Cannot generate GPG keys

[gasull]

First I try to set derivedkeymode 1. With both the OnlyKey app and onlykey-cli I am reminder to enter config mode pressing 6 for 5 seconds. After I press 6 for 5 seconds the light turns off, and I need to enter my PIN again. After entering the PIN the light is blinking red.

Then I can change the derived key mode to 1 ("button press required"). I've tried this with both the OnlyKey app and onlykey-cli.

I read that the way to exit config mode is to remove the OnlyKey and insert it again. But I've found repeatedly that if I do so then derivedkeymode is again set to 0 (Challenge Code Required).

So with the light still blinking red, I try to generate the GPG key pair:

$ onlykey-gpg init "example@example.com" --verbose 
2021-06-03 06:00:51,336 WARNING      This GPG tool is still in EXPERIMENTAL mode, so please note that the API and features may change without backwards compatibility! [__init__.py:128]
2021-06-03 06:00:51,366 INFO         device name: onlykey                                                                                 [__init__.py:136]
2021-06-03 06:00:51,367 INFO         GPG home directory: /home/user/.gnupg/onlykey                                                        [__init__.py:141]
2021-06-03 06:00:51,381 WARNING      NOTE: in order to re-generate the exact same GPG key later, run this command with "--time=0" commandline flag (to set the timestamp of the GPG key manually). [__init__.py:41]
2021-06-03 06:00:51,923 INFO         Requesting public key from key slot =132                                                             [onlykey.py:111]
2021-06-03 06:00:51,924 INFO         Identity to hash =b'gpg://example@example.com'                                                       [onlykey.py:125]
2021-06-03 06:00:51,924 INFO         Identity hash =9cd6f7bc1a8fd7d10742b6539e59967752512e67f85279d33e2d683122f12616                      [onlykey.py:129]
2021-06-03 06:00:51,927 INFO         curve name= 'ed25519'                                                                                [onlykey.py:145]
2021-06-03 06:00:53,433 INFO         received= []                                                                                         [onlykey.py:156]
2021-06-03 06:00:53,434 INFO         disconnected from OnlyKey                                                                            [onlykey.py:94]
2021-06-03 06:00:53,972 INFO         Requesting public key from key slot =132                                                             [onlykey.py:111]
2021-06-03 06:00:53,973 INFO         Identity to hash =b'gpg://example@example.com'                                                       [onlykey.py:125]
2021-06-03 06:00:53,974 INFO         Identity hash =9cd6f7bc1a8fd7d10742b6539e59967752512e67f85279d33e2d683122f12616                      [onlykey.py:129]
2021-06-03 06:00:53,977 INFO         curve name= 'curve25519'                                                                             [onlykey.py:145]
2021-06-03 06:00:54,454 INFO         disconnected from OnlyKey                                                                            [onlykey.py:94]
Traceback (most recent call last):
  File "/home/user/.local/lib/python3.7/site-packages/libagent/device/onlykey.py", line 150, in pubkey
    ok_pubkey = self.ok.read_bytes(timeout_ms=100)
  File "/home/user/.local/lib/python3.7/site-packages/onlykey/client.py", line 336, in read_bytes
    out = self._hid.read(n, timeout_ms=timeout_ms)
  File "hid.pyx", line 122, in hid.device.read
OSError: read error

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/user/.local/bin/onlykey-gpg", line 10, in <module>
    sys.exit(gpg_tool())
  File "/home/user/.local/bin/onlykey_agent.py", line 6, in <lambda>
    gpg_tool = lambda: libagent.gpg.main(DeviceType)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/__init__.py", line 375, in main
    return args.func(device_type=device_type, args=args)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/__init__.py", line 207, in run_init
    export_public_key(device_type, args))
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/__init__.py", line 50, in export_public_key
    decryption_key = c.pubkey(identity=identity, ecdh=True)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/client.py", line 29, in pubkey
    pubkey = self.device.pubkey(ecdh=ecdh, identity=identity)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/device/onlykey.py", line 154, in pubkey
    raise interface.DeviceError(e)
libagent.device.interface.DeviceError: read error

There doesn't seem to be a workaround because, as said, if I remove the OnlyKey and insert it again, then I'm asked to enter a challenge code, and this will fail too:

$ onlykey-gpg init "example@example.com" --verbose 
2021-06-03 06:17:41,339 WARNING      This GPG tool is still in EXPERIMENTAL mode, so please note that the API and features may change without backwards compatibility! [__init__.py:128]
2021-06-03 06:17:41,345 INFO         device name: onlykey                                                                                 [__init__.py:136]
2021-06-03 06:17:41,346 INFO         GPG home directory: /home/user/.gnupg/onlykey                                                        [__init__.py:141]
2021-06-03 06:17:41,359 WARNING      NOTE: in order to re-generate the exact same GPG key later, run this command with "--time=0" commandline flag (to set the timestamp of the GPG key manually). [__init__.py:41]
2021-06-03 06:17:41,439 INFO         Requesting public key from key slot =132                                                             [onlykey.py:111]
2021-06-03 06:17:41,440 INFO         Identity to hash =b'gpg://example@example.com'                                                       [onlykey.py:125]
2021-06-03 06:17:41,441 INFO         Identity hash =9cd6f7bc1a8fd7d10742b6539e59967752512e67f85279d33e2d683122f12616                      [onlykey.py:129]
2021-06-03 06:17:41,444 INFO         curve name= 'ed25519'                                                                                [onlykey.py:145]
2021-06-03 06:17:41,761 INFO         received= [200, 199, 61, 114, 163, 35, 19, 53, 56, 210, 183, 48, 218, 126, 254, 140, 27, 197, 236, 239, 130, 233, 192, 58, 128, 82, 254, 225, 38, 53, 255, 84, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] [onlykey.py:156]
2021-06-03 06:17:41,761 INFO         Received Public Key generated by OnlyKey= 'c8c73d72a323133538d2b730da7efe8c1bc5ecef82e9c03a8052fee12635ff54' [onlykey.py:161]
2021-06-03 06:17:41,761 INFO         vk= <nacl.signing.VerifyKey object at 0x76ce5947d860>                                                [onlykey.py:164]
2021-06-03 06:17:41,762 INFO         disconnected from OnlyKey                                                                            [onlykey.py:94]
2021-06-03 06:17:41,827 INFO         Requesting public key from key slot =132                                                             [onlykey.py:111]
2021-06-03 06:17:41,828 INFO         Identity to hash =b'gpg://example@example.com'                                                       [onlykey.py:125]
2021-06-03 06:17:41,828 INFO         Identity hash =9cd6f7bc1a8fd7d10742b6539e59967752512e67f85279d33e2d683122f12616                      [onlykey.py:129]
2021-06-03 06:17:41,832 INFO         curve name= 'curve25519'                                                                             [onlykey.py:145]
2021-06-03 06:17:43,338 INFO         received= []                                                                                         [onlykey.py:156]
2021-06-03 06:17:43,339 INFO         disconnected from OnlyKey                                                                            [onlykey.py:94]
2021-06-03 06:17:43,343 INFO         creating new ed25519 GPG primary key for "example@example.com"                                       [__init__.py:73]
2021-06-03 06:17:43,345 INFO         please confirm GPG signature on OnlyKey for "<gpg://example@example.com|ed25519>"...                 [client.py:40]
2021-06-03 06:17:43,372 INFO         Identity to hash =b'gpg://example@example.com'                                                       [onlykey.py:243]
2021-06-03 06:17:43,372 INFO         Identity hash =b'\x9c\xd6\xf7\xbc\x1a\x8f\xd7\xd1\x07B\xb6S\x9eY\x96wRQ.g\xf8Ry\xd3>-h1"\xf1&\x16'   [onlykey.py:244]
2021-06-03 06:17:43,372 INFO         Key type ed25519                                                                                     [onlykey.py:251]
2021-06-03 06:17:43,372 INFO         Key Slot =201                                                                                        [onlykey.py:275]
Enter the 3 digit challenge code on OnlyKey to authorize <gpg://example@example.com|ed25519>
2 1 4

2021-06-03 06:17:46,213 INFO         received= [92, 164, 40, 87, 37, 126, 64, 146, 177, 95, 244, 44, 242, 75, 23, 127, 237, 239, 211, 158, 25, 40, 147, 157, 198, 226, 101, 18, 70, 66, 150, 90, 188, 21, 238, 198, 202, 167, 224, 222, 4, 130, 142, 110, 54, 183, 65, 73, 233, 18, 157, 159, 101, 112, 202, 126, 145, 68, 217, 63, 125, 110, 172, 9] [onlykey.py:291]
2021-06-03 06:17:46,213 INFO         disconnected from OnlyKey                                                                            [onlykey.py:294]
2021-06-03 06:17:46,216 INFO         disconnected from OnlyKey                                                                            [onlykey.py:94]
Traceback (most recent call last):
  File "/home/user/.local/bin/onlykey-gpg", line 10, in <module>
    sys.exit(gpg_tool())
  File "/home/user/.local/bin/onlykey_agent.py", line 6, in <lambda>
    gpg_tool = lambda: libagent.gpg.main(DeviceType)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/__init__.py", line 375, in main
    return args.func(device_type=device_type, args=args)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/__init__.py", line 207, in run_init
    export_public_key(device_type, args))
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/__init__.py", line 88, in export_public_key
    signer_func=signer_func)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/encode.py", line 54, in create_subkey
    blob=(subkey.data() + secret_bytes))
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/protocol.py", line 221, in data
    blob = self.curve_info['serialize'](self.verifying_key)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/protocol.py", line 96, in _serialize_ed25519
    util.bytes2num(vk.encode(encoder=nacl.encoding.RawEncoder)))
AttributeError: 'NoneType' object has no attribute 'encode'

My main reason for buying an OnlyKey was generating GPG keys in a trusted way :-(

[gasull]

I'm using Debian 10 in Qubes. I attach the device to the virtual machine.

[gasull]

$ onlykey-cli fwversion
v0.2-beta.8c

[onlykey]

I would recommend upgrading firmware to 2.1.1 - https://github.com/trustcrypto/OnlyKey-Firmware/releases/tag/v2.1.1-prod

https://docs.crp.to/upgradeguide.html

I think the trouble might be the old firmware as your error messages do not indicate that an incorrect challenge was entered, which is what would be expected if the challenge mode was not correctly set.

[gasull]

Not sure if I was able to generate the keys correctly. I get not error generating the keys. However, following the command line example to use the generated key produces an error:

$ echo 123 | gpg2 --sign
gpg: Warning: not using 'Daniel Gonzalez Gasull <***@*****.***>' as default key: No secret key
gpg: all values passed to '--default-key' ignored
gpg: no default secret key: No secret key
gpg: signing failed: No secret key

(Masked my email address above to prevent spam).

~/.gnupg/onlykey/ was generated and contains my public key, that I can see with gpa (but it shows only the public key, not the private one).

[gasull]

The previous error is because I did't call onlykey-agent. However, now I can only encrypt, not sign or decrypt:

$ onlykey-agent myemail@example.com -- gpg --sign hi.txt
gpg: using "Daniel Gonzalez Gasull <myemail@example.com>" as default secret key for signing
gpg: signing failed: End of file
gpg: signing failed: End of file

Same problem with gpg2:

$ onlykey-agent myemail@example.com -- gpg2 --sign hi.txt
gpg: using "Daniel Gonzalez Gasull <myemail@example.com>" as default secret key for signing
gpg: signing failed: End of file
gpg: signing failed: End of file

And even with gpa. After running onlykey-agent myemail@example.com -- gpa, and going to Windows -> Clipboard, writing some text and clicking on "Sign" I get a popup window with this error:

The GPGME library returned an unexpected
error at gpafilesignop.c:532. The error was:

End of file

This is either an installation problem or a bug in GPA.
GPA will now try to recover from this error.

Clicking on the button "Details" shows this text:

[GPA 0.10.0, GPGME 1.12.0, GnuPG 2.2.12]
gpg: signing failed: End of file
gpg: -&11: clear-sign failed: End of file

Encrypting works fine, both in the command line and with gpa, but when trying to decrypt I have the same problem again.

$ onlykey-agent myemail@example.com -- gpg --decrypt hi.txt.asc 
gpg: encrypted with 256-bit ECDH key, ID 106C443E4D4B34A2, created 1970-01-01
      "Daniel Gonzalez Gasull <myemail@example.com>"
gpg: public key decryption failed: End of file
gpg: decryption failed: No secret key
$ onlykey-agent myemail@example.com -- gpg2 --decrypt hi.txt.asc 
gpg: encrypted with 256-bit ECDH key, ID 106C443E4D4B34A2, created 1970-01-01
      "Daniel Gonzalez Gasull <myemail@example.com>"
gpg: public key decryption failed: End of file
gpg: decryption failed: No secret key
$ onlykey-agent myemail@example.com -- gpg2 -k
/home/user/.gnupg/onlykey/pubring.kbx
-------------------------------------
pub   ed25519 1970-01-01 [SCA]
      7D140CA52C820093EE26F85CFF771D2301D17F90
uid           [ultimate] Daniel Gonzalez Gasull <myemail@example.com>
sub   cv25519 1970-01-01 [E]
$ onlykey-agent myemail@example.com -- gpa

And then in the gpa clipboard, I copy paste the file hi.txt.asc and click on "Decrypt", obtaining a popup window with this error:

The GPGME library returned an unexpected
error at gpafiledecryptop.c:538. The error was:

End of file

This is either an installation problem or a bug in GPA.
GPA will now try to recover from this error.

And clicking on the "Details" buton of such popup window I get this text:

[GPA 0.10.0, GPGME 1.12.0, GnuPG 2.2.12]
gpg: encrypted with 256-bit ECDH key, ID 106C443E4D4B34A2, created 1970-01-01
"Daniel Gonzalez Gasull myemail@example.com"
gpg: public key decryption failed: End of file
gpg: decryption failed: No secret key

Is onlykey-gpg encrypting with a different key than the one I generated? I only seem to one one public key in my keyring:

onlykey-agent myemail@example.com -- gpg2 --list-public-keys
/home/user/.gnupg/onlykey/pubring.kbx
-------------------------------------
pub   ed25519 1970-01-01 [SCA]
      7D140CA52C820093EE26F85CFF771D2301D17F90
uid           [ultimate] Daniel Gonzalez Gasull <myemail@example.com>
sub   cv25519 1970-01-01 [E]

(Still posting on this GitHub issue because I don't know if the problem means the keypair was not generated properly).

[onlykey]

Since only public key operations are working it sounds like it was not initialized correctly. What onlykey-gpg init command did you run and what was the output?

[gasull]

I deleted ~/.gnupg/onlykey and started over with a test keypair:

$ onlykey-gpg init "Example <example@example.com>" --verbose
2021-06-19 04:59:33,774 WARNING      This GPG tool is still in EXPERIMENTAL mode, so please note that the API and features may change without backwards compatibility! [__init__.py:128]
2021-06-19 04:59:33,780 INFO         device name: onlykey                                                                                 [__init__.py:136]
2021-06-19 04:59:33,781 INFO         GPG home directory: /home/user/.gnupg/onlykey                                                        [__init__.py:144]
2021-06-19 04:59:33,793 WARNING      NOTE: in order to re-generate the exact same GPG key later, run this command with "--time=0" commandline flag (to set the timestamp of the GPG key manually). [__init__.py:41]
2021-06-19 04:59:33,868 INFO         Requesting public key from key slot =132                                                             [onlykey.py:109]
2021-06-19 04:59:33,869 INFO         Identity to hash =b'gpg://Example <example@example.com>'                                             [onlykey.py:123]
2021-06-19 04:59:33,869 INFO         Identity hash =ab8ed69c52728f13d35c8fde9f7e3ebc3709f2bb907acd53d4507d59bc86af11                      [onlykey.py:127]
2021-06-19 04:59:33,871 INFO         curve name= 'ed25519'                                                                                [onlykey.py:143]
2021-06-19 04:59:34,196 INFO         received= [53, 97, 242, 181, 161, 159, 99, 176, 169, 247, 211, 44, 61, 180, 170, 137, 140, 146, 150, 202, 182, 172, 222, 161, 246, 188, 155, 138, 246, 254, 251, 53, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] [onlykey.py:154]
2021-06-19 04:59:34,197 INFO         Received Public Key generated by OnlyKey= '3561f2b5a19f63b0a9f7d32c3db4aa898c9296cab6acdea1f6bc9b8af6fefb35' [onlykey.py:159]
2021-06-19 04:59:34,197 INFO         vk= <nacl.signing.VerifyKey object at 0x77f560c18400>                                                [onlykey.py:162]
2021-06-19 04:59:34,197 INFO         disconnected from OnlyKey                                                                            [onlykey.py:92]
2021-06-19 04:59:34,255 INFO         Requesting public key from key slot =132                                                             [onlykey.py:109]
2021-06-19 04:59:34,256 INFO         Identity to hash =b'gpg://Example <example@example.com>'                                             [onlykey.py:123]
2021-06-19 04:59:34,256 INFO         Identity hash =ab8ed69c52728f13d35c8fde9f7e3ebc3709f2bb907acd53d4507d59bc86af11                      [onlykey.py:127]
2021-06-19 04:59:34,260 INFO         curve name= 'curve25519'                                                                             [onlykey.py:143]
2021-06-19 04:59:34,521 INFO         received= [238, 198, 88, 118, 9, 249, 14, 165, 26, 79, 188, 251, 37, 150, 142, 61, 112, 37, 202, 76, 220, 87, 6, 11, 138, 107, 100, 9, 142, 65, 152, 51, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] [onlykey.py:154]
2021-06-19 04:59:34,522 INFO         Received Public Key generated by OnlyKey= 'eec6587609f90ea51a4fbcfb25968e3d7025ca4cdc57060b8a6b64098e419833' [onlykey.py:159]
2021-06-19 04:59:34,522 INFO         vk= <nacl.signing.VerifyKey object at 0x77f560c181d0>                                                [onlykey.py:162]
2021-06-19 04:59:34,522 INFO         disconnected from OnlyKey                                                                            [onlykey.py:92]
2021-06-19 04:59:34,528 INFO         creating new ed25519 GPG primary key for "Example <example@example.com>"                             [__init__.py:73]
2021-06-19 04:59:34,529 INFO         please confirm GPG signature on OnlyKey for "<gpg://Example <example@example.com>|ed25519>"...       [client.py:40]
2021-06-19 04:59:34,580 INFO         Identity to hash =b'gpg://Example <example@example.com>'                                             [onlykey.py:241]
2021-06-19 04:59:34,580 INFO         Identity hash =b'\xab\x8e\xd6\x9cRr\x8f\x13\xd3\\\x8f\xde\x9f~>\xbc7\t\xf2\xbb\x90z\xcdS\xd4P}Y\xbc\x86\xaf\x11' [onlykey.py:242]
2021-06-19 04:59:34,580 INFO         Key type ed25519                                                                                     [onlykey.py:249]
2021-06-19 04:59:34,580 INFO         Key Slot =201                                                                                        [onlykey.py:273]
Enter the 3 digit challenge code on OnlyKey to authorize <gpg://Example <example@example.com>|ed25519>
5 3 5
2021-06-19 04:59:42,004 INFO         received= [249, 156, 181, 130, 89, 134, 212, 1, 198, 22, 5, 225, 177, 18, 251, 25, 165, 123, 42, 183, 236, 183, 193, 140, 154, 149, 87, 105, 243, 175, 107, 158, 73, 17, 106, 200, 128, 213, 115, 50, 37, 45, 124, 112, 51, 234, 17, 191, 1, 252, 240, 66, 137, 161, 17, 151, 154, 53, 106, 52, 188, 103, 118, 2] [onlykey.py:289]
2021-06-19 04:59:42,005 INFO         disconnected from OnlyKey                                                                            [onlykey.py:292]
2021-06-19 04:59:42,008 INFO         disconnected from OnlyKey                                                                            [onlykey.py:92]
2021-06-19 04:59:42,010 INFO         please confirm GPG signature on OnlyKey for "<gpg://Example <example@example.com>|ed25519>"...       [client.py:40]
2021-06-19 04:59:42,055 INFO         Identity to hash =b'gpg://Example <example@example.com>'                                             [onlykey.py:241]
2021-06-19 04:59:42,055 INFO         Identity hash =b'\xab\x8e\xd6\x9cRr\x8f\x13\xd3\\\x8f\xde\x9f~>\xbc7\t\xf2\xbb\x90z\xcdS\xd4P}Y\xbc\x86\xaf\x11' [onlykey.py:242]
2021-06-19 04:59:42,055 INFO         Key type ed25519                                                                                     [onlykey.py:249]
2021-06-19 04:59:42,055 INFO         Key Slot =201                                                                                        [onlykey.py:273]
Enter the 3 digit challenge code on OnlyKey to authorize <gpg://Example <example@example.com>|ed25519>
6 2 3
2021-06-19 04:59:47,334 INFO         received= [224, 51, 144, 25, 106, 247, 77, 240, 23, 178, 219, 182, 76, 151, 110, 24, 163, 106, 148, 35, 225, 137, 216, 39, 173, 176, 14, 7, 74, 219, 137, 181, 190, 59, 3, 59, 78, 229, 96, 95, 162, 165, 171, 144, 227, 143, 4, 241, 64, 20, 251, 181, 63, 98, 198, 130, 74, 29, 74, 155, 138, 81, 28, 4] [onlykey.py:289]
2021-06-19 04:59:47,334 INFO         disconnected from OnlyKey                                                                            [onlykey.py:292]
2021-06-19 04:59:47,338 INFO         disconnected from OnlyKey                                                                            [onlykey.py:92]
gpg: keybox '/home/user/.gnupg/onlykey/pubring.kbx' created
gpg: armor header: Version: GnuPG v2
gpg: pub  ed25519/4AB5CB4FDB7469B3 1970-01-01  Example <example@example.com>
gpg: /home/user/.gnupg/onlykey/trustdb.gpg: trustdb created
gpg: using pgp trust model
gpg: key 4AB5CB4FDB7469B3: public key "Example <example@example.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: inserting ownertrust of 6
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
sec   ed25519 1970-01-01 [SCA]
      4580C116CCFF13E0C22B946C4AB5CB4FDB7469B3
uid           [ultimate] Example <example@example.com>
ssb   cv25519 1970-01-01 [E]

And I'm getting the same error with the gpa clipboard:

$ onlykey-agent example@example.com -- gpa

Error window signing:

The GPGME library returned an unexpected
error at gpafilesignop.c:532. The error was:

End of file

This is either an installation problem or a bug in GPA.
GPA will now try to recover from this error.

Encrypting works fine.

Error window decrypting:

The GPGME library returned an unexpected
error at gpafiledecryptop.c:538. The error was:

End of file

This is either an installation problem or a bug in GPA.
GPA will now try to recover from this error.

More information:

GPA 0.10.0
(GPGME 1.12.0)
(GnuPG 2.2.12)

$ onlykey-agent --version
onlykey-agent=1.1.11 lib-agent=1.0.2

$ onlykey-cli fwversion
v2.1.1-prodc

[onlykey]

$ echo 123 | gpg2 --sign
gpg: Warning: not using 'Daniel Gonzalez Gasull <@.*>' as default key: No secret key
gpg: all values passed to '--default-key' ignored
gpg: no default secret key: No secret key
gpg: signing failed: No secret key

You are seeing this because GPG does not know where your key is. Try this instead:
echo 123 | gpg2 --sign --homedir ~/.gnupg/onlykey | gpg2 --verify --homedir ~/.gnupg/onlykey

You have to add export GNUPGHOME=~/.gnupg/onlykey to your .bashrc or other environment file.
$ export GNUPGHOME=${HOME}/.gnupg/onlykey

Next, you don't need to use onlykey-agent "Bob Smith bob@protonmail.com" -- gpa. Per the docs this method is if you were using SSH not GPG.

Note: This method can also be used for git push, scp, or other mechanisms that are using SSH as their communication protocol:

$ onlykey-agent identity@myhost -- COMMAND --WITH --ARGUMENTS

[gasull]

For some reason I couldn't generate a keypair with Derived Key User Input Mode set to "Button Press Required", so I had to generate the keypair with Derived Key User Input Mode set to "Challenge Code Required". But of course once the keypair is generated, GPG won't ask for the challenge code. So I set back Derived Key User Input Mode to Button Press Required, and it works now for encrypting, decrypting, etc.