Yubikey: Unable to sign other people's public keys in GPG Keychain (to be tested with gpg 2.1)
GPG Keychain
When attempting to sign a public key in the GPG Keychain using a private key that is stored on a Yubikey 4 I get the following error:
Sign userID failed!
Code = 0
Error text:
gpg: secret key parts are not available
gpg: signing failed: Unusable secret key
What did you expect instead
I expected to be prompted for my Yubikey PIN and for the key to get signed.
Describe steps leading to the problem.
1) Attempt to sign a public key with my private key stored on a Yubikey 4
2) Above error occurs
1 Posted by Peter Nöu on 09 Feb, 2017 03:19 PM
Same issue. cannot sign validity of other's public keys.
Support Staff 2 Posted by Steve on 15 Jun, 2017 10:53 AM
Hi bogdrakonov and Peter,
welcome to the GPGTools support platform. Sorry you are having problems using GPG Suite.
Please excuse the long silence. We think this issue may be resolved by switching to using gpg 2.1. We had hoped to have a GPG Suite with 2.1 ready a bit earlier, but now it's here.
GPG Suite 1922n and newer include gpg 2.1.
It would be great if you could test this build and let us know if you run into any trouble. Please note that downgrading to the current beta release will require additional steps in case new keys were created using this test build. Depending on the test results, gpg 2.1 may soon land in the beta branch.
All the best,
steve
3 Posted by bogdrakonov on 22 Jun, 2017 12:51 AM
Thanks Steve.
Will this allow Yubikey 4 to sign other public keys even though the SC key is offline and not on the machine? The Yubikey 4 only contains the S, E, and A subkeys.
4 Posted by bogdrakonov on 22 Jun, 2017 12:55 AM
Oh your link just redirects to the main page.
Support Staff 5 Posted by Steve on 22 Jun, 2017 08:47 PM
Hi bogdrakonov,
gpg 2.1 is now included in the nightly build which you can grab here:
https://releases.gpgtools.org/nightlies/
Sorry for the confusion.
Could you test and see how Yubikey behaves in the scenario you are describing?
All the best,
steve
Support Staff 6 Posted by Steve on 11 Aug, 2017 06:16 PM
Closing, since no further user feedback was received. Should your problem persist, feel free to re-open this discussion any time.
All the best, steve
Steve closed this discussion on 11 Aug, 2017 06:16 PM.
bogdrakonov re-opened this discussion on 11 Aug, 2017 06:30 PM
7 Posted by bogdrakonov on 11 Aug, 2017 06:30 PM
I did not get a request for comments. Just that this is closed.
-BogDrakonov
You cannot defeat me
Support Staff 8 Posted by Steve on 11 Aug, 2017 06:35 PM
Hi Bog,
on June 22nd I updated this discussion to let you know that we've integrated gpg 2.1 into the nightly build of GPG Suite:
https://gpgtools.tenderapp.com/discussions/problems/50900-unable-to...
It would be great if you could test that build and see how your Yubikey behaves then.
Kindly,
steve
9 Posted by bogdrakonov on 11 Aug, 2017 07:11 PM
Oh neat! I'll be sure to give that a shot in a Sierra VM.
Thanks!
-BogDrakonov
You cannot defeat me
10 Posted by Travis Farral on 17 Sep, 2017 01:35 PM
Error text:
gpg: secret key parts are not available
gpg: signing failed: Unusable secret key
This error message may simply be due to the Certification piece of the key not being present. The Certification function is not the same as the Sign function in GPG. Signing files is a simple sign procedure, but signing keys requires Certification. If, for example, the Yubikey has been configured with an offline master key and has subkeys on it for Sign, Encrypt, and Authorization, it will not have the component necessary for signing other people's keys and this error message will be produced. To sign others' keys in this scenario, the keys to be signed will have to be ferried to the offline master, signed there, and then ferried back so they can be shared with recipients or uploaded to a keyserver.
Hopefully this is useful to any others running into this error when trying to sign keys.
See the "Signing keys" section of this blog for more information: https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-...
-Travis
Support Staff 11 Posted by Steve on 17 Sep, 2017 01:37 PM
Bog, did you ever get around to test the nightly? Is your problem still persisting with the latest nightly build from https://releases.gpgtools.org/nightlies/ ?
12 Posted by bogdrakonov on 17 Sep, 2017 02:23 PM
Interesting. Is there a "proper" way to configure the Yubikey to have the key signing certificate on it as well?
Steve,
I'm sorry I've been so busy but this week I'll build a VM to do testing in.
-BogDrakonov
You cannot defeat me
13 Posted by bogdrakonov on 25 Sep, 2017 03:19 PM
Using GPG 2.2.0 and the Yubikey still cannot sign public keys of other users. I get a “no secret key” error.
Do I need to remake or configure the Yubikey differently?
-BogDrakonov
You cannot defeat me
14 Posted by gpg_dude on 25 Sep, 2017 07:28 PM
This might be related to an issue I just filed https://gpgtools.tenderapp.com/discussions/problems/58454-after-upd...
Support Staff 15 Posted by Steve on 10 Oct, 2017 01:51 PM
If after the update to GPG Suite 2017.1, which comes with the migration from MacGPG 2.0.x to 2.2.0, your Yubikey no longer works as expected, please visit the following KB article. Follow the steps closely and let me know if that brings you back to a working state.
Support Staff 16 Posted by Steve on 26 Feb, 2018 11:41 AM
Closing, since no further user feedback was received. Should your problem persist, feel free to re-open this discussion any time.
All the best, steve
Steve closed this discussion on 26 Feb, 2018 11:41 AM.
bogdrakonov re-opened this discussion on 27 Feb, 2018 12:44 AM
17 Posted by bogdrakonov on 27 Feb, 2018 12:44 AM
I think because I generated my key offline I can only sign via the offline master. I think it's missing some key signing key on the Yubi.
Support Staff 18 Posted by Steve on 22 Mar, 2018 03:17 PM
Hi bogdrakonov,
could you please send a debug log from your affected machine: Open System Preferences > GPG Suite > Send Report. Check the box to "attach debug log". Since you already described your issue in this discussion, you don't need to add a lot of detail, but please do add the link to your existing discussion, so I can then merge your debug info with this existing discussion.
And also send us the output to the following command:
All the best,
steve
19 Posted by gpg_dude on 26 Mar, 2018 04:08 PM
I don't believe you can sign other GPG public keys with a Yubikey-based GPG key setup per https://gpgtools.tenderapp.com/discussions/problems/66299-yubikeygp...
Quoted below just in case it gets edited/deleted:
Also re-quoting the relevant text from the "Signing keys" section of the URL Travis lists:
If all of this is accurate, it sounds like it is impossible to use a Yubikey-based GPG key to sign other public keys with as it does not contain the "certification key", but rather an encryption key, signing key, & authentication key.
Sadly, it sounds like that means those of us using Yubikey-based GPG keys for daily use cannot sign other public keys and would need to ferry such keys to our offline rigs and use our master GPG keys for this purpose and then ferry the signed public keys back to an internet-connected machine to publish them to the keyservers. All in all, a big old bummer.
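Travis's post and gpg_dude's summary above both come down to one check: which secret key carries the certify (C) capability, and is its secret part reachable from this machine or only present as a stub for an offline master? The script below is an added example, not code from GPG Suite or GnuPG. It parses the machine-readable `gpg --list-secret-keys --with-colons` listing (field layout per GnuPG's doc/DETAILS) and reports whether key signing can work locally. The two embedded listings are constructed: key IDs, fingerprints, dates and the card serial number are made up, and the second listing shows the contrasting layout in which the certify-capable primary key itself lives in the card's signature slot.

```python
from __future__ import annotations
from dataclasses import dataclass

# Colon-format fields used here (1-indexed, from GnuPG doc/DETAILS):
#   1  record type  ("sec" = primary secret key, "ssb" = secret subkey)
#   5  key ID
#   12 capabilities (lowercase = this key's own: e, s, c, a;
#                    uppercase on the primary = aggregate for the whole key)
#   15 token field  ("#" = stub, secret part not on this host;
#                    a serial number = secret part lives on that smart card;
#                    empty = secret part in the local keyring)

@dataclass
class SecretKey:
    record: str
    keyid: str
    caps: str      # own capabilities only, lowercase letters
    token: str

    @property
    def can_certify(self) -> bool:
        return "c" in self.caps

    @property
    def location(self) -> str:
        if self.token == "#":
            return "offline (stub only)"
        if self.token:
            return f"smart card {self.token}"
        return "local keyring"


def parse_secret_listing(text: str) -> list[SecretKey]:
    """Extract sec/ssb records from `gpg --list-secret-keys --with-colons` output."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        fields += [""] * max(0, 15 - len(fields))          # tolerate short lines
        own_caps = "".join(ch for ch in fields[11] if ch.islower())
        keys.append(SecretKey(fields[0], fields[4], own_caps, fields[14]))
    return keys


def certify_status(keys: list[SecretKey]) -> dict:
    """Which keys could certify (sign other people's keys), and is one usable here?"""
    certifiers = [k for k in keys if k.can_certify]
    usable = [k for k in certifiers if k.token != "#"]
    if not certifiers:
        reason = "no key in this listing has the certify (c) capability"
    elif not usable:
        reason = ("the only certify-capable key is an offline stub; gpg reports "
                  "'secret key parts are not available' when asked to sign a key")
    else:
        reason = "certify-capable secret key reachable: " + ", ".join(
            f"{k.keyid} on {k.location}" for k in usable)
    return {"certifiers": [k.keyid for k in certifiers],
            "usable_here": bool(usable), "reason": reason}


# Constructed listing for the setup in this thread: offline master with only the
# certify capability, S/E/A subkeys on a YubiKey (serial in field 15, "#" on the master).
OFFLINE_MASTER_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1483228800:::u:::cESCA:::#:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1483228800::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:1111111111111111:1483228800::::::s:::D2760001240102010006012345670000::23::0:
ssb:u:4096:1:2222222222222222:1483228800::::::e:::D2760001240102010006012345670000::23::0:
ssb:u:4096:1:3333333333333333:1483228800::::::a:::D2760001240102010006012345670000::23::0:
"""

# Constructed contrast: the certify-capable primary key itself sits in the card's
# signature slot, so gpg can prompt for the card PIN instead of failing.
MASTER_ON_CARD_LISTING = """\
sec:u:4096:1:4444444444444444:1483228800:::u:::scESCA:::D2760001240102010006012345670000::23::0:
ssb:u:4096:1:5555555555555555:1483228800::::::e:::D2760001240102010006012345670000::23::0:
ssb:u:4096:1:6666666666666666:1483228800::::::a:::D2760001240102010006012345670000::23::0:
"""

if __name__ == "__main__":
    import sys
    if not sys.stdin.isatty():      # gpg --list-secret-keys --with-colons | python3 certify_check.py
        samples = [("stdin", sys.stdin.read())]
    else:
        samples = [("offline master", OFFLINE_MASTER_LISTING),
                   ("master on card", MASTER_ON_CARD_LISTING)]
    for name, listing in samples:
        status = certify_status(parse_secret_listing(listing))
        print(f"{name}: usable_here={status['usable_here']} ({status['reason']})")
```

Run it with no input to see both constructed cases, or pipe a real `gpg --list-secret-keys --with-colons` into it. On the setup from this thread it reports that the only certify-capable key is a stub, which is exactly the condition behind "secret key parts are not available"; the subkeys on the card are listed with only s, e and a and so never qualify, whichever gpg version is installed.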
20 Posted by bogdrakonov on 27 Mar, 2018 12:36 AM
Ah, so it's due to the way I created keys offline. Ok, in that case I guess I'm stuck using the offline master once in a while.
Support Staff 21 Posted by Steve on 29 Mar, 2018 12:46 PM
I'm closing this discussion.
This specific case may also be taken to the gnupg-users mailing list.
Steve closed this discussion on 29 Mar, 2018 12:46 PM.