Signing commit with OpenPGP subkey fails

Tags: git, gnupg

I would like to use one of my GPG (2) subkeys for signing commits/tags in Git, i.e., my freshly created RSA4096 signing-only key with the long ID B0##...

sec#  ed25519/9F############## 2016-01-07 [expires: 2023-01-05]
  Key fingerprint = FC08 HEX HEX HEX 
uid                 [ultimate] MY NAME <MY.NAME@foo bar>
ssb   rsa4096/C9############## 2016-01-07 [expires: 2022-01-05]
ssb   ed25519/C6############## 2016-01-07 [expires: 2022-01-05]
ssb   rsa4096/B0############## 2016-01-13 [expires: 2022-01-11]

where I am working on a keyring with the master key removed (backed up away) as a 'better key policy'.

So, I tried to set up the signing key for Git:

[user]
    ...
    signingkey = B0##############

However, committing & signing fails with:

> git commit -S  -m "test commit"
gpg: skipped "B0##############": secret key not available
gpg: signing failed: secret key not available
error: gpg failed to sign the data
fatal: failed to write commit object

with a gpg-agent up and running.

My first guess was that Git does not understand the long key notation, so I tried the short one instead:

> gpg2 --list-secret-keys  --keyid-format short
...
ssb   rsa4096/DB###### 2016-01-13 [expires: 2022-01-11]

> ~/.gitconfig
[user]
   ...
   signingkey = DB######

But that also failed:

> git commit -S  -m "test commit short"
gpg: skipped "DB######": secret key not available
gpg: signing failed: secret key not available
error: gpg failed to sign the data
fatal: failed to write commit object

So, I wonder what breaks here, and whether maybe Git only works with a master key for signing but does not understand the use of subkeys (or whether I have screwed up somewhere myself)?

THX asked Jan 13 '16 11:01



1 Answer

Git uses gpg by default, which is GnuPG 1 on most systems and does not support elliptic curve cryptography. As your primary key is an elliptic curve key, GnuPG 1 cannot use the key at all. You will be able to observe the same when trying to use the key with GnuPG (gpg --default-key key-id --sign).

Configure Git to use gpg2 instead, which is required to be at least GnuPG 2.1 (which you have, as you can use the elliptic curve key):

git config --global gpg.program gpg2
Jens Erat answered Dec 25 '22 03:12

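The answer's reasoning, turned into a small shell diagnostic. This is an added example, not code from the question or the answer: the function names (gnupg_supports_ecc, primary_uses_ecc, find_signing_key, recommend_gpg_program) are mine, and the secret-key listing it works on is constructed to mirror the poster's key layout with made-up key IDs, dates and address. It only parses text you hand it (the first line of `gpg --version` and the output of `gpg --list-secret-keys --with-colons`), so it runs without gpg installed; to use it for real, substitute the output of those two commands. The colon-format fields it relies on are documented in GnuPG's DETAILS file: field 1 is the record type (sec = primary secret key, ssb = secret subkey), field 4 the public-key algorithm number (1 = RSA, 22 = EdDSA, 18 = ECDH, 19 = ECDSA), field 5 the long key ID and field 12 the capability letters (s = sign, e = encrypt, a = authenticate, c = certify). Trailing fields are omitted from the sample.

```shell
#!/bin/sh
# Added diagnostic for the gpg-vs-gpg2 signing problem above; not the poster's
# or answerer's code. Sample listing is constructed (fake IDs, dates, address).
SAMPLE_LISTING='sec:u:256:22:9F00000000000001:1452124800:1672876800::u:::cESC
uid:u::::1452124800::0000000000000000000000000000000000000000::MY NAME <my.name@example.org>
ssb:u:4096:1:C900000000000002:1452124800:1641340800:::::e
ssb:u:256:22:C600000000000003:1452124800:1641340800:::::a
ssb:u:4096:1:B000000000000004:1452643200:1641859200:::::s'

# gnupg_supports_ecc VERSION_LINE
# Succeeds when VERSION_LINE (e.g. "gpg (GnuPG) 2.1.11") names GnuPG 2.1 or
# newer, the first release able to use Ed25519 and other ECC keys.
gnupg_supports_ecc() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^gpg (GnuPG[^)]*) \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    case $ver in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 1 ]; }
}

# primary_uses_ecc LISTING
# Succeeds when the sec record's algorithm is an elliptic curve one. GnuPG 1
# cannot load such a primary key, so every subkey under it is unusable too,
# which is exactly the "secret key not available" the poster saw.
primary_uses_ecc() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sec" { if ($4 == 18 || $4 == 19 || $4 == 22) ecc = 1; exit }
        END { exit (ecc == 1 ? 0 : 1) }'
}

# find_signing_key LISTING KEYID
# Prints "ok" when KEYID (short 8-hex or long 16-hex form, any case) matches
# the tail of a sec/ssb key ID whose capabilities include s,
# "not-signing-capable" when the record exists without s, "missing" otherwise.
find_signing_key() {
    printf '%s\n' "$1" | awk -F: -v want="$(printf '%s' "$2" | tr 'a-f' 'A-F')" '
        $1 == "sec" || $1 == "ssb" {
            n = length(want)
            if (substr($5, length($5) - n + 1) == want) {
                found = 1
                print (index($12, "s") > 0 ? "ok" : "not-signing-capable")
                exit
            }
        }
        END { if (!found) print "missing" }'
}

# recommend_gpg_program VERSION_LINE LISTING
# Prints the value for git's gpg.program: gpg2 when the keyring needs GnuPG 2.1
# but the gpg on PATH is older (the answer's case), plain gpg otherwise.
recommend_gpg_program() {
    if primary_uses_ecc "$2" && ! gnupg_supports_ecc "$1"; then
        echo gpg2
    else
        echo gpg
    fi
}

# Stand-alone run: reproduce the poster's situation with GnuPG 1.4 as `gpg`.
printf 'signing subkey B000000000000004: %s\n' \
    "$(find_signing_key "$SAMPLE_LISTING" B000000000000004)"
printf 'git config --global gpg.program %s\n' \
    "$(recommend_gpg_program 'gpg (GnuPG) 1.4.20' "$SAMPLE_LISTING")"
```

Note that find_signing_key reports the signing subkey as present and capable for both the long and the short ID, which confirms the poster's first guess (Git not understanding the long form) was not the cause; the deciding check is primary_uses_ecc together with the version of the gpg binary Git actually invokes.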