Conversation

Jarkko Sakkinen

Learned a bit of #python #gnupg bindings to automate tasks, as the gpg command line can sometimes be a bit confusing and ambiguous.

E.g. this is how to purge revoked keys after gpg --refresh-keys:

#!/usr/bin/env python3

# Uses the python-gnupg bindings (import name: gnupg) on top of the local gpg binary.
import gnupg

if __name__ == "__main__":
    gpg = gnupg.GPG()
    # True selects the secret keyring (--list-secret-keys).
    keys = gpg.list_keys(True)
    for k in keys:
        # subkey_info maps each subkey ID to its parsed record (validity, length, algo, ...).
        info_db = k['subkey_info']
        # Each subkey entry is [keyid, capabilities, fingerprint, ...].
        for subk in k['subkeys']:
            info = info_db[subk[0]]
            # validity 'r' means the subkey has been revoked
            if info['trust'] == 'r':
                fp = subk[2]
                # exclamation_mode appends '!' so only this subkey is deleted, not the whole key
                print(f"{fp} {gpg.delete_keys(fp, expect_passphrase=False, exclamation_mode=True)}")

Definitely worth the trouble because I'm super-talented at making destructive mistakes with command-line arguments :-)

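The selection logic in the post above depends on the validity field of gpg's machine-readable key listing, which is what the python-gnupg bindings parse internally. The following added example (not the poster's code, and not using python-gnupg) parses that `--with-colons` format directly and produces a dry-run list of the exact `gpg --delete-keys FPR!` commands it would run, so the "which subkeys are revoked" decision can be checked on constructed data before anything destructive happens. The key IDs, fingerprints and user ID in `SAMPLE_LISTING` are placeholders, and `current_listing` is only provided for when a live listing is wanted.

```python
#!/usr/bin/env python3
"""Dry-run finder for revoked subkeys in gpg's --with-colons key listing.

Added example; it parses the colon-separated records (GnuPG doc/DETAILS)
rather than calling python-gnupg, so it runs offline on constructed input.
"""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Colon record layout: field 1 = record type, field 2 = validity
# ('r' revoked, 'e' expired, 'u' ultimate, ...), field 5 = key ID,
# field 12 = capabilities; for 'fpr' records field 10 is the fingerprint.
REVOKED = "r"


@dataclass
class SubKey:
    keyid: str
    validity: str
    caps: str
    fingerprint: Optional[str] = None


@dataclass
class Key:
    keyid: str
    validity: str
    fingerprint: Optional[str] = None
    uids: List[str] = field(default_factory=list)
    subkeys: List[SubKey] = field(default_factory=list)


def parse_colon_listing(text: str) -> List[Key]:
    """Parse `gpg --with-colons --list-keys` or `--list-secret-keys` output."""
    keys: List[Key] = []
    last_was_subkey = False  # decides which record the next 'fpr' line belongs to
    for line in text.splitlines():
        f = line.split(":")
        rtype = f[0]
        if rtype in ("pub", "sec"):
            keys.append(Key(keyid=f[4], validity=f[1]))
            last_was_subkey = False
        elif rtype in ("sub", "ssb"):
            if not keys:
                raise ValueError("subkey record before any primary key record")
            keys[-1].subkeys.append(SubKey(keyid=f[4], validity=f[1], caps=f[11]))
            last_was_subkey = True
        elif rtype == "fpr":
            if not keys:
                raise ValueError("fpr record before any key record")
            if last_was_subkey:
                keys[-1].subkeys[-1].fingerprint = f[9]
            else:
                keys[-1].fingerprint = f[9]
        elif rtype == "uid":
            if keys:
                keys[-1].uids.append(f[9])
            last_was_subkey = False
        # other record types (grp, tru, sig, ...) are ignored
    return keys


def revoked_subkey_fingerprints(keys: List[Key]) -> List[str]:
    """Fingerprints of subkeys whose validity field is 'r' (revoked)."""
    return [sk.fingerprint for k in keys for sk in k.subkeys
            if sk.validity == REVOKED and sk.fingerprint]


def plan_deletions(keys: List[Key]) -> List[List[str]]:
    """Build, but do not run, one gpg command per revoked subkey.

    The trailing '!' restricts --delete-keys to exactly that subkey (what
    python-gnupg's exclamation_mode=True appends); --batch --yes makes the
    command non-interactive, which is an assumption about the operator's setup.
    """
    return [["gpg", "--batch", "--yes", "--delete-keys", fp + "!"]
            for fp in revoked_subkey_fingerprints(keys)]


def current_listing(secret: bool = False) -> str:
    """Fetch the live listing from the local gpg binary (not used by the dry run)."""
    cmd = ["gpg", "--with-colons", "--list-secret-keys" if secret else "--list-keys"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample listing (placeholder key IDs and fingerprints, not real keys):
# one primary key with a live encryption subkey and one revoked encryption subkey.
SAMPLE_LISTING = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1600000000::::::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1600000000::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000002:
sub:r:4096:1:CCCCCCCCCCCCCCCC:1500000000::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000003:
"""

if __name__ == "__main__":
    for cmd in plan_deletions(parse_colon_listing(SAMPLE_LISTING)):
        print("would run:", " ".join(cmd))
```

Running it prints one planned command for the revoked subkey only; swapping `SAMPLE_LISTING` for `current_listing(secret=True)` turns it into a review step for a real keyring, with the commands still left to the operator to execute.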

@jarkko

I made enc a while ago, which is gnupg but modern and friendly:

https://github.com/life4/enc

It is 100% compatible with gnupg, and the keys are just files. My goal was to make cryptography simple and approachable for everyone.

@orsinium OK, cool, sounds interesting!

Does it play together with hardware such as Yubikey?
@orsinium I've yet to meet a person who would describe the gpg command line as "approachable", so even "approachable to someone" would be a level up...

Jarkko Sakkinen

Edited 7 months ago
@orsinium BTW, I'd suggest you do a comparison some day between your tool and https://www.kernel.org/doc/html/latest/process/maintainer-pgp-guide.html.

That sets the bar for considering an alternative tool. That is not to say that the current version does not, but I don't have that information. If it can do equivalent management and is fully compatible with the existing management, then it can potentially be used for kernel development.
@orsinium Right, one other thing is that any tool must, by practical means, be compatible with gpg-agent. I'm voting for a better interface, but because of incompatibility issues it would actually be better off if it could persist to GnuPG's backing storage. This is for compatibility with session managers, gpg-agent and all sorts of GUI applications dealing with OpenPGP keys.

@orsinium So I did look into it a bit and, if I got the right understanding, it has its own backing storage thing.

So my thoughts are that:

  • A more streamlined interface for OpenPGP keys would be more than welcome.
  • That said, it should be able to fully connect to the existing GnuPG infrastructure for compatibility's sake. It would be tedious to switch the whole "ecosystem" just for a better command-line tool.
  • As long as the tool takes care of the shenanigans, it does not matter how complicated the storage format is.

I.e. if I have a fresh GNOME desktop it already has gpg-agent running with zero configuration (thanks to systemd). So by all practical means the backend side is sort of almost a de facto standard.
