34

I'm trying to export the public component of my subkey, but all GPG will give me is the public component of my master key. The keyring is set up like this.

    $ gpg -K
    /home/alex/.gnupg/secring.gpg
    -------------------------------------------------------
    sec#  4096R/4ACA8B96 2014-06-21 [expires: 2015-06-21]
    uid                  Alex Jordan <[email protected]>
    ssb   4096R/633DBBC0 2014-06-21
    ssb   4096R/93A31C56 2014-06-21

    $ gpg --armor --export 93A31C56
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v2.0.22 (MingW32)
    ...
    -----END PGP PUBLIC KEY BLOCK-----

The key that is output to the console is the public component of 4ACA8B96, not the requested key. Is there a technical limitation that's preventing this from working, or is it just GPG being stubborn?

2 Answers

26

RFC 4880, OpenPGP, 11.1. Transferable Public Keys defines that subkey packets are always preceded by a public (primary) key, thus GnuPG does not allow exporting one separately.

To do so anyway, export the key (it is recommended to use --export-options export-minimal to reduce the number of packets you have to deal with), and use gpgsplit on it, which will decompose the OpenPGP file into the individual packets. Those ending in public_subkey are the ones you're looking for. To find out which one is the right one, have a look at them using pgpdump [file] (gpg --list-packets fails for single packets, as the input is not a valid OpenPGP file). pgpdump should be available for most distributions in a package of the same name.

1
  • Splitting my key 0xBEF6EFD38FE8DCA0 works, but importing the sub key fails. gpg --import 000004-014.public_subkey says: gpg: no valid OpenPGP data found. Is there anything else that needs to be done? Commented Jul 30, 2018 at 9:46
17

Use ! to keep gpg from speculating/grabbing primary+secondary keys associated with your keyid [email protected]

When using gpg, an exclamation mark (!) may be appended to force using the specified primary or secondary key and not to try and calculate which primary or secondary key to use. https://linux.die.net/man/1/gpg

So get the keyid, then export only the specified subkey (and later test via --import on your test .gnupg):

    gpg --keyid-format long --with-fingerprint --list-key [email protected]
    gpg --export --armor --output public-key.asc 633DBBC0!   # for ssb1
2
  • Combo question: security.stackexchange.com/q/238017/69743 - Can you combine your strategy with expired subkeys and no signatures export? Commented Sep 6, 2020 at 11:37
  • I followed these steps and used the fingerprint of the subkey along with "!", but when I peek into the output file with gpg --show-keys I still see the primary key listed along with the sub key. Commented Oct 28, 2024 at 22:15
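Both answers come down to the same constraint: an export is a sequence of OpenPGP packets, and a transferable public key (RFC 4880 sec 11.1) has to begin with the primary key packet, so the primary key packet always travels next to the subkey you asked for. The following is an added example (Python, not code from either answer) that walks such an export packet by packet and reports each key packet's key ID, so you can check that a file exported with 633DBBC0! really contains that subkey and see why a lone gpgsplit *.public_subkey file is not importable; the key material and the sample export are constructed.

```python
"""Walk an OpenPGP public key export packet by packet (RFC 4880 sec 4.2, 11.1, 12.2).
Added example, not from the answers: handles the old-format packet headers that
gpg --export writes (CTB 0x99 = primary key, 0xB9 = subkey); sample data is constructed."""
import hashlib
import struct

TAGS = {2: "signature", 6: "public_key", 13: "user_id", 14: "public_subkey"}

def packets(data):
    """Yield (tag, body) for every packet in the byte string."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0xC0 != 0x80 or ctb & 3 == 3:   # need old-format header with explicit length
            raise ValueError("unsupported packet header 0x%02x at offset %d" % (ctb, i))
        tag, size = (ctb >> 2) & 0x0F, (1, 2, 4)[ctb & 3]
        length = int.from_bytes(data[i + 1:i + 1 + size], "big")
        i += 1 + size
        yield tag, data[i:i + length]
        i += length

def key_id(body):
    """v4 key ID: low 64 bits of SHA-1 over 0x99 || 2-octet length || key packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()[-16:].upper()

def describe(data):
    """(packet name, key ID or None) per packet: what the export really contains."""
    return [(TAGS.get(t, "tag%d" % t), key_id(b) if t in (6, 14) else None)
            for t, b in packets(data)]

def is_transferable(data):
    """RFC 4880 sec 11.1: a transferable public key must begin with a primary key packet,
    which is why a lone gpgsplit *.public_subkey file imports as 'no valid OpenPGP data'."""
    return next(packets(data), (None,))[0] == 6

def packet(tag, body):
    """Encode an old-format packet with a 2-octet length field, as gpg does for key packets."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def fake_v4_rsa(n):
    """Constructed v4 RSA key body: version 4, creation time, algo 1, MPI n, MPI e=65537."""
    return (b"\x04" + struct.pack(">I", 1403308800) + b"\x01"
            + struct.pack(">H", n.bit_length()) + n.to_bytes(2, "big") + b"\x00\x11\x01\x00\x01")

# Constructed stand-in for the binary output of `gpg --export`: primary key, user ID, one subkey.
PRIMARY, SUBKEY = fake_v4_rsa(0xC5D3), fake_v4_rsa(0x9A71)
EXPORT = (packet(6, PRIMARY) + packet(13, b"Alex Jordan <alex@example.invalid>")
          + packet(14, SUBKEY))
```

To inspect a real file, export without --armor and call describe(open("sub.gpg", "rb").read()); the key ID of the subkey you named should appear on the public_subkey line.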
