How to Get Only the Pub Part of GPG –list-public-keys

duplicityencryptiongpglinuxUbuntu

Okay, there is probably a better way to phrase this question. I am writing a script to configure my web servers on the first boot, but I hit a snag when generating the GPG key that will be used to encrypt backups with duplicity.

I am using this to generate the key without user interaction, but I need a way to get only the number under pub to throw on a file that will be used by duplicity later on the script.

I need this:

jamespond@penelope:~$ gpg --list-public-keys
/home/jamespond/.gnupg/pubring.kbx
----------------------------------
pub   rsa3072 2018-11-10 [SC] [expires: 2020-11-09]
      8304C92D7F77938BCE05A1619FC07FF505D443D3
uid           [ultimate] James Pond <root@madpony.co>
sub   rsa3072 2018-11-10 [E] [expires: 2020-11-09]

To become this:

jamespond@penelope:~$ gpg --list-public-keys | somecommand
8304C92D7F77938BCE05A1619FC07FF505D443D3

Is that possible? I looked at GPG's man page and it doesn't seem like there is a command for that, so I am guessing I would need to pipe –list-public-keys to sed? But I have no idea what regular expression I would need to use to get just that piece of the puzzle.

Thanks in advance!

Best Answer

First, you will want to use the --with-colons output mode for scripting. Then, to grab only the fingerprints of the public keys, I used sed to narrow down to only the pub part and cut to get to the 10th field of the fpr field:

gpg --list-public-keys --with-colons \
    | sed -ne '/^pub:/,/^fpr:/ { /^fpr:/ p }' \
    | cut -d: -f10

If you have multiple keys, it will print each of them on a line of its own.

Related Solutions

Firewall – How to install gpg keys from behind a firewall

Some key servers answer to port 80 as well:

gpg --keyserver hkp://wwwkeys.de.pgp.net:80 --recv-keys 0A5174AF

And since hkp relies on http, you should be able to use it trough a web proxy too.

How to enable the storing of GPG / PGP keys in OpenLDAP

You can use an LDIF file to import the data, provided you have set up the attribute correctly in the schema.

This howto you've referenced is for setting up a keyserver with LDAP as a backing store, not for adding PGP keys to LDAP users in your existing schema. The difference is important, because in the referenced schema, PGP keys are the individual entities in the directory, not users.

How you accomplish this task exactly depends on how you intend to use it. If all you want is to get the keys into the directory, it would suffice to add the 1.3.6.1.4.1.3401.8.2.11 (pgpKey) attribute to your directory and then add it in your schema as an optional attribute for your user class.

If you want to use this information with GPG (as a keyserver), the problem becomes slightly harder. You can add the schema as it is, and store the PGP keys in parallel with your other data. This would be easiest to set up, but harder to manage in the long run. You can also try to make a hybrid schema, but that will require substantial planning that is really too broad in scope to detail here. However, things to look at would be how you want the keys to be written (who has write permission? Perhaps just administrators?), and which attributes the key should be searchable by. Most probably you will be able to add the PGP key attributes pgpCertID $ pgpKey $ pgpDisabled $ pgpKeyID $ pgpKeyType $ pgpUserID $ pgpKeyCreateTime $ pgpSignerID $ pgpRevoked $ pgpSubKeyID $ pgpKeySize $ pgpKeyExpireTime, making them mandatory or optional as you require, to your user object. If the LDAP query GPG uses happens to check objectClass=pgpKeyInfo however, this might prove difficult and you might have to use a sub-object on your users.

That said, I'd advise you to not do this, and instead set up a separate LDAP keyserver with just the keys in it, at keys.example.net where example.net is your domain. This will be much more supported and will prevent keyserver load from impacting your general directory performance.

Related Topic