gpg --sign --local-user ... fails with smartcard
Open, Normal, Public

Description

I have a smart card with my signing subkey (0xADCF72E06DBC3057), and I have a stubbed master key locally (0xF012A6E298C66655) on the machine; the actual master key is offline. I have the following in my ~/.gnupg/gpg.conf:

default-key 0xF012A6E298C66655
local-user 0xADCF72E06DBC3057!

All works well when signing with the default values:

$ echo test | gpg -vbsa
gpg: Note: signature key 0x6CDA813213912971 expired Fri 26 Oct 2012 23:17:20 AEDT
gpg: Note: signature key 0x6CDA813213912971 has been revoked
gpg: Note: signature key 0x9CA49F44ABCF4EFA expired Mon 21 Jan 2013 14:11:29 AEDT
gpg: Note: signature key 0x9CA49F44ABCF4EFA has been revoked
gpg: Note: signature key 0xF9EB425E6D1886A7 expired Wed 02 Nov 2016 22:02:08 AEDT
gpg: using subkey 0xADCF72E06DBC3057 instead of primary key 0xF012A6E298C66655
gpg: writing to stdout
gpg: RSA/SHA512 signature from: "0xADCF72E06DBC3057 Olivier Mehani <shtrom@ssji.net>"

This, however, fails if I specify the same key ID as the local user on the command line:

$ echo test | gpg -vbsau 0xADCF72E06DBC3057
gpg: Note: signature key 0x6CDA813213912971 expired Fri 26 Oct 2012 23:17:20 AEDT
gpg: Note: signature key 0x6CDA813213912971 has been revoked
gpg: Note: signature key 0x9CA49F44ABCF4EFA expired Mon 21 Jan 2013 14:11:29 AEDT
gpg: Note: signature key 0x9CA49F44ABCF4EFA has been revoked
gpg: Note: signature key 0xF9EB425E6D1886A7 expired Wed 02 Nov 2016 22:02:08 AEDT
gpg: using subkey 0x2349101368E456BD instead of primary key 0xF012A6E298C66655
gpg: Note: signature key 0x6CDA813213912971 expired Fri 26 Oct 2012 23:17:20 AEDT
gpg: Note: signature key 0x6CDA813213912971 has been revoked
gpg: Note: signature key 0x9CA49F44ABCF4EFA expired Mon 21 Jan 2013 14:11:29 AEDT
gpg: Note: signature key 0x9CA49F44ABCF4EFA has been revoked
gpg: Note: signature key 0xF9EB425E6D1886A7 expired Wed 02 Nov 2016 22:02:08 AEDT
gpg: using subkey 0xADCF72E06DBC3057 instead of primary key 0xF012A6E298C66655
gpg: writing to stdout
gpg: RSA/SHA512 signature from: "0xADCF72E06DBC3057 Olivier Mehani <shtrom@ssji.net>"
gpg: signing failed: No secret key
gpg: signing failed: No secret key

This is rather annoying, as the second mode is how git uses gpg, which leads to signed commits failing with:

$ git commit -S0xADCF72E06DBC3057 -m 'test'
error: gpg failed to sign the data
fatal: failed to write commit object

shtrom created this task. Apr 26 2017, 9:13 AM
gniibe added a subscriber: gniibe. Apr 26 2017, 10:14 AM

By appending an exclamation mark (!) to the keyid, you can specify an exact match for the key.
I think that you can use 0xADCF72E06DBC3057! for git commit.
Please try.

shtrom added a comment. Edited Apr 26 2017, 12:37 PM

Ah, yeah, that worked. I was confused by the fact that I already have the bang in my .gnupg/gpg.conf, and got a warning when explicitly passing it to GPG.

$ echo test | gpg -basu 0xADCF72E06DBC3057!
gpg: skipped "0xADCF72E06DBC3057!": duplicated

I have a signed commit now. Looks good!

gniibe triaged this task as Normal priority. Apr 28 2017, 1:04 AM
werner moved this task from gpg21 to gpg22 on the gnupg board. Oct 20 2017, 1:57 PM
werner edited projects, added gnupg (gpg22); removed gnupg (gpg21).
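
The shell sketch below is an added example, not part of this task or of GnuPG. It checks a key spec, as passed to gpg -u or git commit -S, for the "!" exact-match suffix and for a repeat of a local-user line in gpg.conf, the two situations seen in the thread. The function names are hypothetical, the gpg.conf is constructed from the two lines quoted in the report, and the duplicate check is a plain string comparison assumed for illustration.

```shell
#!/bin/sh
# Added example, not part of the task. Key IDs and config lines are the ones
# quoted in the report; the function names are hypothetical.

# Print the key spec with a trailing "!" (exact-match form), adding it if absent.
exact_keyid() {
    case "$1" in
        *!) printf '%s\n' "$1" ;;
        *)  printf '%s!\n' "$1" ;;
    esac
}

# Print every local-user value found in the gpg.conf-style file $1.
conf_local_users() {
    sed -n 's/^[[:space:]]*local-user[[:space:]][[:space:]]*\([^[:space:]#][^[:space:]#]*\).*$/\1/p' "$1"
}

# Classify key spec $1 against config file $2:
#   inexact   - no "!" suffix, gpg is free to choose among the key's subkeys
#   duplicate - exact, and identical to a local-user line already in the config
#   exact     - exact, and not repeated in the config
# The duplicate test is a plain string comparison (an assumption of this
# example), not gpg's own logic.
audit_key_spec() {
    case "$1" in
        *!) ;;
        *)  echo inexact; return 0 ;;
    esac
    if conf_local_users "$2" | grep -Fxq -e "$1"; then
        echo duplicate
    else
        echo exact
    fi
}

# Demo on a constructed gpg.conf holding the two lines from the report.
demo() {
    conf=$(mktemp) || return 1
    printf '%s\n' 'default-key 0xF012A6E298C66655' \
                  'local-user 0xADCF72E06DBC3057!' > "$conf"
    for spec in 0xADCF72E06DBC3057 "$(exact_keyid 0xADCF72E06DBC3057)"; do
        printf '%s -> %s\n' "$spec" "$(audit_key_spec "$spec" "$conf")"
    done
    rm -f "$conf"
}
demo
```

Quote the spec when typing it at an interactive shell, for example -S'0xADCF72E06DBC3057!', so the "!" is not subject to history expansion.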