I am trying to sign another key with my key and gpg is complaining that it’s not self-signed, but when I do --list-sigs the self-signatures show up. What’s going on?
$ gpg --sign-key PUBLIC_KEY_HEX_2
sec ed25519/SHORT_PUBLIC_KEY_HEX_2
created: 1970-01-01 expires: never usage: SC
trust: unknown validity: unknown
ssb cv25519/DONT_KNOW_HEX_2
created: 1970-01-01 expires: never usage: E
[ unknown] (1). Me (key2) <me@example.com>
gpg: using "Me (key1) <me@example.com>" as default secret key for signing
User ID "Me (key2) <me@example.com>" is not self-signed. Unable to sign.
Nothing to sign with key SHORT_PUBLIC_KEY_HEX_1
Key not changed so no update needed.
$ gpg --list-sigs PUBLIC_KEY_HEX_2
pub ed25519 1970-01-01 [SC]
PUBLIC_KEY_HEX_2
uid [ unknown] Me (key2) <me@example.com>
sig 3 SHORT_PUBLIC_KEY_HEX_2 1970-01-01 [self-signature]
sub cv25519 1970-01-01 [E]
sig SHORT_PUBLIC_KEY_HEX_2 1970-01-01 [self-signature]
As far as I can tell this is telling me that a key that clearly is self-signed isn’t self-signed. I’ve tried googling a bit and everything talks about how to self-sign or similar, but I don’t see anything where --list-sigs says it’s self-signed and some other component says it isn’t.
Possibly relevant details:
key1 is a key that was created in this environment
key2 is a key that was created in a different GNUPGHOME directory, exported from there and is getting imported here
I’m using GNUPGHOME=~/.gnupg/onlykey/
I’m using a hardware encryption device (onlykey), I don’t actually have the secret key, just the public key (never had trouble with this before, but just thought I’d mention it)
P.S. The reason I’m trying to do this is because I have one off-line key and two hardware keys. I want to have all the keys signed by each other so that as I import them they’ll just be automatically trusted on any computer I’m pulling them into that already has one of the keys trusted.
I tried my other key, which is just a standard file-based gpg key, and it worked. I’m starting to think you’re right that it’s related to the time number being 0. Is this not a bug in gpg (not handling epoch properly)? I’ll also check to see if there’s any way to get a proper date from onlykey-gpg, but I’m guessing there might not be.
Ok, seems that it’s a feature to make it possible to recreate the gpg identity without having to remember anything and just needing the key: OnlyKey SSH/GPG agent | Docs
Would be nice to use that feature if I could and still sign keys.
Is this not a bug in gpg (not handling epoch properly)?
No, this is not a bug but a side effect of using unix time. By convention 0 (which is displayed in a unix time context as 1970-01-01 00:00:00) is used for “no date”. So the self-signature has no date, and as a signature has to have a date, it does not exist from gpg’s point of view.
So you should use the -t option of onlykey-gpg (as described in the link you gave) if you want to sign that key with gpg.
Though it might be that adding --expert to your gpg --sign-key command would make it work despite the “missing” date of the self-signature. Try it out.
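A quick way to confirm the diagnosis above before importing such a key is to look at the raw packets rather than at --list-sigs, which renders the timestamp as 1970-01-01 and hides the fact that it is literally 0. The script below is an added example, not code from the thread or from GnuPG or OnlyKey: it parses the text that `gpg --list-packets < key.asc` prints and flags signature packets whose `created` field is 0. The sample output embedded in it is constructed to resemble that format (no real key material); `gpg --list-packets` does print `created <unix seconds>` and `sigclass 0x..` on the signature packet lines, and the `--list-sigs` column `sig 3` corresponds to signature class 0x13.

```python
"""Flag OpenPGP signature packets created at unix time 0.

Added example for the thread above; not part of GnuPG or onlykey-gpg.
Input is the text printed by `gpg --list-packets`, pasted or piped in.
"""
import re
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample of `gpg --list-packets` output (not real key material):
# the user-ID self-signature has created 0, the subkey binding has a real date.
SAMPLE_PACKETS = """\
# off=0 ctb=98 tag=6 hlen=2 plen=51
:public key packet:
    version 4, algo 22, created 0, expires 0
    keyid: 0123456789ABCDEF
# off=53 ctb=b4 tag=13 hlen=2 plen=24
:user ID packet: "Me (key2) <me@example.com>"
# off=79 ctb=88 tag=2 hlen=2 plen=144
:signature packet: algo 22, keyid 0123456789ABCDEF
    version 4, created 0, md5len 0, sigclass 0x13
    digest algo 8, begin of digest ab cd
    hashed subpkt 2 len 4 (sig created 1970-01-01)
    subpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
# off=225 ctb=b8 tag=14 hlen=2 plen=56
:public sub key packet:
    version 4, algo 18, created 1609459200, expires 0
    keyid: FEDCBA9876543210
# off=283 ctb=88 tag=2 hlen=2 plen=144
:signature packet: algo 22, keyid 0123456789ABCDEF
    version 4, created 1609459200, md5len 0, sigclass 0x18
    digest algo 8, begin of digest 12 34
    hashed subpkt 2 len 4 (sig created 2021-01-01)
    subpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
"""

_SIG_HDR = re.compile(r"^:signature packet: algo \d+, keyid ([0-9A-Fa-f]+)")
_CREATED = re.compile(r"version \d+, created (\d+)")
_SIGCLASS = re.compile(r"\bsigclass 0x([0-9A-Fa-f]+)")


@dataclass
class SigPacket:
    keyid: str      # issuer key ID as printed on the packet header line
    created: int    # raw unix timestamp; 0 means "no date"
    sigclass: int   # OpenPGP signature type, e.g. 0x13 = positive UID certification

    @property
    def created_display(self) -> str:
        # This is what --list-sigs shows: 0 renders as 1970-01-01.
        return datetime.fromtimestamp(self.created, tz=timezone.utc).strftime("%Y-%m-%d")

    @property
    def is_certification(self) -> bool:
        # 0x10..0x13 certify a user ID; when the issuer is the key itself
        # that is the self-signature gpg needs before it will sign the key.
        return 0x10 <= self.sigclass <= 0x13


def parse_signature_packets(text: str) -> List[SigPacket]:
    """Walk --list-packets output and return every signature packet found."""
    sigs: List[SigPacket] = []
    current: Optional[Dict[str, object]] = None

    def flush() -> None:
        if current and current["created"] is not None and current["sigclass"] is not None:
            sigs.append(SigPacket(str(current["keyid"]), int(current["created"]),
                                  int(current["sigclass"])))

    for line in text.splitlines():
        if line.startswith(":"):            # every packet starts with a ':type:' line
            flush()
            m = _SIG_HDR.match(line)
            current = {"keyid": m.group(1), "created": None, "sigclass": None} if m else None
        elif current is not None:            # detail lines of the signature packet
            m = _CREATED.search(line)
            if m:
                current["created"] = int(m.group(1))
            m = _SIGCLASS.search(line)
            if m:
                current["sigclass"] = int(m.group(1), 16)
    flush()
    return sigs


def epoch_signatures(text: str) -> List[SigPacket]:
    """Signatures gpg will treat as nonexistent because their date is 0."""
    return [s for s in parse_signature_packets(text) if s.created == 0]


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PACKETS
    for s in epoch_signatures(data):
        kind = "certification/self-signature" if s.is_certification else "other"
        print(f"keyid {s.keyid}: sigclass 0x{s.sigclass:02x} ({kind}) created={s.created} "
              f"(shown by --list-sigs as {s.created_display})")
```

Run it as `gpg --list-packets < key2.asc | python3 check_epoch_sigs.py`; with no input on stdin it checks the constructed sample instead. A hit on a certification-class packet issued by the key's own ID is exactly the situation in the thread: the self-signature is present in the packet stream, which is why --list-sigs lists it, but its date is 0, which is why --sign-key refuses it.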