Re: Cannot choose specific signing key with option --default-key

2017-06-14 Thread Kristian Fiskerstrand
On 06/14/2017 07:38 AM, Yanzhe Lee wrote:
> Maybe there was a priority when signing files with RSA and ECC keys? How
> can I override it?

Try adding a "!" suffix to the fingerprint specification of the subkey.

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

"Be a yardstick of quality. Some people aren't used to an environment
where excellence is expected."
(Steve Jobs)



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
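
Added example, not part of either message in this thread: a shell sketch that forces the signing subkey with the "!" suffix and then checks gpg's --status-fd output to confirm which key actually made the signature. The key IDs are the ones quoted in the original post; the function names, the timestamp and the zero-padded fingerprints in the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Sign FILE with exactly SUBKEY. The trailing "!" makes gpg use the key as
# given instead of picking a signing subkey itself. Status lines go to stdout.
sign_with_subkey() {
    subkey=$1 file=$2
    gpg2 --status-fd 1 -o "$file.asc" -u "${subkey}!" -a -s "$file"
}

# Succeed only if every SIG_CREATED line in STATUS names a key whose
# fingerprint ends with KEYID (at least one such line must be present).
# [GNUPG:] SIG_CREATED <type> <pk_algo> <hash_algo> <class> <timestamp> <fpr>
signed_by() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$2" | awk -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        $1 == "[GNUPG:]" && $2 == "SIG_CREATED" {
            n++
            fpr = toupper($8)
            if (substr(fpr, length(fpr) - length(want) + 1) != want) bad = 1
        }
        END { exit (n >= 1 && !bad) ? 0 : 1 }'
}

# Constructed status lines (fingerprints are zero-padded key IDs, not real):
# pk_algo 1 = RSA, 19 = ECDSA; hash_algo 10 = SHA512.
SAMPLE_RSA='[GNUPG:] SIG_CREATED S 1 10 00 1497420000 0000000000000000000000005BE7F1861B56E399'
SAMPLE_ECC='[GNUPG:] SIG_CREATED S 19 10 00 1497420000 0000000000000000000000002D8801CE07BCC5B5'

# Demo on the constructed samples: only the second one passes the check.
for s in "$SAMPLE_RSA" "$SAMPLE_ECC"; do
    if signed_by 2D8801CE07BCC5B5 "$s"; then
        echo "ok: signed by the requested ECC subkey"
    else
        echo "MISMATCH: a different key made the signature"
    fi
done
```

With real keys, the check would read: status=$(sign_with_subkey 2D8801CE07BCC5B5 test.jpg) followed by signed_by 2D8801CE07BCC5B5 "$status".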


Cannot choose specific signing key with option --default-key

2017-06-14 Thread Yanzhe Lee
GPG Version: gpg (GnuPG) 2.1.21 libgcrypt 1.7.6
Operating System: macOS Sierra 10.12.5

I have these keys with private keys:

pub brainpoolP512r1/3EA647C79FDA9CD1
created: 2017-01-08 expires: 2032-01-05 usage: SCA
trust: ultimate validity: ultimate

ssb brainpoolP512r1/2D8801CE07BCC5B5
created: 2017-01-08 expires: 2032-01-05 usage: S

ssb brainpoolP512r1/C78A6E620F55
created: 2017-01-08 expires: 2032-01-05 usage: E

ssb nistp521/D97F950D0F500332
created: 2017-02-04 expires: 2027-02-02 usage: A

ssb rsa4096/5BE7F1861B56E399
created: 2017-02-09 expires: 2025-02-07 usage: S
card-no: 0006 04175643

ssb rsa4096/9149FF3E60054D0C
created: 2017-02-09 expires: 2025-02-07 usage: E
card-no: 0006 04175643

ssb rsa4096/8C31540043B61A0A
created: 2017-02-09 expires: 2025-02-07 usage: A
card-no: 0006 04175643

[ultimate] (1). TEST (Local) 
[ultimate] (2) TEST (Online) 

RSA private keys are stored in a YubiKey smart card.
ECC private keys are stored in the keyring.

When I use this command to specify using ECC key 2D8801CE07BCC5B5 to sign a
file:

gpg2 -v -u 2D8801CE07BCC5B5 -a -s test.jpg

It prompts me to insert my smart card. After I insert it and input my PIN,
it outputs:

gpg: using subkey 5BE7F1861B56E399 instead of primary key 3EA647C79FDA9CD1
gpg: writing to 'test.jpg.asc'
gpg: RSA/SHA512 signature from: "5BE7F1861B56E399 TEST "

So when I verify the signature file, it was signed by my RSA key, which was
not what I specified.
It should not have prompted me to insert my smart card, because the
private key of my ECC key was not on the card.
The key 2D8801CE07BCC5B5 was not my primary key, so gpg shouldn't replace
the signing key with a subkey.

I tried other options as follows, and the result was the same:
gpg2 -v --default-key 2D8801CE07BCC5B5 -a -s test.jpg
gpg2 -v --local-user 2D8801CE07BCC5B5 -a -s test.jpg

However, if I delete the RSA subkey, it will sign my file with the correct ECC
key.

Maybe there was a priority when signing files with RSA and ECC keys? How can I
override it?


-- 

Best regards!

LI YANZHE