Is it possible to certify (sign) a key using a subkey?

Mario Castelán Castro marioxcc.MT at
Thu Aug 17 04:48:14 CEST 2017

Suppose I would like to sign another user's key using one of my
secp256k1 subkeys, instead of my primary key, because it generates
smaller signatures. gpg does not appear to support this. If I try to
generate a subkey with certify capability using “gpg --expert --edit-key ...”
and then “addkey”, the option to toggle capability is not shown. Also,
if I try to force gpg to use an *existing* subkey for signing another
key with “gpg -u FINGERPRINT1! --sign-key ANOTHER_KEY” (where
FINGERPRINT1 is the fingerprint of the subkey, and it is followed by “!”
to try to force use of this subkey) it still uses my primary key.

Why does it behave this way? I took a glance at RFC4880 and I could not find a
requirement that only primary keys are used for certifying, although it
is very possible that I just missed it.

