A key with only "C" capability cannot be selected as default key.
Closed, ResolvedPublic

Description

Have a primary key with "C" only capability.

It doesn't work with --default-key, to sign a key.

(I'm adding reproducible scenario).

gniibe added a comment.EditedJan 14 2020, 8:03 AM
$ export GNUPGHOME=<somewhere>
# Create a key with "C"-only capability
$ gpg --quick-gen-key "test-user <chuji@gniibe.org>" ed25519 cert
# Create another key (or get/import it)
$ gpg --quick-gen-key "2020-user <chuji2020@gniibe.org>" ed25519
# Sign with the first key to the second key with --default-key
$ gpg --default-key 7694AB44DED1154CEB981059B0B36418AF85C918 --lsign 72FF31542DB059A507BAF81BE05523DEB4B018E6

(where 7694AB...85C918 is the first key and 72FF31..B018E6 is the second key)

gpg complains:

gpg: Warning: not using '7694AB44DED1154CEB981059B0B36418AF85C918' as default key: No secret key
gpg: all values passed to '--default-key' ignored

... while it is valid key to certify.

I think rGe573e6188dad: gpg: Fix --default-key checks. should be fixed as:

diff --git a/g10/getkey.c b/g10/getkey.c
index ad5dd8e01..cc908964e 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -1860,7 +1860,8 @@ parse_def_secret_key (ctrl_t ctrl)
           PKT_public_key *pk = node->pkt->pkt.public_key;
 
           /* Check that the key has the signing capability.  */
-          if (! (pk->pubkey_usage & PUBKEY_USAGE_SIG))
+          if (! (pk->pubkey_usage & PUBKEY_USAGE_SIG)
+              && ! (pk->pubkey_usage & PUBKEY_USAGE_CERT))
             continue;
 
           /* Check if the key is valid.  */

Err.. Just removing the check may be the correct fix; It doesn't make sense to limit capability here.

Fixed and backported.

gniibe changed the task status from Open to Testing.Mar 12 2020, 6:43 AM
gniibe added a project: Testing.
werner closed this task as Resolved.Mar 20 2020, 5:59 PM