Cannot add new identities with offline secret key

[wsargent]

Say that you have a GPG key generated as per the instructions. If you want to add any additional email addresses (i.e. you want both will.sargent@gmail.com and will.sargent@lightbend.com, to make Github email verification of the GPG keys easier) then you MUST specify adduid when you have the secret key material available -- i.e. before you move everything to the card and use it.

It would be good to add a "add additional identities" before the "Using GPG keys" section.

[Astorsoft]

It could also be interesting to add information about the impact of adding identities after the fact. As it was not part of the tutorial I forgot to do it in the first place, then realised I forgot to add my other emails once everything was done. I restored my master key, edited it, added the emails, saved, then sent the public key again to key servers. I just hope this is enough and I don't have to re-create subkeys and/or re-import them into the yubikey. I could not find any clear information on the latter.

[plajjan]

I'm not GPG expert but I don't think you need to update the keys on the yubikey. You are absolutely right in that you have to bring out your secret keys again to perform the adduid but from there all I think you need to do is export a new public key that contains the new uid, then move that to wherever you want and import it. At least that's what I just tested and it seems to work. I did NOT perform a new keytocard, yet my yubikey is able to decrypt the content. There's only one decrypt / encrypt subkey after all and it doesn't change, only the association between that key and UIDs change. Since that association lies with GPG on the computer and not on the yubikey (AFAIK) then we shouldn't need to update the yubikey.

Would be great if someone else could verify the theory behind this or if by not updating the yubikey we are missing out on something and also good if someone can just practically verify this by repeating.

[plajjan]

@drduh while it's good that you now point out that adduid should be run while the secret keys are available, perhaps it is also worth pointing out what steps need to be taken if someone wants to run adduid at a later point in time as per @Astorsoft comment.

[MTRNord]

@drduh while it's good that you now point out that adduid should be run while the secret keys are available, perhaps it is also worth pointing out what steps need to be taken if someone wants to run adduid at a later point in time as per @Astorsoft comment.

Is there any info on how to add them later on? I am stuck at that as I now have another email to add but gpg for the above reasons doesnt let me. And I dont want to break the existing key by trying something wrong :)