I understand that normally the split-gpg2 client qubes can only use the subkeys, but what about key signing?
Is it possible to sign (certify) other people’s keys using split-gpg2 without importing the public keys into the gpg backend qube?
To prevent this, Split GPG-2 creates a new GnuPG home directory and imports the secret subkeys (not the primary key!) to it.
This restriction makes sense of course, since split-gpg2 can’t tell if it’s certifying a key or just signing some data. I’m not too familiar with the OpenPGP standard, but it may be that a compromised client qube with the ability to sign a hash using the primary key may be able to certify a new subkey. So I get why this isn’t possible normally.
I’m just wondering what the recommended setup for key signing is, if it is possible at all.
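The restriction described above can be reproduced locally. The script below is an added example, not code from the Qubes project or from the poster: it mimics the split-gpg2 layout with two throwaway GnuPG homes on one machine (instead of two qubes), imports only the secret subkeys into the "backend" home, and then checks that data signing works there while certifying another key or adding a subkey does not. The user IDs, directory names and the `split_gpg_demo` function are assumptions for the demo.

```shell
# Two throwaway GnuPG homes mimic the split-gpg2 layout on one machine:
# "full" keeps the primary key, "backend" gets only the secret subkeys.
# Assumes gpg >= 2.1 and awk on PATH. Returns 77 if gpg is missing,
# 0 if every check passes, 1 if any check fails.
split_gpg_demo() {
    command -v gpg >/dev/null 2>&1 || return 77
    work=$(mktemp -d) || return 1
    full="$work/full"; backend="$work/backend"
    mkdir -m 700 "$full" "$backend" || return 1
    # Non-interactive gpg with an empty passphrase (throwaway keys only).
    G="gpg --batch --quiet --yes --pinentry-mode loopback --passphrase"

    # 1. Full keyring: certify-only primary plus a signing subkey.
    GNUPGHOME="$full" $G '' --quick-generate-key \
        "Demo <demo@example.invalid>" ed25519 cert never || return 1
    fpr=$(GNUPGHOME="$full" gpg --batch --with-colons \
          --list-secret-keys demo@example.invalid |
          awk -F: '$1 == "fpr" { print $10; exit }')
    GNUPGHOME="$full" $G '' --quick-add-key "$fpr" ed25519 sign never || return 1

    # 2. Someone else's key; the backend will only hold its public part.
    GNUPGHOME="$full" $G '' --quick-generate-key \
        "Other <other@example.invalid>" ed25519 cert never || return 1
    other=$(GNUPGHOME="$full" gpg --batch --with-colons \
            --list-secret-keys other@example.invalid |
            awk -F: '$1 == "fpr" { print $10; exit }')

    # 3. Backend receives the secret subkeys only (what split-gpg2 imports)
    #    plus Other's public key; the primary key never leaves "full".
    GNUPGHOME="$full" $G '' --export-secret-subkeys "$fpr" |
        GNUPGHOME="$backend" $G '' --import || return 1
    GNUPGHOME="$full" gpg --batch --export "$other" |
        GNUPGHOME="$backend" $G '' --import || return 1

    # 4. Signing data with the subkey works from the backend home.
    printf 'payload\n' | GNUPGHOME="$backend" $G '' --detach-sign >/dev/null || return 1

    # 5. Anything that needs the primary key fails: certifying Other's key
    #    and adding a new subkey both end with "No secret key".
    if GNUPGHOME="$backend" $G '' --quick-sign-key "$other" 2>/dev/null; then
        return 1
    fi
    if GNUPGHOME="$backend" $G '' --quick-add-key "$fpr" ed25519 sign never 2>/dev/null; then
        return 1
    fi
    GNUPGHOME="$full" gpgconf --kill gpg-agent 2>/dev/null || :
    GNUPGHOME="$backend" gpgconf --kill gpg-agent 2>/dev/null || :
    rm -rf "$work"
}
```

Run `split_gpg_demo; echo $?` to see 0 when the subkey-only home signs data but cannot certify or add keys.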