9
0
Fork
You've already forked locksmith
0

caution secret new rejects default macOS GPG keys — missing authentication subkey not documented #4

Open
opened 2026年06月10日 16:47:06 +02:00 by vkobel · 1 comment

gpg --full-generate-key on macOS produces a certificate with a certify primary key and an encryption subkey only. caution secret new rejects this with:

Error: keyring contains no Keymaker-eligible public certificates (each certificate needs authentication and storage-encryption keys)

The check in generate_quorum.rs requires each cert to have both for_authentication() and for_storage_encryption(). Default macOS GPG keys have for_storage_encryption() but no authentication subkey:

 pub ed25519 [SC]
 sub cv25519 [E] ← present
 ← authentication subkey missing

Adding one requires expert mode — not mentioned anywhere in the docs:

gpg --expert --edit-key alice@example.com
# addkey → (11) ECC (set your own capabilities) → toggle Sign OFF, Auth ON → Curve 25519 → save

After adding it:

pub ed25519 [SC]
sub cv25519 [E]
sub ed25519 [A] ← now eligible

We should either document this requirement on the key services page, or make the error message actionable with the fix inline.

`gpg --full-generate-key` on macOS produces a certificate with a certify primary key and an encryption subkey only. `caution secret new` rejects this with: ``` Error: keyring contains no Keymaker-eligible public certificates (each certificate needs authentication and storage-encryption keys) ``` The check in generate_quorum.rs requires each cert to have both for_authentication() and for_storage_encryption(). Default macOS GPG keys have for_storage_encryption() but no authentication subkey: ``` pub ed25519 [SC] sub cv25519 [E] ← present ← authentication subkey missing ``` Adding one requires expert mode — not mentioned anywhere in the docs: ```bash gpg --expert --edit-key alice@example.com # addkey → (11) ECC (set your own capabilities) → toggle Sign OFF, Auth ON → Curve 25519 → save ``` After adding it: ``` pub ed25519 [SC] sub cv25519 [E] sub ed25519 [A] ← now eligible ``` We should either document this requirement on the key services page, or make the error message actionable with the fix inline.
Author
Owner
Copy link

likely will be fixed by caution/platform#280

likely will be fixed by https://codeberg.org/caution/platform/pulls/280
Sign in to join this conversation.
No Branch/Tag specified
main
feat/hosted-keymaker
deploy/hosted
deploy-tests
fix/preferred-hash-fallback
anton/fix-error-handling
No results found.
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
caution/locksmith#4
Reference in a new issue
caution/locksmith
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?