Yubikey: Unable to sign other people's public keys in GPG Keychain (to be tested w gpg 2.1)

bogdrakonov

23 Jan, 2017 07:34 PM

GPG Keychain

When attempting to sign a public key in the GPG Keychain using a private key that is stored on a Yubikey 4 I get the following error:
Sign userID failed!
Code = 0

Error text:
gpg: secret key parts are not available
gpg: signing failed: Unusable secret key

What did you expect instead

I expected to be prompted for my Yubikey PIN and for the key to get signed.

Describe steps leading to the problem.

1) Attempt to sign a public key with my private key stored on a Yubikey 4
2) Above error occurs

  1. Posted by Peter Nöu on 09 Feb, 2017 03:19 PM

    Same issue. Cannot sign validity of others' public keys.

  2. Posted by Steve (Support Staff) on 15 Jun, 2017 10:53 AM

    Hi bogdrakonov and Peter,

    welcome to the GPGTools support platform. Sorry you are having problems using GPG Suite.

    Please excuse the long silence. We think this issue may be resolved by switching to using gpg 2.1. We had hoped to have a GPG Suite with 2.1 ready a bit earlier, but now it's here.

    GPG Suite 1922n and newer include gpg 2.1.

    It would be great if you could test this build and let us know if you run into any trouble. Please note that downgrading to the current beta release will require additional steps in case new keys were created using this test build. Depending on the test results, gpg 2.1 may soon land in the beta branch.

    All the best,
    steve

  3. Posted by bogdrakonov on 22 Jun, 2017 12:51 AM

    Thanks Steve.

    Will this allow Yubikey 4 to sign other public keys even though the SC key is offline and not on the machine? The Yubikey 4 only contains the S, E, and A subkeys.

  4. Posted by bogdrakonov on 22 Jun, 2017 12:55 AM

    Oh your link just redirects to the main page.

  5. Posted by Steve (Support Staff) on 22 Jun, 2017 08:47 PM

    Hi bogdrakonov,

    gpg 2.1 is now included in the nightly build which you can grab here:
    https://releases.gpgtools.org/nightlies/

    Sorry for the confusion.

    Could you test and see how Yubikey behaves in the scenario you are describing?

    All the best,
    steve

  6. Posted by Steve (Support Staff) on 11 Aug, 2017 06:16 PM

    Closing, since no further user feedback was received. Should your problem persist, feel free to re-open this discussion any time.

    All the best, steve

  7. Steve closed this discussion on 11 Aug, 2017 06:16 PM.

  8. bogdrakonov re-opened this discussion on 11 Aug, 2017 06:30 PM

  9. Posted by bogdrakonov on 11 Aug, 2017 06:30 PM

    I did not get a request for comments. Just that this is closed.

    -BogDrakonov

    You cannot defeat me

  10. Posted by Steve (Support Staff) on 11 Aug, 2017 06:35 PM

    Hi Bog,

    on June 22nd I updated this discussion to let you know that we've integrated gpg 2.1 into the nightly build of GPG Suite:
    https://gpgtools.tenderapp.com/discussions/problems/50900-unable-to...

    It would be great if you could test that build and see how your Yubikey behaves then.

    Kindly,
    steve

  11. Posted by bogdrakonov on 11 Aug, 2017 07:11 PM

    Oh neat! I'll be sure to give that a shot in a Sierra VM.

    Thanks!

    -BogDrakonov

    You cannot defeat me

  12. Posted by Travis Farral on 17 Sep, 2017 01:35 PM

    Error text:
    gpg: secret key parts are not available
    gpg: signing failed: Unusable secret key

    This error message may simply be due to the Certification piece of the key not being present. The Certification function is not the same as the Sign function in GPG. Signing files is a simple sign procedure, but signing keys requires Certification. If, for example, the Yubikey has been configured with an offline master key and has subkeys on it for Sign, Encrypt, and Authorization, it will not have the component necessary for signing other people's keys, and this error message will be produced. To sign others' keys in this scenario, the keys to be signed will have to be ferried to the offline master and signed, and then ferried back so they can be shared with recipients or uploaded to a keyserver.

    Hopefully this is useful to any others running into this error when trying to sign keys.

    See the "Signing keys" section of this blog for more information: https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-...

    -Travis
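The check behind Travis's explanation can be automated. The script below is an added example, not code from GPGTools or GnuPG: it reads the machine-readable listing that `gpg --with-colons --list-secret-keys` produces and reports whether a usable Certify (C) key is present on this machine, which is exactly what `gpg --sign-key` needs. It relies only on the colon-format field layout documented in GnuPG's `doc/DETAILS` (field 12 = capabilities, field 15 = `#` for a stub whose secret material is elsewhere, or the serial number of the card holding the key). The key IDs, card serial and user ID in the two sample listings are constructed for the example; on a real machine feed it `$(gpg --with-colons --list-secret-keys)` instead.

```shell
#!/bin/sh
# Added example (not GPGTools' or GnuPG's code): decide from
# `gpg --with-colons --list-secret-keys` output whether signing other
# people's keys can work at all, i.e. whether a non-stub secret key with
# the certify capability is present. Field 12 holds the capabilities
# (lower-case c/s/e/a for that key; upper-case letters on the primary
# summarise the whole key and must be ignored here); field 15 is '#'
# for a stub (secret material offline) or the serial of the smart card.

# Constructed sample modelled on the thread: offline certify-only primary,
# S/E/A subkeys on a Yubikey 4. Key IDs and card serial are made up.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1485000000:::u:::cESCA:::#:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1485000000::0000000000000000000000000000000000000000::Bog Drakonov <bog@example.invalid>::::::::::0:
ssb:u:4096:1:1111111111111111:1485000000::::::s:::D2760001240102010006012345670000:::23::0:
ssb:u:4096:1:2222222222222222:1485000000::::::e:::D2760001240102010006012345670000:::23::0:
ssb:u:4096:1:3333333333333333:1485000000::::::a:::D2760001240102010006012345670000:::23::0:'

# Constructed contrast case: the same primary kept in the local keyring.
LOCAL_LISTING='sec:u:4096:1:0123456789ABCDEF:1485000000:::u:::cESCA::::::23::0:
ssb:u:4096:1:1111111111111111:1485000000::::::s::::::23::0:'

# One line per secret (sub)key: record type, key ID, its own caps, location.
describe_secret_keys() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sec" || $1 == "ssb" {
            caps = $12
            gsub(/[A-Z]/, "", caps)      # drop whole-key summary letters
            if ($15 == "#")     where = "stub, secret material is offline"
            else if ($15 != "") where = "on card " $15
            else                where = "in local keyring"
            printf "%s %s caps=%s %s\n", $1, $5, caps, where
        }'
}

# Exit 0 if some non-stub secret key can certify, 1 otherwise.
certify_available() {
    printf '%s\n' "$1" | awk -F: '
        ($1 == "sec" || $1 == "ssb") && $12 ~ /c/ && $15 != "#" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Where the certify key lives: "offline", "card:<serial>" or "local".
certify_location() {
    printf '%s\n' "$1" | awk -F: '
        ($1 == "sec" || $1 == "ssb") && $12 ~ /c/ {
            if ($15 == "#")     print "offline"
            else if ($15 != "") print "card:" $15
            else                print "local"
            exit
        }'
}

# Usage with the constructed sample; on a real machine use
#   LISTING=$(gpg --with-colons --list-secret-keys)
describe_secret_keys "$SAMPLE_LISTING"
if certify_available "$SAMPLE_LISTING"; then
    echo "usable certify key present: gpg --sign-key can work here"
else
    echo "no usable certify key ($(certify_location "$SAMPLE_LISTING")): expect 'Unusable secret key'"
fi
```

The same information is visible in the human-readable listing: `gpg --list-secret-keys` prints `sec#` for a primary whose secret part is a stub and `ssb>` for subkeys that live on a card. When the script reports `offline`, the only fix is the ferry Travis describes: export the key to be certified with `gpg --armor --export KEYID > tosign.asc`, import and sign it on the machine that holds the master (`gpg --import tosign.asc`, then `gpg --sign-key KEYID`), export the signed copy again and import it back on the everyday machine before distributing it.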

  13. Posted by Steve (Support Staff) on 17 Sep, 2017 01:37 PM

    Bog, did you ever get around to testing the nightly? Is your problem still persisting with the latest nightly build from https://releases.gpgtools.org/nightlies/ ?

  14. Posted by bogdrakonov on 17 Sep, 2017 02:23 PM

    Interesting. Is there a "proper" way to configure the Yubikey to have the key signing certificate on it as well?

    Steve,

    I'm sorry I've been so busy but this week I'll build a VM to do testing in.

    -BogDrakonov

    You cannot defeat me
