https://dev.gnupg.org/rG1a5d95e7319e7e6f0dd11064a26cbbc371b05214
introduces this comment:
/* Fixme: Should we also check the signing capability here for data
 * signature? */
The answer is clearly "yes, we should".
The only thing that prevents a stolen encryption-capable subkey from being misused as a signing key at the moment is the missing cross-certification from the parent primary key.
Even the error messages are currently misleading, because they refer to the subkey as a "signing key", which it is not. Below is an example transcript from which it should be possible to recreate the errors.
0 tester@host$ gpg --with-subkey-fingerprint --list-keys
/tmp/tester/pubring.kbx
--------------------------------
pub rsa3072 2018-06-08 [SC] [expires: 2020-06-07]
0921969A56F420AF90E6663A79AB2899CEAF2EF0
uid [ultimate] bananas
sub rsa3072 2018-06-08 [E]
3CEA0FC885E0919E89099CFABA0D05488E06702C
0 tester@host$ cat test.txt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
this is a test
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
0 tester@host$ gpg --export --armor
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
0 tester@host$ gpg --verify test.txt
gpg: Signature made Fri 08 Jun 2018 06:21:48 PM EDT
gpg: using RSA key 3CEA0FC885E0919E89099CFABA0D05488E06702C
gpg: WARNING: signing subkey BA0D05488E06702C is not cross-certified
gpg: please see https://gnupg.org/faq/subkey-cross-certify.html for more information
gpg: Can't check signature: General error
2 tester@host$ gpg --no-require-cross-certification --verify test.txt
gpg: Signature made Fri 08 Jun 2018 06:21:48 PM EDT
gpg: using RSA key 3CEA0FC885E0919E89099CFABA0D05488E06702C
gpg: WARNING: signing subkey BA0D05488E06702C is not cross-certified
gpg: please see https://gnupg.org/faq/subkey-cross-certify.html for more information
gpg: Good signature from "bananas" [ultimate]
0 tester@host$
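
A wrapper-side check for the gap described above, as an added example that is not part of the original report or of GnuPG's code: it takes the signing key's fingerprint from the `VALIDSIG` line of `--status-fd` output and rejects the signature unless that key's own record in `--with-colons` output carries the `s` capability. The listing and status line are constructed from the fingerprints in the transcript; timestamps and the remaining fields are illustrative, and the function names are hypothetical.

```python
# Constructed sample of `gpg --with-colons --list-keys` for the key above.
# Fingerprints come from the transcript; timestamps are illustrative.
COLON_LISTING = """\
pub:u:3072:1:79AB2899CEAF2EF0:1528490000:1591562000::u:::scESC:
fpr:::::::::0921969A56F420AF90E6663A79AB2899CEAF2EF0:
uid:u::::1528490000::::bananas:
sub:u:3072:1:BA0D05488E06702C:1528490000::::::e:
fpr:::::::::3CEA0FC885E0919E89099CFABA0D05488E06702C:
"""

# Constructed sample of `gpg --status-fd 1 --verify` output for test.txt.
STATUS = (
    "[GNUPG:] VALIDSIG 3CEA0FC885E0919E89099CFABA0D05488E06702C 2018-06-08 "
    "1528496508 0 4 0 1 10 01 0921969A56F420AF90E6663A79AB2899CEAF2EF0\n"
)


def key_capabilities(colon_listing):
    """Map each fingerprint to the capability letters of its own pub/sub record."""
    caps, pending = {}, None
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 11:
            # Field 12 holds the capabilities. Uppercase letters on a pub
            # record describe the key as a whole, so keep only the lowercase
            # letters, which belong to this specific (sub)key.
            pending = {c for c in f[11] if c.islower()}
        elif f[0] == "fpr" and len(f) > 9 and pending is not None:
            caps[f[9]] = pending  # field 10 of the fpr record that follows
            pending = None
    return caps


def signing_key_fingerprint(status_output):
    """Return the fingerprint of the key that made the signature, or None."""
    for line in status_output.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) > 2:
            return parts[2]
    return None


def signature_acceptable(status_output, colon_listing):
    """True only if the signature was made by a key with the 's' capability."""
    fpr = signing_key_fingerprint(status_output)
    return fpr is not None and "s" in key_capabilities(colon_listing).get(fpr, set())


if __name__ == "__main__":
    print("accept signature:", signature_acceptable(STATUS, COLON_LISTING))
```
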