Nate Bargmann [2019-07-09T09:18:51-05] wrote:

> pub   dsa1024 2000-05-02 [SCA] [expires: 2024-07-06]
>       82D64F6B0E67CD41F689BBA6FB2C5130D55A8819
> uid           [ultimate] Nate Bargmann <n...@n0nb.us>
> uid           [ultimate] Nate Bargmann <n...@yahoo.com>
> uid           [ultimate] Nate Bargmann <n...@arrl.net>
> sub   elg4096 2018-03-07 [E] [expires: 2021-07-07]
> sub   rsa3072 2019-07-08 [S] [expires: 2021-07-07]
>
> The new subkey is shown as sign only [S]. As the primary key is only
> DSA 1024, I'd like to be sure that it is no longer used. Is the only
> way to assure the newer key is used (I read an assertion that gpg will
> choose the newest key for whatever action) to remove the primary
> key as noted at https://wiki.debian.org/Subkeys ?

Yes, for message signing gpg chooses the newest signing capable [S]
subkey automatically. You can select a certain primary key or subkey by
using the default-key option in gpg.conf:

    default-key FINGERPRINT!

Notice the "!" at the end. It forces gpg to use that very key for
signing without automagic key selection magic. So if you use "!" with
the key's fingerprint then that primary key is used for signing (if it is
capable of signing). If you use "!" with a certain subkey's fingerprint
then that subkey is used for signing.

> I have not figured out how to remove a capability from a key.

It is possible but it's an undocumented feature.

    $ gpg --edit-key YOUR_KEY

Select your master key and change its usage capabilities:

    gpg> key 0
    gpg> change-usage

This creates new self-signatures to your public key.

-- 
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
// https://keys.openpgp.org/search?q=tliko...@iki.fi
/ https://keybase.io/tlikonen https://github.com/tlikonen
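Added example, not part of the original message and not GnuPG's own code: a small Python check that reads `gpg --list-keys --with-colons` style output, applies the selection rule described in the reply (newest usable [S] subkey), and emits the matching `default-key FINGERPRINT!` line. The listing is constructed from the key quoted above; the subkey key IDs and fingerprints are placeholders, and the fallback to the primary key when no subkey qualifies is an assumption of this model.

```python
import time

# Constructed sample in `gpg --list-keys --with-colons` layout, modelled on the key
# quoted above. Subkey key IDs and fingerprints are placeholders, not real values.
SAMPLE = """\
pub:u:1024:17:FB2C5130D55A8819:957225600:1720224000::u:::scaESCA:
fpr:::::::::82D64F6B0E67CD41F689BBA6FB2C5130D55A8819:
sub:u:4096:16:1111111111111111:1520380800:1625616000:::::e:
fpr:::::::::0000000000000000000000001111111111111111:
sub:u:3072:1:2222222222222222:1562544000:1625616000:::::s:
fpr:::::::::0000000000000000000000002222222222222222:
"""
ALGOS = {"1": "rsa", "16": "elg", "17": "dsa"}  # OpenPGP public-key algorithm IDs

def parse_keys(listing):
    """Return one dict per pub/sub record with the following fpr record attached."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) >= 12:
            keys.append({"type": f[0], "validity": f[1], "bits": int(f[2]),
                         "algo": ALGOS.get(f[3], f[3]), "created": int(f[5]),
                         "expires": int(f[6]) if f[6] else None,
                         "caps": f[11], "fpr": None})
        elif f[0] == "fpr" and len(f) >= 10 and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]
    return keys

def can_sign(key, now):
    # Lower-case "s" in field 12 is the key's own signing capability; skip keys
    # that are revoked, expired, disabled or invalid.
    return ("s" in key["caps"] and key["validity"] not in ("r", "e", "d", "i")
            and (key["expires"] is None or key["expires"] > now))

def pick_signing_key(listing, now=None):
    """Newest usable [S] subkey; the primary only if no subkey qualifies (assumed)."""
    now = time.time() if now is None else now
    keys = parse_keys(listing)
    subs = [k for k in keys if k["type"] == "sub" and can_sign(k, now)]
    if subs:
        return max(subs, key=lambda k: k["created"])
    return next((k for k in keys if k["type"] == "pub" and can_sign(k, now)), None)

def default_key_line(key):
    """gpg.conf line that pins this exact key; the trailing "!" disables selection."""
    return "default-key %s!" % key["fpr"]

if __name__ == "__main__":
    chosen = pick_signing_key(SAMPLE, now=1562630000)  # constructed "now": 2019-07-09
    print(chosen["algo"], chosen["bits"], default_key_line(chosen))
```

In this model, a revoked or expired signing subkey makes the selection fall back to the dsa1024 primary for as long as it still carries the sign capability.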