Cannot sign (but can decrypt) after importing stub-keys from smart-card
Olivier Mehani
shtrom at ssji.net
Thu Dec 4 07:54:58 CET 2014
Hi all,
I am using
* gpg (GnuPG) 2.0.26 (2.0.26-1 [ArchLinux]),
* the card reader integrated with the Broadcom BCM5880 subsystem on my
laptop,
* pcsclite 1.8.13-1 and ccid 1.4.18-1 (ArchLinux),
* an already initialised OpenPGP card (from Kernel Concepts),
* a fresh user account.
I had to downgrade from GPG 2.1 to 2.0 to be able to create the stubs, as
suggested on this ML to work around [0] (In short: --card-edit/fetch;
--edit-key/trust; --refresh-keys; --card-status).
$ gpg --list-key
/home/omehani/.gnupg/pubring.gpg
--------------------------------
pub 2048R/0xF012A6E298C66655 2009-05-11
uid [ultimate] Olivier Mehani <shtrom at ssji.net>
[...]
sub 2048R/0xE9566B9D0957D2D3 2013-01-24 [expires: 2015-01-24]
sub 2048R/0xF12C167116C243A9 2013-01-24 [expires: 2015-01-24]
[...]
sub 2048R/0xB3B251E0CCFEA0EF 2013-09-12
[...]
$ gpg --list-secret-key
/home/omehani/.gnupg/secring.gpg
--------------------------------
sec# 2048R/0xF012A6E298C66655 2009-05-11
uid Olivier Mehani <shtrom at ssji.net>
[...]
[...]
ssb> 2048R/0xE9566B9D0957D2D3 2013-01-24
ssb> 2048R/0xF12C167116C243A9 2013-01-24
[...]
ssb> 2048R/0xB3B251E0CCFEA0EF 2013-09-12
[...]
(other keys edited out are not stubbed, and suffixed with '#')
I can now decrypt messages
$ gpg -er shtrom at ssji.net | gpg -d
test
^D
and get the expected output after a PIN request.
gpg: encrypted with 2048-bit RSA key, ID 0xB3B251E0CCFEA0EF, created
2013-09-12
"Olivier Mehani <shtrom at ssji.net>"
test
Unfortunately I don't seem to be able to sign
gpg --debug expert -s
gpg: reading options from `/home/omehani/.gnupg/gpg.conf'
gpg: secret key parts are not available
gpg: no default secret key: Unusable secret key
I have the following in my .gnupg/gpg.conf
default-key 0xE9566B9D0957D2D3
keyserver x-hkp://sks.pkqs.net
use-agent
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES
CAST5 ZLIB BZIP2 ZIP Uncompressed
photo-viewer /usr/bin/display
fixed-list-mode
keyid-format 0xlong
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES
CAST5 BZIP2 ZLIB ZIP Uncompressed
verify-options show-uid-validity
list-options show-uid-validity
sig-notation issuer-fpr at notations.openpgp.fifthhorseman.net=%g
0xE9566B9D0957D2D3 is the signature subkey on the card, but the same
happens with 0xF012A6E298C66655 (master key, not on the card) as the
default-key, or without any .gnupg/gpg.conf.
What am I doing wrong?
[0] https://bugs.g10code.com/gnupg/issue1759
--
Olivier Mehani <shtrom at ssji.net>
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE F5F9 F012 A6E2 98C6 6655
Confidentiality cannot be guaranteed on emails sent or received unencrypted.
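Added example, not part of the original message or of GnuPG itself: a small POSIX shell diagnostic that parses the human-readable `gpg --list-secret-keys` listing in the shape shown above (it assumes keyid-format 0xlong, as in the poster's gpg.conf) and reports, for one key ID, whether the secret part is on disk, a stub pointing at a smart card ('>'), or a bare "no secret key" stub ('#'), then checks the default-key named in a gpg.conf against that listing. The sample listing and conf text are constructed from the post; the last subkey and its all-zero ID are placeholders, and the function names are my own. The poster's own listing passes this check, so it rules out the common cause of "secret key parts are not available" (a default-key that names a '#' key) rather than explaining his case.

```shell
#!/bin/sh
# Diagnostic for GnuPG smart-card stubs: classify secret keys by the marker
# gpg 2.0.x prints after "sec"/"ssb":
#   '#'  -> secret key parts not available (bare stub, nothing to sign with)
#   '>'  -> stub that points at a smart card (usable once the card is present)
#   none -> secret key stored on disk
# Assumes keyid-format 0xlong, so the part after '/' is the full 0x... ID.

# Constructed sample input mirroring the listing in the post; the last line
# is an invented on-disk subkey with a placeholder ID so every case occurs.
SAMPLE_LISTING='sec# 2048R/0xF012A6E298C66655 2009-05-11
uid Olivier Mehani <shtrom at ssji.net>
ssb> 2048R/0xE9566B9D0957D2D3 2013-01-24
ssb> 2048R/0xF12C167116C243A9 2013-01-24
ssb> 2048R/0xB3B251E0CCFEA0EF 2013-09-12
ssb  2048R/0x0000000000000000 2014-01-01'

# key_status LISTING KEYID
# Prints one of: on-card, missing, on-disk, not-found.
key_status() {
    printf '%s\n' "$1" | awk -v id="$2" '
        $1 ~ /^(sec|ssb)/ {
            # field 2 is "<bits><algo>/<keyid>"; keep the part after the slash
            split($2, parts, "/")
            if (parts[2] != id) next
            marker = substr($1, 4)
            if (marker == ">")      { print "on-card"; found = 1 }
            else if (marker == "#") { print "missing"; found = 1 }
            else                    { print "on-disk"; found = 1 }
            exit
        }
        END { if (!found) print "not-found" }'
}

# can_sign_with LISTING KEYID
# "yes" when the secret part is on disk or reachable through a card stub,
# "no" when the key is a bare '#' stub or absent from the secret keyring.
can_sign_with() {
    case "$(key_status "$1" "$2")" in
        on-disk|on-card) echo yes ;;
        *)               echo no ;;
    esac
}

# check_default_key GPG_CONF_TEXT LISTING
# Reads the default-key option from gpg.conf text and reports its status.
check_default_key() {
    id=$(printf '%s\n' "$1" | awk '$1 == "default-key" { print $2; exit }')
    [ -n "$id" ] || { echo "no default-key set"; return 1; }
    echo "default-key $id: $(key_status "$2" "$id") -> sign: $(can_sign_with "$2" "$id")"
}

# Constructed gpg.conf fragment taken from the options quoted in the post.
SAMPLE_CONF='default-key 0xE9566B9D0957D2D3
use-agent
keyid-format 0xlong'

# Stand-alone run against the constructed sample.
check_default_key "$SAMPLE_CONF" "$SAMPLE_LISTING"
# On a live system (not run here):
#   check_default_key "$(cat ~/.gnupg/gpg.conf)" \
#       "$(gpg --list-secret-keys --keyid-format 0xlong)"
```

The listing parser is deliberately limited to the sec/ssb lines, so header lines such as the keyring path and the uid line are ignored; a key that shows '>' here but still fails to sign points the investigation at the card or agent side rather than at the keyring stubs.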