Unable to sign public key

Joel joellidin at gmail.com
Wed Feb 1 12:12:08 CET 2023


Thank you for the response. I suspected it was something to do with the fact that my master certification key is on a USB stick because it worked when I used another non-yubikey PGP key. I will try to certify it via the master certification key. Thanks for the help. I appreciate it!

Best regards,

Joel

Sent from my iPhone

> On 1 Feb 2023, at 10:01, Andrew Gallagher <andrewg at andrewg.com> wrote:
> 
> On 31 Jan 2023, at 19:52, Joel via Gnupg-users <gnupg-users at gnupg.org> wrote:
>> 
>> Hello!
>> 
>> I am trying to sign a public key, but I get an error saying, `gpg: signing failed: No secret key`. However, a normal signing on a file works perfectly fine. I suspect it could be something because I have a yubikey and it might not work as I initially expected. Has anyone had similar problems and know how to fix it when you use a yubikey?
> 
> Yes, this is expected behaviour with a yubikey. The confusion arises with an unfortunate clash of terminology. When you “sign” someone else’s public key, you are technically “certifying” it - even though signing and certification use the same cryptographic operation (also called “signing”, hence the confusion), they are two different modes of operation and PGP treats them as entirely separate things.
> 
> The normal structure of a key is to have a primary key which is allowed to certify and sign, and an encryption subkey that is only allowed to (de)crypt. When using a yubikey, standard practice is to also create a signing subkey and store that and the encryption subkey (and optionally an authentication subkey) on the yubikey, but leave the primary on disk. The advantage is that if your yubikey is stolen, you can generate new subkeys and revoke the old ones, without having to revoke the primary. The disadvantage is that certification subkeys are not supported by the standard, so yubikeys (and other forms of smartcard) cannot normally certify other people’s keys.
> 
> You may be able to get around this by ensuring that your primary key is signing-capable (it is by default) and storing it instead of a signing subkey in the signing slot of your yubikey (caveat: I have not tested this!). But then you lose the main advantage of a yubikey (sacrificial subkeys). Otherwise, you can only certify other keys using the original computer that has your primary key on disk.
> 
> A
> 
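The diagnosis in the quoted reply (data signing works via a signing subkey on the card, certification fails because the certify-capable primary is not on the machine) can be checked mechanically from `gpg --list-secret-keys --with-colons`. The following is an added example, not code from the thread or from GnuPG: it parses the colon-separated listing as documented in GnuPG's doc/DETAILS (field 12 carries capability letters, field 15 on sec/ssb records carries the card serial or "#" for a stub) and reports whether `gpg --sign-key` can succeed. The two listings, key IDs and card serial are constructed for illustration.

```python
"""Explain "gpg: signing failed: No secret key" on --sign-key when --sign works.

Parses `gpg --list-secret-keys --with-colons` output. Per GnuPG doc/DETAILS:
field 1 = record type, field 5 = key ID, field 12 = capability letters
(lower-case e/s/c/a are this key's own capabilities, upper-case summarise
the whole key), and on sec/ssb records field 15 = serial number of the
token holding the key, or "#" when gpg only has a stub (no secret material).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SecretKey:
    record: str                  # "sec" (primary key) or "ssb" (subkey)
    keyid: str
    capabilities: str            # lower-case capability letters only
    token_serial: Optional[str]  # card serial, "#" for a stub, None when on disk

    @property
    def is_stub(self) -> bool:
        return self.token_serial == "#"

    @property
    def on_card(self) -> bool:
        return self.token_serial not in (None, "#")

    def usable(self, card_present: bool) -> bool:
        """Secret material is reachable: on disk, or on an inserted card."""
        if self.is_stub:
            return False
        return card_present if self.on_card else True


def parse_secret_listing(text: str) -> List[SecretKey]:
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 15 or fields[0] not in ("sec", "ssb"):
            continue
        caps = "".join(ch for ch in fields[11] if ch.islower())
        keys.append(SecretKey(fields[0], fields[4], caps, fields[14] or None))
    return keys


def can_sign_data(keys: List[SecretKey], card_present: bool = True) -> bool:
    """`gpg --sign` needs any usable key with the 's' capability."""
    return any("s" in k.capabilities and k.usable(card_present) for k in keys)


def can_certify(keys: List[SecretKey], card_present: bool = True) -> bool:
    """`gpg --sign-key` needs a usable key with the 'c' capability;
    a signing subkey does not qualify, certification is a separate mode."""
    return any("c" in k.capabilities and k.usable(card_present) for k in keys)


def diagnose(keys: List[SecretKey], card_present: bool = True) -> str:
    if can_certify(keys, card_present):
        return "ok: a certify-capable secret key is available; gpg --sign-key should work"
    cert_keys = [k for k in keys if "c" in k.capabilities]
    if not cert_keys:
        return "no certify-capable key in listing"
    stubs = [k.keyid for k in cert_keys if k.is_stub]
    if stubs:
        return ("sign-key will fail (No secret key): certify-capable key(s) "
                + ", ".join(stubs)
                + " are stubs; the primary key is not on this machine")
    return "sign-key will fail: the certify-capable key is on a card that is not inserted"


# Constructed sample (not real gpg output): certify-only primary kept off this
# machine (field 15 = "#"), S/E/A subkeys on a card with a made-up serial.
YUBIKEY_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1675000000:::u:::cESCA:::#:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1675000000::0000000000000000000000000000000000000000::Joel <joel@example.org>::::::::::0:
ssb:u:4096:1:1111111111111111:1675000000::::::s:::D2760001240102010006000000010000:::23:
ssb:u:4096:1:2222222222222222:1675000000::::::e:::D2760001240102010006000000010000:::23:
ssb:u:4096:1:3333333333333333:1675000000::::::a:::D2760001240102010006000000010000:::23:
"""

# Constructed sample: the default layout, primary (certify + sign) on disk.
ON_DISK_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1675000000:::u:::scESC::::::23::0:
ssb:u:4096:1:2222222222222222:1675000000::::::e::::::23:
"""

if __name__ == "__main__":
    for name, listing in (("yubikey", YUBIKEY_LISTING), ("on-disk", ON_DISK_LISTING)):
        keys = parse_secret_listing(listing)
        print(f"{name}: sign={can_sign_data(keys)} certify={can_certify(keys)}")
        print("  ", diagnose(keys))
```

Run it against your own keyring with `gpg --list-secret-keys --with-colons | python3 -c 'import sys, diag; print(diag.diagnose(diag.parse_secret_listing(sys.stdin.read())))'` (module name assumed); a `#` in field 15 of the `sec` record is the telltale that only the stub of the certification key is present.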