keybase / client

Keybase Go Library, Client, Service, OS X, iOS, Android, Electron
BSD 3-Clause "New" or "Revised" License

GPG decrypt/sign does not play well with OpenPGP cards #3648

Open h3lix1 opened 8 years ago

h3lix1 commented 8 years ago

I have all my keys generated on Yubikey or GnuPG cards. I was able to import the public key using "keybase pgp select", but it seems like keybase really wants the private key for any real operations.

:~ $ keybase pgp sign asdfasdfasdfasdf
▶ ERROR Bad key found: no private key material or GPGKey

I can run the content through gpg itself though. It seems like keybase has control of its own pgp keystore, and doesn't really support cards.

johntdyer commented 6 years ago

I believe I am running into the same issue.

maxtaco commented 6 years ago

We do support cards. We can't claim to support the n^k different GPG configurations that are possible, for sizable n and k, so likely you hit some sort of problem. If you run a keybase log send after the failed operation we can try to take a look. Maybe try keybase pgp select --no-import as a first step

trinitronx commented 6 years ago

I am seeing this with Yubikey Nano 4 on Mac:

$ keybase version
Client:  1.0.36-20171122003217+f68b10ef8
Service: 1.0.36-20171122003217+f68b10ef8

$ gpg2 --card-status
# [...SNIP...]
Reader ...........: Yubico Yubikey 4 OTP U2F CCID
Version ..........: 2.1
# [...SNIP...]
$ gpg2 --version
gpg (GnuPG/MacGPG2) 2.2.0
libgcrypt 1.8.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/jcuzella/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

It appears that Keybase does not like signing with PGP keys it does not own within keychain. GPG standalone is happy to sign using the key.

I sent a log as you asked after running the test command:

$ keybase pgp sign -m 'foo' -c
▶ ERROR No secret key available

$ keybase log send
# [...SNIP...]
my log id: 21144e204948de34f28d211c

$ echo 'foo' | gpg2 --sign --default-key 0x2689A459B1568D09 --clearsign
gpg: using "0x2689A459B1568D09" as default secret key for signing
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

foo
-----BEGIN PGP SIGNATURE-----
[...SNIP...]
=yY7C
-----END PGP SIGNATURE-----
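A check that tells you up front whether the secret key GnuPG is using lives on a card rather than on disk, which is exactly the case the error above describes. This is an added example, not code from the thread or from Keybase. It parses the machine-readable `gpg --list-secret-keys --with-colons` listing, where field 15 of a `sec`/`ssb` record carries the smartcard serial number for a card-resident key, a `#` for a bare stub, and nothing for an on-disk secret key (the human-readable listing shows the same thing as `sec>` / `sec#`). The sample listing, key IDs and card serial in the block are constructed; `--live` is a flag of this script only.

```python
"""Tell card-resident GnuPG secret keys apart from on-disk ones.

Added example, not code from the issue thread or from Keybase. It parses the
output of `gpg --list-secret-keys --with-colons` (format documented in GnuPG's
doc/DETAILS): on a `sec` or `ssb` record, field 15 carries the serial number
of the smartcard holding the key, a `#` for a plain stub with no secret
material, or nothing when the secret key is stored on disk. A tool that
insists on raw private key material can only use the last kind; the other two
have to be delegated to gpg and the card.
"""
import subprocess
from dataclasses import dataclass

# Constructed sample listing: key IDs, dates and the card serial are made up.
SAMPLE_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC:::D2760001240102010006012345670000::::
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:u::::1500000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1500000000::::::s:::D2760001240102010006012345670000:
ssb:u:4096:1:1122334455667788:1500000000::::::e:::#:
sec:u:4096:1:8877665544332211:1500000000:::u:::scESC::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1500000000::1111111111111111111111111111111111111111::Disk Key <disk@example.invalid>::::::::::0:
"""


@dataclass
class SecretKey:
    record: str    # "sec" (primary key) or "ssb" (subkey)
    key_id: str    # field 5, the long key ID
    caps: str      # field 12, e.g. "scESC"; lowercase = this key's own ability
    location: str  # "card", "stub" or "disk"
    serial: str    # card serial number when location == "card", else ""


def parse_secret_keys(listing: str) -> list[SecretKey]:
    """Extract every sec/ssb record and classify where its secret part lives."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb") or len(fields) < 15:
            continue
        token = fields[14]  # field 15: card serial, "#" for a stub, or empty
        if token == "#":
            location, serial = "stub", ""
        elif token:
            location, serial = "card", token
        else:
            location, serial = "disk", ""
        keys.append(SecretKey(fields[0], fields[4], fields[11], location, serial))
    return keys


def signing_keys_off_disk(keys: list[SecretKey]) -> list[str]:
    """Key IDs that can sign but whose private material is not on disk.

    An application that loads private keys itself instead of calling gpg
    cannot sign with any of these, which is the failure the thread reports.
    """
    return [k.key_id for k in keys if "s" in k.caps and k.location != "disk"]


def gpg_listing(gpg: str = "gpg") -> str:
    """Fetch the real listing from the local GnuPG install (only used with --live)."""
    result = subprocess.run(
        [gpg, "--batch", "--list-secret-keys", "--with-colons"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


if __name__ == "__main__":
    import sys
    text = gpg_listing() if "--live" in sys.argv else SAMPLE_LISTING
    keys = parse_secret_keys(text)
    for k in keys:
        where = f"card {k.serial}" if k.location == "card" else k.location
        print(f"{k.record} {k.key_id} caps={k.caps:6} {where}")
    print("signing keys only gpg can use:", signing_keys_off_disk(keys))
```

Run it without arguments to see the constructed sample classified; run it with `--live` to inspect the real keyring. If the key you selected into Keybase shows up as `card` or `stub`, the "no private key material" error is expected from anything that does not hand the operation to gpg.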

johntdyer commented 6 years ago

same as above w/ Yubikey 4c on OSX

$ keybase version
Client:  1.0.36-20171122003217+f68b10ef8
Service: 1.0.36-20171122003217+f68b10ef8
$ gpg2 --card-status
[REDACTED]
Reader ...........: Yubico Yubikey 4 OTP U2F CCID
Version ..........: 2.1
Manufacturer .....: Yubico
[REDACTED]
$ gpg2 --version
gpg (GnuPG/MacGPG2) 2.2.0
libgcrypt 1.8.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/johndye/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

However, when I try to encrypt using keybase I get ERROR Bad key found: no private key material or GPGKey

$ keybase log send
This command will send recent keybase log entries to keybase.io
for debugging purposes only.

These logs don’t include your private keys or encrypted data,
but they will include filenames and other metadata keybase normally
can’t read, for debugging purposes.

Continue sending logs to keybase.io? (type 'YES' to confirm): YES
Enter feedback (or ENTER to send): https://github.com/keybase/client/issues/3648#issuecomment-347625869
Enter feedback (or ENTER to send):

------------
Success! Your log ID is:

  34eba9131bc9e3536c51971c

Here's a URL to submit new bug reports containing this ID:

  https://github.com/keybase/client/issues/new?body=[write%20something%20useful%20and%20descriptive%20here]%0A%0Amy%20log%20id:%2034eba9131bc9e3536c51971c

Thanks!
------------

As you can see, gpg by itself works fine:

$ echo 'foo' | gpg2 --sign --default-key 0x4BF22384539F5ECB --clearsign
gpg: using "0x4BF22384539F5ECB" as default secret key for signing
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

foo
-----BEGIN PGP SIGNATURE-----
[...SNIP...]
=CqQj
-----END PGP SIGNATURE-----

nethershaw commented 4 years ago

We do support cards.

This is confusing. I cannot find any example of it. There is no mention of smartcards throughout the Keybase documentation.

Has there been any movement from Keybase in the last ... four years toward natively supporting these devices for signing and encryption? The advantage of having private key material stored on a secure element supersedes any advantages of using Keybase, so being unable to combine the two makes Keybase unsuitable for any purpose that requires those keys and prevents any serious use of the application.

Also, including this issue, there are at least six open issues in this project and the keybase-issues project containing people asking the same question since 2016. To avoid this persistent confusion, a statement somewhere obvious indicating Keybase's plans to support smartcards (I really don't think you have the option of not deciding on one anymore considering their rapid proliferation) and the current state of affairs would be appropriate.