如何限制 OpenPGP 证书中主密钥对的使用标志？

您需要使用标志 certify C，这是 OpenPGP 规范所要求的。身份验证A很少使用，这意味着您可以验证自己的身份（类似于基于 SSH 密钥的身份验证）。

然而，无法更改 GnuPG 中的使用标志（但通过破解代码）来自Resul Cetin 的留言在该邮件列表主题中：

好的，这很容易做到（不是干净利落，但可以快速而巧妙地完成）。只需搜索gnupg-1.4.9/g10/getkey.c:parse_key_usage并更改p为non-const并始终设置(*p) &=~2;。之后，我开始新编译的 hackish-gpg --edit-key并设置主密钥的过期时间。完成此过程后，我只设置了 Cert 标志。谢谢 Christoph - 你是我今天的个人英雄 :)

要更改现有的主密钥，Jens 引用的 gnupg-users 线程涵盖了我所见过的唯一方法。

将主密钥设置为仅在创建时认证稍微容易一些：

bash-3.2$ gpg --gen-key --expert
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Sign Certify Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Certify Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Certify 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 16384 bits long.
What keysize do you want? (2048)   C-c C-c
gpg: Interrupt caught ... exiting

bash-3.2$ 

但是，您随后需要使用 gpg --edit-key 命令手动创建子键。

change-usage是将改变允许操作的隐藏子命令。

$ gpg --edit-key $KEYID

gpg> change-usage
Changing usage of the primary key.

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Sign Certify 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection?

来源 -

1. 详细说明这答案是三昧另一个问题。