDDDDD  created: 2015-09-14  expires: never       usage: SC  
                     trust: undefined     validity: unknown
 Primary key fingerprint: DDDD DDDD DDDD DDDD DDDD  DDDD DDDD DDDD DDDD DDDD

     $OTHER_NAME <$OTHER_EMAIL>

Are you sure that you want to sign this key with your
key "$NAME <$EMAIL>" (AAAA)

The signature will be marked as non-exportable.

Really sign? (y/N) y
gpg: secret key parts are not available
gpg: signing failed: general error

Key not changed so no update needed.

Is this just a hard limitation of gpg, or am I missing a step?

(Or, equally likely, am I completely misunderstanding the point of all this?)

Edit: is it just that the CCCCCCCC subkey doesn't have the C capability? Is it possible to have a subkey with the C capability (it seems not, from a cursory search)?

1 answer:

Answer 0 (score: 5)

Only the primary key can have the certification capability C. You cannot sign (certify) keys/user IDs with a subkey.

From RFC 4880, OpenPGP, 12.1 Key Structures:

In a V4 key, the primary key MUST be a key capable of certification. The subkeys may be keys of any other type.

The math might allow a certification subkey, but the standard prevents it.
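The following is an added example, not code from the question or the answer. It makes the two points of this thread checkable from gpg's own machine-readable output: which key carries the certify capability (only the primary, per the answer above), and whether that key's secret material is actually present on the machine (it isn't when the master is offline, which is why the `--lsign-key` in the question fails even though `--local-user CCCCCCCC!` works for signing a document). It parses the colon-separated records printed by `gpg --list-secret-keys --with-colons`, using the field layout documented in GnuPG's doc/DETAILS for gpg 2.x: field 12 holds capabilities (lowercase for the key's own, uppercase for the whole key's), field 15 is `#` for a secret-key stub and `+` when the secret key is present. The listing embedded below is constructed to mirror the key in the question; the 16-hex key IDs are placeholders.

```python
"""Diagnose from gpg's machine-readable listing which key can certify and
whether its secret material is on this machine.

Added example, not part of the original post.  Parses the colon-separated
records of `gpg --list-secret-keys --with-colons` (field layout per GnuPG's
doc/DETAILS, gpg 2.x): field 1 = record type, 5 = key ID, 12 = capabilities
(lowercase = this key's own, uppercase = the whole key's), 15 = '#' when the
secret key is a stub (offline primary), '+' when it is present.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample mirroring the question's key: offline primary with
# certify+sign capability, online subkeys for encrypt, sign, authenticate.
# Key IDs and fingerprints are placeholders, not real keys.
SAMPLE_LISTING = """\
sec:u:4096:1:AAAAAAAAAAAAAAAA:1441790400:::u:::scESCA:::#:::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1441790400::0000000000000000000000000000000000000000::$NAME <$EMAIL>::::::::::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1441790400::::::e:::+:::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1441790400::::::s:::+:::23:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
ssb:u:4096:1:DDDDDDDDDDDDDDDD:1441790400::::::a:::+:::23:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:
"""


@dataclass
class KeyPart:
    keyid: str
    is_primary: bool
    own_caps: set            # lowercase letters from field 12: e, s, c, a
    secret_present: bool     # False for a '#' stub (offline primary)


def parse_secret_listing(text: str) -> List[KeyPart]:
    """Return one KeyPart per sec/ssb record, primary first."""
    parts: List[KeyPart] = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue   # fpr/uid records carry no capability info
        caps = {c for c in fields[11] if c.islower()}
        parts.append(KeyPart(
            keyid=fields[4],
            is_primary=fields[0] == "sec",
            own_caps=caps,
            secret_present=fields[14] != "#",
        ))
    return parts


def keys_usable_for(parts: List[KeyPart], cap: str) -> List[str]:
    """Key IDs that both have capability `cap` and have secret material here.

    These are the IDs you can hand to --local-user (append '!' to force gpg
    to use exactly that key rather than letting it pick a subkey).
    """
    return [p.keyid for p in parts if cap in p.own_caps and p.secret_present]


def explain_certify(parts: List[KeyPart]) -> str:
    """Say whether --sign-key / --lsign-key can work with this secret keyring."""
    primary = next(p for p in parts if p.is_primary)
    if "c" not in primary.own_caps:
        return f"{primary.keyid} cannot certify at all (no C capability)"
    if not primary.secret_present:
        return (f"certify capability lives on primary {primary.keyid}, whose "
                "secret key is offline ('#'); --lsign-key will fail here")
    return f"primary {primary.keyid} can certify on this machine"


if __name__ == "__main__":
    parts = parse_secret_listing(SAMPLE_LISTING)
    print("sign with   :", keys_usable_for(parts, "s"))
    print("certify with:", keys_usable_for(parts, "c"))
    print(explain_certify(parts))
```

To run it against a real keyring, replace SAMPLE_LISTING with the output of `gpg --list-secret-keys --with-colons`. For the question's setup the script reports that only CCCCCCCC can sign and that no key can certify locally, which is the same condition gpg reports as "secret key parts are not available". The practical consequence: a `--lsign-key` (or `--sign-key`) has to be done on the machine that holds the primary secret key, after which the signed public key can be carried back (for a local signature, `--export-options export-local-sigs` / `--import-options import-local-sigs`). If the only goal is to silence the warning when encrypting to an unverified key, `--trust-model always` does that too, at the cost of disabling the key-validity check entirely.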