If I try to change the expiry date I get this error message:
gpg: signing failed: No secret key
gpg: make_keysig_packet failed: No secret key
I tried it using this procedure:
gpg --expert --edit-key 0x8891383EF89D9F5A
Select relevant subkey
expire
1y
My understanding is that I cannot modify expired subkeys on the security card directly. Instead I must create new subkeys and export these keys to the security card.
You need the primary key (the [C]ertificate capable key) to make any key signatures, that is, to change anything in the key itself. In the program’s output above, the sec# means that this keyring does not have the primary key.
I have exported the private key using the command gpg -a --export-secret-keys 0x8891383EF89D9F5A > private.key.
I verified the generated file private.key, and it shows this at the end of the file:
My subkeys expired recently as well; what I did was the following and it worked:
# display card status for keyid
gpg2 --card-status
# edit the key that you specified by its keyid
gpg2 --edit-key keyid
# select the keys you want to renew
# after selection they should be marked with a *
key 1
key 2
key 3
# renew selected keys
expire
1y
y
save
Since my cert key was on another Nitrokey I needed to plug in that Nitrokey as well for the second-last step, and the keys on the card were renewed; I didn’t have to transfer new keys.
Edit: I re-tested it a minute ago for all my subkeys and it worked without any issues.
No sec#, but it specifies the serial number of the other Nitrokey it’s on.
Also, I thought Nitrokeys can only store up to three keypairs. In your case this would mean that you’d have three subkeys + the cert key on it, which shouldn’t work afaik.
In general extending is a public key operation - one needs to modify public key data, sign it and send to key server / recipients.
The private key never leaves any Nitrokey USB stick by design. What you should get from GPG is a private key stub, referring to the hardware location.
You might need to remove the private key stubs and recreate them with gpg2 --card-status, with the Nitrokey connected. If you use the same keys on multiple Nitrokey USB sticks, then GnuPG could be confused and ask for the originally used device with this key. Here the key stub removal could help.
If you are using Nitrokey Start, please make sure you are on the right Identity.
sec# means that the particular secret key file is completely missing from the .gnupg/private-keys-v1.d directory.
sec> means that there is a stub key file in .gnupg/private-keys-v1.d but the actual key data has been moved to (or created in) a smart card, like Nitrokey. The stub key file knows the serial number of the smart card so GnuPG can prompt for a smart card.
gpg has its own keyring in the $HOME/.gnupg directory (by default). Public keys are in the pubring.kbx file and secret keys are in the subdirectory private-keys-v1.d. The commands gpg --export (for public keys) and gpg --export-secret-keys (for public and secret keys) export keys from those places in the filesystem. They can’t export anything from a smart card (like Nitrokey).
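As an added example (not from any post in this thread), a small POSIX shell helper that reads the machine-readable listing from gpg --list-secret-keys --with-colons and maps its token field back to the sec#/sec> markers explained above, then checks whether the primary key is reachable at all, which is what the "No secret key" error when running expire comes down to. The listing embedded below is constructed, not taken from a real keyring or card.

```shell
#!/bin/sh
# Usage: gpg --list-secret-keys --with-colons | classify_secret_keys
# Field 15 of sec/ssb records is GnuPG's token field:
#   '#'            bare stub, no key data anywhere     -> sec#/ssb# in the normal listing
#   serial number  key data lives on that smart card   -> sec>/ssb>
#   '+'            key material is in private-keys-v1.d (printed with --with-secret)
#   empty          not reported
classify_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            kind = ($1 == "sec") ? "primary" : "subkey"
            if ($15 == "#")      state = "missing (" $1 "#)"
            else if ($15 == "+") state = "local"
            else if ($15 != "")  state = "on card " $15 " (" $1 ">)"
            else                 state = "local or unknown"
            print kind, $5, state
        }'
}

# Exit 0 only when the primary (certify-capable) key is not a bare stub.
# gpg --edit-key ... expire must sign the new expiry with it; with a '#' primary
# the signing step fails with "No secret key".
primary_key_usable() {
    awk -F: 'BEGIN { bad = 0 } $1 == "sec" && $15 == "#" { bad = 1 } END { exit bad }'
}

# Constructed sample listing (placeholder key ids and card serial, not real keys):
# the primary is a stub, two subkeys sit on one card, one subkey is held locally.
SAMPLE_LISTING='sec:u:4096:1:0000000000000001:1500000000:1600000000::u:::cSC:::#:::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
ssb:u:4096:1:0000000000000002:1500000000:1600000000:::::s:::D2760001240102010000000000000001:::23:
ssb:u:4096:1:0000000000000003:1500000000:1600000000:::::e:::D2760001240102010000000000000001:::23:
ssb:u:4096:1:0000000000000004:1500000000:1600000000:::::a:::+:::23:'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | classify_secret_keys
    if printf '%s\n' "$SAMPLE_LISTING" | primary_key_usable; then
        echo "primary key reachable: expire/sign will work"
    else
        echo "primary key is a stub: gpg cannot sign key changes (No secret key)"
    fi
fi
```

Run it as `sh script.sh --demo` to see the constructed sample classified, or pipe a real listing into classify_secret_keys to see which keys are stubs and which card each one expects.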