Unable to sign public key

Andrew Gallagher andrewg at andrewg.com
Wed Feb 1 10:01:15 CET 2023


On 31 Jan 2023, at 19:52, Joel via Gnupg-users <gnupg-users at gnupg.org> wrote:
> 
> Hello!
> 
> I am trying to sign a public key, but I get an error saying, `gpg: signing failed: No secret key`. However, a normal signing on a file works perfectly fine. I suspect it could be something because I have a yubikey and it might not work as I initially expected. Has anyone had similar problems and know how to fix it when you use a yubikey?

Yes, this is expected behaviour with a yubikey. The confusion arises with an unfortunate clash of terminology. When you “sign” someone else’s public key, you are technically “certifying” it - even though signing and certification use the same cryptographic operation (also called “signing”, hence the confusion), they are two different modes of operation and PGP treats them as entirely separate things.

The normal structure of a key is to have a primary key which is allowed to certify and sign, and an encryption subkey that is only allowed to (de)crypt. When using a yubikey, standard practice is to also create a signing subkey and store that and the encryption subkey (and optionally an authentication subkey) on the yubikey, but leave the primary on disk. The advantage is that if your yubikey is stolen, you can generate new subkeys and revoke the old ones, without having to revoke the primary. The disadvantage is that certification subkeys are not supported by the standard, so yubikeys (and other forms of smartcard) cannot normally certify other people’s keys.

You may be able to get around this by ensuring that your primary key is signing-capable (it is by default) and storing it instead of a signing subkey in the signing slot of your yubikey (caveat: I have not tested this!). But then you lose the main advantage of a yubikey (sacrificial subkeys). Otherwise, you can only certify other keys using the original computer that has your primary key on disk.

A
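An added example, not part of either message above, that turns the explanation into a check: it parses the machine-readable output of `gpg --list-secret-keys --with-colons` (field layout per GnuPG's doc/DETAILS) and reports whether the secret key carrying the certify capability is reachable on this host, or only the signing/encryption subkeys on the card. The sample listing, key ids, card serial and the helper names are constructed for this example.

```python
# Diagnose "gpg: signing failed: No secret key" on a YubiKey setup by parsing
# `gpg --list-secret-keys --with-colons`. Per GnuPG doc/DETAILS: field 12 holds
# capability letters (lowercase = this key's own), field 15 is '+' if the secret
# key is on disk, '#' if it is a stub without secret material, else a card serial.

# Constructed sample: primary (certify) is a stub; sign/encrypt subkeys are on a card.
SAMPLE = """\
sec:u:4096:1:0123456789ABCDEF:1675000000:::u:::cESC:::#:::23::0:
fpr:::::::::AAAA0123456789ABCDEF0123456789ABCDEF0123:
ssb:u:4096:1:1111111111111111:1675000000::::::s:::D2760001240100000006123456780000:::23:
ssb:u:4096:1:2222222222222222:1675000000::::::e:::D2760001240100000006123456780000:::23:
"""

def parse_secret_keys(listing):
    """Return one dict per sec/ssb record: record type, key id, caps, location."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb"):
            continue
        caps = set(f[11]) & set("csea")   # lowercase letters = this key's capabilities
        token = f[14] if len(f) > 14 else ""
        if token == "#":
            where = "stub"                 # secret material not present on this host
        elif token == "+":
            where = "disk"                 # secret key held in the local keyring
        elif token:
            where = "card:" + token        # secret key held on a smartcard/YubiKey
        else:
            where = "unknown"
        keys.append({"rec": f[0], "keyid": f[4], "caps": caps, "where": where})
    return keys

def usable_for(keys, cap):
    """Key ids whose secret part carries `cap` and is reachable (disk or card)."""
    return [k["keyid"] for k in keys
            if cap in k["caps"] and k["where"] not in ("stub", "unknown")]

def diagnose(listing):
    """Explain why --sign (cap 's') can work while --sign-key (cap 'c') fails."""
    keys = parse_secret_keys(listing)
    return {
        "can_sign": bool(usable_for(keys, "s")),
        "can_certify": bool(usable_for(keys, "c")),
        "certify_keys_missing": [k["keyid"] for k in keys
                                 if "c" in k["caps"] and k["where"] == "stub"],
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

Run it against your own listing by piping `gpg --list-secret-keys --with-colons` into `diagnose`; a certify key reported as `stub` is exactly the case where file signing succeeds on the card but `--sign-key` reports no secret key.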
