
Re: Which signing subkey does GPG use?



Nate Bargmann [2019-07-09T09:18:51-05] wrote:

> pub   dsa1024 2000-05-02 [SCA] [expires: 2024-07-06]
>       82D64F6B0E67CD41F689BBA6FB2C5130D55A8819
> uid           [ultimate] Nate Bargmann <n0nb@n0nb.us>
> uid           [ultimate] Nate Bargmann <n0nb@yahoo.com>
> uid           [ultimate] Nate Bargmann <n0nb@arrl.net>
> sub   elg4096 2018-03-07 [E] [expires: 2021-07-07]
> sub   rsa3072 2019-07-08 [S] [expires: 2021-07-07]

> The new subkey is shown as sign only [S]. As the primary key is only
> DSA 1024, I'd like to be sure that it is no longer used. Is the only
> way to assure the newer key is used (I read an assertion that gpg will
> choose the newest key for whatever action) to remove the primary
> key as noted at https://wiki.debian.org/Subkeys ?

Yes, for message signing gpg chooses the newest signing-capable [S]
subkey automatically. You can select a certain primary key or subkey by
using the default-key option in gpg.conf:

    default-key FINGERPRINT!

Notice the "!" at the end. It forces gpg to use that very key for
signing without its automatic key selection. So if you use "!" with a
key's fingerprint then that primary key is used for signing (if it is
capable of signing). If you use "!" with a certain subkey's fingerprint
then that subkey is used for signing.

> I have not figured out how to remove a capability from a key.

It is possible but it's an undocumented feature.

    $ gpg --edit-key YOUR_KEY

Select your master key and change its usage capabilities:

    gpg> key 0
    gpg> change-usage

This creates new self-signatures on your public key.

-- 
///  OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
//  https://keys.openpgp.org/search?q=tlikonen@iki.fi
/  https://keybase.io/tlikonen  https://github.com/tlikonen
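Added example (not part of the thread above, and not a GnuPG tool): a small
Python script that reads `gpg --with-colons --list-keys` output, applies the
selection rule the reply describes (newest usable signing-capable subkey),
prints the matching `default-key FINGERPRINT!` line for gpg.conf, and warns
while the primary key itself still carries the "s" capability. The embedded
sample listing is constructed to mirror the key shown in the thread; the
primary fingerprint is the one quoted there, but both subkey fingerprints and
key IDs are placeholders. The `list_keys_colons` helper is an assumption about
how one would feed it a live listing; it is not used by the sample run.

```python
"""Predict which subkey gpg will sign with, from `gpg --with-colons --list-keys`.

Applies the rule stated in the reply (newest usable signing-capable subkey)
and prints the matching `default-key FINGERPRINT!` line for gpg.conf.
"""
import subprocess
from datetime import datetime, timezone

# Constructed sample of `gpg --with-colons --list-keys` output modelled on the
# listing quoted in the thread. The primary fingerprint is the one shown there;
# both subkey fingerprints/key IDs are PLACEHOLDERS, not the real values.
SAMPLE_COLONS = """\
tru::1:1562700000:1720224000:3:1:5
pub:u:1024:17:FB2C5130D55A8819:957225600:1720224000::u:::scESCA::::::::::0:
fpr:::::::::82D64F6B0E67CD41F689BBA6FB2C5130D55A8819:
uid:u::::957225600::0000000000000000000000000000000000000000::Nate Bargmann <n0nb@n0nb.us>::::::::::0:
sub:u:4096:16:1111111111111111:1520380800:1625616000:::::e::::::23:
fpr:::::::::1111111111111111111111111111111111111111:
sub:u:3072:1:2222222222222222:1562544000:1625616000:::::s::::::23:
fpr:::::::::2222222222222222222222222222222222222222:
"""

THREAD_DATE = 1562700000  # 2019-07-09 UTC, when the thread was written


def _ts(field):
    """Creation/expiry field: epoch seconds (gpg2) or YYYY-MM-DD (older gpg)."""
    if field.isdigit():
        return int(field)
    return int(datetime.strptime(field, "%Y-%m-%d")
               .replace(tzinfo=timezone.utc).timestamp())


def parse_keys(colons_output):
    """One dict per pub/sub record, with the fingerprint from the following fpr record."""
    keys = []
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            keys.append({
                "type": f[0],
                "validity": f[1],          # r=revoked, e=expired, i=invalid, d=disabled
                "bits": int(f[2] or 0),
                "algo": f[3],              # 1=RSA, 16=Elgamal, 17=DSA
                "keyid": f[4],
                "created": _ts(f[5]),
                "expires": _ts(f[6]) if f[6] else None,
                "caps": f[11],             # lowercase letters = this key's own capabilities
                "fpr": None,
            })
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]
    return keys


def usable_at(key, now):
    """Not revoked/expired/invalid/disabled and not past its expiry at time `now`."""
    if key["validity"] in ("r", "e", "i", "d"):
        return False
    return key["expires"] is None or key["expires"] > now


def newest_signing_subkey(colons_output, now=THREAD_DATE):
    """The subkey gpg would pick for signing under the rule described in the reply."""
    candidates = [k for k in parse_keys(colons_output)
                  if k["type"] == "sub" and "s" in k["caps"] and usable_at(k, now)]
    return max(candidates, key=lambda k: k["created"]) if candidates else None


def primary_can_sign(colons_output):
    """True while the primary key itself still carries the 's' capability."""
    pub = next(k for k in parse_keys(colons_output) if k["type"] == "pub")
    return "s" in pub["caps"]


def default_key_line(colons_output, now=THREAD_DATE):
    """gpg.conf line that pins signing to the chosen subkey (note the trailing '!')."""
    sub = newest_signing_subkey(colons_output, now)
    return None if sub is None else f"default-key {sub['fpr']}!"


def list_keys_colons(keyid):
    """Fetch a live listing; needs gpg on PATH. Not exercised by the sample run."""
    return subprocess.run(["gpg", "--with-colons", "--list-keys", keyid],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(default_key_line(SAMPLE_COLONS))
    if primary_can_sign(SAMPLE_COLONS):
        print("# primary key still has [S]: gpg --edit-key, then 'key 0' and 'change-usage'")
```

Run it against a live key with `default_key_line(list_keys_colons("KEYID"))`;
the printed line is what goes into gpg.conf, and the warning tells you whether
the change-usage step from the reply is still outstanding. Pinning with "!"
is what guarantees the choice; the prediction above only mirrors the rule as
the reply states it.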
