gnupg: Specify a User ID

7 How to Specify a User Id
**************************

There are different ways to specify a user ID to GnuPG. Some of them are
only valid for 'gpg', others are only good for 'gpgsm'. Here is the
entire list of ways to specify a key:

* By key Id. This format is deduced from the length of the string
  and its content or '0x' prefix. The key Id of an X.509 certificate
  is the low 64 bits of its SHA-1 fingerprint. The use of key Ids
  is just a shortcut; for all automated processing the fingerprint
  should be used.

  When using 'gpg' an exclamation mark (!) may be appended to force
  using the specified primary or secondary key and not to try and
  calculate which primary or secondary key to use.

  The last four lines of the example give the key ID in its long
  form as internally used by the OpenPGP protocol. You can see the
  long key ID using the option '--with-colons'.

      234567C4
      0F34E556E
      01347A56A
      0xAB123456

      234AABBCC34567C4
      0F323456784E56EAB
      01AB3FED1347A5612
      0x234AABBCC34567C4

* By fingerprint. This format is deduced from the length of the
  string and its content or the '0x' prefix. Note that only the
  20-byte version of the fingerprint is available with 'gpgsm' (i.e.
  the SHA-1 hash of the certificate).

  When using 'gpg' an exclamation mark (!) may be appended to force
  using the specified primary or secondary key and not to try and
  calculate which primary or secondary key to use.

  The best way to specify a key Id is by using the fingerprint. This
  avoids any ambiguities in case there are duplicate key IDs.

      1234343434343434C434343434343434
      123434343434343C3434343434343734349A3434
      0E12343434343434343434EAB3484343434343434
      0xE12343434343434343434EAB3484343434343434

  'gpgsm' also accepts colons between each pair of hexadecimal digits
  because this is the de facto standard for presenting X.509
  fingerprints. 'gpg' also allows the use of the space-separated
  SHA-1 fingerprint as printed by the key listing commands.

* By exact match on OpenPGP user ID. This is denoted by a leading
  equal sign. It does not make sense for X.509 certificates.

      =Heinrich Heine <heinrichh@uni-duesseldorf.de>

* By exact match on an email address. This is indicated by enclosing
  the email address in the usual way with left and right angle
  brackets.

      <heinrichh@uni-duesseldorf.de>

* By partial match on an email address. This is indicated by
  prefixing the search string with an '@'. This uses a substring
  search but considers only the mail address (i.e. inside the angle
  brackets).

      @heinrichh

* By exact match on the subject's DN. This is indicated by a leading
  slash, directly followed by the RFC-2253 encoded DN of the subject.
  Note that you can't use the string printed by 'gpgsm --list-keys'
  because that one has been reordered and modified for better
  readability; use '--with-colons' to print the raw (but standard
  escaped) RFC-2253 string.

      /CN=Heinrich Heine,O=Poets,L=Paris,C=FR

* By exact match on the issuer's DN. This is indicated by a leading
  hash mark, directly followed by a slash and then directly followed
  by the RFC-2253 encoded DN of the issuer. This should return the
  Root cert of the issuer. See note above.

      #/CN=Root Cert,O=Poets,L=Paris,C=FR

* By exact match on serial number and issuer's DN. This is indicated
  by a hash mark, followed by the hexadecimal representation of the
  serial number, then followed by a slash and the RFC-2253 encoded DN
  of the issuer. See note above.

      #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR

* By keygrip. This is indicated by an ampersand followed by the 40
  hex digits of a keygrip. 'gpgsm' prints the keygrip when using the
  command '--dump-cert'.

      &D75F22C3F86E355877348498CDC92BD21010A480

* By substring match. This is the default mode but applications may
  want to explicitly indicate this by putting the asterisk in front.
  Match is not case sensitive.

      Heine
      *Heine

* '.' and '+' prefixes. These prefixes are reserved for looking up
  mails anchored at the end and for a word search mode. They are not
  yet implemented and using them is undefined.

Please note that we have reused the hash mark identifier, which was
used in old GnuPG versions to indicate the so-called local-id. It is
no longer used and there should be no conflict when used with X.509
stuff.

Using the RFC-2253 format of DNs has the drawback that it is not
possible to map them back to the original encoding; however, we don't
have to do this because our key database stores this encoding as
metadata.
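The prefix and length rules listed above, modeled as a small classifier that a script can use to refuse anything but a full fingerprint before calling 'gpg' or 'gpgsm'. This is an added example, not GnuPG's own parser and not code from the manual; the mode labels and the names classify and safe_for_automation are assumptions of this example, and the length table is inferred from the sample values on this page.

```python
import re

HEX = re.compile(r"[0-9A-Fa-f]+")
# Hex digit count -> mode label (labels are this example's own names).
HEX_MODES = {8: "short-keyid", 16: "long-keyid",
             32: "fingerprint-16", 40: "fingerprint-20"}
PREFIX_MODES = {"=": "exact-uid", "<": "exact-email", "@": "partial-email",
                "/": "subject-dn", "*": "substring",
                ".": "reserved", "+": "reserved"}

def classify(spec):
    """Return (mode, forced) for one user ID specification string."""
    s = spec.strip()
    if not s:
        return ("invalid", False)
    if s[0] in PREFIX_MODES:
        return (PREFIX_MODES[s[0]], False)
    if s[0] == "#":
        if s[1:2] == "/":
            return ("issuer-dn", False)
        serial, slash, dn = s[1:].partition("/")
        ok = slash and dn and HEX.fullmatch(serial)
        return ("serial-issuer-dn" if ok else "invalid", False)
    if s[0] == "&":
        ok = len(s) == 41 and HEX.fullmatch(s[1:])
        return ("keygrip" if ok else "invalid", False)
    forced = s.endswith("!")          # '!' pins the exact (sub)key in gpg
    body = s[:-1] if forced else s
    had_0x = body[:2].lower() == "0x"
    if had_0x:
        body = body[2:]
    # Accept ':' or ' ' separators only when they wrap a 20-byte fingerprint,
    # so a name such as "Dead Beef" is not mistaken for a key ID.
    packed = re.sub(r"[: ]", "", body)
    if len(packed) == 40:
        body = packed
    if HEX.fullmatch(body):
        n = len(body)
        if n not in HEX_MODES and not had_0x and body[0] == "0":
            n -= 1                    # forms like 0F34E556E carry a leading 0
        if n in HEX_MODES:
            return (HEX_MODES[n], forced)
    # Anything else falls back to the page's default mode (a simplification).
    return ("substring", False)

def safe_for_automation(spec):
    """Allow only fingerprints, as the page advises for automated processing."""
    return classify(spec)[0].startswith("fingerprint")
```

A wrapper script can call safe_for_automation on every key argument and abort when it returns False, so a short key ID or a name substring never selects the key used for signing or encryption.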