Yubikey+GPG2 issue - can encrypt/sign emails & files - but cannot sign public keys (error code 17, no secret key)
Which of our tools is giving you problems?
gpg2
Attach a screenshot of the version info for all installed components (how to: https://gpgtools.tenderapp.com/kb/faq/where-can-i-find-version-info...):
Attached
Describe your problem. Add as much detail as possible.
When attempting to sign other people's public keys, gpg fails with an error code 17 saying it cannot find my secret key. All other gpg operations, such as encrypting & signing emails/files using the same secret key, work fine.
I am able to sign other people's public keys using another secret key I have that does not use a Yubikey.
What did you expect instead
I expect gpg to prompt me for my Yubikey PIN (if it hasn't already been input for another operation) and sign other people's public keys successfully.
Describe steps leading to the problem.
In GPG Keychain, right-clicking another person's public key, then clicking sign, then selecting the secret key that is on a Yubikey, then selecting how carefully I have verified the public key, then setting an expiration, and then clicking generate signature.
I have also attempted to perform this operation on the command line using gpg --edit-key and receive the same error after submitting the "sign" command at the gpg> prompt & answering the same question/settings that GPG Keychain asks/displays.
Are you using any other Mail.app plugins?
No, but also this problem does not involve Mail.app
- gpgver.png 82.9 KB
Support Staff 1 Posted by Luke Le on 22 Jan, 2018 12:25 PM
Hi gpg_dude,
if you are seeing the same error using the command line, this seems to be a bug of GnuPG core. It would be great if you could file this issue with the GnuPG team at https://gnupg.org
Sorry we can't be of more help here.
2 Posted by gpg_dude on 24 Jan, 2018 04:45 AM
Hi Luke,
Oddly enough, after I posted this I remembered another thread about this. I even commented in said thread, but my interest at the time was getting my Yubikey-based GPG key to work with 2017.1 at all vs. my current issue of trying to use the key it holds for signing other keys.
This is the comment that seems to shed some light on the situation: https://gpgtools.tenderapp.com/discussions/problems/50900-unable-to...
Quoted below just in case it gets edited/deleted:
Also re-quoting the relevant text from the "Signing keys" section of the URL Travis lists:
If all of this is accurate, it sounds like it is impossible to use a Yubikey-based GPG key to sign other public keys with, as it does not contain the "certification key", but rather an encryption key, signing key, & authentication key.
Sadly, it sounds like that means those of us using Yubikey-based GPG keys for daily use cannot sign other public keys and would need to ferry such keys to our offline rigs and use our master GPG keys for this purpose and then ferry the signed public keys back to an internet-connected machine to publish them to the keyservers. All in all, a big old bummer.
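An added diagnostic, not code from this thread or from GPGTools: it parses `gpg -K --with-colons` output and reports where each secret-key capability (c/s/e/a) actually lives, so the "no secret key" error becomes explainable when the certify-capable primary key is only an offline stub. The listings below are constructed samples (no real key material, serial is a made-up OpenPGP-card style value); field positions follow GnuPG's doc/DETAILS (field 12 = capabilities, field 15 = token serial, '#' for a stub, '+' for a locally present key).

```python
"""Explain why `gpg --edit-key ... sign` reports 'no secret key' for a
Yubikey-backed key: only a certify-capable ('c') secret key may sign other
people's public keys, and on a card-only setup that key is usually a stub."""

# Constructed `gpg -K --with-colons` output (not real key material): the
# primary key is an offline stub ('#' in field 15); the s/e/a subkeys are on a card.
CARD_ONLY_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1516000000:::u:::cESCA:::#:::23::0:
fpr:::::::::00112233445566778899AABBCCDDEEFF01234567:
uid:u::::1516000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example User <user@example.com>::::::::::0:
ssb:u:4096:1:1111111111111111:1516000000::::::s:::D2760001240102010006012345670000:::23::0:
ssb:u:4096:1:2222222222222222:1516000000::::::e:::D2760001240102010006012345670000:::23::0:
ssb:u:4096:1:3333333333333333:1516000000::::::a:::D2760001240102010006012345670000:::23::0:
"""

# Same key set, but the certify-capable primary key is present locally ('+').
LOCAL_CERT_LISTING = CARD_ONLY_LISTING.replace("cESCA:::#:", "cESCA:::+:")


def key_capabilities(listing):
    """Return {capability: location} for every sec/ssb record, where location
    is 'local', 'card:<serial>' or 'stub'. Lowercase letters in field 12 are
    the key's own capabilities; uppercase ones summarise the whole key set."""
    caps = {}
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb"):
            continue
        sn = f[14]  # field 15: token serial number, '#' stub, '+' present
        if sn == "#":
            where = "stub"
        elif sn in ("", "+"):
            where = "local"
        else:
            where = "card:" + sn
        for c in f[11]:  # field 12: capability letters
            if c in "csea":
                caps[c] = where
    return caps


def can_certify(listing):
    """(usable, location) for the certify capability. A signing subkey ('s')
    on the card is not enough: certifying other keys needs 'c'."""
    where = key_capabilities(listing).get("c", "missing")
    return where not in ("stub", "missing"), where


if __name__ == "__main__":
    print("card-only setup:", can_certify(CARD_ONLY_LISTING))
    print("local cert key: ", can_certify(LOCAL_CERT_LISTING))
```

On a real machine, feed it `gpg -K --with-colons` output; a result of `(False, "stub")` matches the symptom in this thread.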
Support Staff 3 Posted by Luke Le on 25 Jan, 2018 09:11 AM
Hi gpg_dude,
unfortunately we haven't tried using a smart card to sign keys yet, so I'm not much help in this regard. The GnuPG user mailing list would be your best bet for it.
What I could find is that it seems possible to create an authentication/certification subkey and transfer it to your smart card. See the following guide on how to do that:
https://github.com/drduh/YubiKey-Guide#create-subkeys
So I believe it should be possible to use your smart card to sign other keys.
Hope that helps.
gpg_dude closed this discussion on 13 Mar, 2018 03:55 PM.
Steve re-opened this discussion on 03 May, 2021 10:35 AM
Support Staff 4 Posted by Steve on 03 May, 2021 10:36 AM
We have a ticket for this problem. I connected this discussion with the existing ticket. That means, should this discussion get closed, it will be re-opened as soon as the ticket is closed. That way you stay in the loop and will receive info as soon as we have news. Feel free to open a new discussion should you run into further problems or need assistance.
Steve closed this discussion on 03 May, 2021 10:36 AM.