https://dev.gnupg.org/rG1a5d95e7319e7e6f0dd11064a26cbbc371b05214
introduces this comment:
/* Fixme: Should we also check the signing capability here for data
 * signature? */
The answer is clearly "yes, we should".
The only thing that prevents a stolen encryption-capable subkey from being misused as a signing key at the moment is the missing cross-certification from the parent primary key.
Even the error messages are currently misleading, because they refer to the subkey as a "signing key", which it is not. Below is an example transcript from which it should be possible to recreate the errors.
0 tester@host$ gpg --with-subkey-fingerprint --list-keys
/tmp/tester/pubring.kbx
--------------------------------
pub   rsa3072 2018-06-08 [SC] [expires: 2020-06-07]
      0921969A56F420AF90E6663A79AB2899CEAF2EF0
uid           [ultimate] bananas
sub   rsa3072 2018-06-08 [E]
      3CEA0FC885E0919E89099CFABA0D05488E06702C

0 tester@host$ cat test.txt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

this is a test
-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEEPOoPyIXgkZ6JCZz6ug0FSI4GcCwFAlsbAXwACgkQug0FSI4G
cCymWQv+OK9DvOG8IANPcsY31/7bKZrGGHX4mtPi3ZAziOFgf6zv7HkD6jLiBXHE
2ubbFAXpdNBRVucz5WnWCTe9DzXmZ1PDiFz45Yg2M8pd5BQrM2l9xikctz3tejgm
MamWTWhBjY13yPnI/C27qXrgRVwNg4YHYfKBjAFf7VErOyL/SdJfUhW6WBBlAdEO
1SO+EQL+Rbu1sIVP2/bYo/vDzoHdF2llO71hQ7B0ZT0sWBp/GlDxqfDtKPp0Uv4o
YkRKdJ0oOygYSXTM9B0IHfeOyOpqLCTk2thutpO/zKn+EiHHK+Pk7NUSvbCED1As
YDw+d1c4nfSDpCECMYJ64+burtHeAJeHBVKtj+5VYsq39xniaMOHLxDTz7TXSsA3
Al2o6N9ikw/Cufc4vwS6ASkYEVjszmS9K4Bb0ZJD7BS02UDaGX529fQT6SGwNEyp
QGAa71npy6lCo/70wIePdik+WRWRrZ8SVJ2Jf0/tvcF+3MUgBC8OM94V6JD+Lx/y
Ikymub8E
=lVTR
-----END PGP SIGNATURE-----

0 tester@host$ gpg --export --armor
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBFsZxwABDADEKkZ3IiJ1ZjWAJAeJT8chSvo/N5QxtfFQhTh5E9EJ0mtx5kuC
bF9LaQYYbSKDP4BbPCl0I1PATdKJqR8CTBoxiLFPnIhVWKASqlEOa/+kAze6IaH1
ypVYIAZgp5jJ/znQzs2ZTSe2QaeAtNHmRgiUFTOzfk5c+IJGxt7nuZsU+dOt/bxe
QN6cHBJEahkkLt3I/pI8JO1sZ+rrhFXXJa6wPpRttHRYL4XwFToBHMed+8I30heu
uohzG5icC1f/SPvRxJGuulhpDIiaO0bVXD2DQH5eqZ5dyACyeuurLP5e4cY+G0bJ
Nk3Kzf6Ab2V6pAJPnOBdcQAuQZy0FJbIdk1JHF/wxFVekbd/UpDuMKEaQQ9g/A6X
NhybO3TNXynzJ+uUyPeaW0COcdTvZfHlgZVrM8s3VndLMpV4Kly7pUCtANYJZ61V
BcvsNLgGCbNiFWOCbShB0ngoL1klYD8lVFj/94Sm9LZjFwTA7/H8QvsCIA3QahKN
DBObMItD7pFe2A8AEQEAAbQHYmFuYW5hc4kB1AQTAQoAPhYhBAkhlppW9CCvkOZm
OnmrKJnOry7wBQJbGccAAhsDBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA
AAoJEHmrKJnOry7w80IL/14l7A/bs7BvFpNuy3eQD6LjrkPjifssrq5k93q8JHSk
a71c/uvT2VxlnAgPrcXHk1w4A+1CVM7TSU1umGeZJaC37dbHal8y6DyDnTC7RgOZ
H0ecMgRV0tiIfNk6kz+su3jVRAxwUe+JnubNmC2zhpmzHUfl534iS2/gnLW5qqj7
XAMLiHRgiH4GD3buGQBxT4L4R8HQEVBF9xKyiBXBXsCJD4AzNigcWJEWZYWilBoz
a0fnNR3r4JZFCl13j4XMGrpZvpz+3I6Jd6U/BACiORfAl7A1DglQtq4havTumA7C
xuyY8w696WhcCID+/8oOTL42TlSGCrYqJ3UGBxV8Bk5NovmFQhtPbtggfhxYOOvy
fnCw1w9fkZXKwLoFr3lvPwhhLJixs4jUscObSErLH0D8SLwkHdYhaPE9xJCEj/ov
o2JvJzJ6Dg+Xy/YL9bg5bWKYi4nzDcF9WOF2wQ2IY+mUnzmQsLnJAA5dAP6qk9Li
tuMtBUMBBZuJn3HBFwswWbkBjQRbGccAAQwArPtb/LibK7zOAgIJ0CATKkCFcCXq
7B2akG73fD3deUWynEEd/Lz3QLRoqkyQTF+BQkEKWPTjSsdfDhwFrEgRu2sPYJWY
7ff/Yys2tcAEshx4ZNb3OmFaco2Cnr6qJ5M3b7Yx3AtBFjj2oLeGEi8FMkxKRZj3
Aa1Vj2AGvN0t3Yhm6TItMdqEsn4n43fnRawbPWS3wq3KDYF/hEChrswLiKE9G8XS
7rmY7fE+ProN1AgceDXF1LagrhcwcJwwXNvlk7GANqbtUH9wbAICQbAXsB6MGoe3
ztvzHbuTwAHZI1GzcJfalO71mYKQYUX88Kr/66N6DSDWfgquYMr67CDsey2qGSrz
NBnrSTa0G2s6zUWn5pJvLW4rZpRlMY3rY5oV4FST2+IXuPjgNxSkBf8QegFblBAI
kg1bYLki15o+uaSwyZu+IhwGmmxK3hMzeALQRq2taykGX1WGyQF3P9PDkI69uuPg
WYSP094oKPxRF+mjlgwl/GN4samF0MEmXG8fABEBAAGJAbYEGAEKACAWIQQJIZaa
VvQgr5DmZjp5qyiZzq8u8AUCWxnHAAIbDAAKCRB5qyiZzq8u8AFOC/4hT6ioiTGM
hu6exMB/3178c3aKv6Wh2t/VcPG6faQDs487zqpq8/LUJevvVIqj5Xjnou/fTHob
zCB9k7T8nxM1f2sbjyg00LCFsGI2hC5Shwscr7FQR3uVOIuIhqZ4Gq78VGKzS+EP
r6w6aZDNYoU4q/kpN6W6BkWsxTNJofEgd3MAsObE2xbiV98pMe4mBRXZntSOsxAu
Kloh6mUsLB+ZxWhUmrKjLaa3s5h41OMwW8tyKcroliNzIAkipoOGHc1LHTo0P7kQ
JV1ydzWvolG5H11VSthqWbDJDGJFUcd6UzoqbgAsHproJKpcN+ZZeMzObDmQpXtE
elrmnxGwQQ/t/bwmwGcbHRouUyFuI7e4DxRMoye8yDZCJCWdvfLHhZ+5j6rWbV+l
Gx9gSIvqB0maoxlJAEkBsNtiwclBpcQJ2n1nSsbOqR+e/x07iKtucoAKeoR1BYcj
mmgKewvoLs/e7rnEXdnKePTbisd6ffC+4lc3fTmxtNgBn3QdkWjsz5o=
=IfRI
-----END PGP PUBLIC KEY BLOCK-----

0 tester@host$ gpg --verify test.txt
gpg: Signature made Fri 08 Jun 2018 06:21:48 PM EDT
gpg:                using RSA key 3CEA0FC885E0919E89099CFABA0D05488E06702C
gpg: WARNING: signing subkey BA0D05488E06702C is not cross-certified
gpg: please see https://gnupg.org/faq/subkey-cross-certify.html for more information
gpg: Can't check signature: General error

2 tester@host$ gpg --no-require-cross-certification --verify test.txt
gpg: Signature made Fri 08 Jun 2018 06:21:48 PM EDT
gpg:                using RSA key 3CEA0FC885E0919E89099CFABA0D05488E06702C
gpg: WARNING: signing subkey BA0D05488E06702C is not cross-certified
gpg: please see https://gnupg.org/faq/subkey-cross-certify.html for more information
gpg: Good signature from "bananas" [ultimate]

0 tester@host$
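The check the comment asks about can be reproduced outside of gpg with its machine-readable output: take the fingerprint of the key that made a valid signature (the VALIDSIG status line), look that key up in the colon-format key listing, and refuse the result unless its capability field carries the signing flag. The script below is an added example and is not GnuPG's code; it assumes the colon-format field layout documented in GnuPG's DETAILS file (capabilities in field 12, fingerprint in field 10 of the fpr record, with a sub or pub record's fpr record following it). The embedded key listing and status lines are constructed to mirror the key in the transcript above (primary [SC], subkey [E]); their timestamps and user-ID hash are made up. Note that the VALIDSIG line only appears when gpg itself accepted the signature, which for this key happens only under --no-require-cross-certification, so the wrapper is a second opinion layered on top of the cross-certification check, not a replacement for it.

```python
"""Verify that the key gpg reports as having made a signature actually
carries the signing capability.

Added example, not part of GnuPG. Assumes two gpg outputs captured by the
caller:
    gpg --with-colons --with-fingerprint --list-keys   (key listing)
    gpg --status-fd 1 --verify FILE                    (status lines)
and the colon-format layout from GnuPG's DETAILS documentation.
"""
import subprocess
from typing import Dict, List, Optional

# Constructed key listing shaped like the key in the report: primary key with
# sign+certify, encryption-only subkey. Epochs and the uid hash are made up.
SAMPLE_LISTING = """\
pub:u:3072:1:79AB2899CEAF2EF0:1528416000:1591574400::u:::scESC::::::23::0:
fpr:::::::::0921969A56F420AF90E6663A79AB2899CEAF2EF0:
uid:u::::1528416000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::bananas::::::::::0:
sub:u:3072:1:BA0D05488E06702C:1528416000:1591574400:::::e::::::23:
fpr:::::::::3CEA0FC885E0919E89099CFABA0D05488E06702C:
"""

# Constructed status lines for a run that accepted the signature, i.e. what
# gpg --no-require-cross-certification would report for the subkey above.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] SIG_ID constructed-sig-id 2018-06-08 1528496508
[GNUPG:] GOODSIG BA0D05488E06702C bananas
[GNUPG:] VALIDSIG 3CEA0FC885E0919E89099CFABA0D05488E06702C 2018-06-08 1528496508 0 4 0 1 10 01 0921969A56F420AF90E6663A79AB2899CEAF2EF0
"""


def parse_capabilities(listing: str) -> Dict[str, str]:
    """Map each key fingerprint to its capability letters (field 12).

    A pub/sub (or sec/ssb) record is followed by an fpr record carrying the
    full fingerprint of that same key, so the capabilities of the last
    key record are attached when its fpr record arrives. For a sub record
    the field holds only that subkey's own lowercase flags; for a pub record
    the lowercase letters are the primary key's own flags and the uppercase
    ones summarise the whole key.
    """
    caps: Dict[str, str] = {}
    pending: Optional[str] = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub", "sec", "ssb"):
            pending = fields[11] if len(fields) > 11 else ""
        elif fields[0] == "fpr" and pending is not None:
            caps[fields[9]] = pending
            pending = None
    return caps


def signing_fingerprints(status: str) -> List[str]:
    """Fingerprints of the keys gpg reported as making a valid signature."""
    fprs: List[str] = []
    for line in status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            fprs.append(parts[2])
    return fprs


def check_signing_capability(listing: str, status: str) -> List[str]:
    """Return a list of problems; an empty list means every signing key
    that gpg accepted is actually allowed to sign."""
    caps = parse_capabilities(listing)
    problems: List[str] = []
    for fpr in signing_fingerprints(status):
        c = caps.get(fpr)
        if c is None:
            problems.append(f"{fpr}: key not present in listing")
        elif "s" not in c:  # lowercase 's' = this key itself may sign
            problems.append(
                f"{fpr}: made a data signature but its capability field is "
                f"'{c}' (no signing flag)")
    return problems


def check_file(path: str) -> List[str]:
    """Run the same check against a real gpg installation (needs gpg on PATH)."""
    listing = subprocess.run(
        ["gpg", "--with-colons", "--with-fingerprint", "--list-keys"],
        capture_output=True, text=True, check=True).stdout
    status = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", path],
        capture_output=True, text=True).stdout
    return check_signing_capability(listing, status)


if __name__ == "__main__":
    for problem in check_signing_capability(SAMPLE_LISTING, SAMPLE_STATUS):
        print("REJECT:", problem)
```

Run against the constructed data it reports the [E] subkey as having made a data signature without the signing flag, which is exactly the condition the Fixme comment leaves unchecked. Because the listing parser keys on fingerprints rather than 64-bit key IDs, two keys with colliding short IDs cannot be confused with each other.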