gpg: replace -s flag by implicit adding to existing GPG key

2026-03-24 03:11:15 +08:00 · 2016-10-21 21:01:24 +03:00
parent aaade1737f
commit 1bd6775c35
2 changed files with 18 additions and 6 deletions
--- a/README-GPG.md
+++ b/README-GPG.md
@@ -53,7 +53,7 @@ pub   rsa2048/87BB07B4 2016-06-17 [SC]
 uid         [ultimate] John Doe <john@doe.bit>
 sub   rsa2048/7176D31F 2016-06-17 [E]

-$ trezor-gpg create --subkey "${TREZOR_GPG_USER_ID}" | gpg2 --import  # use the TREZOR to confirm signing the subkey
+$ trezor-gpg create "${TREZOR_GPG_USER_ID}" | gpg2 --import           # use the TREZOR to confirm signing the subkey
 gpg: key 87BB07B4: "John Doe <john@doe.bit>" 2 new signatures
 gpg: key 87BB07B4: "John Doe <john@doe.bit>" 2 new subkeys
 gpg: Total number processed: 1
--- a/trezor_agent/gpg/main.py
+++ b/trezor_agent/gpg/main.py
@@ -2,18 +2,27 @@
 """Create signatures and export public keys for GPG using TREZOR."""
 import argparse
 import contextlib
+import io
 import logging
 import sys
 import time

 import semver

-from . import agent, device, encode, keyring, protocol
+from . import agent, decode, device, encode, keyring, protocol
 from .. import formats, server, util

 log = logging.getLogger(__name__)


+def key_exists(user_id):
+    """Return True iff there is a GPG key with specified user ID."""
+    for p in decode.parse_packets(io.BytesIO(keyring.export_public_keys())):
+        if p['type'] == 'user_id' and p['value'] == user_id:
+            return True
+    return False
+
+
 def run_create(args):
    """Generate a new pubkey for a new/existing GPG identity."""
    log.warning('NOTE: in order to re-generate the exact same GPG key later, '
@@ -24,8 +33,9 @@ def run_create(args):
    verifying_key = conn.pubkey(ecdh=False)
    decryption_key = conn.pubkey(ecdh=True)

-    if args.subkey:
-        primary_bytes = keyring.export_public_key(user_id=args.user_id)
+    if key_exists(args.user_id):  # add as subkey
+        log.info('adding %s GPG subkey for "%s" to existing key',
+                 args.ecdsa_curve, args.user_id)
        # subkey for signing
        signing_key = protocol.PublicKey(
            curve_name=args.ecdsa_curve, created=args.time,
@@ -34,13 +44,16 @@ def run_create(args):
        encryption_key = protocol.PublicKey(
            curve_name=formats.get_ecdh_curve_name(args.ecdsa_curve),
            created=args.time, verifying_key=decryption_key, ecdh=True)
+        primary_bytes = keyring.export_public_key(args.user_id)
        result = encode.create_subkey(primary_bytes=primary_bytes,
                                      subkey=signing_key,
                                      signer_func=conn.sign)
        result = encode.create_subkey(primary_bytes=result,
                                      subkey=encryption_key,
                                      signer_func=conn.sign)
-    else:
+    else:  # add as primary
+        log.info('creating new %s GPG primary key for "%s"',
+                 args.ecdsa_curve, args.user_id)
        # primary key for signing
        primary = protocol.PublicKey(
            curve_name=args.ecdsa_curve, created=args.time,
@@ -82,7 +95,6 @@ def main():

    create_cmd = subparsers.add_parser('create')
    create_cmd.add_argument('user_id')
-    create_cmd.add_argument('-s', '--subkey', action='store_true', default=False)
    create_cmd.add_argument('-e', '--ecdsa-curve', default='nist256p1')
    create_cmd.add_argument('-t', '--time', type=int, default=int(time.time()))
    create_cmd.set_defaults(run=run_create)