Have a primary key with "C" only capability.
It doesn't work with --default-key, to sign a key.
(I'm adding reproducible scenario).
rG GnuPG:
rGa7840777e427 gpg: default-key: Simply don't limit by capability.
rG1aa2a0a46dc1 gpg: default-key: Simply don't limit by capability.
rG9287f9e87b21 gpg: Cert only key should be usable with --default-key.
$ export GNUPGHOME=<somewhere>
# Create a key with "C"-only capability
$ gpg --quick-gen-key "test-user <chuji@gniibe.org>" ed25519 cert
# Create another key (or get/import it)
$ gpg --quick-gen-key "2020-user <chuji2020@gniibe.org>" ed25519
# Sign with the first key to the second key with --default-key
$ gpg --default-key 7694AB44DED1154CEB981059B0B36418AF85C918 --lsign 72FF31542DB059A507BAF81BE05523DEB4B018E6
(where 7694AB...85C918 is the first key and 72FF31..B018E6 is the second key)
gpg complains:
gpg: Warning: not using '7694AB44DED1154CEB981059B0B36418AF85C918' as default key: No secret key
gpg: all values passed to '--default-key' ignored
... while it is a valid key to certify.
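To see why the old filter rejects the first key, it helps to look at the capability field that gpg itself reports for each primary key. The script below is an added example, not part of the bug report: it parses a CONSTRUCTED `gpg --with-colons --list-keys` listing for the two keys from the reproduction (the fingerprints are the ones above; key IDs, timestamps and the uid hash are made up) and reports whether each primary key can certify (`c`) and whether it can sign (`s`). The cert-only key has `c` but not `s`, which is exactly the case a SIG-only check in parse_def_secret_key throws away even though --lsign only needs certify.

```shell
#!/bin/sh
# Added example, not code from the GnuPG bug report or from GnuPG itself.
# The listing is CONSTRUCTED to mirror the two keys in the reproduction.
# In a "pub" record of --with-colons output, field 12 holds the capabilities:
# lowercase letters are the primary key's own (c=certify, s=sign, e=encrypt,
# a=authenticate); uppercase letters summarise what the key plus subkeys can do.
SAMPLE_LISTING='pub:u:255:22:B0B36418AF85C918:1580000000:::u:::cC:::::ed25519:23::0:
fpr:::::::::7694AB44DED1154CEB981059B0B36418AF85C918:
uid:u::::1580000000::0000000000000000000000000000000000000000::test-user <chuji@gniibe.org>::::::::::0:
pub:u:255:22:E05523DEB4B018E6:1580000000:::u:::scESC:::::ed25519:23::0:
fpr:::::::::72FF31542DB059A507BAF81BE05523DEB4B018E6:
uid:u::::1580000000::0000000000000000000000000000000000000000::2020-user <chuji2020@gniibe.org>::::::::::0:
sub:u:255:18:0123456789ABCDEF:1580000000::::::e:::::cv25519:23:
fpr:::::::::0000000000000000000000000000000000000000:'

# Print the capability field of the primary key whose fingerprint is $2,
# reading the colon listing from $1.  An "fpr" record follows the "pub" or
# "sub" record it belongs to, so remember the last pub's capabilities and
# forget them again when a sub record starts.
primary_caps() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '
        $1 == "pub" { caps = $12; next }
        $1 == "sub" { caps = ""; next }
        $1 == "fpr" && caps != "" && $10 == want { print caps; exit }
    '
}

# Exit 0 when the primary key itself can certify other keys (what --lsign needs).
can_certify() {
    case "$(primary_caps "$1" "$2")" in *c*) return 0 ;; esac
    return 1
}

# Exit 0 when the primary key itself can make data signatures
# (the only thing the old PUBKEY_USAGE_SIG-based filter looked for).
can_sign() {
    case "$(primary_caps "$1" "$2")" in *s*) return 0 ;; esac
    return 1
}

# Walk the two keys from the reproduction.
for fpr in 7694AB44DED1154CEB981059B0B36418AF85C918 \
           72FF31542DB059A507BAF81BE05523DEB4B018E6; do
    if can_certify "$SAMPLE_LISTING" "$fpr"; then cert=yes; else cert=no; fi
    if can_sign "$SAMPLE_LISTING" "$fpr"; then sign=yes; else sign=no; fi
    echo "$fpr caps=$(primary_caps "$SAMPLE_LISTING" "$fpr") certify=$cert sign=$sign"
done
```

With a real keyring, replace SAMPLE_LISTING by the output of `gpg --with-colons --list-keys`; the parsing is the same. The uppercase summary letters are deliberately ignored, because a key passed to --default-key is used as the primary itself.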
I think rGe573e6188dad: gpg: Fix --default-key checks. should be fixed as:
diff --git a/g10/getkey.c b/g10/getkey.c index ad5dd8e01..cc908964e 100644 --- a/g10/getkey.c +++ b/g10/getkey.c @@ -1860,7 +1860,8 @@ parse_def_secret_key (ctrl_t ctrl) PKT_public_key *pk = node->pkt->pkt.public_key; /* Check that the key has the signing capability. */ - if (! (pk->pubkey_usage & PUBKEY_USAGE_SIG)) + if (! (pk->pubkey_usage & PUBKEY_USAGE_SIG) + && ! (pk->pubkey_usage & PUBKEY_USAGE_CERT)) continue; /* Check if the key is valid. */
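Review bot: the widened condition in parse_def_secret_key still skips any key whose usage has neither PUBKEY_USAGE_SIG nor PUBKEY_USAGE_CERT set, so --default-key remains limited by capability; it only moves the boundary so that cert-only keys pass. Since the operation that eventually uses the default key (here --lsign) has to enforce the capability it needs anyway, the check adds nothing but another way to surprise the user with "all values passed to '--default-key' ignored", and dropping the `continue` on the capability test entirely (as the listed commits "default-key: Simply don't limit by capability" describe) is the smaller fix. If the check is kept, the two negated tests read more clearly as a single mask: `if (! (pk->pubkey_usage & (PUBKEY_USAGE_SIG | PUBKEY_USAGE_CERT)))`, and the comment "Check that the key has the signing capability." should be updated to mention certification as well.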
Err.. Just removing the check may be the correct fix; it doesn't make sense to limit capability here.