I'm trying to figure out how to cross-sign two keys. One reference says we should use:

```
gpg --local-user 0xfedcba98 --edit 0x76543210 sign
gpg --local-user 0x76543210 --edit 0xfedcba98 sign
```

That's an old reference, so I assume we should be using `--edit-key` now. When I try, I am able to get the first key to sign the second, but the reverse fails....

Edit: After repairing one error having to do with proper quotation of passwords on the command line, I tried Esa's suggestion with `--default-key`, which appears in his first linked article by Daniel Pecos Martínez. I was still unable to sign the first key by the second. I was getting this error:

```
$ gpg --default-key 76543210 --edit-key fedcba98 sign

[snip]

gpg: Warning: not using '76543210' as default key: No secret key
gpg: all values passed to '--default-key' ignored
"MyName <me@mine.com>" was already signed by key fedcba98
Nothing to sign with key fedcba98
```

The solution I found, and this is necessary whether using `--edit-key ... sign`, `--sign-key` or `--quick-sign-key`, is to use `--local-user` as stated in the link above. `--default-key` does not work!

The man page says that `--local-user` overrides `--default-key`, so I am guessing that the key database has some notion of default which will not be overridden by `--default-key` but will be by `--local-user`. I am uncertain, but this may be complicated by the fact that both of my keys have the same UID. If anyone can confirm and maybe even offer a way to change the database's default, perhaps they might add it in the comments.

I am running:

```
$ gpg --version
gpg (GnuPG) 2.2.4
libgcrypt 1.8.1
```
Diagon

1 Answer

You don't need the `0x` prefix when specifying a key, and you could use `--sign-key`.

> `--sign-key name` Signs a public key with your secret key. This is a shortcut version of the subcommand `sign` from `--edit`.

```
gpg --local-user FEDCBA98 --sign-key 76543210
gpg --local-user 76543210 --sign-key FEDCBA98
```

OR

```
gpg --default-key FEDCBA98 --sign-key 76543210
gpg --default-key 76543210 --sign-key FEDCBA98
```

as used e.g. in Daniel Pecos Martínez: How to rotate your OpenPGP / GnuPG keys. Never stick with the first tutorial you find, as there is plenty of recent documentation available, e.g.

Esa Jokinen
  • Esa - I appreciated your links. Unfortunately, in my version of gpg, I had to discover that `--default-key` would not work. See my Edit in the original question. – Diagon Jul 29 '20 at 02:13
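
To confirm that both signatures actually landed after running the commands discussed above, the colon-delimited output of `gpg --with-colons --check-sigs` can be checked mechanically. This is an added example, not part of the original question or answer; the `cross_signed` helper, the long key IDs and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# cross_signed A B: read `gpg --with-colons --check-sigs` output on stdin and
# exit 0 only if A carries a verified certification from B and B one from A.
# A and B are 8- or 16-hex-digit key IDs, matched against the end of the long
# key ID. Later revocations ("rev" records) are not evaluated here.
cross_signed() {
    awk -F: -v a="$1" -v b="$2" '
        function ends(s, suf) {
            return length(s) >= length(suf) &&
                   substr(s, length(s) - length(suf) + 1) == suf
        }
        BEGIN { sub(/^0[xX]/, "", a); sub(/^0[xX]/, "", b)
                a = toupper(a); b = toupper(b) }
        $1 == "pub" { cur = toupper($5) }   # field 5: long ID of the key being listed
        # sig record: field 2 starts with "!" if gpg verified the signature,
        # field 5 is the issuer, field 11 the class (10-13 = key certification).
        $1 == "sig" && substr($2, 1, 1) == "!" && $11 ~ /^1[0-3]/ {
            iss = toupper($5)
            if (ends(cur, a) && ends(iss, b)) b_on_a = 1
            if (ends(cur, b) && ends(iss, a)) a_on_b = 1
        }
        END {
            if (!a_on_b) print "missing: " a " has not certified " b
            if (!b_on_a) print "missing: " b " has not certified " a
            exit !(a_on_b && b_on_a)
        }'
}

sample_one_way() {  # constructed listing: FEDCBA98 certified 76543210 only
cat <<'EOF'
pub:u:4096:1:2222BBBB76543210:1595980900:::u:::scESC:
sig:!::1:2222BBBB76543210:1595980900::::MyName <me@mine.com>:13x:
sig:!::1:1111AAAAFEDCBA98:1595984500::::MyName <me@mine.com>:10x:
pub:u:4096:1:1111AAAAFEDCBA98:1595980800:::u:::scESC:
sig:!::1:1111AAAAFEDCBA98:1595980800::::MyName <me@mine.com>:13x:
EOF
}
sample_both() {     # constructed: the same plus 76543210 certifying FEDCBA98
    sample_one_way
    echo 'sig:!::1:2222BBBB76543210:1595984400::::MyName <me@mine.com>:10x:'
}

# Real use: gpg --with-colons --check-sigs FEDCBA98 76543210 | cross_signed FEDCBA98 76543210
sample_one_way | cross_signed FEDCBA98 76543210 || echo "not cross-signed yet"
sample_both | cross_signed FEDCBA98 76543210 && echo "cross-signed"
```

Short key IDs are used here only because the thread uses them; 8-digit IDs can collide, so pass the 16-digit long IDs when checking real keys.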