
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

1 votes
1 answers
50 views
why won't pass allow entries to be added or edited?
I have been using pass (cli pw manager) for a couple of years now, and I just started using yubikeys. I have (2) YKs which I configured as duplicates of each other, transferring the same gpg subkeys (S, E, and A) to each one. I added the YK gpg-key id to my ~/.password-store/.gpg-id file, and re-initialized the store to re-encrypt the entries using the new key. I can now use pass with either of my YKs to open a password-store entry using pass, however, when I try either to edit an existing entry or to add a new one, I am met with:
~~~lang-text
$ pass add test
Enter password for test: 
Retype password for test: 
gpg: B7C0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1BB7: skipped: No public key
gpg: [stdin]: encryption failed: No public key
Password encryption aborted.
~~~
A check on the key returns:
~~~lang-text
$ gpg -K YUBI
sec#  rsa4096/289xxxxxxxxxx8B5 2024-11-01 [SC] [expires: 2034-10-30]
      Key fingerprint = 8C6B xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx 58B5
      Keygrip = E7608xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx37AFD
uid                 [ultimate] Fname Lname (YUBIKEY) 
ssb>  rsa4096/130xxxxxxxxxxA7D 2024-11-01 [S] [expires: 2034-10-30]
      Keygrip = 18DD9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1599B
ssb>  rsa4096/A39xxxxxxxxxxEBD 2024-11-01 [E] [expires: 2034-10-30]
      Keygrip = 5BD06xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8B9FD
ssb>  rsa4096/779xxxxxxxxxxBAA 2024-11-01 [A] [expires: 2034-10-30]
      Keygrip = 0A10BxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxAFA2F
~~~
and
~~~lang-text
$ gpg -k YUBI
pub   rsa4096/289xxxxxxxxxx8B5 2024-11-01 [SC] [expires: 2034-10-30]
      Key fingerprint = 8C6B xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx 58B5
      Keygrip = E7608xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx37AFD
uid                 [ultimate] Fname Lname (YUBIKEY) 
ssb>  rsa4096/130xxxxxxxxxxA7D 2024-11-01 [S] [expires: 2034-10-30]
      Keygrip = 18DD9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1599B
ssb>  rsa4096/A39xxxxxxxxxxEBD 2024-11-01 [E] [expires: 2034-10-30]
      Keygrip = 5BD06xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8B9FD
ssb>  rsa4096/779xxxxxxxxxxBAA 2024-11-01 [A] [expires: 2034-10-30]
      Keygrip = 0A10BxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxAFA2F
~~~
Trying to re-import the **pub** made no changes, as expected. Encrypting a file like: `$ gpg -r YUBIKEY -e file` then decrypting it with: `$ gpg -d file.gpg` works as expected. I am prompted for the passphrase and file contents are listed afterward. Now I am confused and unsure what the issue is. If anyone has any suggestions or advice I would sure appreciate it. Thanks.
naphelge (43 rep)
Nov 1, 2024, 11:40 PM • Last activity: Nov 2, 2024, 03:33 PM
0 votes
1 answers
1477 views
GPG is missing secret key that is expected to be on an OpenPGP card (YubiKey 5)
Hoping the answer https://unix.stackexchange.com/a/613772/320598 will help, I found out that it did not. (After asking this question, I found a very similar question at https://stackoverflow.com/q/67001320/6607497.)

I have basically the same problem that the answer should fix, but it does not: I created GPG keys locally, transferred them to the card, then deleted the local keys from the keyring and re-imported the public key (from an export made before). I thought everything is fine (following OpenPGP Keys on a YubiKey, I thought), until I tried to sign a key:

> gpg: signing failed: No secret key

So I tried the `--card-status` thing before:

~~~lang-text
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240103040006234727620000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 234XXXXX
Name of cardholder: UXXXXX WXXXX
Language prefs ...: de
Salutation .......: Mr.
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 4
KDF setting ......: off
Signature key ....: AC...
      created ....: 2023-01-26 21:05:14
Encryption key....: 6E...
      created ....: 2023-01-26 21:07:30
Authentication key: 61...
      created ....: 2023-01-26 21:11:18
General key info..: sub  rsa4096/B5XXXXXXXXXXXXXX 2023-01-26 UXXXXX WXXXX (XXX)
sec#  rsa4096/A5XXXXXXXXXXXXXX  created: 2023-01-26  expires: 2025-01-25
ssb>  rsa4096/B5XXXXXXXXXXXXXX  created: 2023-01-26  expires: 2025-01-25
                                card-no: 0006 234XXXXX
ssb>  rsa4096/A1XXXXXXXXXXXXXX  created: 2023-01-26  expires: 2025-01-25
                                card-no: 0006 234XXXXX
ssb>  rsa4096/11XXXXXXXXXXXXXX  created: 2023-01-26  expires: 2025-01-25
                                card-no: 0006 234XXXXX
~~~

When I use `--edit-key` to check my key, I get (some details redacted with X):

~~~lang-text
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret subkeys are available.

pub  rsa4096/A5XXXXXXXXXXXXXX
     created: 2023-01-26  expires: 2025-01-25  usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/B5XXXXXXXXXXXXXX
     created: 2023-01-26  expires: 2025-01-25  usage: S
     card-no: 0006 234XXXXX
ssb  rsa4096/A1XXXXXXXXXXXXXX
     created: 2023-01-26  expires: 2025-01-25  usage: E
     card-no: 0006 234XXXXX
ssb  rsa4096/11XXXXXXXXXXXXXX
     created: 2023-01-26  expires: 2025-01-25  usage: A
     card-no: 0006 234XXXXX
[ultimate] (1). UXXXXX WXXXX (XXX)
~~~

So I thought this looks good. However when trying to sign a key I get this:

~~~lang-text
sec  rsa3072/1CXXXXXXXXXXXXXX
     created: 2023-01-28  expires: 2025-01-27  usage: C
     trust: ultimate      validity: ultimate
ssb  rsa3072/C1XXXXXXXXXXXXXX
     created: 2023-01-28  expires: 2025-01-27  usage: S
ssb  rsa3072/99XXXXXXXXXXXXXX
     created: 2023-01-28  expires: 2025-01-27  usage: E
ssb  rsa3072/DEXXXXXXXXXXXXXX
     created: 2023-01-28  expires: 2025-01-27  usage: A
[ultimate] (1). UXXXXX WXXXX
[ultimate] (2)  UXXXXX WXXXX (Work)

Really sign all user IDs? (y/N) y

sec  rsa3072/1CXXXXXXXXXXXXXX
     created: 2023-01-28  expires: 2025-01-27  usage: C
     trust: ultimate      validity: ultimate
 Primary key fingerprint: E1...

     UXXXXX WXXXX
     UXXXXX WXXXX (Work)

This key is due to expire on 2025-01-27.
Are you sure that you want to sign this key with your
key "UXXXXX WXXXX (XXX)" (A5XXXXXXXXXXXXXX)

Really sign? (y/N) y
gpg: signing failed: No secret key
gpg: signing failed: No secret key

Key not changed so no update needed.
~~~

How can I recover from this, and what was my mistake setting up the keys on the card most likely? It seems https://unix.stackexchange.com/a/393166/320598 gives the reason why it does not work, but what created that situation?
U. Windl (1715 rep)
Jan 28, 2023, 06:57 PM • Last activity: Jan 28, 2023, 09:06 PM