gpg --full-generate-key on macOS produces a certificate with a certify primary key and an encryption subkey only. caution secret new rejects this with:
Error: keyring contains no Keymaker-eligible public certificates (each certificate needs authentication and storage-encryption keys)
The check in generate_quorum.rs requires each cert to have both for_authentication() and for_storage_encryption(). Default macOS GPG keys have for_storage_encryption() but no authentication subkey:
pub ed25519 [SC]
sub cv25519 [E] ← present
← authentication subkey missing
Adding one requires expert mode — not mentioned anywhere in the docs:
gpg --expert --edit-key alice@example.com
# addkey → (11) ECC (set your own capabilities) → toggle Sign OFF, Auth ON → Curve 25519 → save
After adding it:
pub ed25519 [SC]
sub cv25519 [E]
sub ed25519 [A] ← now eligible
We should either document this requirement on the key services page, or make the error message actionable with the fix inline.
`gpg --full-generate-key` on macOS produces a certificate with a certify primary key and an encryption subkey only. `caution secret new` rejects this with:
```
Error: keyring contains no Keymaker-eligible public certificates (each certificate needs authentication and storage-encryption keys)
```
The check in generate_quorum.rs requires each cert to have both for_authentication() and for_storage_encryption(). Default macOS GPG keys have for_storage_encryption() but no authentication subkey:
```
pub ed25519 [SC]
sub cv25519 [E] ← present
← authentication subkey missing
```
Adding one requires expert mode — not mentioned anywhere in the docs:
```bash
gpg --expert --edit-key alice@example.com
# addkey → (11) ECC (set your own capabilities) → toggle Sign OFF, Auth ON → Curve 25519 → save
```
After adding it:
```
pub ed25519 [SC]
sub cv25519 [E]
sub ed25519 [A] ← now eligible
```
We should either document this requirement on the key services page, or make the error message actionable with the fix inline.