During debugging of a user problem in gnupg channel on FreeNode we came across a regression in 2.1.21 that I can reproduce on my own setup using a smartcard that only have subkeys available (no primary).
In versions before (at least up to 2.1.20) trying to lsign another key results in failure of non-available secret key, in 2.1.21 it signs the key using the signing subkey, which causes natural issues in trustdb calcualtion (it is not considered), so user experience is hurt as confusion arise why the key does not get any validity.
This can be reproduced using test keys