When creating a signature with gpgsm --sign using the default key (without the -u option), the following error message is output:
gpgsm: certificate is not usable for signing
But the program still continues and creates the signature:
gpgsm: signature create
The first error message is confusing to the user, hinting that there is something wrong with the signing certificate.
The error message only occurs when the default signature key in the database is preceded by at least one public key whose keyUsage extension lacks both the digitalSignature and nonRepudiation bits.
For example, the following key database triggers the error message.
$ gpgsm -k
/home/user/.gnupg/pubring.kbx
           ID: <ID of first key: root CA certificate without secret key>
          ...
    key usage: certSign crlSign
          ...
           ID: <ID of second key: signing key certificate with secret key available>
          ...
    key usage: digitalSignature certSign crlSign
          ...
The confusing error message is output by gpgsm_cert_use_sign_p as a side effect when gpgsm_get_default_cert enumerates the certificates in the key database, searching for the first key to use as the default signature key.
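A small model of the enumeration described above, added here as an illustration and not gpgsm's own code: the certificate record, the keyUsage bit constants and the function names are simplified stand-ins for the real implementation, and the keybox contents are constructed placeholders. It shows how consulting the usability predicate in logging mode on every enumerated certificate emits the diagnostic for the root CA even though the signing key is found afterwards, and how a silent predicate during the search avoids it.

```python
from dataclasses import dataclass
from typing import List, Optional

# X.509 keyUsage bit positions (RFC 5280, section 4.2.1.3).
DIGITAL_SIGNATURE = 1 << 0
NON_REPUDIATION = 1 << 1    # also called contentCommitment
KEY_CERT_SIGN = 1 << 5
CRL_SIGN = 1 << 6


@dataclass
class Cert:
    """Simplified keybox entry (model only): id, keyUsage bits, secret key present."""
    cert_id: str
    key_usage: int
    has_secret_key: bool


def cert_use_sign_p(cert: Cert, log: Optional[List[str]] = None) -> bool:
    """Model of the usability check: a certificate may sign if keyUsage carries
    digitalSignature or nonRepudiation. When LOG is given, a failing certificate
    is reported to it, mirroring the diagnostic printed as a side effect."""
    usable = bool(cert.key_usage & (DIGITAL_SIGNATURE | NON_REPUDIATION))
    if not usable and log is not None:
        log.append("certificate is not usable for signing")
    return usable


def get_default_cert(certs: List[Cert], log: List[str], quiet: bool) -> Optional[Cert]:
    """Enumerate the keybox in order and return the first certificate that is
    usable for signing and has a secret key. With quiet=False every enumerated
    certificate that fails the check logs an error (the confusing behaviour in
    the report); with quiet=True the predicate is consulted silently."""
    for cert in certs:
        if cert_use_sign_p(cert, None if quiet else log) and cert.has_secret_key:
            return cert
    return None


# Constructed keybox matching the report: a root CA first, then the signing key.
KEYBOX = [
    Cert("ROOT-CA-PLACEHOLDER", KEY_CERT_SIGN | CRL_SIGN, has_secret_key=False),
    Cert("SIGNING-KEY-PLACEHOLDER", DIGITAL_SIGNATURE | KEY_CERT_SIGN | CRL_SIGN, has_secret_key=True),
]


def reproduce(quiet: bool):
    """Return (chosen certificate id, diagnostics emitted during the search)."""
    log: List[str] = []
    chosen = get_default_cert(KEYBOX, log, quiet)
    return (chosen.cert_id if chosen else None, log)
```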