gpg 在可用时声明 "No secret key"

gpg claiming "No secret key" while it is available

我正在尝试使用 gpg --sign-key 签署另一个 public 密钥,然后出现 signing failed: No secret key

错误

完整输出:

❯ gpg --ask-cert-level --sign-with tinoheuberger@protonmail.com  --sign-key 0x9303B33A305224CB

pub  rsa4096/0x9303B33A305224CB
     created: 2017-10-05  expires: never       usage: C   
     trust: unknown       validity: unknown
sub  rsa4096/0x9B79B45691DB4173
     created: 2017-10-05  expires: 2021-07-27  usage: S   
sub  rsa4096/0xDAB71C6FBCD75257
     created: 2017-10-05  expires: 2021-07-27  usage: E   
sub  rsa4096/0x7651CCCB55BC4D56
     created: 2017-10-05  expires: 2021-07-27  usage: A   
[ unknown] (1). --------------) <----------------->


pub  rsa4096/0x9303B33A305224CB
     created: 2017-10-05  expires: never       usage: C   
     trust: unknown       validity: unknown
 Primary key fingerprint: A8FC 55F3 B04B A314 6F34  92E7 9303 B33A 3052 24CB

     ----- (-----) <-------->

How carefully have you verified the key you are about to sign actually belongs
to the person named above?  If you don't know what to answer, enter "0".

   (0) I will not answer. (default)
   (1) I have not checked at all.
   (2) I have done casual checking.
   (3) I have done very careful checking.

Your selection? (enter '?' for more information): 3
Are you sure that you want to sign this key with your
key "Tino Heuberger (Personal MasterKey) <tinoheuberger@protonmail.com>" (0xB4B88025927E502D)

I have checked this key very carefully.

Really sign? (y/N) y
gpg: signing failed: No secret key
gpg: signing failed: No secret key

Key not changed so no update needed.

虽然这个命令可以正常工作:

echo "test message string" | gpg --armor --clearsign > signed.txt

gpg -K

的输出
/home/cobra/.gnupg/pubring.kbx
------------------------------
sec#  rsa4096/0xB4B88025927E502D 2021-04-05 [C]
      Key fingerprint = 90BD 307D 847F 7524 EA22  2F27 B4B8 8025 927E 502D
uid                   [ultimate] Tino Heuberger (Personal MasterKey) <tinoheuberger@protonmail.com>
ssb>  rsa4096/0x4AE34056E26AE417 2021-04-05 [S] [expires: 2022-04-05]
ssb>  rsa4096/0x1F0B2D0F39B5549D 2021-04-05 [E] [expires: 2022-04-05]
ssb>  rsa4096/0x3659102D72DF0E6C 2021-04-05 [A] [expires: 2022-04-05]

gpg --card-status 的输出(我使用的是 yubikey):

❯ gpg --card-status
Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240103040006111828330000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 11182833
Name of cardholder: Tino Heuberger
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: tinoheuberger@protonmail.com
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 28
KDF setting ......: off
Signature key ....: 7C2C E04B 91AE 02D5 1935  F438 4AE3 4056 E26A E417
      created ....: 2021-04-05 16:31:24
Encryption key....: 6408 7413 4AEC F845 E176  D6C9 1F0B 2D0F 39B5 549D
      created ....: 2021-04-05 16:32:46
Authentication key: 45E1 05AD 16FA F864 16BB  CC75 3659 102D 72DF 0E6C
      created ....: 2021-04-05 16:33:35
General key info..: sub  rsa4096/0x4AE34056E26AE417 2021-04-05 Tino Heuberger (Personal MasterKey) <tinoheuberger@protonmail.com>
sec#  rsa4096/0xB4B88025927E502D  created: 2021-04-05  expires: never     
ssb>  rsa4096/0x4AE34056E26AE417  created: 2021-04-05  expires: 2022-04-05
                                  card-no: 0006 11182833
ssb>  rsa4096/0x1F0B2D0F39B5549D  created: 2021-04-05  expires: 2022-04-05
                                  card-no: 0006 11182833
ssb>  rsa4096/0x3659102D72DF0E6C  created: 2021-04-05  expires: 2022-04-05
                                  card-no: 0006 11182833

我无法弄清楚我无法使用 gpg --sign-key 而所有其他 gpg 命令都可以正常工作

过了一段时间我弄明白了。

gpg --sign-key 仅在您拥有主密钥的私钥时才有效,这意味着我必须使用主私钥在离线计算机上签署 public 密钥。子项不适用于 gpg --sign-key