Thank you for the response. I suspected it was something to do with the fact that my master certification key is on a USB stick because it worked when I used another non-yubikey PGP key. I will try to certify it via the master certification key. Thanks for the help. I appreciate it!
Best regards,
Joel

Sent from my iPhone

> On 1 Feb 2023, at 10:01, Andrew Gallagher <andr...@andrewg.com> wrote:
>
>> On 31 Jan 2023, at 19:52, Joel via Gnupg-users <gnupg-users@gnupg.org> wrote:
>>
>> Hello!
>>
>> I am trying to sign a public key, but I get an error saying, `gpg: signing failed: No secret key`. However, a normal signing on a file works perfectly fine. I suspect it could be something because I have a yubikey and it might not work as I initially expected. Has anyone had similar problems and know how to fix it when you use a yubikey?
>
> Yes, this is expected behaviour with a yubikey. The confusion arises with an unfortunate clash of terminology. When you “sign” someone else’s public key, you are technically “certifying” it - even though signing and certification use the same cryptographic operation (also called “signing”, hence the confusion), they are two different modes of operation and PGP treats them as entirely separate things.
>
> The normal structure of a key is to have a primary key which is allowed to certify and sign, and an encryption subkey that is only allowed to (de)crypt. When using a yubikey, standard practice is to also create a signing subkey and store that and the encryption subkey (and optionally an authentication subkey) on the yubikey, but leave the primary on disk. The advantage is that if your yubikey is stolen, you can generate new subkeys and revoke the old ones, without having to revoke the primary. The disadvantage is that certification subkeys are not supported by the standard, so yubikeys (and other forms of smartcard) cannot normally certify other people’s keys.
>
> You may be able to get around this by ensuring that your primary key is signing-capable (it is by default) and storing it instead of a signing subkey in the signing slot of your yubikey (caveat: I have not tested this!). But then you lose the main advantage of a yubikey (sacrificial subkeys).
>
> Otherwise, you can only certify other keys using the original computer that has your primary key on disk.
>
> A

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
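The key layout Andrew describes (certify-capable primary kept on disk or on a USB stick, with signing, encryption and optionally authentication subkeys on the yubikey) is visible directly in gpg's machine-readable key listing, and reading that listing is the quickest way to see why `gpg --sign-key` reports "No secret key" on a particular machine while file signing works. The script below is an added example, not code from this thread or from the GnuPG project: a POSIX shell script that parses `gpg --list-secret-keys --with-colons` output. Field positions follow GnuPG's doc/DETAILS; the two listings, their key IDs and the token serial number are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): explain why `gpg --sign-key` reports
# "No secret key" on a machine that only carries yubikey stubs, by parsing
# `gpg --list-secret-keys --with-colons`. Field numbering follows GnuPG's
# doc/DETAILS: field 1 record type (sec = primary, ssb = subkey), field 5 key ID,
# field 12 capabilities (c certify, s sign, e encrypt, a authenticate; uppercase
# letters on the primary summarise the whole key), field 15 secret-key location:
# '+' on disk, '#' stub with no secret material, otherwise the token serial number.

# Print where the primary secret key lives: on-disk, stub, card:<serial>, or absent.
primary_secret_location() {
  awk -F: '
    $1 == "sec" {
      if ($15 == "+")      print "on-disk"
      else if ($15 == "#") print "stub"
      else if ($15 != "")  print "card:" $15
      else                 print "unknown"
      found = 1; exit
    }
    END { if (!found) print "absent" }
  '
}

# One line per subkey: "<keyid> <capabilities> <location>".
subkey_overview() {
  awk -F: '
    $1 == "ssb" {
      if ($15 == "+")      loc = "on-disk"
      else if ($15 == "#") loc = "stub"
      else if ($15 != "")  loc = "card:" $15
      else                 loc = "unknown"
      print $5, $12, loc
    }
  '
}

# Verdict on certification: exit 0 when a certify-capable primary is on disk,
# 1 when it cannot work on this machine, 2 when the primary sits on a token
# (the thread notes that setup is untested).
diagnose_certification() {
  listing=$(cat)
  loc=$(printf '%s\n' "$listing" | primary_secret_location)
  caps=$(printf '%s\n' "$listing" | awk -F: '$1 == "sec" { print $12; exit }')
  case "$caps" in
    *c*) ;;   # lowercase c: the primary itself may certify
    *) echo "cannot-certify: primary key lacks the certify (c) capability"; return 1 ;;
  esac
  case "$loc" in
    on-disk) echo "ok: certify-capable primary key is on disk, --sign-key should work here"; return 0 ;;
    stub)    echo "no-secret-key: only a stub of the primary is here; certify on the machine that holds the primary (file signing still works via the signing subkey)"; return 1 ;;
    card:*)  echo "primary-on-card: primary secret key is on token ${loc#card:}; certifying from a token is untested per the thread"; return 2 ;;
    *)       echo "undetermined: no primary (sec) record found"; return 1 ;;
  esac
}

# Constructed sample listings (fake key IDs, fake token serial), not real keys.
# Layout from the thread: primary kept elsewhere (stub here), s/e/a subkeys on the yubikey.
SAMPLE_YUBIKEY='sec:u:4096:1:0123456789ABCDEF:1600000000:::u:::scESCA:::#:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
ssb:u:4096:1:1111222233334444:1600000000::::::s:::D2760001240100000000000000000000:::23:
ssb:u:4096:1:5555666677778888:1600000000::::::e:::D2760001240100000000000000000000:::23:
ssb:u:4096:1:99990000AAAABBBB:1600000000::::::a:::D2760001240100000000000000000000:::23:'

# Same key as seen on the machine that holds the primary on disk.
SAMPLE_ONDISK='sec:u:4096:1:0123456789ABCDEF:1600000000:::u:::scESCA:::+:::23::0:
ssb:u:4096:1:1111222233334444:1600000000::::::s:::+:::23:
ssb:u:4096:1:5555666677778888:1600000000::::::e:::+:::23:'

# Stand-alone run against the samples. With gpg installed, the same functions take
#   gpg --list-secret-keys --with-colons | diagnose_certification
for sample in "$SAMPLE_YUBIKEY" "$SAMPLE_ONDISK"; do
  printf '%s\n' "$sample" | subkey_overview
  printf '%s\n' "$sample" | diagnose_certification || true
done
```

On the yubikey machine the primary record shows `#` in field 15 (the stub that produces "No secret key" for certification) while the subkeys show the token serial, which is exactly why file signing succeeds; on the machine with the primary on disk both show `+` and the verdict is `ok`.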