From 47cd08551856a4353a6732c165d1c493b3d9f2ad Mon Sep 17 00:00:00 2001 From: James O'Beirne Date: Thu, 25 Mar 2021 11:37:43 -0400 Subject: [PATCH] Add note about pass insert error and `trust-key` usage When using a previously provisioned YubiKey on a new computer, I was met with an "Unusable public key" error when trying to insert a new password, despite being able to decrypt pass entries. I tried setting the trust on the key via `gpg --edit-key`, but was then met with "Need secret key to do this." I found that the solution is apparently to use the `trust-key` directive in `~/.gnupg/gpg.conf`, which is not mentioned in the README at the moment. --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index 47f5c0b..1b6c125 100644 --- a/README.md +++ b/README.md @@ -2480,6 +2480,17 @@ Admin PIN: 12345678 - If you receive the error, `Please insert the card with serial number: *` see [using of multiple keys](#using-multiple-keys). - If you receive the error, `There is no assurance this key belongs to the named user` or `encryption failed: Unusable public key` use `gpg --edit-key` to set `trust` to `5 = I trust ultimately`. + - If, when you try the above `--edit-key` command, you get the error + `Need the secret key to do this.`, you can manually specify trust for the key in + `~/.gnupg/gpg.conf` by using the `trust-key [your key ID]` directive. + +- If, when using a previously provisioned YubiKey on a new computer with `pass`, you see the + following error on `pass insert`: + ``` + gpg: 0x0000000000000000: There is no assurance this key belongs to the named user + gpg: [stdin]: encryption failed: Unusable public key + ``` + you need to adjust the trust associated with the key. See the above bullet. - If you receive the error, `gpg: 0x0000000000000000: skipped: Unusable public key` or `encryption failed: Unusable public key` the sub-key may be expired and can no longer be used to encrypt nor sign messages. It can still be used to decrypt and authenticate, however.