bash - Parsing the GnuPG secret key list


You can get a parseable list of secret keys in GnuPG by doing:

gpg2 --list-secret-keys --with-colons

The format of the output is described here: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/details

I want to write a bash function that tells me if I have both valid encryption and signing keys. Based on the above URL, I came up with:

has_valid_secret_keys() {
  return "$(gpg2 --list-secret-keys --with-colons 2>/dev/null | \
            awk -F: 'BEGIN { sign = 0; encrypt = 0; }
                     ($1 ~ "sec|ssb") && ($2 ~ "[mfu]") {
                       if ($12 ~ "s") sign++
                       if ($12 ~ "e") encrypt++
                     }
                     END { print !(sign * encrypt) }')"
}

That is, the awk script matches secret keys and secret subkeys (field 1) with marginal, full or ultimate validity (field 2), and maintains a counter of signing and encryption keys based on the matched records' capabilities (field 12). If both of these counters are zero, I have no signing or encryption keys; otherwise I have what I want.

This works great in GnuPG 2.1, but when I try it in GnuPG 2.0, the capability field doesn't appear to be set in the output of --list-secret-keys. It's quite hard work finding documentation for the output; I presume it must have changed between v2 and v2.1.

Is there a GnuPG-version-agnostic (including GnuPG 1.4, if possible) way of doing this?


Edit: following Jens Erat's answer, the updated (i.e., working!) bash function follows:

has_valid_secret_keys() {
  # Check that both valid signing and encryption (sub)keys exist.
  # Format described at http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/details
  # First find the key IDs of secret keys and subkeys, then
  # reference these against the public keys to check capabilities.
  return "$(gpg --list-secret-keys --with-colons 2>/dev/null | \
            awk -F: '($1 ~ "sec|ssb") { print $5 }' | \
            xargs gpg --list-keys --with-colons 2>/dev/null | \
            awk -F: 'BEGIN { sign = 0; encrypt = 0; }
                     ($1 ~ "[ps]ub") && ($2 ~ "[mfu]") {
                       if ($12 ~ "s") sign++
                       if ($12 ~ "e") encrypt++
                     }
                     END { print !(sign * encrypt) }')"
}

Documentation under source control

The copy of the document linked for GnuPG 2.1 is under source control; you can either look at the file's history or fetch the GnuPG 1.4/GnuPG 2.0 branches' versions.

The colon output has not changed for quite some time (it is the relevant part of what might be considered the "API" interface to the GnuPG binary). The capability field should return what you expect since (at least) GnuPG 1.4.

GnuPG 2.1 merged the secret keyring

The issue is a version difference (and indeed, GnuPG 2.1's behavior changed here): while GnuPG 1.4 and 2.0 had a separate secret key store, it was merged into the public key store in GnuPG 2.1. With this change, the output changed. GnuPG 1.4 and 2.0 only list capabilities when querying the public keyring; GnuPG 2.1 queries the same keyring both when listing public and secret keys, and has the same information in the output of both commands.

If you need to support GnuPG 1.4 and 2.0, you have to

  1. query the secret keys, and then
  2. filter using the output of the public key listing.
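As an added example that is not part of the question or of Jens Erat's answer: the two-step approach above (collect the sec/ssb key IDs, then read the capabilities from the public listing) split into small shell functions, so the awk parsing can be checked offline against constructed --with-colons output. The key IDs, creation timestamps and user ID in the samples are made up; the only function that touches a real keyring is has_valid_secret_keys, which assumes gpg is on PATH. It goes slightly beyond the posted function in two ways: the validity match is anchored (^[mfu]$) so it cannot be fooled by a longer field, and the live check refuses to run gpg --list-keys with an empty ID list, which would otherwise list every public key.

```shell
#!/bin/sh
# Added example, not code from the question or from Jens Erat's answer.
# The version-agnostic check is split into two awk stages so that the
# parsing can be exercised offline on constructed --with-colons output.

# Constructed sample of `gpg --list-secret-keys --with-colons` as GnuPG
# 1.4/2.0 print it: validity (field 2) and capabilities (field 12) are
# empty for sec/ssb records, which is why the secret listing alone is
# not enough on those versions. Key IDs and timestamps are made up.
SAMPLE_SECRET='sec::2048:1:0123456789ABCDEF:1450000000::::::::::
uid:::::::::Example User <user@example.org>:
ssb::2048:1:FEDCBA9876543210:1450000000::::::::::'

# Constructed public listing for the same key IDs: the primary key can
# sign and certify ("scESC": lowercase = capabilities usable with this
# key, uppercase = capabilities of the whole key), the subkey encrypts.
SAMPLE_PUBLIC_OK='pub:u:2048:1:0123456789ABCDEF:1450000000:::u:::scESC:
uid:u::::1450000000::0000000000000000000000000000000000000000::Example User <user@example.org>:
sub:u:2048:1:FEDCBA9876543210:1450000000::::::e:'

# Constructed listing of a signing-only key (no encryption subkey).
SAMPLE_PUBLIC_SIGN_ONLY='pub:u:2048:1:0123456789ABCDEF:1450000000:::u:::scSC:
uid:u::::1450000000::0000000000000000000000000000000000000000::Example User <user@example.org>:'

# Print the key ID (field 5) of every sec/ssb record read from stdin.
secret_key_ids() {
  awk -F: '$1 == "sec" || $1 == "ssb" { print $5 }'
}

# Read a public-key colon listing from stdin; succeed (exit 0) when at
# least one valid (m/f/u) pub/sub record can sign and at least one can
# encrypt. Only lowercase letters in field 12 are capabilities the key
# itself can use, and the regexes are case-sensitive, so "scESC" counts
# as sign-capable but not encrypt-capable.
has_sign_and_encrypt() {
  awk -F: 'BEGIN { sign = 0; encrypt = 0 }
           ($1 == "pub" || $1 == "sub") && ($2 ~ /^[mfu]$/) {
             if ($12 ~ /s/) sign++
             if ($12 ~ /e/) encrypt++
           }
           END { exit !(sign && encrypt) }'
}

# Version-agnostic check against a live keyring (assumes gpg on PATH):
# collect the secret key IDs, then ask the public listing for their
# capabilities. An empty ID list would make gpg list every public key,
# so bail out early in that case.
has_valid_secret_keys() {
  ids=$(gpg --list-secret-keys --with-colons 2>/dev/null | secret_key_ids)
  [ -n "$ids" ] || return 1
  # shellcheck disable=SC2086  # word splitting of $ids is intended
  gpg --list-keys --with-colons $ids 2>/dev/null | has_sign_and_encrypt
}

# Demonstration on the constructed samples (no gpg needed).
printf '%s\n' "$SAMPLE_SECRET" | secret_key_ids
if printf '%s\n' "$SAMPLE_PUBLIC_OK" | has_sign_and_encrypt; then
  echo "sample keyring: signing and encryption keys present"
fi
if ! printf '%s\n' "$SAMPLE_PUBLIC_SIGN_ONLY" | has_sign_and_encrypt; then
  echo "signing-only sample: missing an encryption key"
fi
```

In a script, `has_valid_secret_keys && echo ok` gives the same yes/no answer as the function in the question, but via the exit status of the awk `END` block rather than a printed 0/1 passed to `return`, which keeps the function usable in an `if` without quoting games.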
