From 57998be0673eac1dfdb8becd306b1e2931bd47f7 Mon Sep 17 00:00:00 2001 From: Adam Monsen Date: Mon, 13 Oct 2025 08:12:02 -0700 Subject: [PATCH] document keysigning issue with offline certify key --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 89f4255..65140f5 100644 --- a/README.md +++ b/README.md @@ -2231,6 +2231,8 @@ Now connect networking. 1. To use YubiKey on multiple computers, import the corresponding public keys, then confirm YubiKey is visible with `gpg --card-status`. Trust the imported public keys ultimately with `trust` and `5`, then `gpg --list-secret-keys` will show the correct and trusted key. +1. When your Certify key is offline, *caveat emptor*: If you wish to [participate in keysigning parties](https://www.gnupg.org/gph/en/manual/x334.html), you'll find [signing others' imported public keys](https://gist.github.com/F21/b0e8c62c49dfab267ff1d0c6af39ab84) requires first setting up a secure enclave such as the ephemeral environment described above and importing your Certify key into that enclave. [A signing subkey cannot be used to sign others' imported public keys](https://security.stackexchange.com/questions/153057/possible-to-sign-an-imported-key-with-a-subkey-using-gpg). + # Troubleshooting - Use `man gpg` to understand GnuPG options and command-line flags.
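Review bot: the added README item stops one step short of a complete workflow: after the Certify key is imported into the ephemeral environment and used to sign the other person's key, that certification only exists inside an environment the guide tells the reader to discard, so the item should also say to export the newly certified public key (for example `gpg --armor --export <keyid>`) and carry it back out before the environment is torn down, and to wipe the imported Certify key rather than leaving it resident. Two smaller points on the same line: "secure enclave" reads as a hardware TEE term in a guide that is about YubiKeys, so "air-gapped or ephemeral environment" (and a link to the actual section heading instead of "described above") would be clearer; and "*caveat emptor*" is buyer-beware language where a plain "be aware that" fits the rest of the README. The closing sentence is correct as stated, since GnuPG only lets a key with the certify (C) capability sign another key, but it would be more durable to cite `gpg --sign-key` from the GnuPG manual than a third-party gist for the signing step.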