So, I created the subkeys for the OpenPGP card, and it works.
Now I'd like to upload some Debian packages, but the uploads fail because my new subkeys aren't yet known to the Debian keyring. I tried to push my subkeys to keyring.debian.org, but uploads afterwards were still rejected. Maybe it takes some time for propagation, maybe there's some other procedure to follow, I don't know. I didn't manage to figure out what the procedure is for getting a new subkey into the Debian keyring. I wish to replace this paragraph with proper details if I ever find out.
Now, failing to use the subkeys, I had to convince gpg to use my good old main key. The quick and dirty way was to make a backup of the keyring, delete the subkeys, sign and upload.
Seconds after hours of searching terminated in the above crude hack, as it normally happens, someone (Holger in this case) suggested the correct way to do it: use --default-key and append an exclamation mark at the end of the key ID.
This was in the gpg manpage, but nowhere near the documentation of --default-key:
Note that you can append an exclamation mark (!) to key IDs or fingerprints.
This flag tells GnuPG to use the specified primary or secondary key and not
to try and calculate which primary or secondary key to use.
So, now I'm happy:
$ gpg --sign --default-key '797ebfab!'
You need a passphrase to unlock the secret key for
user: [...]
$ gpg --sign
gpg: signatures created so far: xx
Please enter the PIN
[sigs done: xx]
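To check which key a signature was really made with, the following added example (not part of the original post) builds a throwaway keyring with a primary key and a signing subkey, signs with and without the exclamation mark, and reads the signer's fingerprint from gpg's VALIDSIG status line. It assumes GnuPG 2.1.13 or later; the identity, the key type and the passphrase-less keys are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Works in a throwaway GNUPGHOME; ~/.gnupg is never touched.
# Identity, key type and empty passphrase are constructed for the demo.

list_fprs() {
    gpg --batch --with-colons --list-keys 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10 }'
}

setup_keyring() {
    GNUPGHOME=$(mktemp -d) && export GNUPGHOME
    # Primary key that can certify and sign.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo <demo@example.org>' rsa2048 cert,sign never
    PRIMARY=$(list_fprs | sed -n 1p)
    # Signing subkey, standing in for the one on the OpenPGP card.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$PRIMARY" rsa2048 sign never
    SUBKEY=$(list_fprs | sed -n 2p)
}

# Print the fingerprint of the key that made the signature when gpg is
# given $1 as --default-key (empty string: let gpg choose on its own).
signer_for() {
    if [ -n "$1" ]; then set -- --default-key "$1"; else set --; fi
    echo test | gpg --batch --quiet "$@" --sign |
        gpg --batch --status-fd 1 --verify 2>/dev/null |
        awk '$2 == "VALIDSIG" { print $3 }'
}

cleanup_keyring() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

demo() {
    setup_keyring
    echo "primary:               $PRIMARY"
    echo "subkey:                $SUBKEY"
    echo "no --default-key:      $(signer_for '')"
    echo "--default-key PRIMARY: $(signer_for "$PRIMARY")"
    echo "--default-key PRIMARY!: $(signer_for "${PRIMARY}!")"
    cleanup_keyring
}
```

Call `demo` after sourcing the file: only the last line reports the primary key's fingerprint, the other two report the subkey.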