Cannot choose specific signing key with option --default-key

Yanzhe Lee lee.yanzhe at yanzhe.org
Wed Jun 14 07:38:50 CEST 2017


GPG Version: gpg (GnuPG) 2.1.21 libgcrypt 1.7.6
Operating System: macOS Sierra 10.12.5

I have these keys, all with private keys:

pub brainpoolP512r1/3EA647C79FDA9CD1
created: 2017-01-08 expires: 2032-01-05 usage: SCA
trust: ultimate validity: ultimate

ssb brainpoolP512r1/2D8801CE07BCC5B5
created: 2017-01-08 expires: 2032-01-05 usage: S

ssb brainpoolP512r1/C78A6E620F333355
created: 2017-01-08 expires: 2032-01-05 usage: E

ssb nistp521/D97F950D0F500332
created: 2017-02-04 expires: 2027-02-02 usage: A

ssb rsa4096/5BE7F1861B56E399
created: 2017-02-09 expires: 2025-02-07 usage: S
card-no: 0006 04175643

ssb rsa4096/9149FF3E60054D0C
created: 2017-02-09 expires: 2025-02-07 usage: E
card-no: 0006 04175643

ssb rsa4096/8C31540043B61A0A
created: 2017-02-09 expires: 2025-02-07 usage: A
card-no: 0006 04175643

[ultimate] (1). TEST (Local) <test at test.org>
[ultimate] (2) TEST (Online) <admin at test.org>

The RSA private keys are stored on a YubiKey smart card.
The ECC private keys are stored in the keyring.

When I use this command to sign a file with the ECC key 2D8801CE07BCC5B5:

gpg2 -v -u 2D8801CE07BCC5B5 -a -s test.jpg

It prompts me to insert my smart card. After I insert it and enter my PIN,
it outputs:

gpg: using subkey 5BE7F1861B56E399 instead of primary key 3EA647C79FDA9CD1
gpg: writing to 'test.jpg.asc'
gpg: RSA/SHA512 signature from: "5BE7F1861B56E399 TEST <test at test.org>"

So when I verify the signature file, it was signed by my RSA key, which was
not what I specified.
It should not have prompted me to insert my smart card, because the
private key of my ECC key was not on the card.
The key 2D8801CE07BCC5B5 was not my primary key, so gpg shouldn't replace
the signing key with a subkey.

I tried the following other options, and the result was the same:
gpg2 -v --default-key 2D8801CE07BCC5B5 -a -s test.jpg
gpg2 -v --local-user 2D8801CE07BCC5B5 -a -s test.jpg

However, if I delete the RSA subkey, it signs my file with the correct ECC
key.

Maybe there is a priority when signing files with RSA and ECC keys? How can I
override it?


-- 

Best regards!

LI YANZHE
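Added example by the editor, not part of the post above and not GnuPG's own code: the poster noticed the substitution only by inspecting the verification result by hand. The script below turns that into a repeatable check by parsing the machine-readable status lines gpg prints with --status-fd (the VALIDSIG line format is documented in GnuPG's doc/DETAILS) and comparing the subkey that actually signed against the one the operator intended. It is agnostic to how the key was selected (--default-key, --local-user, or a key ID with a trailing "!" which gpg(1) documents as forcing that exact key); it only reports what signed. The status lines embedded in SAMPLE_STATUS are constructed to mirror the scenario in the post (RSA subkey 5BE7F1861B56E399 used, ECC subkey 2D8801CE07BCC5B5 expected); the 40-hex fingerprints are made up, and gpg_verify_status assumes a gpg binary is on PATH.

```python
"""Check which subkey actually produced an OpenPGP signature (added example)."""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional

# Layout of the VALIDSIG status line (GnuPG doc/DETAILS):
#   VALIDSIG <fpr> <sig-date> <sig-timestamp> <expire-timestamp> <sig-version>
#            <reserved> <pubkey-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
VALIDSIG_RE = re.compile(
    r"^\[GNUPG:\] VALIDSIG (\S+) \S+ \S+ \S+ \S+ \S+ (\d+) (\d+) \S+(?: (\S+))?"
)

# Public-key algorithm IDs from RFC 4880 / RFC 6637 (enough to name what the post shows).
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
# Hash algorithm IDs from RFC 4880.
HASH_ALGOS = {2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}

# Constructed status output mirroring the post: signature made by the RSA card
# subkey 5BE7F1861B56E399 under primary 3EA647C79FDA9CD1. Fingerprints are made up;
# for v4 keys the long key ID is the last 16 hex digits of the fingerprint.
SAMPLE_STATUS = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] KEY_CONSIDERED FEDCBA9876543210FEDCBA983EA647C79FDA9CD1 0",
    "[GNUPG:] SIG_ID abcdefghijklmnopqrstuvwxyz0 2017-06-14 1497419930",
    "[GNUPG:] GOODSIG 5BE7F1861B56E399 TEST (Local) <test@test.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF012345675BE7F1861B56E399 2017-06-14 "
    "1497419930 0 4 0 1 10 00 FEDCBA9876543210FEDCBA983EA647C79FDA9CD1",
])


@dataclass
class SignatureInfo:
    signing_fpr: str            # fingerprint of the (sub)key that made the signature
    primary_fpr: Optional[str]  # fingerprint of the primary key it belongs to, if reported
    pubkey_algo: int
    hash_algo: int

    @property
    def signing_keyid(self) -> str:
        """Long key ID of the signing (sub)key, as shown in gpg -K listings."""
        return self.signing_fpr[-16:].upper()

    def describe(self) -> str:
        algo = PUBKEY_ALGOS.get(self.pubkey_algo, f"algo {self.pubkey_algo}")
        digest = HASH_ALGOS.get(self.hash_algo, f"hash {self.hash_algo}")
        primary = self.primary_fpr[-16:].upper() if self.primary_fpr else "?"
        return f"{algo}/{digest} signature by subkey {self.signing_keyid} (primary {primary})"


def parse_status(status_text: str) -> Optional[SignatureInfo]:
    """Return details of the first valid signature in gpg --status-fd output, else None."""
    for line in status_text.splitlines():
        m = VALIDSIG_RE.match(line)
        if m:
            return SignatureInfo(
                signing_fpr=m.group(1),
                primary_fpr=m.group(4),
                pubkey_algo=int(m.group(2)),
                hash_algo=int(m.group(3)),
            )
    return None


def signed_by_expected(status_text: str, expected_keyid: str) -> bool:
    """True only if a valid signature exists AND it was made by the expected subkey."""
    info = parse_status(status_text)
    return info is not None and info.signing_keyid == expected_keyid.upper()


def gpg_verify_status(sig_path: str) -> str:
    """Run gpg --verify on a file and return its status-fd output (assumes gpg on PATH)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


if __name__ == "__main__":
    # Usage: python check_signer.py <expected-subkey-id> [signature-file]
    # Without a file argument the constructed sample is checked.
    expected = sys.argv[1] if len(sys.argv) > 1 else "2D8801CE07BCC5B5"
    status = gpg_verify_status(sys.argv[2]) if len(sys.argv) > 2 else SAMPLE_STATUS
    info = parse_status(status)
    print(info.describe() if info else "no valid signature found")
    ok = signed_by_expected(status, expected)
    print("OK: signed by expected subkey" if ok else f"MISMATCH: expected {expected.upper()}")
    sys.exit(0 if ok else 1)
```

Run against the sample, the script reports an RSA/SHA512 signature by subkey 5BE7F1861B56E399 and exits non-zero, which is exactly the condition the post describes; pointing it at a real .asc file with the intended subkey ID makes the same check part of a signing pipeline rather than a manual inspection.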