Page MenuHome GnuPG

gpgsm --sign prints misleading error message when using default key
Closed, ResolvedPublic

Description

When creating a signature with gpgsm --sign using the default key (without the -u option), the following error message it output:

gpgsm: certificate is not usable for signing

But the program still continues and creates the signature:

gpgsm: signature create

The first error message is confusing to the user, hinting that there is something wrong with the signing certificate.

The error message only occurs when the default signature key in the database is preceded by at least one public key with a keyUsage extension lacking the digitalSignature and nonRepuditions bits.

For example, the following key database triggers the error message.

$ gpgsm -k

/home/user/.gnupg/pubring.kbx
           ID: <ID of first key: root CA certificate without secret key>
           ...
    key usage: certSign crlSign
           ...
           ID: <ID of second key: signing key certificate with secret key available>
           ...
    key usage: digitalSignature certSign crlSign
           ...

The confusing error message is output by gpgsm_cert_use_sign_p as a side effect when gpgsm_get_default_cert enumerates the certificates in the key database, searching for the first key to use as the default signature key.

Related Objects

Event Timeline

werner claimed this task.
werner added a subscriber: werner.

Thanks to your very good analysis, this was easy to fix.

There are some other places where we may get diagnostics which might be confusing. However, this would be a lot more work to fix thus I won't go after them.

Thank you for a quick fix (despite this being a minor problem).