
Hoping the answer https://unix.stackexchange.com/a/613772/320598 would help, I found out that it did not. After asking this question, I found a very similar question at https://stackoverflow.com/q/67001320/6607497. I have basically the same problem that the answer should fix, but it does not:

I created GPG keys locally, transferred them to the card, then deleted the local keys from the keyring and re-imported the public key (from an export made before). I thought everything was fine (following OpenPGP Keys on a YubiKey, I thought), until I tried to sign a key:

gpg: signing failed: No secret key

So I tried the --card-status thing before:

Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240103040006234727620000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 234XXXXX
Name of cardholder: UXXXXX WXXXX
Language prefs ...: de
Salutation .......: Mr.
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 4
KDF setting ......: off
Signature key ....: AC...
      created ....: 2023-01-26 21:05:14
Encryption key....: 6E...
      created ....: 2023-01-26 21:07:30
Authentication key: 61...
      created ....: 2023-01-26 21:11:18
General key info..: sub  rsa4096/B5XXXXXXXXXXXXXX 2023-01-26 UXXXXX WXXXX (XXX)
sec#  rsa4096/A5XXXXXXXXXXXXXX  created: 2023-01-26  expires: 2025-01-25
ssb>  rsa4096/B5XXXXXXXXXXXXXX  created: 2023-01-26  expires: 2025-01-25
                                card-no: 0006 234XXXXX
ssb>  rsa4096/A1XXXXXXXXXXXXXX  created: 2023-01-26  expires: 2025-01-25
                                card-no: 0006 234XXXXX
ssb>  rsa4096/11XXXXXXXXXXXXXX  created: 2023-01-26  expires: 2025-01-25
                                card-no: 0006 234XXXXX

When I use --edit-key to check my key, I get (some details redacted with X):

gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret subkeys are available.

pub  rsa4096/A5XXXXXXXXXXXXXX
     created: 2023-01-26  expires: 2025-01-25  usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/B5XXXXXXXXXXXXXX
     created: 2023-01-26  expires: 2025-01-25  usage: S
     card-no: 0006 234XXXXX
ssb  rsa4096/A1XXXXXXXXXXXXXX
     created: 2023-01-26  expires: 2025-01-25  usage: E
     card-no: 0006 234XXXXX
ssb  rsa4096/11XXXXXXXXXXXXXX
     created: 2023-01-26  expires: 2025-01-25  usage: A
     card-no: 0006 234XXXXX
[ultimate] (1). UXXXXX WXXXX (XXX)

So I thought this looks good.

However when trying to sign a key I get this:

sec  rsa3072/1CXXXXXXXXXXXXXX
     created: 2023-01-28  expires: 2025-01-27  usage: C   
     trust: ultimate      validity: ultimate
ssb  rsa3072/C1XXXXXXXXXXXXXX
     created: 2023-01-28  expires: 2025-01-27  usage: S   
ssb  rsa3072/99XXXXXXXXXXXXXX
     created: 2023-01-28  expires: 2025-01-27  usage: E   
ssb  rsa3072/DEXXXXXXXXXXXXXX
     created: 2023-01-28  expires: 2025-01-27  usage: A   
[ultimate] (1). UXXXXX WXXXX <XXX>
[ultimate] (2)  UXXXXX WXXXX (Work)

Really sign all user IDs? (y/N) y

sec  rsa3072/1CXXXXXXXXXXXXXX
     created: 2023-01-28  expires: 2025-01-27  usage: C
     trust: ultimate      validity: ultimate
 Primary key fingerprint: E1...

     UXXXXX WXXXX <XXX>
     UXXXXX WXXXX (Work)

This key is due to expire on 2025-01-27. Are you sure that you want to sign this key with your key "UXXXXX WXXXX (XXX)" (A5XXXXXXXXXXXXXX)

Really sign? (y/N) y
gpg: signing failed: No secret key
gpg: signing failed: No secret key

Key not changed so no update needed.

How can I recover from this, and what was my mistake setting up the keys on the card most likely?

It seems https://unix.stackexchange.com/a/393166/320598 gives the reason why it does not work, but what created that situation?

U. Windl

1 Answer

I think the problem is caused by an incorrect or unclear instruction found in step 6 of the document cited:

Unplug the YubiKey, delete the card-migrated keys, and re-import your backed up private keys.

gpg --delete-secret-and-public-key XXXXXXXXXXXXXXXX
gpg --import XXXXXXXXXXXXXXXX_secret.asc

At this point you should shutdown, offline, and safely store your offline keys. Go to your regular online computer and import the public key and subkeys. Then plug in the YubiKey and check the YubiKey’s card status to connect that YubiKey to the matching public key and subkeys.

gpg --import XXXXXXXXXXXXXXXX_public.asc
gpg --card-status

Shouldn't "safely store your offline keys" come before gpg --delete-secret-and-public-key XXXXXXXXXXXXXXXX?

Solution (well, almost)

So I imported my secret key backup using gpg --import A5XXXXXXXXXXXXXX_sec.asc, and now the output is:

gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/A5XXXXXXXXXXXXXX
     created: 2023-01-26  expires: 2025-01-25  usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/B5XXXXXXXXXXXXXX
     created: 2023-01-26  expires: 2025-01-25  usage: S
     card-no: 0006 234XXXXX
ssb  rsa4096/A1XXXXXXXXXXXXXX
     created: 2023-01-26  expires: 2025-01-25  usage: E
     card-no: 0006 234XXXXX
ssb  rsa4096/11XXXXXXXXXXXXXX
     created: 2023-01-26  expires: 2025-01-25  usage: A
     card-no: 0006 234XXXXX
[ultimate] (1). UXXXXX WXXXX (XXX)

However, I'm unsure whether the secret keys are duplicated to the local keyring (in addition to being stored on the YubiKey). Actually yes: I could sign the key without having to enter the YubiKey PIN or touch it.

U. Windl
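The `sec#` / `ssb>` markers in the question and the "sign without PIN" observation in the answer are the same question asked twice: where does each secret key actually live? The script below is an added example, not code from the question, the answer or the linked guide. It parses the machine-readable output of `gpg --list-secret-keys --with-colons` (field 12 = key capabilities, field 15 = `#` for a stub with no secret key, `+` for a secret key in the local keyring, or the token serial number for a key on a smart card, as documented in GnuPG's DETAILS file) and reports the status of the certifying (usage C) primary key, which is the key `--sign-key` needs. The two sample listings are constructed to mirror the question's keyring before and after the backup import; the key IDs, epoch timestamps and token serial are placeholders, not real values.

```shell
#!/bin/sh
# Added example: classify the secret keys in `gpg --list-secret-keys --with-colons`
# output. Reads colon records on stdin, prints one line per key:
#   <record> <keyid> <capabilities> <status>
# status is derived from field 15 ("S/N of a token" in GnuPG's DETAILS):
#   missing      field 15 is '#': only a stub, the secret key is not on this host
#                (shown as "sec#" / "ssb#" in the human-readable listing)
#   card:<S/N>   field 15 is a token serial: the secret key lives on the card
#                (shown as "ssb>" in the human-readable listing)
#   local        field 15 is '+': the secret key is in the local keyring
secret_key_status() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            sn = $15
            if (sn == "#")      status = "missing"
            else if (sn == "+") status = "local"
            else if (sn != "")  status = "card:" sn
            else                status = "unknown"
            printf "%s %s %s %s\n", $1, $5, $12, status
        }'
}

# Status of the key that can certify (sign) other keys: the primary key
# whose own capabilities (lowercase letters in field 12) include "c".
# "missing" here is exactly the state that makes `gpg --sign-key` fail
# with "No secret key" while signing/encrypting with the card still works.
certifying_key_status() {
    secret_key_status | awk '$1 == "sec" && index($3, "c") > 0 && !done { print $4; done = 1 }'
}

# Constructed sample, shaped like the question's keyring: primary is a stub,
# the three subkeys (S, E, A) are on the card. Key IDs, timestamps and the
# token serial are placeholders (hypothetical values).
SAMPLE_CARD='sec:u:4096:1:A5XXXXXXXXXXXXXX:1674767114:1737797114::u:::cESCA:::#:::23::0:
fpr:::::::::A5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
uid:u::::1674767114::0000000000000000000000000000000000000000::UXXXXX WXXXX (XXX):::::::::0:
ssb:u:4096:1:B5XXXXXXXXXXXXXX:1674767114:1737797114:::::s:::D2760001240103040006234727620000:::23:
ssb:u:4096:1:A1XXXXXXXXXXXXXX:1674767250:1737797250:::::e:::D2760001240103040006234727620000:::23:
ssb:u:4096:1:11XXXXXXXXXXXXXX:1674767478:1737797478:::::a:::D2760001240103040006234727620000:::23:'

# Constructed sample after `gpg --import A5..._sec.asc`: the primary secret
# key is now in the local keyring ("+"), so certification works again, but the
# offline key is no longer offline. Subkeys still resolve to the card.
SAMPLE_LOCAL='sec:u:4096:1:A5XXXXXXXXXXXXXX:1674767114:1737797114::u:::cESCA:::+:::23::0:
ssb:u:4096:1:B5XXXXXXXXXXXXXX:1674767114:1737797114:::::s:::D2760001240103040006234727620000:::23:
ssb:u:4096:1:A1XXXXXXXXXXXXXX:1674767250:1737797250:::::e:::D2760001240103040006234727620000:::23:
ssb:u:4096:1:11XXXXXXXXXXXXXX:1674767478:1737797478:::::a:::D2760001240103040006234727620000:::23:'

# Stand-alone run: full report, then the one-word verdict for each state.
printf '%s\n' "$SAMPLE_CARD" | secret_key_status
printf 'certifying key (card-only keyring): %s\n' \
    "$(printf '%s\n' "$SAMPLE_CARD" | certifying_key_status)"
printf 'certifying key (after backup import): %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOCAL" | certifying_key_status)"
```

On a real machine replace the samples with `gpg --list-secret-keys --with-colons | certifying_key_status`: `missing` reproduces the question's failure (certify with an offline primary), `card:<S/N>` would mean the primary itself was moved to the card, and `local` is the answer's "almost" state, where the primary secret key sits in the online keyring and should be deleted again once the certification is done.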