I would like to use one of my GPG (2) subkeys for signing commits/tags in Git, i.e., my freshly created RSA4096 signing-only key with the long ID B0##...
sec# ed25519/9F############## 2016-01-07 [expires: 2023-01-05]
Key fingerprint = FC08 HEX HEX HEX
uid [ultimate] MY NAME <MY.NAME@foo bar>
ssb rsa4096/C9############## 2016-01-07 [expires: 2022-01-05]
ssb ed25519/C6############## 2016-01-07 [expires: 2022-01-05]
ssb rsa4096/B0############## 2016-01-13 [expires: 2022-01-11]
I am working on a keyring with the master key removed (backed up away) as 'better key policy'.
So, I tried to set up the signing key for Git:
[user]
...
signingkey = B0##############
However, committing & signing fails with
> git commit -S -m "test commit"
gpg: skipped "B0##############": secret key not available
gpg: signing failed: secret key not available
error: gpg failed to sign the data
fatal: failed to write commit object
A gpg-agent is up and running.
My first guess was that Git does not understand the long key notation, so I tried the short one instead:
> gpg2 --list-secret-keys --keyid-format short
...
ssb rsa4096/DB###### 2016-01-13 [expires: 2022-01-11]
> ~/.gitconfig
[user]
...
signingkey = DB######
But that also failed:
> git commit -S -m "test commit short"
gpg: skipped "DB######": secret key not available
gpg: signing failed: secret key not available
error: gpg failed to sign the data
fatal: failed to write commit object
So, I wonder what breaks here and if maybe Git only would work with a master key for signing but does not understand the use of subkeys (or if I have screwed up myself somewhere)?
Git uses gpg by default, which is GnuPG 1 on most systems and does not support elliptic curve cryptography. As your primary key is an elliptic curve key, GnuPG 1 cannot use the key at all. You will be able to observe the same when trying to use the key with GnuPG (gpg --default-key key-id --sign).
Configure Git to use gpg2 instead, which is required to be at least GnuPG 2.1 (which you have, as you can use the elliptic curves key):
git config --global gpg.program gpg2
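
A diagnostic for the failure explained above, added here as an example and not part of the original answer: it resolves the program Git will invoke for signing, checks that it is at least GnuPG 2.1, and checks that this program can see the configured signing key. The function names and the RUN_CHECK variable are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch; function names and RUN_CHECK are hypothetical.

# Print the version from the first line of `gpg --version` output,
# e.g. "gpg (GnuPG) 1.4.20" -> "1.4.20".
gpg_version_from_banner() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Return 0 if a version string such as "2.1.11" is at least 2.1 (the
# minimum the answer names for elliptic-curve keys), 1 if older,
# 2 if it cannot be parsed.
gpg_version_supports_ecc() {
    case "$1" in
        *.*) major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*} ;;
        *)   return 2 ;;
    esac
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 1 ]; }
}

# Resolve what Git will actually run for -S and test it against the key.
check_git_signing() {
    prog=$(git config --get gpg.program || true)
    prog=${prog:-gpg}   # Git falls back to plain "gpg" when unset
    key=$(git config --get user.signingkey || true)
    banner=$("$prog" --version 2>/dev/null) || {
        echo "FAIL: cannot run '$prog'"; return 1; }
    ver=$(gpg_version_from_banner "$banner")
    echo "Git signs with: $prog (GnuPG $ver)"
    if ! gpg_version_supports_ecc "$ver"; then
        echo "FAIL: $prog predates 2.1 and cannot use an elliptic-curve key"
        echo "fix:  git config --global gpg.program gpg2"
        return 1
    fi
    [ -n "$key" ] || { echo "FAIL: user.signingkey is not set"; return 1; }
    if "$prog" --list-secret-keys "$key" >/dev/null 2>&1; then
        echo "OK: $prog can see a secret key matching $key"
    else
        echo "FAIL: $prog has no secret key matching $key"; return 1
    fi
}

# Run only on request:  RUN_CHECK=1 sh check-signing.sh
if [ "${RUN_CHECK:-0}" = 1 ]; then check_git_signing; fi
```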