Encrypt and sign with specific secret key

Question

I have an OpenPGP smart card key (YubiKey NEO) as well as a local secret key installed in my GnuPG keyring.

I'd like to encrypt and sign a file with my card's key, not the key in my keyring. How can I specify what key I'd like to sign with?

If my filesystem secret key id is DEADBEEF and my smartcard key is DEADBEE5, how do I sign with that key?

score 36 · Answer 1 · answered Dec 06 '14 at 08:56

36

The signing key is selected with -u / --local-user:

gpg --local-user 0xDEADBEE5 --sign file

This option can be given several times in order to combine signatures of several keys:

gpg --local-user 0xDEADBEE5 --local-user 0x12345678 --sign file

answered Dec 06 '14 at 08:56

Hauke Laging

According to the man page using --local-user is the same as using --default-user as in my answer – Anthon Dec 06 '14 at 09:00
1

@Anthon It leads to the same result. That doesn't mean that --default-* should be recommended for this usage. I have been on the GnuPG mailinglist for years. I have never seen something like that before. – Hauke Laging Dec 06 '14 at 09:06
Well yeah, it looks like the issue came up once on gnupg-users and that you where the one who provided the answer with your reading of the man page ;-). For me specifying an option with -key in its name feels much more appropriate when I want to use a specific key than specifying something with -user YMMV. – Anthon Dec 06 '14 at 09:19
5

I think @Anthon meant --default-key in his comment above. Running with that, one difference between --local-user and --default-key in my experience, is that the first fails if a matching key isn't present, while the second will fall back to other keys. For that reason, I'd be very wary of putting --default-key in scripts. – Jack O'Connor Jun 19 '18 at 20:37
1

I tested and confirmed @JackO'Connor's comment with gpg 2.2.4. The man for --default-key says If there is no secret key available for any of the specified values, GnuPG will not emit an error message but continue as if this option wasn't given. – wisbucky Dec 03 '19 at 00:22
--local-user can also use the email. Oh Yeah! – Evan Hu Jul 11 '22 at 07:42

Anthon · Accepted Answer · 2014-12-06T09:00:04.560

19

You should specify --default-key:

gpg -s --default-key DEADBEE5 input > output

and check afterwards with

gpg -d < output | head -1

From the gpg man page( --sign section):

The key to be used for signing is chosen by default or can be set with the --local-user and --default-key options.

edited Dec 06 '14 at 09:00

answered Dec 05 '14 at 19:29

Anthon

gpg: conflicting commands when I try to encrypt and sign. – Naftuli Kay Dec 05 '14 at 19:31
@NaftuliTzviKay Sorry --sign-key is for signing other keys with a specific key. I updated the answer (and tested beforehand this time). – Anthon Dec 05 '14 at 19:35
--default-* makes little sense on the command line. These options are for the config file. – Hauke Laging Dec 06 '14 at 08:52
5

The difference between --local-user and --default-key is that --local-user will give an error if you specify a non-existent key. With --default-key, it will ignore a non-existent key and use the first key in the keyring. – wisbucky Dec 03 '19 at 00:31

2 Answers2