Gpg: public key decryption failed: Wrong secret key used

Dear community,
please help, i can’t decrypt a message, however i have the right secret subkey.

$ gpg -d encrypted.asc
gpg: encrypted with rsa4096 key, ID 585B20744DCCC0E0, created 2023-11-05
      "<MY NAME AND EMAIL>"

$ gpg --list-secret-keys 585B20744DCCC0E0
sec>  rsa4096 2023-11-05 [SC] [expires: 2033-11-02]
      C9FA40DC68794345B5DBBCAABDE737DA37CD67EF
      Card serial no. = 0006 23747386
uid           [ultimate] <MY NAME AND EMAIL>
ssb#  rsa4096 2023-11-05 [E] [expires: 2033-11-02]
ssb#  rsa4096 2023-11-07 [S] [expires: 2027-11-07]
ssb>  rsa4096 2023-11-24 [A] [expires: 2033-11-21]

$gpg -d --try-all-secrets encrypted.asc
gpg: encrypted with rsa4096 key, ID 585B20744DCCC0E0, created 2023-11-05
      "<MY NAME AND EMAIL>"
gpg: using "C9FA40DC68794345B5DBBCAABDE737DA37CD67EF" as default secret key for signing
gpg: used key is not marked for encryption use.
gpg: used key is not marked for encryption use.
gpg: used key is not marked for encryption use.
gpg: used key is not marked for encryption use.
gpg: used key is not marked for encryption use.
gpg: used key is not marked for encryption use.
gpg: used key is not marked for encryption use.
gpg: used key is not marked for encryption use.
gpg: used key is not marked for encryption use.
gpg: used key is not marked for encryption use.
gpg: public key decryption failed: Wrong secret key used
gpg: decryption failed: Wrong secret key used

Hi @garaboncias
did you plug-in the card or token?

Which version of GnuPG are you using and on which platform?

Yes it was plugged in. I use macOS 14.6.1

$ gpg --version
gpg (GnuPG) 2.4.5
libgcrypt 1.10.3
Copyright (C) 2024 g10 Code GmbH

Might it be that the file contains “” and nothing else? That is only 2 parenthesis? That would look like this.

File contains ascii armored PGP message. “” originally contains my name and email address, which is removed from the post.

What does

gpg -v -d encrypted.asc

show? Please leave everything as original as possible and substitute the sensitive data, e.g. substitute your name with Foo and your mail address with foo@bar.com, to avoid confusion.

$gpg -v -d encrypted.asc
gpg: enabled compatibility flags:
gpg: public key is 585B20744DCCC0E0
gpg: public key is D753682D6D9310D1
gpg: using subkey 585B20744DCCC0E0 instead of primary key BDE737DA37CD67EF
gpg: encrypted with rsa4096 key, ID 585B20744DCCC0E0, created 2023-11-05
      "Foo <foo@bar.com>"
gpg: using pgp trust model
gpg: using "C9FA40DC68794345B5DBBCAABDE737DA37CD67EF" as default secret key for signing
gpg: Note: signature key 5915CB43C5F4B670 expired 2022-01-19 09:41:03
gpg: Note: signature key 46FDA608C2373CB1 expired 2022-01-19 09:40:35
gpg: public key decryption failed: No secret key
gpg: decryption failed: No secret key

“No secret key” is clear, gpg does not get access to the secret key.

What does gpg-card show? Probably “Error reading card” I would guess.

But I have no experience with macOS and how to get to the core of it there. @cklassen, can you help?

Currently, I don’t have a system with macOS available to I cannot try to see how it looks like on it. @garaboncias maybe someone on the gnupg-users mailing list can help.

Thank you for your help. It turn out Yubico key does not hold secret key:
$gpg-card
[…]
Signature key …: A827177B8B122DE49ED78FF8F7DD8081747973DB
keyref …: OPENPGP.1 (sign,cert)
algorithm …: rsa4096
stored fpr .: C9FA40DC68794345B5DBBCAABDE737DA37CD67EF
created …: 2023-11-05 21:21:27
used for …: OpenPGP
main key .:
fpr …: C9FA40DC68794345B5DBBCAABDE737DA37CD67EF
created …: 2023-11-05 21:21:27
user id …: Foo Bar foo@bar.com>
Encryption key…: [none]
keyref …: OPENPGP.2
algorithm …: rsa4096
Authentication key: A6CEF1107A9BFD1D310C6BEF51C065DEABE3C30A
keyref …: OPENPGP.3 (sign,auth)
algorithm …: rsa4096
stored fpr .: 9177AE61DCE70B44A62CF53CAA5E3E943F67EA8B
created …: 2023-11-24 15:14:23
used for …: OpenPGP
main key .:
fpr …: 9177AE61DCE70B44A62CF53CAA5E3E943F67EA8B
created …: 2023-11-24 15:14:23
user id …: Foo Bar foo@bar.com>

It is strange, because I’m sure I transferred it to the key, that’s why it was removed from my local keychain. Fortunately I can restore it from an off-site backup.

Were you successful?

Yes. Thank you for your help.

What was confusing too, that GPG command line tools and “GPG Keychain” (from GPG utils) use different key database on MacOS.
.gnupg/public-keys.d and .gnupg/private-keys-v1.d vs. .gnupg/pubring.gpg and .gnupg/secring.gpg