
I am trying to enable gpg commit signing on my mac. I have successfully signed one commit and then tried to do it again and ever since I can't get it to work properly again. Every time it says Bad Signature even though the KEY ID is the same.

I can normally sign regular text files etc. without problems - git is the only one making such weird exceptions.

Any help is appreciated - Thanks!

commit 2cce84252649442b2b1700986f969fd70d8d7dbc (HEAD -> move-to-docker)
gpg: Signatur vom Di 14 Jun 07:30:19 2022 CEST
gpg:                mittels EDDSA-Schlüssel C84C8DAA9C25D70F553262EE4584796C0B3C2855
gpg: FALSCHE Signatur von "Nick Wassermann (Root SSH User) <nick.wassermann@mail.at>" [unbekannt]
Author: Nick Wassermann <nick.wassermann@mail.at>
Date:   Tue Jun 14 07:30:19 2022 +0200

    tte

commit 3ad84f737e7d1f42907cb55b11482c7d5558adaf
gpg: Signatur vom Mo 13 Jun 09:23:06 2022 CEST
gpg:                mittels EDDSA-Schlüssel C84C8DAA9C25D70F553262EE4584796C0B3C2855
gpg: Korrekte Signatur von "Nick Wassermann (Root SSH User) <nick.wassermann@mail.at>" [unbekannt]
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck  = 90C6 F702 31A1 7582 98B3  C94C 1779 A12E 703B D538
Unter-Fingerabdruck  = C84C 8DAA 9C25 D70F 5532  62EE 4584 796C 0B3C 2855
Author: Nick Wassermann <nick.wassermann@mail.at>
Date:   Mon Jun 13 09:23:06 2022 +0200

    added comment

2 Answers


Double-check the GitLab sign commit (with GPG) process:

To sign commits, you must configure both your local machine and your GitLab account:

  • Create a GPG key.
  • Add a GPG key to your account.
  • Associate your GPG key with Git.
  • Sign your Git commits.

Note the email must match a verified email address in your GitLab account.
And check your key ID (`git config --global user.signingkey`).

As an alternative, you can also consider signing your commits with X.509 certificates.

VonC
  • I did, and the first commit got correctly signed by git, but the second one gets signed but git always complains bad signature (`FALSCHE Signatur`, it's German..) – Nick Wassermann Jun 14 '22 at 08:39
  • @NickWassermann OK. Maybe this is because you have [not trusted your key yet](https://security.stackexchange.com/q/147447)? – VonC Jun 14 '22 at 08:41
  • When I run `gpg --export-ownertrust` I get the fingerprint with the trust level of 6. The part that drives me crazy is that the EDDSA key values are the same. – Nick Wassermann Jun 14 '22 at 08:43
  • @NickWassermann Try and [edit your key](https://www.gnupg.org/gph/en/manual/x334.html), just to double-check its trust level. – VonC Jun 14 '22 at 08:45
  • I did, but unfortunately it didn't change the outcome of trying to sign a commit – Nick Wassermann Jun 14 '22 at 09:10
  • @NickWassermann What version of Git are you using? – VonC Jun 14 '22 at 09:12
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/245586/discussion-between-vonc-and-nick-wassermann). – VonC Jun 14 '22 at 09:12

See GitLab 15.7 (December 2022), which proposes an alternative approach, simpler than GPG:

Sign commits with your SSH key

Signing commits just got a lot simpler. Use SSH keys to sign commits, and provide others with confidence that a Verified commit was authored by you.

Previous methods for signing commits required a GPG key or an X.509 certificate, neither of which can be used to sign in to GitLab. Adding support for commit signing with SSH keys now makes it possible to reuse your authentication key pair to also sign your commits. If you already authenticate to GitLab with an SSH key, add three lines of code to your local Git configuration and all your future commits will be signed.

By default, all SSH keys currently in your profile can be used for both authentication and signing commits. To use a key for only one of the purposes, upload a new key.


See Documentation and Issue.

VonC