Heiko
@hko@floss.social  ยท  activity timestamp 2 weeks ago

Let's look at the output of the "status" command, in three examples:

First, we can check out the contents of my certificate, e.g. by pulling it from a public keyserver, like this:

$ curl -s "https://pgpkeys.eu/pks/lookup?op=get&search=0x23da7c0eaa711f0170013595b518d342eb2d4805" | rpgp status

The output shows the top-level primary key material and its metadata in a first block, followed by a series of subkeys with their respective metadata, and finally a set of four User IDs.

Validity of each component is shown both as emoji and explanatory text.

๐Ÿงต 2/5

A terminal session that shows the following command and output: $ curl -s "https://pgpkeys.eu/pks/lookup?op=get&search=0x23da7c0eaa711f0170013595b518d342eb2d4805" | rpgp status ๐Ÿ” EdDSA/Curve25519 v4 23da7c0eaa711f0170013595b518d342eb2d4805 โฑ๏ธ Created 2023-04-23 03:04:56 UTC โœ… Active, expires 2026-04-22 03:04:56 UTC ๐Ÿด Key flags: Certify ๐Ÿ”‘ EdDSA/Curve25519 v4 954fc07eb1a70fc30bfc10f839d6c12995a8d067 โฑ๏ธ Created 2023-05-09 21:02:23 UTC โœ… Active, expires 2026-04-22 10:12:46 UTC ๐Ÿด Key flags: Auth ๐Ÿ”‘ ECDH/Curve25519 v4 f84f06b6f44c9090f1c27f89c8edabd42aa0c4e8 โฑ๏ธ Created 2023-05-09 21:02:12 UTC โœ… Active, expires 2026-04-22 10:12:46 UTC ๐Ÿด Key flags: Encrypt ๐Ÿ”‘ EdDSA/Curve25519 v4 03c75b9e40375ce18d815946dae9a9050fccf1eb โฑ๏ธ Created 2023-05-09 21:01:49 UTC โœ… Active, expires 2026-04-22 10:12:46 UTC ๐Ÿด Key flags: Sign ๐Ÿ”‘ ECDH/Curve25519 v4 c09cbaaf8dcc628209789ad3c283ad022c2ed0de โฑ๏ธ Created 2023-04-23 03:04:56 UTC ๐Ÿšซ Revoked (soft): KeySuperseded "subkey is retired", 2023-12-09 23:58:06 UTC ๐Ÿชช ID "<heiko.schaefer@posteo.de>" โœ… Active, expires 2026-04-22 10:46:31 UTC ๐Ÿชช ID "Heiko Schaefer" โœ… Active, expires 2026-04-22 10:46:31 UTC ๐Ÿชช ID "Heiko Schaefer <heiko@schaefer.name>" โœ… Active, expires 2026-04-22 10:46:31 UTC ๐Ÿชช ID "Heiko Schaefer <heiko.schaefer@posteo.de>" โœ… Active, expires 2026-04-22 10:46:31 UTC
A terminal session that shows the following command and output: $ curl -s "https://pgpkeys.eu/pks/lookup?op=get&search=0x23da7c0eaa711f0170013595b518d342eb2d4805" | rpgp status ๐Ÿ” EdDSA/Curve25519 v4 23da7c0eaa711f0170013595b518d342eb2d4805 โฑ๏ธ Created 2023-04-23 03:04:56 UTC โœ… Active, expires 2026-04-22 03:04:56 UTC ๐Ÿด Key flags: Certify ๐Ÿ”‘ EdDSA/Curve25519 v4 954fc07eb1a70fc30bfc10f839d6c12995a8d067 โฑ๏ธ Created 2023-05-09 21:02:23 UTC โœ… Active, expires 2026-04-22 10:12:46 UTC ๐Ÿด Key flags: Auth ๐Ÿ”‘ ECDH/Curve25519 v4 f84f06b6f44c9090f1c27f89c8edabd42aa0c4e8 โฑ๏ธ Created 2023-05-09 21:02:12 UTC โœ… Active, expires 2026-04-22 10:12:46 UTC ๐Ÿด Key flags: Encrypt ๐Ÿ”‘ EdDSA/Curve25519 v4 03c75b9e40375ce18d815946dae9a9050fccf1eb โฑ๏ธ Created 2023-05-09 21:01:49 UTC โœ… Active, expires 2026-04-22 10:12:46 UTC ๐Ÿด Key flags: Sign ๐Ÿ”‘ ECDH/Curve25519 v4 c09cbaaf8dcc628209789ad3c283ad022c2ed0de โฑ๏ธ Created 2023-04-23 03:04:56 UTC ๐Ÿšซ Revoked (soft): KeySuperseded "subkey is retired", 2023-12-09 23:58:06 UTC ๐Ÿชช ID "<heiko.schaefer@posteo.de>" โœ… Active, expires 2026-04-22 10:46:31 UTC ๐Ÿชช ID "Heiko Schaefer" โœ… Active, expires 2026-04-22 10:46:31 UTC ๐Ÿชช ID "Heiko Schaefer <heiko@schaefer.name>" โœ… Active, expires 2026-04-22 10:46:31 UTC ๐Ÿชช ID "Heiko Schaefer <heiko.schaefer@posteo.de>" โœ… Active, expires 2026-04-22 10:46:31 UTC
A terminal session that shows the following command and output: $ curl -s "https://pgpkeys.eu/pks/lookup?op=get&search=0x23da7c0eaa711f0170013595b518d342eb2d4805" | rpgp status ๐Ÿ” EdDSA/Curve25519 v4 23da7c0eaa711f0170013595b518d342eb2d4805 โฑ๏ธ Created 2023-04-23 03:04:56 UTC โœ… Active, expires 2026-04-22 03:04:56 UTC ๐Ÿด Key flags: Certify ๐Ÿ”‘ EdDSA/Curve25519 v4 954fc07eb1a70fc30bfc10f839d6c12995a8d067 โฑ๏ธ Created 2023-05-09 21:02:23 UTC โœ… Active, expires 2026-04-22 10:12:46 UTC ๐Ÿด Key flags: Auth ๐Ÿ”‘ ECDH/Curve25519 v4 f84f06b6f44c9090f1c27f89c8edabd42aa0c4e8 โฑ๏ธ Created 2023-05-09 21:02:12 UTC โœ… Active, expires 2026-04-22 10:12:46 UTC ๐Ÿด Key flags: Encrypt ๐Ÿ”‘ EdDSA/Curve25519 v4 03c75b9e40375ce18d815946dae9a9050fccf1eb โฑ๏ธ Created 2023-05-09 21:01:49 UTC โœ… Active, expires 2026-04-22 10:12:46 UTC ๐Ÿด Key flags: Sign ๐Ÿ”‘ ECDH/Curve25519 v4 c09cbaaf8dcc628209789ad3c283ad022c2ed0de โฑ๏ธ Created 2023-04-23 03:04:56 UTC ๐Ÿšซ Revoked (soft): KeySuperseded "subkey is retired", 2023-12-09 23:58:06 UTC ๐Ÿชช ID "<heiko.schaefer@posteo.de>" โœ… Active, expires 2026-04-22 10:46:31 UTC ๐Ÿชช ID "Heiko Schaefer" โœ… Active, expires 2026-04-22 10:46:31 UTC ๐Ÿชช ID "Heiko Schaefer <heiko@schaefer.name>" โœ… Active, expires 2026-04-22 10:46:31 UTC ๐Ÿชช ID "Heiko Schaefer <heiko.schaefer@posteo.de>" โœ… Active, expires 2026-04-22 10:46:31 UTC
Heiko
@hko@floss.social replied  ยท  activity timestamp 2 weeks ago

Analogously, we can inspect a modern v6 OpenPGP certificate, which uses up-to-date formats from the very recent RFC 9580.

We'll make a fresh example v6 certificate to look at with the "rsop" tool:

$ rsop generate-key --profile rfc9580 "" | rsop extract-cert > alice_v6.cert

And then look into it with:

$ rpgp status alice_v6.cert

๐Ÿงต 3/5

A terminal session that shows the following commands and output: $ rsop generate-key --profile rfc9580 "<alice@example.org>" | rsop extract-cert > alice_v6.cert $ rpgp status alice_v6.cert ๐Ÿ” Ed25519 v6 82d496f62a2419443eb2b9be73159edd0fbdddaf9860db2cdb1164ad16ce918e โฑ๏ธ Created 2025-08-24 22:16:36 UTC โœ… Active (no expiration) ๐Ÿด Key flags: Certify, Sign ๐Ÿ”‘ X25519 v6 513694cc5bb335f0d5c991defbd94ddc7e6e4ce3025b0d489cf67301ec9d3093 โฑ๏ธ Created 2025-08-24 22:16:36 UTC โœ… Active (no expiration) ๐Ÿด Key flags: Encrypt ๐Ÿชช ID "<alice@example.org>" (primary) โœ… Active (no expiration)
A terminal session that shows the following commands and output: $ rsop generate-key --profile rfc9580 "<alice@example.org>" | rsop extract-cert > alice_v6.cert $ rpgp status alice_v6.cert ๐Ÿ” Ed25519 v6 82d496f62a2419443eb2b9be73159edd0fbdddaf9860db2cdb1164ad16ce918e โฑ๏ธ Created 2025-08-24 22:16:36 UTC โœ… Active (no expiration) ๐Ÿด Key flags: Certify, Sign ๐Ÿ”‘ X25519 v6 513694cc5bb335f0d5c991defbd94ddc7e6e4ce3025b0d489cf67301ec9d3093 โฑ๏ธ Created 2025-08-24 22:16:36 UTC โœ… Active (no expiration) ๐Ÿด Key flags: Encrypt ๐Ÿชช ID "<alice@example.org>" (primary) โœ… Active (no expiration)
A terminal session that shows the following commands and output: $ rsop generate-key --profile rfc9580 "<alice@example.org>" | rsop extract-cert > alice_v6.cert $ rpgp status alice_v6.cert ๐Ÿ” Ed25519 v6 82d496f62a2419443eb2b9be73159edd0fbdddaf9860db2cdb1164ad16ce918e โฑ๏ธ Created 2025-08-24 22:16:36 UTC โœ… Active (no expiration) ๐Ÿด Key flags: Certify, Sign ๐Ÿ”‘ X25519 v6 513694cc5bb335f0d5c991defbd94ddc7e6e4ce3025b0d489cf67301ec9d3093 โฑ๏ธ Created 2025-08-24 22:16:36 UTC โœ… Active (no expiration) ๐Ÿด Key flags: Encrypt ๐Ÿชช ID "<alice@example.org>" (primary) โœ… Active (no expiration)
Heiko
@hko@floss.social replied  ยท  activity timestamp 2 weeks ago

We can also ask the "rpgp" CLI tool to emit the same certificate status information in #JSON format:

$ rpgp status --json alice_v6.cert

Please be aware that the rpgp JSON output format is in a very early stage, and may be subject to change!

(At some point I will commit to not changing the JSON format on a whim, but that point is not right now.)

๐Ÿงต 4/5

A terminal session that shows the following command and output: $ rpgp status --json alice_v6.cert { "primary": { "fingerprint": "9a47c697b8dfa657ad8d2bc31df18da8924a281f2f589600352f7bac05f61a81", "version": 6, "created": "2025-08-24T22:26:06Z", "algorithm": "Ed25519", "status": { "valid": {} }, "key_flags": [ "Certify", "Sign" ] }, "subkeys": [ { "fingerprint": "7e1a88fc27cfbb94ab1e088f32bfc3551bc88b4044a02f8ff685a0b14ad8ff9c", "version": 6, "created": "2025-08-24T22:26:06Z", "algorithm": "X25519", "status": { "valid": {} }, "key_flags": [ "Encrypt" ] } ], "user_ids": [ { "id": "<alice@example.org>", "primary": true, "status": { "valid": {} } } ] }
A terminal session that shows the following command and output: $ rpgp status --json alice_v6.cert { "primary": { "fingerprint": "9a47c697b8dfa657ad8d2bc31df18da8924a281f2f589600352f7bac05f61a81", "version": 6, "created": "2025-08-24T22:26:06Z", "algorithm": "Ed25519", "status": { "valid": {} }, "key_flags": [ "Certify", "Sign" ] }, "subkeys": [ { "fingerprint": "7e1a88fc27cfbb94ab1e088f32bfc3551bc88b4044a02f8ff685a0b14ad8ff9c", "version": 6, "created": "2025-08-24T22:26:06Z", "algorithm": "X25519", "status": { "valid": {} }, "key_flags": [ "Encrypt" ] } ], "user_ids": [ { "id": "<alice@example.org>", "primary": true, "status": { "valid": {} } } ] }
A terminal session that shows the following command and output: $ rpgp status --json alice_v6.cert { "primary": { "fingerprint": "9a47c697b8dfa657ad8d2bc31df18da8924a281f2f589600352f7bac05f61a81", "version": 6, "created": "2025-08-24T22:26:06Z", "algorithm": "Ed25519", "status": { "valid": {} }, "key_flags": [ "Certify", "Sign" ] }, "subkeys": [ { "fingerprint": "7e1a88fc27cfbb94ab1e088f32bfc3551bc88b4044a02f8ff685a0b14ad8ff9c", "version": 6, "created": "2025-08-24T22:26:06Z", "algorithm": "X25519", "status": { "valid": {} }, "key_flags": [ "Encrypt" ] } ], "user_ids": [ { "id": "<alice@example.org>", "primary": true, "status": { "valid": {} } } ] }
Heiko
@hko@floss.social replied  ยท  activity timestamp 2 weeks ago

Finally, rpgp is just as happy to inspect ancient PGP certificates as it is with modern v6 ones:

$ rpgp status hal_1992.cert

This historical PGP certificate is almost 33 years old today, and uses the prehistoric "v2" key format.

While it's certainly not practically useful to use such keys in the current era, it may still sometimes be helpful (or just plain fun) to inspect them, for informational purposes - or to marvel at the longevity of the OpenPGP format for a minute.

๐Ÿงต 5/5