Adding new uid to causes bad signature

Rens Rikkerink contact at ikkerens.com
Wed May 22 19:10:52 CEST 2024


Hey there!

There's been a bit of an interesting development which I think
explains the issues I've been having, I'm just not sure if there's a
way to recover this.
I found out that gpg has a way to run the --full-gen-key option using
an existing key from card.

$ gpg --expert --full-gen-key
<snip>
Your selection? 14 (Existing key from card)
Available keys:
   (1) 4DCD2F5D0F303B60FAFDB469BA33F314281B2D1B OPENPGP.1 ed25519 (cert,sign*)
   (2) 993197BDCB9A09A16C4918DED4310EEF4B6582E2 OPENPGP.2 cv25519 (encr*)
   (3) EB59A450FF4E1B233C523B860E458EF6D043DFE8 OPENPGP.3 ed25519 (sign,auth*)

So far, so good. However, if I then continue with option 1, I get a key
with key ID 6AA6FC5597E89BDC19ADD6AFCF2FEC503A89BCFF, and this allows
me to add more UIDs as I deem fit.
Now... that's weird. My key so far had key ID
408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3

I delete the keys from my keyring again (leaving the YubiKey intact), and
run the same for option 3. Now I do get key ID
408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3. But I can't create UIDs.
However, GPG grants this the capabilities SCA... Where did that C
come from? Probably because that's now the primary key?
My best bet is that when I originally made this key, I uploaded the
keys into the wrong slots on the YubiKey, which I believe have a fixed
capability set?

Either way, it feels like, at this point... I'm screwed. Unless
there's a way to rectify this?

Thank you all for your time so far.

Yours,
Rens Rikkerink
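As an added illustration (not from the post or from GnuPG), the OpenPGP v4 fingerprint that gpg shows as the key ID is a SHA-1 digest over the public-key packet, so it is fixed by the key material plus the creation timestamp: selecting the same card key as primary (option 3 above) gives back the same ID, while a different card key (option 1) gives a different one. The sample key bytes and timestamp below are constructed, not real keys.

```python
import hashlib
import struct

# Ed25519 curve OID as carried in OpenPGP EdDSA key packets (public-key algorithm 22)
ED25519_OID = bytes.fromhex("2b06010401da470f01")
PUBKEY_ALGO_EDDSA = 22


def eddsa_key_packet_body(public_key: bytes, creation_time: int) -> bytes:
    """Serialize the v4 public-key packet body for an Ed25519 key.

    Layout (RFC 4880 section 5.5.2 plus the EdDSA extension):
      version(1)=4 | creation time(4) | algo(1)=22 | OID len(1) | OID | MPI(0x40 || key)
    """
    if len(public_key) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    point = b"\x40" + public_key  # 0x40 prefix marks the native Ed25519 point encoding
    value = int.from_bytes(point, "big")
    # MPI: 2-byte bit length followed by the minimal big-endian value (here 33 bytes)
    mpi = struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")
    return (bytes([4]) + struct.pack(">I", creation_time)
            + bytes([PUBKEY_ALGO_EDDSA, len(ED25519_OID)]) + ED25519_OID + mpi)


def fingerprint(public_key: bytes, creation_time: int) -> str:
    """v4 fingerprint: SHA-1 over 0x99, the 2-byte body length and the body (RFC 4880 section 12.2)."""
    body = eddsa_key_packet_body(public_key, creation_time)
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
    return digest.hex().upper()


def key_id(public_key: bytes, creation_time: int) -> str:
    """The long key ID is the low-order 64 bits (last 16 hex digits) of the fingerprint."""
    return fingerprint(public_key, creation_time)[-16:]


if __name__ == "__main__":
    # Constructed sample key material and timestamp; not a real key.
    sample_key = bytes(range(32))
    created = 1700000000
    print("fingerprint:", fingerprint(sample_key, created))
    print("key ID:     ", key_id(sample_key, created))
    # Same material, different creation time: a different identity entirely.
    print("other time: ", fingerprint(sample_key, created + 1))
```

Capability flags (the C in SCA) are not part of the hashed key packet; they live in the key's self-signature, which is why gpg can show a key as certify-capable once it becomes primary without its ID changing.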