Cannot sign public keys


#1

I have a nitrokey, with keys for signing, authentication and decryption.

I I do “gpg --card-status” I get:

Application ID ...: xxx
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 00003C8C
Name of cardholder: MyName
Language prefs ...: de
Sex ..............: male
URL of public key : someurl
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 1
Signature key ....: XXXX XXXX XXXX XXXX
      created ....: 2017-05-19 12:28:08
Encryption key....: XXXX XXXX XXXX XXXX
      created ....: 2017-05-19 12:27:34
Authentication key: XXXX XXXX XXXX XXXX
      created ....: 2017-05-19 12:28:43
General key info..: sub  rsa4096/XXXXXXXX 2017-05-19 Me
sec#  rsa4096/XXXXXXXX  created: 2017-05-19  expires: 2019-05-19
ssb>  rsa4096/XXXXXXXX  created: 2017-05-19  expires: 2019-05-19
                        card-no: 0005 00003C8C
ssb>  rsa4096/XXXXXXXX  created: 2017-05-19  expires: 2019-05-19
                        card-no: 0005 00003C8C
ssb>  rsa4096/XXXXXXXX  created: 2017-05-19  expires: 2019-05-19
                        card-no: 0005 00003C8C

I can encrypt and decrypt using qtpass - works fine.

By when I try to sign a key from the command line I get:

gpg --sign-key somekey

I get:

(...)
Really sign? (y/N) y
gpg: signing failed: No secret key
gpg: signing failed: No secret key

Key not changed so no update needed.

It is not even asking me for my pin. How can I do this?
Thanks!


#2

Hi,

it looks to me like you got a key on your Signature key slot which is not capable of signing. It seems that you only once singed anything yet (signature counter is set to ‘1’).

Please have a look at something like:

$ gpg --key-edit yourKey

There you can see the usage of your subkey and see if is has the “S” flag, which indicates that it is able to sign.

In normal case it looks something like this:

Secret key is available.
sec  rsa4096/98E2F54A0BA8237F
  created: 2017-12-21  expires: never       usage: SC  
  card-no: 0005 00005F12
  trust: ultimate      validity: ultimate 
ssb  rsa4096/01D0574712949D27
  created: 2017-12-21  expires: never       usage: A   
  card-no: 0005 00005F12
ssb  rsa4096/22A31C89EE29E95A
  created: 2017-12-21  expires: never       usage: E   
  card-no: 0005 00005F12

Kind regards
Alex


#3

Thanks forthe reply, nitroalex.

This is the output:

>gpg --key-edit myKey
gpg (GnuPG) 2.1.9; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  rsa4096/XXXXXXXX
     created: 2017-05-19  expires: 2019-05-19  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/XXXXXXXX
     created: 2017-05-19  expires: 2019-05-19  usage: E
     card-no: 0005 00003C8C
ssb  rsa4096/XXXXXXXX
     created: 2017-05-19  expires: 2019-05-19  usage: S
     card-no: 0005 00003C8C
ssb  rsa4096/XXXXXXXX
     created: 2017-05-19  expires: 2019-05-19  usage: A
     card-no: 0005 00003C8C
[ultimate] (1). Dr. Nathan Hüsken <myEmail>

So a signing key is there. It looks fine to me. What do you think?


#4

Hi,

yes there it is. Forget what I said about the ‘S’ flag. If you want to sign a key you need the ‘C’ flag (although it is called key signing you actually do certificating its trustworthiness, other than signing a message (which solely needs the ‘S’). Therefore you should have a ‘SC’ key on Signature Slot, but I guess (cant see through XXXXXs) you have the ‘S’ key on this slot, which is not enough for key signing, I am afraid.

You see what I mean?

Kind regards
Alex


#5

Hi,

What do you mean by “Signature Slot”? How can I identify this?
Here is the output without the XXXXX:

pub  rsa4096/EC7604F6
     created: 2017-05-19  expires: 2019-05-19  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/931FE88C
     created: 2017-05-19  expires: 2019-05-19  usage: E
     card-no: 0005 00003C8C
ssb  rsa4096/1FC7283A
     created: 2017-05-19  expires: 2019-05-19  usage: S
     card-no: 0005 00003C8C
ssb  rsa4096/72CE73A4
     created: 2017-05-19  expires: 2019-05-19  usage: A
     card-no: 0005 00003C8C

I have a master key with 3 subkeys: One for authentication, one for signing and one for encryption.


#6

Hi,

OpenPGP Cards have three key slots. If you choose to have three subkeys on your Card you need at least one being able to certificate to do what you want to.

Most people will probably copy the master key (which should have ‘SC’ ability) to the first slot and add two subkeys (one with ‘E’ and one with ‘A’) to the second and third slot.

Have a look at your output of ‘gpg card-status’ and see where ‘1FC7283A’ is situated (can’t see on the output above :wink:). I guess you will see then, that it is on the Signature Slot (makes most sense). On this slot you probably want to have your master key or a new subkey which actually have ‘S’ and ‘C’ ability.

To be honest I am not 100% sure, but in my understandig this should not make a difference for prior actions you did. But I am not sure. But you may have to update you public key on keyserver if you use such thing and if you choose to create a new subkey. When using the master key instead of the subkey now in use, you should be fine. You probably want to study this instructions.

I don’t dare to give you a complete instruction, as I am not sure, what your whole situation is (e. g. do you have backups and how etc.), but as I see it you want to use ‘gpg --key-edit’ -> ‘toggle’ -> ‘keytocard’ to move the master key to the Signature Slot of the card. Be aware that the key on disk got deleted by gpg afterwards, so have a backup if you need one!

I am sorry, that this is not more straightforward, but that’s the way it currently is for every person who wants to use a OpenPGP Card or other smartcard.

Kind regards
Alex