GnuPG2.1 is using the wrong signing subkey

Tags:

gnupg

So I am having an issue signing documents with gpg2.1. Every time I try and sign something, I get:

λ dixonwille [~] → gpg2 --detach-sign Images/EinsteinWP.jpg 
gpg: using "0xEC933DA229123788" as default secret key for signing
gpg: signing failed: No secret key
gpg: signing failed: No secret key

As the above message specifies I do have a default key set in my config. Here is what my private listing shows:

λ dixonwille [~] → gpg2 -K --with-keygrip
/home/dixonwille/.gnupg/pubring.kbx
-----------------------------------
sec#  rsa4096/0x496AC5165C585343 2017-01-14 [SC]
      Key fingerprint = 2092 7961 2A0C EF20 83D0  8244 496A C516 5C58 5343
      Keygrip = 308FF7DD37FB9E175378D76125FCB2BC4C5C225C
uid                   [ultimate] William E. Dixon <[email protected]>
uid                   [ultimate] William E. Dixon <[email protected]>
uid                   [ultimate] William E. Dixon <[email protected]>
uid                   [ultimate] [jpeg image of size 5910]
ssb   rsa4096/0xD3522B485A800AFD 2017-01-14 [E] [expires: 2018-01-14]
      Keygrip = 178AB20F816E5FAA31440968AD6EA06B0340FB90
ssb   rsa4096/0xEC933DA229123788 2017-01-14 [S] [expires: 2018-01-14]
      Keygrip = 89A90662E5908D5F271B87A5DC6D26F01B53C9EC
ssb   rsa4096/0xBAA693EC561AD6D9 2017-01-14 [A] [expires: 2018-01-14]
      Keygrip = 9D48688AF67C407BB91900BA07725CCE7E08B546
ssb   rsa4096/0x7A3D17611B1FFDD2 2017-01-14 [S] [expires: 2018-01-14]
      Keygrip = 50EE902E41E323600B02769FA2A96FE8C51D5A35
ssb   rsa4096/0xB64824658CE421C8 2017-01-14 [A] [expires: 2018-01-14]
      Keygrip = D3BD87D77B844A5AE54CEC0466353030A816441B
ssb   rsa4096/0x7642000294227858 2017-01-16 [S] [expires: 2018-01-14]
      Keygrip = B10269A98E3D357F3B32C155367B1CEDCAE998E8
ssb   rsa4096/0x32C4DD59E753B43B 2017-01-16 [A] [expires: 2018-01-14]
      Keygrip = 40E86DAAEDEE6BA714F26B09FBA38C35C4E4F264

Now, not all of these keys have a private counterpart. Only three of them do (0xD3522B485A800AFD, 0xEC933DA229123788, 0xBAA693EC561AD6D9). To make sure, I ran gpg-connect-agent and then ran keyinfo --list.

λ dixonwille [~] → gpg-connect-agent 
> keyinfo --list
S KEYINFO 178AB20F816E5FAA31440968AD6EA06B0340FB90 D - - - P - - -
S KEYINFO 89A90662E5908D5F271B87A5DC6D26F01B53C9EC D - - - P - - -
S KEYINFO 9D48688AF67C407BB91900BA07725CCE7E08B546 D - - - P - - -
OK
> 

So as you can see, my secrets are stored in the gpg-agent. Running echo foo | gpg --clearsign -v --debug ipc for debug information showed these interesting lines:

gpg: DBG: chan_5 -> HAVEKEY 308FF7DD37FB9E175378D76125FCB2BC4C5C225C
gpg: DBG: chan_5 <- ERR 67108881 No secret key <GPG Agent>
gpg: DBG: chan_5 -> HAVEKEY 89A90662E5908D5F271B87A5DC6D26F01B53C9EC
gpg: DBG: chan_5 <- OK
gpg: using "0xEC933DA229123788" as default secret key for signing
gpg: DBG: chan_5 -> HAVEKEY 308FF7DD37FB9E175378D76125FCB2BC4C5C225C 178AB20F816E5FAA31440968AD6EA06B0340FB90 89A90662E5908D5F271B87A5DC6D26F01B53C9EC 9D48688AF67C407BB91900BA07725CCE7E08B546 50EE902E41E323600B02769FA2A96FE8C51D5A35 D3BD87D77B844A5AE54CEC0466353030A816441B B10269A98E3D357F3B32C155367B1CEDCAE998E8 40E86DAAEDEE6BA714F26B09FBA38C35C4E4F264
gpg: DBG: chan_5 <- OK
gpg: using subkey 0x7642000294227858 instead of primary key 0x496AC5165C585343
gpg: writing to stdout
gpg: DBG: chan_5 -> KEYINFO B10269A98E3D357F3B32C155367B1CEDCAE998E8
gpg: DBG: chan_5 <- ERR 67108891 Not found <GPG Agent>

Which confuses me. It first checks my primary master key for a secret; it can't find it, so that fails. Then it checks the keygrip for my default key and states using "0xEC933DA229123788" as default secret key for signing. That sounds good, please do. But then it sends another HAVEKEY for what looks like all my keygrips. This returns true, as one of them does have a secret. So it then states using subkey 0x7642000294227858 instead of primary key 0x496AC5165C585343, which is the latest signing key I did make.

How can I force GnuPG2.1 to use the key I specified in default-key? It seems like it gets overwritten with whatever GnuPG2.1 feels like.

To debunk the pinentry answer that I know someone might mention if I don't mention it now: if I run ssh [email protected], I get a pop-up dialog to input my key password (I use the Authentication key for my ssh keys and store them in gpg-agent as well). So I know my gpg-agent.conf is set correctly and gpg.conf is set correctly.

Clemsonopoly94 asked Oct 29 '22 12:10
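The cross-check the question does by hand (which signing-capable keys have a keygrip that gpg-agent actually holds), as an added Python example that is not part of the original post. The LISTING and KEYINFO samples are constructed from the question's own output, and parsing the human-readable listing is an assumption made for illustration (scripts would normally use --with-colons).

```python
import re
from collections import namedtuple

# Constructed sample: a subset of the `gpg -K --with-keygrip` output from the question.
LISTING = """\
sec#  rsa4096/0x496AC5165C585343 2017-01-14 [SC]
      Keygrip = 308FF7DD37FB9E175378D76125FCB2BC4C5C225C
ssb   rsa4096/0xD3522B485A800AFD 2017-01-14 [E] [expires: 2018-01-14]
      Keygrip = 178AB20F816E5FAA31440968AD6EA06B0340FB90
ssb   rsa4096/0xEC933DA229123788 2017-01-14 [S] [expires: 2018-01-14]
      Keygrip = 89A90662E5908D5F271B87A5DC6D26F01B53C9EC
ssb   rsa4096/0x7642000294227858 2017-01-16 [S] [expires: 2018-01-14]
      Keygrip = B10269A98E3D357F3B32C155367B1CEDCAE998E8
"""
# Constructed sample: what gpg-agent returned for `keyinfo --list` in the question.
KEYINFO = """\
S KEYINFO 178AB20F816E5FAA31440968AD6EA06B0340FB90 D - - - P - - -
S KEYINFO 89A90662E5908D5F271B87A5DC6D26F01B53C9EC D - - - P - - -
OK
"""
# Human-readable listing format (assumed stable here; real tooling should parse --with-colons).
KEY_RE = re.compile(r"^(sec|ssb)(#?)\s+\S+/(0x[0-9A-F]{16})\s+\S+\s+\[([A-Z]+)\]")
GRIP_RE = re.compile(r"^\s+Keygrip = ([0-9A-F]{40})$")
# kind: sec (primary) / ssb (subkey); usage: S sign, E encrypt, C certify, A auth;
# keygrip: the id gpg-agent uses in HAVEKEY/KEYINFO; stub: '#' = secret part not on this machine.
Key = namedtuple("Key", "kind keyid usage keygrip stub")

def parse_listing(text):
    keys, pending = [], None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            pending = (m.group(1), m.group(3), m.group(4), m.group(2) == "#")
        elif (g := GRIP_RE.match(line)) and pending:
            keys.append(Key(*pending[:3], g.group(1), pending[3]))
            pending = None
    return keys

def agent_keygrips(text):
    """Keygrips gpg-agent reported via `keyinfo --list` (secret material present)."""
    return {l.split()[2] for l in text.splitlines() if l.startswith("S KEYINFO")}

def usable_signing_keys(listing, keyinfo):
    """Key IDs that are signing-capable AND whose secret the agent actually holds."""
    grips = agent_keygrips(keyinfo)
    return [k.keyid for k in parse_listing(listing)
            if "S" in k.usage and not k.stub and k.keygrip in grips]

def check_default_key(default_key, listing, keyinfo):
    return default_key.rstrip("!") in usable_signing_keys(listing, keyinfo)
```

On the question's data this reports only 0xEC933DA229123788 as usable: 0x7642000294227858 is [S]-capable but its keygrip is absent from the agent, which matches the "Not found" in the debug trace.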


1 Answer

Use the following in '.gnupg/gpg.conf':

default-key 0xEC933DA229123788!

Note the '!' at the end. From the gpg man page:

"When using gpg an exclamation mark (!) may be appended to force using the specified primary or secondary key and not to try and calculate which primary or secondary key to use."

And1bm answered Jan 02 '23 20:01