问题描述
我正在尝试使用 gpg --sign-key
签署另一个公钥,然后 signing Failed: No secret key
出现错误
完整输出:
❯ gpg --ask-cert-level --sign-with tinoheuberger@protonmail.com --sign-key 0x9303B33A305224CB
pub rsa4096/0x9303B33A305224CB
created: 2017-10-05 expires: never usage: C
trust: unkNown validity: unkNown
sub rsa4096/0x9B79B45691DB4173
created: 2017-10-05 expires: 2021-07-27 usage: S
sub rsa4096/0xDAB71C6FBCD75257
created: 2017-10-05 expires: 2021-07-27 usage: E
sub rsa4096/0x7651CCCB55BC4D56
created: 2017-10-05 expires: 2021-07-27 usage: A
[ unkNown] (1). --------------) <----------------->
pub rsa4096/0x9303B33A305224CB
created: 2017-10-05 expires: never usage: C
trust: unkNown validity: unkNown
Primary key fingerprint: A8FC 55F3 B04B A314 6F34 92E7 9303 B33A 3052 24CB
----- (-----) <-------->
How carefully have you verified the key you are about to sign actually belongs
to the person named above? If you don't kNow what to answer,enter "0".
(0) I will not answer. (default)
(1) I have not checked at all.
(2) I have done casual checking.
(3) I have done very careful checking.
Your selection? (enter '?' for more information): 3
Are you sure that you want to sign this key with your
key "Tino Heuberger (Personal MasterKey) <tinoheuberger@protonmail.com>" (0xB4B88025927E502D)
I have checked this key very carefully.
Really sign? (y/N) y
gpg: signing Failed: No secret key
gpg: signing Failed: No secret key
Key not changed so no update needed.
这个命令虽然没有问题:
echo "test message string" | gpg --armor --clearsign > signed.txt
gpg -K
的输出
/home/cobra/.gnupg/pubring.kbx
------------------------------
sec# rsa4096/0xB4B88025927E502D 2021-04-05 [C]
Key fingerprint = 90BD 307D 847F 7524 EA22 2F27 B4B8 8025 927E 502D
uid [ultimate] Tino Heuberger (Personal MasterKey) <tinoheuberger@protonmail.com>
ssb> rsa4096/0x4AE34056E26AE417 2021-04-05 [S] [expires: 2022-04-05]
ssb> rsa4096/0x1F0B2D0F39B5549D 2021-04-05 [E] [expires: 2022-04-05]
ssb> rsa4096/0x3659102D72DF0E6C 2021-04-05 [A] [expires: 2022-04-05]
和 gpg --card-status
的输出(我使用的是 yubikey):
❯ gpg --card-status
Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240103040006111828330000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 11182833
Name of cardholder: Tino Heuberger
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: tinoheuberger@protonmail.com
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 28
KDF setting ......: off
Signature key ....: 7C2C E04B 91AE 02D5 1935 F438 4AE3 4056 E26A E417
created ....: 2021-04-05 16:31:24
Encryption key....: 6408 7413 4AEC F845 E176 D6C9 1F0B 2D0F 39B5 549D
created ....: 2021-04-05 16:32:46
Authentication key: 45E1 05AD 16FA F864 16BB CC75 3659 102D 72DF 0E6C
created ....: 2021-04-05 16:33:35
General key info..: sub rsa4096/0x4AE34056E26AE417 2021-04-05 Tino Heuberger (Personal MasterKey) <tinoheuberger@protonmail.com>
sec# rsa4096/0xB4B88025927E502D created: 2021-04-05 expires: never
ssb> rsa4096/0x4AE34056E26AE417 created: 2021-04-05 expires: 2022-04-05
card-no: 0006 11182833
ssb> rsa4096/0x1F0B2D0F39B5549D created: 2021-04-05 expires: 2022-04-05
card-no: 0006 11182833
ssb> rsa4096/0x3659102D72DF0E6C created: 2021-04-05 expires: 2022-04-05
card-no: 0006 11182833
我不知道我不能使用 gpg --sign-key
而所有其他 gpg 命令都可以正常工作
解决方法
过了一段时间,我终于明白了。
gpg --sign-key
仅在您拥有主密钥的私钥时才有效,这意味着我必须在我的离线机器上使用主私钥对公钥进行签名。子键不适用于 gpg --sign-key