Change a key’s allowed actions in GPG

gpg

When you --gen-key in GPG, you can choose which actions of Sign, Certify, Encrypt, and Authenticate the key will be usable for.

Can these be later modified (i.e. obviously a new key can be created if the current one has C, and the old one revoked, but that's not the question) to remove or add actions?

Best Answer

Keys' allowed usages can be modified, but the gpg tool doesn't support it (even in version 2). To change a key's usage, you need to modify gpg. The basic idea is detailed in a thread on the gnupg-users mailing list: usage information is carried by the self-signature, so you need to change the usage parser to force the value you're interested in, then create a new self-signature on your key, for example by changing your key's expiry date.

Related Solutions

RSA 2048 keypair generation: via openssl 0.5s via gpg 30s, why the difference

GnuPG consumes several bytes from /dev/random for each random byte it actually uses. You can easily check that with this command:

start cmd:> strace -e trace=open,read gpg --armor --gen-random 2 16 2>&1 | tail
open("/etc/gcrypt/rngseed", O_RDONLY)   = -1 ENOENT (No such file or directory)
open("/dev/urandom", O_RDONLY)          = 3
read(3, "\\\224F\33p\314j\235\7\200F9\306V\3108", 16) = 16
open("/dev/random", O_RDONLY)           = 4
read(4, "/\311\342\377...265\213I"..., 300) = 128
read(4, "\325\3\2161+1...302@\202"..., 172) = 128
read(4, "\5[\372l\16?\...6iY\363z"..., 44) = 44
open("/home/hl/.gnupg/random_seed", O_WRONLY|O_CREAT, 0600) = 5
cCVg2XuvdjzYiV0RE1uzGQ==
+++ exited with 0 +++

In order to output 16 bytes of high-quality entropy GnuPG reads 300 bytes from /dev/random.

This is explained here: Random-Number Subsystem Architecture

Linux stores a maximum of 4096 bytes (see cat /proc/sys/kernel/random/poolsize) of entropy. If a process needs more than available (see cat /proc/sys/kernel/random/entropy_avail) then the CPU usage becomes more or less irrelevant as the feeding speed of the kernel's entropy pool becomes the relevant factor.

Centos – How to get yum to use the already imported gpg keys

This is a cargo-cult workaround that seems to work for automating key import:

yum -q makecache -y --disablerepo='*' --enablerepo=THENEWREPO

Best Answer

Related Solutions

RSA 2048 keypair generation: via openssl 0.5s via gpg 30s, why the difference

Centos – How to get yum to use the already imported gpg keys

Related Question