git ffs-sign-that-commit-gpg-is-working

TL;DR: Every couple of months I run into an issue with a random combination of PGP, gpg-agent and Git. This post is simply a note for myself because I can’t seem to remember the solution for more than a week.

Because I personally find PGP much more useful for signing Git-commits than for improving my communication privacy I, by-default, sign all of my commits.

And despite it being something trivial, for some reason I regularly run into the same problem. It’s an ever recurring theme: I create a new Git-repository, add some content to it and when I try to commit my changes I get hit with this:

ari@kmmn ~/g/utilities (master)> git commit -S -m 'Initial commit of'
error: gpg failed to sign the data
fatal: failed to write commit object

Luckily there is the environment variable GIT_TRACE which provides some debugging output.

ari@kmmn ~/g/utilities (master)> GIT_TRACE=1 git commit -S -m 'Initial commit of'
20:50:16.383624 git.c:458               trace: built-in: git commit -S -m 'Initial commit of'
20:50:16.390382 run-command.c:654       trace: run_command: gpg --status-fd=2-bsau 'ari <>'
error: gpg failed to sign the data
fatal: failed to write commit object

Assuming that the keyset has been imported properly, usually the reasons for PGP-issues when signing commits fall into one of these categories:

  • gpg-agent isn’t running
  • The shell can’t find the gpg-agent (which can usually be fixed by setting GPG_TTY)
  • There is an issue with the paths to either gpg or pinentry

But even after I ensured that all of these aren’t the problem I was still hit with the error message. In these cases, manually running the command that is been run by git can provide valuable information:

ari@kmmn ~/g/utilities (master)> gpg --status-fd=2 -bsau 'ari <>'
gpg: skipped "ari <>": No secret key
[GNUPG:] INV_SGNR 9 ari <>
[GNUPG:] FAILURE sign 17
gpg: signing failed: No secret key

I mean, it makes sense, because my PGP-key doesn’t include that address. But alright, let’s remedy that problem:

ari@kmmn ~/g/utilities (master)> git config

And .. it works:

ari@kmmn ~/g/utilities (master)> GIT_TRACE=1 git commit -S -m 'Initial commit of'
21:10:32.551487 git.c:458               trace: built-in: git commit -S -m 'Initial commit of'
21:10:32.558284 run-command.c:654       trace: run_command: gpg --status-fd=2 -bsau 'ari <>'
21:10:32.697293 run-command.c:654       trace: run_command: git maintenance run --auto --no-quiet
21:10:32.703832 git.c:458               trace: built-in: git maintenance run --auto --no-quiet
[master (root-commit) 64c96c8] Initial commit of
 1 file changed, 5 insertions(+)
 create mode 100644

The reason why I did not bother to check for key issues earlier is because my .gitconfig clearly says:

	name = ari
	email =
	signingkey = 7DB4163E7F88676D54436049FF5667517B30700B
	program = /usr/local/bin/gpg

If anyone has an idea, please let me know!