List all keys signed by a given key

Question

Using the GNU Privacy Guard (GnuPG): for some given key, say 0xDEADBEEF, how can a user readily list only the public keys in their keyring that have a UID that has been signed by that key?

It would be helpful if you could specify whether your answer is intended for use with GnuPG Modern (2.1.x), GnuPG Stable (2.0.x), or GnuPG Classic (1.4.x).

Answer 1

There is no such option in GnuPG, but you can use a simple script to list all matching keys. A little bit faster and more robust against malicious input than @grochmal's script is reading GnuPG's --with-colons output format, which is intended to be parsed programatically. I'm also restraining to a single GnuPG call:

#!/bin/sh
keyid=${1:-'0000000000000000'}
gpg --with-colons --fingerprint --list-sigs |
while read line; do
  packettype="$(echo "${line}" | cut -d':' -f1)"
  case $packettype in
    fpr)
      fingerprint="$(echo "${line}" | cut -d':' -f10)"
      ;;
    sig)
      issuedby="$(echo "${line}" | cut -d':' -f5)"
      if [ "x${issuedby}" = "x${keyid}" ]; then
        echo "${fingerprint}"
      fi
      ;;
  esac
done |
uniq

This relies on the long key ID to be passed as first parameter, short key IDs should not be used anyway.

Answer 2

As far as I am aware there is no such option. Yet, it is trivial to script one together:

#!/bin/sh
KEY=${1:-'C840C4F6'}  # that's my key
gpg -k |
grep 'pub ' |
cut -d ' ' -f 4 |
cut -d / -f 2 |
while read x; do
    if gpg --list-sigs "$x" | grep C840C4F6 >/dev/null; then
        echo "$x"
    fi
done

And, thanks to the fact that GnuPG is pretty quick, it runs fast enough. With >300 keys that runs in less than a second on a cheap VPS.

Both -k and --list-sigs are very old gpg options. I've tested this only on 2.0 and 2.1, yet, I'm confident it will work on 1.4.