gnupg

Is it possible to (locally) sign a UID using a signing subkey


I'm trying to add a trust for a system account (to stop the nagging message when using it to encrypt data using that key). I've got subkeys set up and an offline master key:

$ gpg --edit-key AAAAAAAA
[...]
Secret key is available.

pub  4096R/AAAAAAAA  created: 2015-09-09  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/BBBBBBBB  created: 2015-09-09  expires: never       usage: E   
sub  4096R/CCCCCCCC  created: 2015-09-09  expires: never       usage: S   
sub  4096R/DDDDDDDD  created: 2015-09-09  expires: never       usage: A

$ gpg --list-secret-keys
sec#  4096R/AAAAAAAA 2015-09-09
uid                  $NAME <$EMAIL>
ssb   4096R/BBBBBBBB 2015-09-09
ssb   4096R/CCCCCCCC 2015-09-09
ssb   4096R/DDDDDDDD 2015-09-09

If I want to sign a document I can use:

$ gpg --encrypt --sign --recipient AAAAAAAA --local-user CCCCCCCC! --output out.gpg in.gpg

This uses exactly the specified subkey to sign (although in this case AAAAAAAA is actually unavailable, so it couldn't be used in any case). However, if I try to do something similar to lsign another UID:

$ gpg --lsign-key --local-user CCCCCCCC! 'Mentor Root'

pub  4096R/DDDDDDDD  created: 2015-09-14  expires: never       usage: SC  
                     trust: undefined     validity: unknown
sub  4096R/EEEEEEEE  created: 2015-09-14  expires: never       usage: E   
[ unknown] (1). $OTHER_NAME <$OTHER_EMAIL>


pub  4096R/DDDDDDDD  created: 2015-09-14  expires: never       usage: SC  
                     trust: undefined     validity: unknown
 Primary key fingerprint: DDDD DDDD DDDD DDDD DDDD  DDDD DDDD DDDD DDDD DDDD

     $OTHER_NAME <$OTHER_EMAIL>

Are you sure that you want to sign this key with your
key "$NAME <$EMAIL>" (AAAA)

The signature will be marked as non-exportable.

Really sign? (y/N) y
gpg: secret key parts are not available
gpg: signing failed: general error

Key not changed so no update needed.

Is this just a hard limitation of gpg, or is there some step I am missing?

(Or, equally possibly, am I totally misunderstanding the intent of all this?)

EDIT: Is it simply that the CCCCCCCC subkey does not have the C capability? Is it possible to have a subkey with the C capability (from a cursory search, it seems not)?


Solution

  • Only primary keys can have the certification capability C. You cannot sign (certify) keys/user IDs with a subkey.

    From RFC 4880, OpenPGP, 12.1 Key Structures:

    In a V4 key, the primary key MUST be a key capable of certification. The subkeys may be keys of any other type.

    The math might well allow certification subkeys, but the standard prevents it.
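
As an added, runnable illustration of the answer above (this is not code from the question or the answer), the script below rebuilds the asker's layout with GnuPG 2.x in a throwaway keyring: a certify-only primary key, a signing subkey added with --quick-add-key, and a second key standing in for 'Mentor Root'. It then runs --quick-lsign-key twice, first forcing the S subkey with the `!` suffix exactly as the asker did, then with the primary key, and counts the certifications that actually land on the second key. Assumptions: gpg 2.1 or newer and gpgconf are on PATH; the names, addresses and the rsa2048 size are constructed for the demo, and the empty passphrase is only acceptable because the keys are thrown away at the end.

```shell
#!/bin/sh
# Added example (not part of the original question or answer): show that a
# signing (S) subkey cannot certify another key, while the primary (C) can.
# Assumes gpg >= 2.1 and gpgconf on PATH. Names, addresses and key sizes are
# constructed for this demo; rsa2048 is used only to keep generation fast.

demo_subkey_cannot_certify() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "skipped: gpg not installed"
        return 0
    fi

    # Isolated GNUPGHOME so nothing touches the real keyring or agent.
    saved_home=${GNUPGHOME:-}
    home=$(mktemp -d) || return 1
    export GNUPGHOME="$home"
    echo 'allow-loopback-pinentry' > "$home/gpg-agent.conf"

    # Non-interactive gpg with an empty passphrase: throwaway demo keys only.
    g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

    # Key A mirrors the asker's layout: certify-only primary, then an S subkey.
    g --quick-generate-key 'Demo Owner <owner@example.invalid>' rsa2048 cert never || return 1
    fpr_a=$(gpg --with-colons --list-keys owner@example.invalid | awk -F: '$1=="fpr"{print $10; exit}')
    g --quick-add-key "$fpr_a" rsa2048 sign never || return 1
    sub_a=$(gpg --with-colons --list-keys "$fpr_a" | awk -F: '$1=="sub"{print $5; exit}')
    keyid_a=$(printf '%s' "$fpr_a" | tail -c 16)   # long key ID = last 16 hex digits

    # Key B stands in for 'Mentor Root', the key the asker wants to lsign.
    g --quick-generate-key 'Other Party <other@example.invalid>' rsa2048 default never || return 1
    fpr_b=$(gpg --with-colons --list-keys other@example.invalid | awk -F: '$1=="fpr"{print $10; exit}')

    # Key-flags subpacket (type 27) in key A's self-signatures:
    # 01 = certify on the primary's user-ID binding, 02 = sign on the subkey binding.
    echo "key flags on key A (primary, then subkey):"
    gpg --export "$fpr_a" | gpg --list-packets 2>/dev/null \
        | sed -n 's/.*key flags: *\([0-9A-Fa-f]*\).*/  \1/p'

    # 1) The asker's attempt: force the S subkey as the certifying key.
    echo "--- lsign with subkey ${sub_a}! ---"
    sub_rc=0
    g --local-user "${sub_a}!" --quick-lsign-key "$fpr_b" || sub_rc=$?
    echo "exit status: $sub_rc"

    # 2) What RFC 4880 requires: certify with the primary key.
    echo "--- lsign with primary $keyid_a ---"
    pri_rc=0
    g --local-user "$fpr_a" --quick-lsign-key "$fpr_b" || pri_rc=$?
    echo "exit status: $pri_rc"

    # Count certifications on key B per signer (sig records, field 5 = signer key ID).
    sigs=$(gpg --with-colons --check-sigs "$fpr_b" 2>/dev/null)
    by_sub=$(printf '%s\n' "$sigs" | awk -F: -v k="$sub_a"   '$1=="sig" && $5==k {n++} END {print n+0}')
    by_pri=$(printf '%s\n' "$sigs" | awk -F: -v k="$keyid_a" '$1=="sig" && $5==k {n++} END {print n+0}')
    echo "signatures on key B: by subkey=$by_sub by primary=$by_pri"

    # Tear down the throwaway agent and keyring, restore the caller's GNUPGHOME.
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$home"
    if [ -n "$saved_home" ]; then export GNUPGHOME="$saved_home"; else unset GNUPGHOME; fi

    # Success means: the subkey never certified anything, the primary did.
    [ "$by_sub" -eq 0 ] && [ "$by_pri" -ge 1 ]
}
```

Save it as a file, then `. ./demo.sh && demo_subkey_cannot_certify`. The key-flags lines show where the C capability actually lives: the primary's user-ID self-signature carries 01 (certify), the subkey binding carries 02 (sign). Forcing the subkey with `!` selects a key whose flags lack 01, so gpg cannot make the certification (the asker's gpg 1.4 instead fell through to the absent primary and reported "secret key parts are not available"); with the primary selected, --check-sigs on key B shows the new local signature.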