git ffs-sign-that-commit-gpg-is-working

TL;DR: Every couple of months I run into an issue with a random combination of PGP, gpg-agent and Git. This post is simply a note for myself because I can’t seem to remember the solution for more than a week.

Because I personally find PGP much more useful for signing Git commits than for improving my communication privacy, I sign all of my commits by default.

And despite it being something trivial, for some reason I regularly run into the same problem. It’s an ever-recurring theme: I create a new Git repository, add some content to it, and when I try to commit my changes I get hit with this:

ari@kmmn ~/g/utilities (master)> git commit -S -m 'Initial commit of README.md'
error: gpg failed to sign the data
fatal: failed to write commit object

Luckily, the environment variable GIT_TRACE provides some debugging output:

ari@kmmn ~/g/utilities (master)> GIT_TRACE=1 git commit -S -m 'Initial commit of README.md'
20:50:16.383624 git.c:458               trace: built-in: git commit -S -m 'Initial commit of README.md'
20:50:16.390382 run-command.c:654       trace: run_command: gpg --status-fd=2 -bsau 'ari <ari@kmmn.org>'
error: gpg failed to sign the data
fatal: failed to write commit object

Assuming that the keys have been imported properly, PGP issues when signing commits usually fall into one of these categories:

  • gpg-agent isn’t running
  • The shell can’t find the gpg-agent (which can usually be fixed by setting GPG_TTY)
  • There is an issue with the paths to either gpg or pinentry

But even after I ensured that none of these was the problem, I was still hit with the error message. In these cases, manually running the command that git runs can provide valuable information:

ari@kmmn ~/g/utilities (master)> gpg --status-fd=2 -bsau 'ari <ari@kmmn.org>'
gpg: skipped "ari <ari@kmmn.org>": No secret key
[GNUPG:] INV_SGNR 9 ari <ari@kmmn.org>
[GNUPG:] FAILURE sign 17
gpg: signing failed: No secret key

I mean, it makes sense, because my PGP-key doesn’t include that address. But alright, let’s remedy that problem:

ari@kmmn ~/g/utilities (master)> git config user.email ari@housingsklave.at

And ... it works:

ari@kmmn ~/g/utilities (master)> GIT_TRACE=1 git commit -S -m 'Initial commit of README.md'
21:10:32.551487 git.c:458               trace: built-in: git commit -S -m 'Initial commit of README.md'
21:10:32.558284 run-command.c:654       trace: run_command: gpg --status-fd=2 -bsau 'ari <ari@housingsklave.at>'
21:10:32.697293 run-command.c:654       trace: run_command: git maintenance run --auto --no-quiet
21:10:32.703832 git.c:458               trace: built-in: git maintenance run --auto --no-quiet
[master (root-commit) 64c96c8] Initial commit of README.md
 1 file changed, 5 insertions(+)
 create mode 100644 README.md

The reason why I did not bother to check for key issues earlier is that my .gitconfig clearly says:

[user]
	name = ari
	email = ari@housingsklave.at
	signingkey = 7DB4163E7F88676D54436049FF5667517B30700B
[gpg]
	program = /usr/local/bin/gpg
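As an added example (not part of the original post), here is a small Python helper that mirrors how git picks the -u argument visible in the traces above (user.signingkey if set, otherwise the committer identity "name <email>") and turns the [GNUPG:] status lines from the manual gpg run into a plain verdict. The status-line sample is constructed from this page's output; the reason-code and error-code names come from GnuPG's doc/DETAILS and libgpg-error.

```python
import re
import sys

# INV_SGNR reason codes (GnuPG doc/DETAILS) and the gpg-error code seen on this page.
INV_SGNR_REASONS = {
    0: "no specific reason given", 1: "not found", 2: "ambiguous specification",
    3: "wrong key usage", 4: "key revoked", 5: "key expired",
    9: "not a secret key", 10: "key not trusted", 13: "key disabled",
}
GPG_ERR_CODES = {17: "No secret key"}
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

# Constructed sample: the status lines the page shows for the failing commit.
SAMPLE_FAILURE = """gpg: skipped "ari <ari@kmmn.org>": No secret key
[GNUPG:] INV_SGNR 9 ari <ari@kmmn.org>
[GNUPG:] FAILURE sign 17
gpg: signing failed: No secret key
"""

def signer_for(config):
    """Mirror git's choice of the 'gpg -u' argument: user.signingkey if set,
    otherwise the committer identity 'name <email>'."""
    key = config.get("user.signingkey")
    return key if key else f"{config['user.name']} <{config['user.email']}>"

def diagnose(status_output):
    """Walk gpg --status-fd output and return (ok, human-readable message)."""
    for line in status_output.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue  # plain stderr text, not a machine-readable status line
        keyword, args = m.group(1), m.group(2) or ""
        if keyword == "INV_SGNR":
            code, _, signer = args.partition(" ")
            reason = INV_SGNR_REASONS.get(int(code), f"reason code {code}")
            return False, f"gpg rejected signer '{signer}': {reason}"
        if keyword == "FAILURE":
            location, _, err = args.partition(" ")
            code = int(err) & 0xFFFF  # low 16 bits hold the gpg-error code
            what = GPG_ERR_CODES.get(code, f"gpg-error {code}")
            return False, f"{location} failed: {what}"
        if keyword == "SIG_CREATED":
            return True, "signature created"
    return False, "no INV_SGNR/FAILURE/SIG_CREATED status line found"

if __name__ == "__main__":
    ok, message = diagnose(sys.stdin.read())
    print(message)
    sys.exit(0 if ok else 1)
```

To use it on a live setup, pipe the manual gpg run into it, e.g. gpg --status-fd=2 -bsau "$(git config user.signingkey)" </dev/null 2>&1 | python3 gpgdiag.py (the script name is a placeholder).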

If anyone has an idea, please let me know!