Page MenuHome GnuPG

Fingerprint signing fails with 'gpg: signing failed: No secret key'
Open, Needs TriagePublic

Description

I'm using gpg on Fedora 34:

$ gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.9.3-unknown

I created my key locally, but have since moved the signing and encryption subkeys to a yubikey.

I could earlier sign others' keys using this setup, but this has been failing for me recently with this error message:

gpg: signing failed: No secret key

Signing messages with gpg2 --clearsign works well.

Appended below is some output from commands and logs.

sec#  rsa4096/0x1E9A3B5F854083B6 2011-10-05 [SC]
      Key fingerprint = 48CA 3722 5FE7 F4A8 B337  2735 1E9A 3B5F 8540 83B6
uid                   [ unknown] Amit Shah <amit@amitshah.net>
uid                   [ unknown] Amit Shah <amit@kernel.org>
uid                   [ unknown] Amit Shah <amitshah@gmx.net>
ssb#  rsa4096/0x5CDEF05333DE9424 2011-10-05 [E]
ssb>  rsa4096/0x54C877E13EF1D38F 2016-04-01 [A]
ssb>  rsa4096/0xEB0B4DFC657EF670 2016-04-01 [S]

From a failed run to sign a key:

2021-09-13 20:37:55 gpg-agent[8215] listening on socket '/run/user/1000/gnupg/S.gpg-agent'
2021-09-13 20:37:55 gpg-agent[8215] listening on socket '/run/user/1000/gnupg/S.gpg-agent.extra'
2021-09-13 20:37:55 gpg-agent[8215] listening on socket '/run/user/1000/gnupg/S.gpg-agent.browser'
2021-09-13 20:37:55 gpg-agent[8215] listening on socket '/run/user/1000/gnupg/S.gpg-agent.ssh'
2021-09-13 20:37:55 gpg-agent[8216] gpg-agent (GnuPG) 2.2.27 started
2021-09-13 20:37:59 gpg-agent[8216] DBG: agent_cache_housekeeping
2021-09-13 20:38:03 gpg-agent[8216] DBG: agent_cache_housekeeping
2021-09-13 20:38:07 gpg-agent[8216] DBG: agent_cache_housekeeping
2021-09-13 20:38:11 gpg-agent[8216] DBG: agent_cache_housekeeping
2021-09-13 20:38:15 gpg-agent[8216] DBG: agent_cache_housekeeping
2021-09-13 20:38:19 gpg-agent[8216] DBG: agent_cache_housekeeping
2021-09-13 20:38:23 gpg-agent[8216] DBG: agent_cache_housekeeping
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> OK Pleased to meet you, process 8254
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 <- RESET
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 <- OPTION ttyname=/dev/pts/2
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 <- OPTION ttytype=xterm-256color
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 <- OPTION display=:1
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 <- OPTION xauthority=/run/user/1000/gdm/Xauthority
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 <- OPTION putenv=XMODIFIERS=@im=none
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 <- OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 <- OPTION putenv=QT_IM_MODULE=xim
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 <- OPTION lc-ctype=en_US.UTF-8
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 <- OPTION lc-messages=en_US.UTF-8
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 <- GETINFO version
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> D 2.2.27
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 <- OPTION allow-pinentry-notify
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 <- OPTION agent-awareness=2.1.0
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 <- KEYINFO CBA7C81541B0AFE48A0EB7AE5B50170588ABFDF4
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> ERR 67108891 Not found <GPG Agent>
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 <- KEYINFO 04206DA8AA4C4ADDFE7531C1F9D5B99F75F9E5AD
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> ERR 67108891 Not found <GPG Agent>
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 <- KEYINFO 6D4FA23B21B5A614C1D07D7669B9A59F3CCB6261
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> ERR 67108891 Not found <GPG Agent>
021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 <- SCD SERIALNO
2021-09-13 20:38:24 gpg-agent[8216] no running SCdaemon - starting it
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_11 <- OK GNU Privacy Guard's Smartcard server ready
2021-09-13 20:38:24 gpg-agent[8216] DBG: first connection to SCdaemon established
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_11 -> GETINFO socket_name
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_11 <- D /run/user/1000/gnupg/S.scdaemon
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_11 <- OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: additional connections at '/run/user/1000/gnupg/S.scdaemon'
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_11 -> OPTION event-signal=12
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_11 <- OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_11 -> SERIALNO
2021-09-13 20:38:24 gpg-agent[8216] SIGUSR2 received - updating card event counter
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_11 <- S SERIALNO D2760001240102010006040316860000
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> S SERIALNO D2760001240102010006040316860000
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_11 <- OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 <- SCD SERIALNO
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_11 -> SERIALNO
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_11 <- S SERIALNO D2760001240102010006040316860000
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> S SERIALNO D2760001240102010006040316860000
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_11 <- OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 <- SCD GETATTR KEY-FPR
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_11 -> GETATTR KEY-FPR
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_11 <- S KEY-FPR 1 CC63D332AB8F461745296534EB0B4DFC657EF670
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> S KEY-FPR 1 CC63D332AB8F461745296534EB0B4DFC657EF670
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_11 <- S KEY-FPR 3 CB8DB7CA595108AD5476DCAC54C877E13EF1D38F
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> S KEY-FPR 3 CB8DB7CA595108AD5476DCAC54C877E13EF1D38F
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_11 <- OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 <- KEYINFO CBA7C81541B0AFE48A0EB7AE5B50170588ABFDF4
2021-09-13 20:38:24 gpg-agent[8216] DBG: chan_10 -> ERR 67108891 Not found <GPG Agent>
2021-09-13 20:38:26 gpg-agent[8216] DBG: chan_10 <- RESET
2021-09-13 20:38:26 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:38:26 gpg-agent[8216] DBG: chan_10 <- SIGKEY 68E7EFC751BF3A305A967226EF8441FFB205AC30
2021-09-13 20:38:26 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:38:26 gpg-agent[8216] DBG: chan_10 <- SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:%0A%22Amit+Shah+<amit@amitshah.net>%22%0A4096-bit+RSA+key,+ID+0x1E9A3B5F854083B6,%0Acreated+2011-10-05.%0A
2021-09-13 20:38:26 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:38:26 gpg-agent[8216] DBG: chan_10 <- SETHASH 8 9DBA5F901664C8A241F8FF795258153EAC4EF40091B516B9B92875E14164D1EB
2021-09-13 20:38:26 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:38:26 gpg-agent[8216] DBG: chan_10 <- PKSIGN
2021-09-13 20:38:26 gpg-agent[8216] command 'PKSIGN' failed: No secret key
2021-09-13 20:38:26 gpg-agent[8216] DBG: chan_10 -> ERR 67108881 No secret key <GPG Agent>
2021-09-13 20:38:26 gpg-agent[8216] DBG: chan_10 <- [eof]
2021-09-13 20:38:26 gpg-agent[8216] DBG: chan_11 -> RESTART
2021-09-13 20:38:26 gpg-agent[8216] DBG: chan_11 <- OK

Here are logs of a run where the gpg2 --clearsign command succeeds, and actually picks up the right key from the yubikey:

...
2021-09-13 20:39:04 gpg-agent[8216] DBG: chan_11 -> SERIALNO
2021-09-13 20:39:04 gpg-agent[8216] DBG: chan_11 <- S SERIALNO D2760001240102010006040316860000
2021-09-13 20:39:04 gpg-agent[8216] DBG: chan_10 -> S SERIALNO D2760001240102010006040316860000
2021-09-13 20:39:04 gpg-agent[8216] DBG: chan_11 <- OK
2021-09-13 20:39:04 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:39:04 gpg-agent[8216] DBG: chan_10 <- SCD GETATTR KEY-FPR
2021-09-13 20:39:04 gpg-agent[8216] DBG: chan_11 -> GETATTR KEY-FPR
2021-09-13 20:39:04 gpg-agent[8216] DBG: chan_11 <- S KEY-FPR 1 CC63D332AB8F461745296534EB0B4DFC657EF670
2021-09-13 20:39:04 gpg-agent[8216] DBG: chan_10 -> S KEY-FPR 1 CC63D332AB8F461745296534EB0B4DFC657EF670
2021-09-13 20:39:04 gpg-agent[8216] DBG: chan_11 <- S KEY-FPR 3 CB8DB7CA595108AD5476DCAC54C877E13EF1D38F
2021-09-13 20:39:04 gpg-agent[8216] DBG: chan_10 -> S KEY-FPR 3 CB8DB7CA595108AD5476DCAC54C877E13EF1D38F
2021-09-13 20:39:04 gpg-agent[8216] DBG: chan_11 <- OK
2021-09-13 20:39:04 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:39:04 gpg-agent[8216] DBG: chan_10 <- KEYINFO E969E5C44EEC900CB898C84AE92B6723AC869E38
2021-09-13 20:39:04 gpg-agent[8216] DBG: agent_get_cache 'E969E5C44EEC900CB898C84AE92B6723AC869E38'.0 (mode 2) ...
2021-09-13 20:39:04 gpg-agent[8216] DBG: ... miss
2021-09-13 20:39:04 gpg-agent[8216] DBG: chan_10 -> S KEYINFO E969E5C44EEC900CB898C84AE92B6723AC869E38 T D2760001240102010006040316860000 OPENPGP.1 - - - - -
2021-09-13 20:39:04 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:39:06 gpg-agent[8216] DBG: chan_10 <- RESET
2021-09-13 20:39:06 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:39:06 gpg-agent[8216] DBG: chan_10 <- SIGKEY E969E5C44EEC900CB898C84AE92B6723AC869E38
2021-09-13 20:39:06 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:39:06 gpg-agent[8216] DBG: chan_10 <- SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:%0A%22Amit+Shah+<amit@amitshah.net>%22%0A4096-bit+RSA+key,+ID+0xEB0B4DFC657EF670,%0Acreated+2016-04-01+(main+key+ID+0x1E9A3B5F854083B6).%0A
2021-09-13 20:39:06 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:39:06 gpg-agent[8216] DBG: chan_10 <- SETHASH 8 43989060734A02C509A8E58110275A755A556361B5F5DC583F1D40B3562809AD
2021-09-13 20:39:06 gpg-agent[8216] DBG: chan_10 -> OK
2021-09-13 20:39:06 gpg-agent[8216] DBG: chan_10 <- PKSIGN
2021-09-13 20:39:06 gpg-agent[8216] DBG: chan_11 -> SERIALNO --demand=D2760001240102010006040316860000
2021-09-13 20:39:06 gpg-agent[8216] DBG: chan_11 <- S SERIALNO D2760001240102010006040316860000
2021-09-13 20:39:06 gpg-agent[8216] DBG: chan_11 <- OK
2021-09-13 20:39:06 gpg-agent[8216] detected card with S/N D2760001240102010006040316860000
2021-09-13 20:39:06 gpg-agent[8216] DBG: encoded hash: 30 31 30 0D 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 43 98 90 60 73 4A 02 C5 09 A8 E5 81 10 27 5A 75 5A 55 63 61 B5 F5 DC 58 3F 1D 40 B3 56 28 09 AD
2021-09-13 20:39:06 gpg-agent[8216] DBG: chan_11 -> SETDATA 3031300D06096086480165030402010500042043989060734A02C509A8E58110275A755A556361B5F5DC583F1D40B3562809AD
2021-09-13 20:39:06 gpg-agent[8216] DBG: chan_11 <- OK
2021-09-13 20:39:06 gpg-agent[8216] DBG: chan_11 -> PKSIGN --hash=sha256 E969E5C44EEC900CB898C84AE92B6723AC869E38
2021-09-13 20:39:06 gpg-agent[8216] DBG: chan_11 <- [ 49 4e 51 55 49 52 45 20 4e 45 45 44 50 49 4e 20 ...(82 byte(s) skipped) ]
2021-09-13 20:39:06 gpg-agent[8216] starting a new PIN Entry
2021-09-13 20:39:06 gpg-agent[8216] DBG: connection to PIN entry established
2021-09-13 20:39:06 gpg-agent[8216] DBG: chan_10 -> INQUIRE PINENTRY_LAUNCHED 8290 gnome3 1.1.1 /dev/pts/0 xterm-256color :1 20620/1000/5 1000/1000 0
2021-09-13 20:39:06 gpg-agent[8216] DBG: chan_10 <- END
2021-09-13 20:39:07 gpg-agent[8216] DBG: agent_cache_housekeeping
2021-09-13 20:39:09 gpg-agent[8216] DBG: chan_11 -> [ 44 20 31 39 38 34 31 39 00 00 00 00 00 00 00 00 ...(76 byte(s) skipped) ]
2021-09-13 20:39:09 gpg-agent[8216] DBG: chan_11 -> END
2021-09-13 20:39:11 gpg-agent[8216] DBG: agent_cache_housekeeping
2021-09-13 20:39:11 gpg-agent[8216] DBG: chan_11 <- [ 44 20 5a ca 42 72 a1 c5 58 2a b9 3e 9b 80 90 17 ...(506 byte(s) skipped) ]
2021-09-13 20:39:11 gpg-agent[8216] DBG: chan_11 <- OK
2021-09-13 20:39:11 gpg-agent[8216] DBG: PKCS#1 block type 1 encoded data:+01ffffff
....
...
...
2021-09-13 20:39:11 gpg-agent[8216] DBG: rsa_verify    => Good

It's possible this is a config error, but since this setup worked previously, I'm supposing it's a regression in my configuration.

Thanks!

Related Objects

Event Timeline

amit created this object in space S1 Public.

Just noting that the logs were captured by enabling debug logs for the agent:

eval $(gpg-agent --daemon --debug-all --log-file /var/tmp/gpgagent.log)

When you sign data, then the signing subkey is used

ssb>  rsa4096/0xEB0B4DFC657EF670 2016-04-01 [S]

But when you (want to) sign a key, then the certification key (i.e. the primary key) is used

sec#  rsa4096/0x1E9A3B5F854083B6 2011-10-05 [SC]

Maybe you have forced gpg to use your signing subkey for signing keys previously. (Not sure if this is actually possible.)

@amit: Do you say it used to work with GnuPG 2.2.27 or did it worked with an older version?

I'm not really sure which version it worked with earlier. This yubikey setup is quite old now, and I've not signed keys recently. I think the last I signed were at least 2 yrs back, hence the very vague allusion to the setup working previously. Apologies, no definite answer there.

Hey, are there any other logs that I can grab? Is there a way to override the defaults, which will allow me to use the right key to sign?