From d3e49e0bb3ed6165ad253c276359c0b8ce09619b Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Tue, 19 Apr 2022 19:46:13 +0200 Subject: [PATCH] Add cautionary text about OpenPGP cert export --- tools/README.md | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/tools/README.md b/tools/README.md index 38d01dd..18ca596 100644 --- a/tools/README.md +++ b/tools/README.md @@ -123,7 +123,7 @@ Password validation retry count: user pw: 3, reset: 3, admin pw: 3 ``` -### Get OpenPGP public key +### Get an OpenPGP public key representation from a card This command returns an OpenPGP public key representation of the keys on a card. @@ -170,6 +170,27 @@ And/or pass the user PIN as a file, for non-interactive use": $ opgpcard pubkey -p ``` +#### Caution: the exported public key material isn't always what you want + +The result of exporting public key material from a card is only an approximation of the original public key, since +some metadata is not available on OpenPGP cards. This missing metadata includes expiration dates. + +Also, if your card only contains subkeys, but not the original primary key, then the exported certificate will use the +signing subkey from the card as the primary key for the exported certificate. + +One way to safely process this exported public key material from a card is via `sq key adopt`. + +You can use this approach when you have access to your private primary key material (in the following example, we +assume this key is available in `key.pgp`). Then you can bind the public key material from a card to your key: + +``` +opgpcard pubkey > public.key +sq key adopt key.pgp public.pgp +``` + +In that process, you will be able to manually set any relevant flags. + + ### Using a card for ssh auth To use an OpenPGP card for ssh login authentication, a PGP authentication key needs to exist on the card.
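Review bot: the heading rename in the first hunk (`### Get OpenPGP public key` to `### Get an OpenPGP public key representation from a card`) also changes the Markdown anchor generated for this section, so any existing links to the old heading in tools/README.md or elsewhere in the repository will stop resolving; worth a grep for the old anchor before merging. The new wording itself is an improvement, since it matches the sentence that follows it ("This command returns an OpenPGP public key representation of the keys on a card.").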
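Review bot: the `sq key adopt` example in the second hunk does not work as written: the first command redirects the card's public key to `public.key`, but the second command reads `public.pgp`, so the two file names need to agree (for example `opgpcard pubkey > public.pgp`, which also matches the `.pgp` naming used for `key.pgp`). Two smaller points: "you will be able to manually set any relevant flags" is vague; since the paragraph above singles out expiration dates as metadata the card cannot supply, it would help to say that expiration is among the things set at this step. And the hunk inserts two blank lines before `### Using a card for ssh auth` where the rest of the file uses one.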