Hello,
I recently have been trying to get my OnlyKey DUO set up to use my secret keys for signing and decrypting with the OnlyKey. However, I am running into some issues, as the onlykey-gpg tool seems to have changed significantly and the documentation does not reflect this as far as I can tell.
I have a GPG identity that I have generated separately, consisting of the main ECC key for certification only and 2 subkeys, 1 for signing and 1 for encryption (stored in ECC1 and ECC2 respectively). The secret subkeys are stored on the OnlyKey, and the public keys have been exported so I can then import them on another machine.
I would like to use my GPG secret keys stored on my OnlyKey DUO. For using a stored key, the documentation here, when talking about using stored GPG keys, shows the following:
Then to use the stored keys the -sk (signing key) and -dk (decryption key) flags are used like this:
$ onlykey-gpg init "Bob Smith <bob@protonmail.com>" -sk ECC5 -dk ECC4 -i publickey.bob@protonmail.com.asc
However, the options seem to have changed since the documentation was written. Running onlykey-gpg init -h shows this:
onlykey-gpg init -h
usage: onlykey-gpg init [-h] [-e ECDSA_CURVE] [-t TIME] [-v] [-s] [--homedir HOMEDIR]
                        [--pin-entry-binary PIN_ENTRY_BINARY]
                        [--passphrase-entry-binary PASSPHRASE_ENTRY_BINARY]
                        [--cache-expiry-seconds CACHE_EXPIRY_SECONDS]
                        user_id

positional arguments:
  user_id

options:
  -h, --help            show this help message and exit
  -e, --ecdsa-curve ECDSA_CURVE
  -t, --time TIME
  -v, --verbose
  -s, --subkey
  --homedir HOMEDIR     Customize GnuPG home directory for the new identity.
  --pin-entry-binary PIN_ENTRY_BINARY
                        Path to PIN entry UI helper.
  --passphrase-entry-binary PASSPHRASE_ENTRY_BINARY
                        Path to passphrase entry UI helper.
  --cache-expiry-seconds CACHE_EXPIRY_SECONDS
                        Expire passphrase from cache after this duration.
So, how do I:
- Tell onlykey-agent I don’t want to create a new GPG identity for my OnlyKey to use (as I already have one)?
- Point onlykey-agent to my pre-existing GPG identity in a keyring that already exists, and tell it that the secret keys are on the OnlyKey and not stored locally?
Pointers and assistance would be much appreciated. Thanks.