From: shawn wilson <ag4ve.us@gmail.com>
To: Michael J Gruber <git@grubix.eu>
Cc: Git List <git@vger.kernel.org>
Subject: Re: signing commits using gpg2
Date: Tue, 5 Sep 2017 14:34:52 -0400
Message-ID: <CAH_OBickeYBWE-ygQY=pjh33_mFMXYqcwvVieRTA2cuCwzXcHA@mail.gmail.com>
In-Reply-To: <0e626914-05b1-651c-9c61-b1ef0b6c190a@grubix.eu>
Apparently you need to set GPG_TTY for git to work (I also set
gpg.program, so I know it shouldn't /need/ that variable set).
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840687#10
I'm not sure if there's anything that has been or can be done upstream to
make this easier (I feel this was a bigger PITA than it needed to be).
I'm on git 2.7.5 from Fedora.
On Tue, Sep 5, 2017 at 9:40 AM, Michael J Gruber <git@grubix.eu> wrote:
> shawn wilson venit, vidit, dixit 02.09.2017 23:11:
>> tl;dr - how do I get git to use gpg2 to sign things?
>>
>> I'm using gpg2 (so no agent options are configured but an agent is
>> running) which is configured w/ a Nitrokey (Pro if it matters):
>>
>> % git commit -m "Initial."
>>
>> gits/bash-libs (master ⚡) localhost
>> gpg: detected reader `Nitrokey Nitrokey Pro (000034670000000000000000) 00 00'
>> gpg: pcsc_connect failed: sharing violation (0x8010000b)
>> gpg: apdu_send_simple(0) failed: locking failed
>> Please insert the card and hit return or enter 'c' to cancel:
>> gpg: pcsc_connect failed: sharing violation (0x8010000b)
>> gpg: pcsc_connect failed: sharing violation (0x8010000b)
>> gpg: apdu_send_simple(0) failed: locking failed
>> Please insert the card and hit return or enter 'c' to cancel: c
>> gpg: selecting openpgp failed: general error
>> gpg: signing failed: general error
>> gpg: signing failed: general error
>> error: gpg failed to sign the data
>> fatal: failed to write commit object
>>
>> This works with gpg and ssh:
>
> Not really...
>
>> % touch foo
>>
>> ~ localhost
>> % gpg2 --sign foo
>
> ... because you're using gpg2, not gpg.
>
>>
>> ~ localhost
>> gpg: using "846FF490" as default secret key for signing
>> % cat foo*
>>
>> ~ localhost
>> -----BEGIN PGP MESSAGE-----
>> Version: GnuPG v2
>>
>> owEBuQFG/pANAwAKAYwdY7SEb/SQAcsJYgNmb29ZqxfviQGcBAABCgAGBQJZqxfv
>> AAoJEIwdY7SEb/SQAcEL/jonw+HymnlmfebtEwlvfx2Gl1Sbuw0xWWPpQ2Dtjljz
>> HtpD+LWczjpOSMTHFNK9xPR2kcs1WNY+mO8M45QI7iDgFkKRzaxEqeNUJkoyF/+I
>> 81VMmXDQMXFs4+8jy00b+UxTdvwdXaHMsOtu+6YCtmCR5Bzohg07ADsnXnGGn3Sd
>> WTjVMzV6Dlh8LRF+coGJ8JuErBsRAI6vdNgJRVHYBULGNXci4uF/4a+58uiTL4/U
>> PvC4ruXCNxCKi89nMERhwlnOvglseX3TDR5ldrc4Hzb+pLsj/l6N4sBW0Zmb8UcE
>> 9BG3WjOs4eZvnLmk5XHrwisD2CXuHvyWMl0yH7LTrg+m4Itj0PJ4Px4H9E5t/zfs
>> C1vcB/okcigeIyXnO06um02a5oZAYOKadB+6NRnBjULz5GvP2yxj/AO1VPmZprpt
>> budMuHZcA0zNE3uBmcnQY5+1tdkyTrlTxsL58lQrn/U3wvgah3AXMEvjRGqbYWHj
>> jDikQVJ7ESoevNqlfLPj8Q==
>> =hV6v
>> -----END PGP MESSAGE-----
>>
>> However, if I try this w/ the old gpg:
>>
>> % gpg -ae -o foo.gpg foo
>>
>> ~ localhost
>> % gpg -d foo.gpg
>>
>> ~ localhost
>> gpg: detected reader `Nitrokey Nitrokey Pro (000034670000000000000000) 00 00'
>> gpg: pcsc_connect failed: sharing violation (0x8010000b)
>> gpg: apdu_send_simple(0) failed: locking failed
>> Please insert the card and hit return or enter 'c' to cancel: c
>> gpg: selecting openpgp failed: general error
>> gpg: encrypted with 3072-bit RSA key, ID 41826CFB, created 2017-03-13
>> "Shawn Wilson <ag4ve.us@gmail.com>"
>> gpg: public key decryption failed: general error
>> gpg: decryption failed: secret key not available
>> % gpg2 -d foo.gpg
>>
>> ~ localhost
>> gpg: encrypted with 3072-bit RSA key, ID E27FA0B841826CFB, created 2017-03-13
>> "Shawn Wilson <ag4ve.us@gmail.com>"
>> foo
>>
>> (yeah I added data to the file)
>>
>> And just to prove basic competency checking:
>>
>> % git config --global -l | grep sign
>>
>> ~ localhost
>> user.signingkey=846FF490
>> filter.gitconfig-rmuser.clean=sed -e "s/^\( *email =\).*/\1 <email
>> address>/" -e "s/^\( *name =\).*/\1 <real name>/" -e "s/^\(
>> *signingkey =\).*/\1 <gpg key>/"
>> filter.gitconfig-rmuser.smudge=egrep "^ *(email|name|signingkey) = "
>> commit.gpgsign=true
>>
>
> So, gpg2 works and gpg does not. This is typical for the way in which
> the gpg upgrade path is broken, and your distro installs gpg because it
> still relies on it.
>
> git sees two executables, gpg and gpg2, and uses the first, so as to not
> migrate your secret key store inadvertently.
>
> Short answer: Use
>
> git config --global gpg.program gpg2
>
> to make git use gpg2, which apparently is your working gnupg setup.
>
> Michael
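A self-check for the two settings this thread ends up at, gpg.program and GPG_TTY, written as an added example and not code from either poster. It assumes a gitconfig in the INI layout git writes to ~/.gitconfig ([section] followed by key = value lines), POSIX sh with awk, and a signing binary on PATH; the script name and sample values are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: check the two settings the thread
# arrives at (gpg.program and GPG_TTY) and optionally run a signing self-test.
# Assumes a gitconfig in INI layout ([section] / key = value), POSIX sh and awk.
# Usage: sh check-signing.sh [path/to/gitconfig]   (script name is constructed)

# gitconfig_get FILE SECTION KEY
# Prints the value of SECTION.KEY from FILE. Section and key names are matched
# case-insensitively and the last occurrence wins, as with `git config --get`.
# Plain sections only; a subsection such as [gpg "x509"] is not matched.
gitconfig_get() {
  awk -v want_sec="$2" -v want_key="$3" '
    /^[[:space:]]*\[/ {                       # section header
      sec = $0
      sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
      sec = tolower(sec); next
    }
    /^[[:space:]]*[#;]/ { next }              # comment line
    tolower(want_sec) == sec {
      line = $0; sub(/^[[:space:]]*/, "", line)
      n = index(line, "=")
      if (n == 0) next
      key = substr(line, 1, n - 1); sub(/[[:space:]]*$/, "", key)
      if (tolower(key) == tolower(want_key)) {
        val = substr(line, n + 1)
        sub(/^[[:space:]]*/, "", val); sub(/[[:space:]]*$/, "", val)
        found = val                           # keep overwriting: last wins
      }
    }
    END { if (found != "") print found }
  ' "$1"
}

# signing_program FILE
# Prints the binary git will invoke for signatures: gpg.program if set, else "gpg".
signing_program() {
  p=$(gitconfig_get "$1" gpg program)
  printf '%s\n' "${p:-gpg}"
}

# check_gpg_tty VALUE
# Succeeds when a terminal is exported for pinentry (the GPG_TTY fix from the thread).
check_gpg_tty() {
  [ -n "$1" ]
}

# signing_self_test PROGRAM
# Signs constructed data with the same binary git would call. Returns 0 on a
# good signature, 1 if signing failed, 2 if PROGRAM is not installed.
signing_self_test() {
  command -v "$1" >/dev/null 2>&1 || return 2
  printf 'constructed self-test payload\n' |
    "$1" --batch --detach-sign --armor >/dev/null 2>&1
}

# report FILE: human-readable summary of the checks above
report() {
  prog=$(signing_program "$1")
  printf 'gpg.program     : %s\n' "$(gitconfig_get "$1" gpg program)"
  printf 'commit.gpgsign  : %s\n' "$(gitconfig_get "$1" commit gpgsign)"
  printf 'user.signingkey : %s\n' "$(gitconfig_get "$1" user signingkey)"
  if check_gpg_tty "${GPG_TTY:-}"; then
    printf 'GPG_TTY         : %s\n' "$GPG_TTY"
  else
    printf 'GPG_TTY         : unset (export GPG_TTY=$(tty) before running git)\n'
  fi
  rc=0; signing_self_test "$prog" || rc=$?
  case $rc in
    0) printf 'self-test       : %s signed OK\n' "$prog" ;;
    2) printf 'self-test       : %s not installed\n' "$prog" ;;
    *) printf 'self-test       : %s failed to sign\n' "$prog" ;;
  esac
}

# Run the report when executed directly (not when sourced for the functions).
case "${0##*/}" in check-signing.sh) report "${1:-$HOME/.gitconfig}" ;; esac
```

The parser reproduces the two behaviours of `git config` that matter when a config has been edited by hand: case-insensitive section and key names, and the last value winning when a key appears twice. The self-test deliberately uses the resolved gpg.program rather than a hard-coded `gpg2`, so it fails in the same way git would if the configured binary cannot reach the card or the agent.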
Thread overview: 4+ messages
2017-09-02 21:11 signing commits using gpg2 shawn wilson
2017-09-03 18:20 ` Santiago Torres
2017-09-05 13:40 ` Michael J Gruber
2017-09-05 18:34 ` shawn wilson [this message]