GPGTools: Discussion 2019-05-29T14:19:51Z
Yubikey: Unable to sign other people's public keys in GPG Keychain (to be tested w gpg 2.1)
tag:gpgtools.tenderapp.com,2011-11-04:/discussions/problems/50900-unable-to-sign-other-peoples-public-keys-in-the-gpg-keychain-app-when-using-a-yubikey

Posted 2017-02-09T15:19:18Z (updated 2017-02-09T15:19:23Z)
<div><p>Same issue. Cannot sign validity of other's public keys.</p></div>
Author: Peter Nöu

Posted 2017-06-15T10:53:43Z (updated 2017-06-22T20:46:03Z)
<div><p>Hi bogdrakonov and Peter,</p>
<p>welcome to the GPGTools support platform. Sorry you are having problems using GPG Suite.</p>
<p>Please excuse the long silence. We think this issue may be resolved by switching to using gpg 2.1. We had hoped to have a GPG Suite with 2.1 ready a bit earlier, but now it's here.</p>
<p>GPG Suite 1922n and newer include gpg 2.1.</p>
<p>It would be great if you could test this build and let us know if you run into any trouble. Please note that downgrading to the current beta release will require additional steps in case new keys were created using this test build. Depending on the test results, gpg 2.1 may soon land in the beta branch.</p>
<p>All the best,<br>
steve</p></div>
Author: Steve

Posted 2017-06-22T00:51:22Z (updated 2017-06-22T00:55:38Z)
<div><p>Thanks Steve.</p>
<p>Will this allow Yubikey 4 to sign other public keys even though the SC key is offline and not on the machine? The Yubikey 4 only contains the S, E, and A subkeys.</p></div>
Author: bogdrakonov

Posted 2017-06-22T00:55:00Z (updated 2017-06-22T00:55:26Z)
<div><p>Oh your link just redirects to the main page.</p></div>
Author: bogdrakonov

Posted 2017-06-22T20:47:19Z
<div><p>Hi bogdrakonov,</p>
<p>gpg 2.1 is now included in the nightly build which you can grab here:<br>
<a href="https://releases.gpgtools.org/nightlies/">https://releases.gpgtools.org/nightlies/</a></p>
<p>Sorry for the confusion.</p>
<p>Could you test and see how Yubikey behaves in the scenario you are describing?</p>
<p>All the best,<br>
steve</p></div>
Author: Steve

Posted 2017-08-11T18:16:06Z
<div><p>Closing, since no further user feedback was received. Should your problem persist, feel free to re-open this discussion any time.</p>
<p>All the best, steve</p></div>
Author: Steve

Posted 2017-08-11T18:30:54Z
<div><p>I did not get a request for comments. Just that this is closed.</p>
<p>-BogDrakonov</p>
<p>You cannot defeat me</p></div>
Author: bogdrakonov

Posted 2017-08-11T18:35:51Z
<div><p>Hi Bog,</p>
<p>on June 22nd I updated this discussion to let you know that we've integrated gpg 2.1 into the nightly build of GPG Suite:<br>
<a href="https://gpgtools.tenderapp.com/discussions/problems/50900-unable-to-sign-other-peoples-public-keys-in-the-gpg-keychain-app-when-using-a-yubikey#comment_42830459">https://gpgtools.tenderapp.com/discussions/problems/50900-unable-to...</a></p>
<p>It would be great if you could test that build and see how your Yubikey behaves then.</p>
<p>Kindly,<br>
steve</p></div>
Author: Steve

Posted 2017-08-11T19:11:56Z
<div><p>Oh neat! I'll be sure to give that a shot in a Sierra VM.</p>
<p>Thanks!</p>
<p>-BogDrakonov</p>
<p>You cannot defeat me</p></div>
Author: bogdrakonov

Posted 2017-09-17T13:35:32Z (updated 2017-09-17T13:35:34Z)
<div><p>Error text:<br>
gpg: secret key parts are not available<br>
gpg: signing failed: Unusable secret key</p>
<p>This error message may simply be due to the Certification piece of the key not being present. The Certification function is not the same as the Sign function in GPG. Signing files is a simple sign procedure but signing keys requires Certification. If, for example, the Yubikey has been configured with an offline master key and has subkeys on it for Sign, Encrypt, and Authorization - it will not have the component necessary for signing other people's keys and this error message will be produced. To sign other's keys in this scenario, the keys to be signed will have to be ferried to the offline master and signed and then ferried back so they can be shared with recipients or uploaded to a keyserver.</p>
<p>Hopefully this is useful to any others running into this error when trying to sign keys.</p>
<p>See the "Signing keys" section of this blog for more information: <a href="https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/">https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-...</a></p>
<p>-Travis</p></div>
Author: Travis Farral

Posted 2017-09-17T13:37:47Z
<div><p>Bog, did you ever get around to test the nightly? Is your problem still persisting with the latest nightly build from <a href="https://releases.gpgtools.org/nightlies/">https://releases.gpgtools.org/nightlies/</a> ?</p></div>
Author: Steve

Posted 2017-09-17T14:23:01Z
<div><p>Interesting. Is there a "proper" way to configure the Yubikey to have the key signing certificate on it as well?</p>
<p>Steve,</p>
<p>I'm sorry I've been so busy but this week I'll build a VM to do testing in.</p>
<p>-BogDrakonov</p>
<p>You cannot defeat me</p></div>
Author: bogdrakonov

Posted 2017-09-25T15:19:25Z
<div><p>Using GPG 2.2.0 and the Yubikey still cannot sign public keys of other users. I get a “no secret key” error.</p>
<p>Do I need to remake configure the Yubikey differently?</p>
<p>-BogDrakonov</p>
<p>You cannot defeat me</p></div>
Author: bogdrakonov

Posted 2017-09-25T19:28:57Z (updated 2017-09-25T19:28:58Z)
<div><p>This might be related to an issue I just filed <a href="https://gpgtools.tenderapp.com/discussions/problems/58454-after-updating-to-gpgtools-20171-yubikey-no-longer-functions-properly-both-in-mail-gpg2-card-edit">https://gpgtools.tenderapp.com/discussions/problems/58454-after-upd...</a></p></div>
Author: gpg_dude

Posted 2017-10-10T13:51:26Z
<div><p>If after the update to GPG Suite 2017.1 which comes with the migration from MacGPG 2.0.x to 2.2.0 your Yubikey no longer works as expected, please visit the following <a href="https://gpgtools.tenderapp.com/kb/faq/gpg-suite-20171-gnupg-20-gnupg-22-migration-help#my-yubikey-does-no-longer-work-">KB-article</a>. Follow the steps closely and let me know if that brings you back to working state.</p></div>
Author: Steve

Posted 2018-02-26T11:41:56Z
<div><p>Closing, since no further user feedback was received. Should your problem persist, feel free to re-open this discussion any time.</p>
<p>All the best, steve</p></div>
Author: Steve

Posted 2018-02-27T00:44:57Z
<div><p>I think because I generated my key offline I can only sign via the offline<br>
master. I think it's missing some key signing key on the Yubi.</p></div>
Author: bogdrakonov

Posted 2018-03-22T15:17:37Z
<div><p>Hi bogdrakonov,</p>
<p>could you please send a debug log from your affected machine: Open System Preferences > GPG Suite > Send Report. Check the box to "attach debug log". Since you already described your issue in this discussion, you don't need to add a lot of detail, but please do add the link to your existing discussion, so I can then merge your debug info with this existing discussion.</p>
<p>And also send us the output to the following command:</p>
<pre>
<code> gpg --card-status</code>
</pre>
<p>All the best,<br>
steve</p></div>
Author: Steve

Posted 2018-03-26T16:08:14Z
<div><p>I don't believe you can sign other GPG public keys with a Yubikey-based GPG key setup per <a href="https://gpgtools.tenderapp.com/discussions/problems/66299-yubikeygpg2-issue-can-encryptsign-emails-files-but-cannot-sign-public-keys-error-code-17-no-secret-key">https://gpgtools.tenderapp.com/discussions/problems/66299-yubikeygp...</a></p>
<p>Quoted below just in case it gets edited/deleted:</p>
<blockquote>
<p>Error text: gpg: secret key parts are not available<br>
gpg: signing failed: Unusable secret key</p>
<p>This error message may simply be due to the Certification piece of the key not being present. The Certification function is not the same as the Sign function in GPG. Signing files is a simple sign procedure but signing keys requires Certification. If, for example, the Yubikey has been configured with an offline master key and has subkeys on it for Sign, Encrypt, and Authorization - it will not have the component necessary for signing other people's keys and this error message will be produced. To sign other's keys in this scenario, the keys to be signed will have to be ferried to the offline master and signed and then ferried back so they can be shared with recipients or uploaded to a keyserver.</p>
<p>Hopefully this is useful to any others running into this error when trying to sign keys.</p>
<p>See the "Signing keys" section of this blog for more information: <a href="https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-">https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-</a>...</p>
<p>-Travis</p>
</blockquote>
<p>Also re-quoting the relevant text from the "Signing keys" section of the URL Travis lists:</p>
<blockquote>
<p>Signing keys</p>
<p>This needs to be done using your master key, since it is your certification key that will be used. So boot the Live CD and make the usual GnuPG configurations. Below I’m signing my own old key (0xB565716F) so the output may look a bit confusing with me signing my own key, but there is really two different keys involved here. The same process apply if you want to sign someone else’s key too.</p>
</blockquote>
<p>If all of this is accurate, it sounds like it is impossible to use a Yubikey-based GPG key to sign other public keys with as it does not contain the "certification key", but rather an encryption key, signing key, & authentication key.</p>
<p>Sadly, it sounds like that means those of us using Yubikey-based GPG keys for daily use cannot sign other public keys and would need to ferry such keys to our offline rigs and use our master GPG keys for this purpose and then ferry the signed public keys back to an internet-connected machine to publish them to the keyservers. All in all, a big old bummer.</p></div>
Author: gpg_dude

Posted 2018-03-27T00:36:35Z
<div><p>Ah so it’s due to the way I created keys offline. Ok in that case I guess<br>
I’m stuck using the offline master once in a while.</p></div>
Author: bogdrakonov

Posted 2018-03-29T12:46:26Z
<div><p>I'm closing this discussion.</p>
<p>This specific case may also be taken to the <a href="https://gnupg.org/documentation/mailing-lists.html">gnupg users mailing list</a>.</p></div>
Author: Steve
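
<p>Added example (not part of the original discussion and not GPG Suite code): the distinction Travis describes between the Sign and Certification functions, and gpg_dude's summary of it, can be checked from the command line. The script reads <code>gpg --list-secret-keys --with-colons</code> output and reports where the certification-capable secret key lives, assuming the GnuPG 2.1+ colon format (field 12 = capabilities, field 15 = <code>#</code> for a stub, <code>+</code> for a key on disk, otherwise a card serial); the function names and the sample listing are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example, not from the thread. Field meanings follow GnuPG's
# --with-colons format (2.1+): field 12 = capabilities, field 15 = "#" for a
# secret-key stub, "+" for a key on disk, otherwise the card serial number.

# Constructed sample: certify-only primary key kept offline (stub), with
# S, E and A subkeys on a card. Key IDs and the card serial are made up.
SAMPLE_LISTING='sec:u:4096:1:AAAAAAAAAAAAAAAA:1400000000:::u:::cESCA:::#:::23::0:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1400000000::::::s:::D2760001240102000000000000010000:::23:
ssb:u:2048:1:CCCCCCCCCCCCCCCC:1400000000::::::e:::D2760001240102000000000000010000:::23:
ssb:u:2048:1:DDDDDDDDDDDDDDDD:1400000000::::::a:::D2760001240102000000000000010000:::23:'

# Print one line per secret key that carries the certify ("c") capability,
# saying where its secret material is. Reads the colon listing on stdin.
cert_key_location() {
    awk -F: '
        ($1 == "sec" || $1 == "ssb") && $12 ~ /c/ {
            found = 1
            if ($15 == "#")       where = "offline (stub only)"
            else if ($15 == "+")  where = "on disk"
            else if ($15 != "")   where = "on card " $15
            else                  where = "unknown"
            print $5 ": " where
        }
        END { if (!found) print "none: no certification-capable key listed" }
    '
}

# Succeeds only if a certify-capable secret key is usable on this machine,
# which is what signing someone else's public key requires.
can_certify_here() {
    cert_key_location | grep -Eq ': on (disk|card)'
}

# Real use: gpg --list-secret-keys --with-colons | cert_key_location
printf '%s\n' "$SAMPLE_LISTING" | cert_key_location
if printf '%s\n' "$SAMPLE_LISTING" | can_certify_here; then
    echo "key signing possible here"
else
    echo "key signing needs the offline master key"
fi
```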