Yubikey+GPG2 issue - can encrypt/sign emails & files - but cannot sign public keys (error code 17, no secret key)

gpg_dude

03 Jan, 2018 07:09 PM

Which of our tools is giving you problems?

gpg2

Attach a screenshot of the version info for all installed components (how to: https://gpgtools.tenderapp.com/kb/faq/where-can-i-find-version-info...):

Attached

Describe your problem. Add as much detail as possible.

When attempting to sign other people's public keys, gpg fails with an error code 17 saying it cannot find my secret key. All other gpg operations, such as encrypting & signing emails/files using the same secret key, work fine.

I am able to sign other people's public keys using another secret key I have that does not use a Yubikey.

What did you expect instead

I expect gpg to prompt me for my Yubikey PIN (if it hasn't already been input for another operation) and sign other people's public keys successfully.

Describe steps leading to the problem.

In GPG Keychain, right-clicking another person's public key, then clicking sign, then selecting the secret key that is on a Yubikey, then selecting how carefully I have verified the public key, then setting an expiration, and then clicking generate signature.

I have also attempted to perform this operation on the command line using gpg --edit-key and receive the same error after submitting the "sign" command at the gpg> prompt & answering the same question/settings that GPG Keychain asks/displays.

Are you using any other Mail.app plugins?

No, but also this problem does not involve Mail.app

  1. Support Staff 1 Posted by Luke Le on 22 Jan, 2018 12:25 PM


    Hi gpg_dude,

    If you are seeing the same error using the command line, this seems to be a bug in GnuPG core. It would be great if you could file this issue with the GnuPG team at https://gnupg.org

    Sorry we can't be of more help here.

  2. 2 Posted by gpg_dude on 24 Jan, 2018 04:45 AM


    Hi Luke,
    Oddly enough, after I posted this I remembered another thread about this. I even commented in said thread, but my interest at the time was getting my Yubikey-based GPG key to work with 2017.1 at all vs. my current issue of trying to use the key it holds for signing other keys.

    This is the comment that seems to shed some light on the situation: https://gpgtools.tenderapp.com/discussions/problems/50900-unable-to...

    Quoted below just in case it gets edited/deleted:

    Error text: gpg: secret key parts are not available
    gpg: signing failed: Unusable secret key

    This error message may simply be due to the Certification piece of the key not being present. The Certification function is not the same as the Sign function in GPG. Signing files is a simple sign procedure, but signing keys requires Certification. If, for example, the Yubikey has been configured with an offline master key and has subkeys on it for Sign, Encrypt, and Authorization, it will not have the component necessary for signing other people's keys, and this error message will be produced. To sign others' keys in this scenario, the keys to be signed will have to be ferried to the offline master and signed, and then ferried back so they can be shared with recipients or uploaded to a keyserver.

    Hopefully this is useful to any others running into this error when trying to sign keys.

    See the "Signing keys" section of this blog for more information: https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-...

    -Travis

    Also re-quoting the relevant text from the "Signing keys" section of the URL Travis lists:

    Signing keys

    This needs to be done using your master key, since it is your certification key that will be used. So boot the Live CD and make the usual GnuPG configurations. Below I’m signing my own old key (0xB565716F), so the output may look a bit confusing with me signing my own key, but there are really two different keys involved here. The same process applies if you want to sign someone else’s key too.

    If all of this is accurate, it sounds like it is impossible to use a Yubikey-based GPG key to sign other public keys, as it does not contain the "certification key", but rather an encryption key, signing key, & authentication key.

    Sadly, it sounds like that means those of us using Yubikey-based GPG keys for daily use cannot sign other public keys and would need to ferry such keys to our offline rigs and use our master GPG keys for this purpose and then ferry the signed public keys back to an internet-connected machine to publish them to the keyservers. All in all, a big old bummer.

  3. Support Staff 3 Posted by Luke Le on 25 Jan, 2018 09:11 AM


    Hi gpg_dude,

    Unfortunately we haven't tried using a smart card to sign keys yet, so I'm not much help in this regard. The GnuPG user mailing list would be your best bet for it.
    What I could find is that it seems possible to create an authentication/certification subkey and transfer it to your smart card. See the following guide on how to do that:
    https://github.com/drduh/YubiKey-Guide#create-subkeys

    So I believe it should be possible to use your smart card to sign other keys.

    Hope that helps.

  4. gpg_dude closed this discussion on 13 Mar, 2018 03:55 PM.

  5. Steve re-opened this discussion on 03 May, 2021 10:35 AM

  6. Support Staff 4 Posted by Steve on 03 May, 2021 10:36 AM


    We have a ticket for this problem. I connected this discussion with the existing ticket. That means, should this discussion get closed, it will be re-opened as soon as the ticket is closed. That way you stay in the loop and will receive info as soon as we have news. Feel free to open a new discussion should you run into further problems or need assistance.

  7. Steve closed this discussion on 03 May, 2021 10:36 AM.
