doc: Update description of the key format.

--
2025-01-03 12:11:33 +01:00 · 2022-08-16 12:33:26 +02:00 · 2022-08-16 12:33:26 +02:00 · 7046001b07
commit 7046001b07
parent 1908fa8b83
2 changed files with 21 additions and 11 deletions
--- a/agent/findkey.c
+++ b/agent/findkey.c
@ -49,7 +49,7 @@ struct try_unprotect_arg_s
 };


-/* Repalce all linefeeds in STRING by "%0A" and return a new malloced
+/* Replace all linefeeds in STRING by "%0A" and return a new malloced
 * string.  May return NULL on memory error.  */
 static char *
 linefeed_to_percent0A (const char *string)
--- a/agent/keyformat.txt
+++ b/agent/keyformat.txt
@ -29,8 +29,8 @@ convention.  Example (here indented with two spaces):
  Use-for-ssh: yes
  OpenSSH-cert: long base64 encoded string wrapped so that this
    key file can be easily edited with a standard editor.
-  Token: D2760001240102000005000011730000 OPENPGP.1
-  Token: FF020001008A77C1 PIV.9C
+  Token: D2760001240102000005000011730000 OPENPGP.1 -
+  Token: FF020001008A77C1 PIV.9C -
  Key: (shadowed-private-key
    (rsa
    (n #00AA1AD2A55FD8C8FDE9E1941772D9CC903FA43B268CB1B5A1BAFDC900
@ -48,7 +48,7 @@ convention.  Example (here indented with two spaces):
    )))

 GnuPG 2.2 is also able to read and write keys using the new format
-However, it only makes use of the value stored under the name 'Key:'.
+However, it only makes use of some of the values.

 Keys in the extended format can be recognized by looking at the first
 byte of the file.  If it starts with a '(' it is a naked S-expression,
@ -72,8 +72,7 @@ of a continuation line encodes a newline.
 Lines containing only whitespace, and lines starting with whitespace
 followed by '#' are considered to be comments and are ignored.

-** Well defined names
-
+** Well known names
 *** Description
 This is a human readable string describing the key.

@ -106,12 +105,18 @@ items can be used.
 If such an item exists it overrides the info given by the "shadow"
 parameter in the S-expression.  Using this item makes it possible to
 describe a key which is stored on several tokens and also makes it
-easy to update this info using a standard editor.  The syntax is the
-same as with the "shadow" parameter:
+easy to update this info using a standard editor.  The syntax is
+similar to the "shadow" parameter:
+
+- Serialnumber of the token.
+- Key reference from the token in full format (e.g. "OpenPGP.2").
+- An optional fixed length of the PIN or "-".
+- The human readable serial number of a card.  This is usually what is
+  printed on the actual card.  This value is taken directly from the
+  card but when asking to insert a card it is useful to have this
+  value available.  GnuPG takes care of creating and possibly updating
+  this entry.  This is percent-plus-escaped.

- Serialnumber of the token
- Key reference from the token in full format (e.g. "OpenPGP.2")
- An optional fixed length of the PIN.

 *** Use-for-ssh
 If given and the value is "yes" or "1" the key is allowed for use by
@ -119,6 +124,11 @@ gpg-agent's ssh-agent implementation.  This is thus the same as
 putting the keygrip into the 'sshcontrol' file.  Only one such item
 should exist.

+*** Use-for-p11
+If given and the value is "yes" or "1" the key is allowed for use by
+GnuPG's PKCS#11 interface (Scute).  Note that Scute needs to be
+configured to use this optimization.
+
 *** Confirm
 If given and the value is "yes", a user will be asked confirmation by
 a dialog window when the key is about to be used for