
github: PGP key usage flags do not allow signing


I've used my OpenPGP key to sign a git commit, but it shows up as "Unverified" on github: https://github.com/cweiske/jsonmapper/commits/master

The usage flags for the key that signed this don't allow signing.

GPG key ID: 14C85A0824EAF823

The github gpg signature docs say nothing about that error.

So my questions:

  1. How do I read those flags?
  2. How can I change my key to allow code signing?

Solution

You can look at your signing capabilities by either looking at the output of --edit-key or GnuPG's colon-separated output.

Looking at your key, I see that you have a bunch of expired subkeys (some with signing capability), and a primary key that has signing and certification capabilities set. The primary key's expiry period was extended twice (also consider reading "Does OpenPGP key expiration add to security?" on this subject).

I see two possible issues here:

  • GitHub does not have the newest copy of your public key yet. Because of this, the key that issued the signature is not considered as a signing key as it seems expired to GitHub. Still, the error message is a bad one, and GitHub should tell you about an expired key instead. Uploading a newer copy of the key should resolve the issue.
  • There is a bug in the GitHub software that makes it ignore the primary key when signing subkeys exist (no matter whether they're expired or not).
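As an added example (not part of the original answer), here is a small Python parser for GnuPG's colon-separated output (`gpg --with-colons --list-keys`) that reads the validity field and the usage flags of each pub/sub record and reports why a given key would or would not be accepted for signing. The sample keyring is constructed to mirror the situation in the question: a signing-capable primary key plus expired subkeys; the subkey IDs, fingerprint, dates and user ID are placeholders, not values from the real key.

```python
import time

# Constructed sample of `gpg --with-colons --list-keys` output (not real key data):
# a signing-capable primary key, two expired subkeys (one signing, one encryption)
# and one current encryption-only subkey. Fingerprint/uid hash are placeholders.
SAMPLE_COLONS = """\
pub:u:4096:1:14C85A0824EAF823:1367000000:1900000000::u:::scESCA::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1367000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:e:4096:1:0000000000000001:1367000000:1398000000:::::s::::::23:
sub:e:4096:1:0000000000000002:1367000000:1398000000:::::e::::::23:
sub:u:4096:1:0000000000000003:1500000000:1900000000:::::e::::::23:
"""

VALIDITY = {"e": "expired", "r": "revoked", "i": "invalid", "d": "disabled"}

def parse_colons(text):
    """Return one dict per pub/sub record. Field 2 is validity, field 5 the
    key ID, field 7 the expiry (empty = never), field 12 the capability flags:
    lowercase letters are this key's own capabilities (e/s/c/a); uppercase on
    the pub line summarise what the whole key is currently usable for."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue
        keys.append({
            "kind": f[0], "validity": f[1], "keyid": f[4],
            "expires": int(f[6]) if f[6] else None,
            "caps": f[11],
        })
    return keys

def signing_status(keys, keyid, now=None):
    """Explain whether a signature from `keyid` should verify: the key must be
    in the keyring, not expired/revoked, and carry its own lowercase 's' flag."""
    now = time.time() if now is None else now
    key = next((k for k in keys if k["keyid"].upper().endswith(keyid.upper())), None)
    if key is None:
        return (False, "key not in keyring (upload the current public key)")
    if key["validity"] in VALIDITY:
        return (False, f"key is {VALIDITY[key['validity']]}")
    if key["expires"] is not None and key["expires"] < now:
        return (False, "key expired according to its expiry field")
    if "s" not in key["caps"]:
        return (False, f"usage flags '{key['caps']}' do not allow signing")
    return (True, f"usable signing key; usage flags '{key['caps']}'")
```

Run the same check against the key material GitHub holds and against your current local export: if the stale copy carries an earlier expiry on the pub line, the expiry branch fires where GitHub instead reports a usage-flag error.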