Thank you for the response. I suspected it was something to do with the fact 
that my master certification key is on a USB stick because it worked when I 
used another non-yubikey PGP key. I will try to certify it via the master 
certification key. Thanks for the help. I appreciate it!

Best regards,

Joel

Sent from my iPhone

> On 1 Feb 2023, at 10:01, Andrew Gallagher <andr...@andrewg.com> wrote:
> 
> On 31 Jan 2023, at 19:52, Joel via Gnupg-users <gnupg-users@gnupg.org> wrote:
>> 
>> Hello!
>> 
>> I am trying to sign a public key, but I get an error saying, `gpg: signing 
>> failed: No secret key`. However, a normal signing on a file works perfectly 
>> fine. I suspect it could be something because I have a yubikey and it might 
>> not work as I initially expected. Has anyone had similar problems and know 
>> how to fix it when you use a yubikey?
> 
> Yes, this is expected behaviour with a yubikey. The confusion arises with an 
> unfortunate clash of terminology. When you “sign” someone else’s public key, 
> you are technically “certifying” it - even though signing and certification 
> use the same cryptographic operation (also called “signing”, hence the 
> confusion), they are two different modes of operation and PGP treats them as 
> entirely separate things.
> 
> The normal structure of a key is to have a primary key which is allowed to 
> certify and sign, and an encryption subkey that is only allowed to (de)crypt. 
> When using a yubikey, standard practice is to also create a signing subkey 
> and store that and the encryption subkey (and optionally an authentication 
> subkey) on the yubikey, but leave the primary on disk. The advantage is that 
> if your yubikey is stolen, you can generate new subkeys and revoke the old 
> ones, without having to revoke the primary. The disadvantage is that 
> certification subkeys are not supported by the standard, so yubikeys (and 
> other forms of smartcard) cannot normally certify other people’s keys.
> 
> You may be able to get around this by ensuring that your primary key is 
> signing-capable (it is by default) and storing it instead of a signing subkey 
> in the signing slot of your yubikey (caveat: I have not tested this!). But 
> then you lose the main advantage of a yubikey (sacrificial subkeys). 
> Otherwise, you can only certify other keys using the original computer that 
> has your primary key on disk.
> 
> A
> 

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
