gpg claiming "No secret key" while it is available

Question

I am trying to sign another public key using gpg --sign-key which then errors with signing failed: No secret key

Full output:

❯ gpg --ask-cert-level --sign-with tinoheuberger@protonmail.com  --sign-key 0x9303B33A305224CB

pub  rsa4096/0x9303B33A305224CB
     created: 2017-10-05  expires: never       usage: C   
     trust: unknown       validity: unknown
sub  rsa4096/0x9B79B45691DB4173
     created: 2017-10-05  expires: 2021-07-27  usage: S   
sub  rsa4096/0xDAB71C6FBCD75257
     created: 2017-10-05  expires: 2021-07-27  usage: E   
sub  rsa4096/0x7651CCCB55BC4D56
     created: 2017-10-05  expires: 2021-07-27  usage: A   
[ unknown] (1). --------------) <----------------->


pub  rsa4096/0x9303B33A305224CB
     created: 2017-10-05  expires: never       usage: C   
     trust: unknown       validity: unknown
 Primary key fingerprint: A8FC 55F3 B04B A314 6F34  92E7 9303 B33A 3052 24CB

     ----- (-----) <-------->

How carefully have you verified the key you are about to sign actually belongs
to the person named above?  If you don't know what to answer, enter "0".

   (0) I will not answer. (default)
   (1) I have not checked at all.
   (2) I have done casual checking.
   (3) I have done very careful checking.

Your selection? (enter '?' for more information): 3
Are you sure that you want to sign this key with your
key "Tino Heuberger (Personal MasterKey) <tinoheuberger@protonmail.com>" (0xB4B88025927E502D)

I have checked this key very carefully.

Really sign? (y/N) y
gpg: signing failed: No secret key
gpg: signing failed: No secret key

Key not changed so no update needed.

This command work without issues though:

echo "test message string" | gpg --armor --clearsign > signed.txt

Output of gpg -K

/home/cobra/.gnupg/pubring.kbx
------------------------------
sec#  rsa4096/0xB4B88025927E502D 2021-04-05 [C]
      Key fingerprint = 90BD 307D 847F 7524 EA22  2F27 B4B8 8025 927E 502D
uid                   [ultimate] Tino Heuberger (Personal MasterKey) <tinoheuberger@protonmail.com>
ssb>  rsa4096/0x4AE34056E26AE417 2021-04-05 [S] [expires: 2022-04-05]
ssb>  rsa4096/0x1F0B2D0F39B5549D 2021-04-05 [E] [expires: 2022-04-05]
ssb>  rsa4096/0x3659102D72DF0E6C 2021-04-05 [A] [expires: 2022-04-05]

and output of gpg --card-status ( I am using a yubikey):

❯ gpg --card-status
Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240103040006111828330000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 11182833
Name of cardholder: Tino Heuberger
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: tinoheuberger@protonmail.com
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 28
KDF setting ......: off
Signature key ....: 7C2C E04B 91AE 02D5 1935  F438 4AE3 4056 E26A E417
      created ....: 2021-04-05 16:31:24
Encryption key....: 6408 7413 4AEC F845 E176  D6C9 1F0B 2D0F 39B5 549D
      created ....: 2021-04-05 16:32:46
Authentication key: 45E1 05AD 16FA F864 16BB  CC75 3659 102D 72DF 0E6C
      created ....: 2021-04-05 16:33:35
General key info..: sub  rsa4096/0x4AE34056E26AE417 2021-04-05 Tino Heuberger (Personal MasterKey) <tinoheuberger@protonmail.com>
sec#  rsa4096/0xB4B88025927E502D  created: 2021-04-05  expires: never     
ssb>  rsa4096/0x4AE34056E26AE417  created: 2021-04-05  expires: 2022-04-05
                                  card-no: 0006 11182833
ssb>  rsa4096/0x1F0B2D0F39B5549D  created: 2021-04-05  expires: 2022-04-05
                                  card-no: 0006 11182833
ssb>  rsa4096/0x3659102D72DF0E6C  created: 2021-04-05  expires: 2022-04-05
                                  card-no: 0006 11182833

I can't figure out with I cannot use gpg --sign-key while all other gpg commands work without issues

Answer 1

After some time I was able to figure it out.

gpg --sign-key only work if you have the private key of the masterkey, meaning I had to sign the public key on my offline machine with the master private key. Subkeys don't work with gpg --sign-key