4

I've been attempting to get git working with a gpg key and after lots of searching and reading of posts, the only thing that works for me is this:

sudo rm /usr/local/bin/gpgsm
ln -s /usr/local/bin/gpg /usr/local/bin/gpgsm

This tricks git into running a gpg command instead of a gpgsm command as seen here:

GIT_TRACE=1 git commit -S -m"test"
21:24:25.489158 git.c:418               trace: built-in: git commit -S -mtest
21:24:25.493338 run-command.c:643       trace: run_command: gpgsm --status-fd=2 -bsau myKey
error: gpg failed to sign the data
fatal: failed to write commit object

I can't find any additional information on why git is running a gpgsm command, as running the command by itself yields:

gpgsm --status-fd=2 -bsau myKey
gpgsm: can't sign using 'myKey': No public key
[GNUPG:] INV_SGNR 1 myKey
[GNUPG:] INV_RECP 1 myKey

Which seems to make sense as I read gpg and gpgsm's DBs are separate.

gpgsm keys don't appear to be what git wants to use either, based on their need for CN and DNS entries. Happy to be shown wrong here as I'd rather not use my symlink hack.

Environment details:

  • gpg installed via homebrew, version 2.2.11
  • Adding no-tty to ~/.gnupg/gpg.conf actually made things worse for me.
  • I've restarted after changes to ensure gpg agents die.
  • The contents of ~/.gnupg/gpg-agent.conf is: pinentry-program /usr/local/bin/pinentry
  • Is it your goal to use OpenPGP (the default `gpg` binary) or CMS (the `gpgsm` binary)? Also, which Git version are you using? – bk2204 Dec 14 '18 at 23:35
  • I'd like to use `gpg` as that appears to be what github supports, although I may be incorrect in assuming it doesn't support `gpgsm`. I am open to working with whatever gets to me to a spot where I don't need the symlink hack. My git version is `2.20.0`. – Richard Geniesse Dec 16 '18 at 04:19
  • If you use the plain `gpg` binary (without the symlink hack), what output do you get? Also, what output do you get with the real gpg if you run `touch /tmp/foo && gpg --status-fd=2 -bsa /tmp/foo` to sign an empty file? – bk2204 Dec 17 '18 at 12:09
  • Apologies for the bad formatting. Output: `gpg gpg: WARNING: no command supplied. Trying to guess what you mean ... gpg: Go ahead and type your message ...` Second command: `touch /tmp/foo && gpg --status-fd=2 -bsa /tmp/foo [GNUPG:] KEY_CONSIDERED FC660649664B0D5D12EE7B63B209F8077D754B33 0 [GNUPG:] KEY_CONSIDERED FC660649664B0D5D12EE7B63B209F8077D754B33 2 [GNUPG:] BEGIN_SIGNING H8 [GNUPG:] PINENTRY_LAUNCHED 2111 curses 1.1.0 /dev/ttys006 xterm- 256color - [GNUPG:] SIG_CREATED D 1 8 00 1545082985 FC660649664B0D5D12EE7B63B209F8077D754B33` – Richard Geniesse Dec 17 '18 at 22:09

2 Answers

3

I was able to find the problem when I stumbled upon this explanation of git's gpg.format config. Apparently it supports both "openpgp" which runs gpg and "x509" which runs gpgsm. Running the following command resulted in git commit -S using gpg instead of gpgsm.

git config --global gpg.format openpgp

You can confirm the format is what you expect by looking at the full config via

git config -l --show-origin | grep gpg.format
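As an added example (not code from the question or the answer above), the following POSIX shell script reproduces Git's documented resolution of the signing backend from a `git config -l` dump, which is the check the answer recommends and the reason behind the `gpgsm` call in the question's `GIT_TRACE` output: `gpg.format` (default `openpgp`) selects the backend, `gpg.<format>.program` overrides the binary for that backend, and the legacy `gpg.program` is honoured only for `openpgp`. The sample configuration text is constructed; the default binaries `gpg` and `gpgsm` are Git's documented defaults; the order in which `gpg.openpgp.program` and `gpg.program` are consulted is an assumption (Git treats them as synonyms, last one set wins); only the two formats named on the page are modelled.

```shell
#!/bin/sh
# Added example (not code from the question or answer): work out which
# signing program Git will launch from the output of `git config -l`.
# Precedence follows Git's documentation:
#   gpg.format (default openpgp) chooses the backend;
#   gpg.<format>.program overrides that backend's binary;
#   gpg.program is a legacy synonym honoured only for openpgp.
# Default binaries (gpg, gpgsm) are Git's documented defaults.

# Constructed sample: a gpg.program pointing at gpg does not help once
# gpg.format is x509, which matches the trace shown in the question.
SAMPLE_CONFIG='user.signingkey=myKey
gpg.program=/usr/local/bin/gpg
gpg.format=x509
commit.gpgsign=true'

# config_value KEY CONFIG_TEXT
# Prints the last value of KEY in CONFIG_TEXT (Git: later scopes win);
# prints nothing when the key is absent. Values may themselves contain '='.
config_value() {
    printf '%s\n' "$2" | awk -F= -v k="$1" \
        '$1 == k { v = substr($0, length(k) + 2) } END { print v }'
}

# resolve_signer CONFIG_TEXT
# Prints "<format> <program>", or fails for a format this script does not model.
resolve_signer() {
    cfg=$1
    format=$(config_value gpg.format "$cfg")
    format=${format:-openpgp}
    case $format in
        openpgp)
            # Assumption: gpg.openpgp.program checked before legacy gpg.program
            # (Git treats them as synonyms; whichever is set last wins).
            prog=$(config_value gpg.openpgp.program "$cfg")
            [ -n "$prog" ] || prog=$(config_value gpg.program "$cfg")
            prog=${prog:-gpg}
            ;;
        x509)
            prog=$(config_value gpg.x509.program "$cfg")
            prog=${prog:-gpgsm}
            ;;
        *)
            printf 'unsupported gpg.format: %s\n' "$format" >&2
            return 1
            ;;
    esac
    printf '%s %s\n' "$format" "$prog"
}

# signer_available PROGRAM: succeeds if the resolved binary is on PATH
signer_available() {
    command -v "$1" >/dev/null 2>&1
}

# Stand-alone run: report the resolved signer for the constructed sample.
main() {
    result=$(resolve_signer "$SAMPLE_CONFIG") || exit 1
    printf 'git will sign with: %s\n' "$result"
    prog=${result#* }
    if signer_available "$prog"; then
        printf '%s found on PATH\n' "$prog"
    else
        printf '%s not found on PATH: check gpg.format and gpg.%s.program\n' \
            "$prog" "${result%% *}"
    fi
}
main
```

To check a real machine, replace `SAMPLE_CONFIG` with `$(git config -l)`: because that listing already merges the system, global and repository scopes in the order Git reads them, taking the last value of each key reproduces Git's own choice. A result of `x509 gpgsm` while `gpg.program` points at `gpg` is the situation described in the comments, where the program setting looked right but the format setting was selecting the other backend.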
0

Since Git's trying to use gpgsm, it's likely that you have some sort of configuration that's set to use gpgsm as the program to sign things. You probably want to run git config -l --show-origin and see if there's an option set to make Git use gpgsm. You can search for gpg, as all of the options are set under that top-level section.

bk2204
  • That's my thinking as well, but I just can't find where it is set. Running the provided command shows `gpg` as my program both globally and within my test repo, while that `git` debug command continues to try and run `gpgsm`. I also get no `grep` hits for `gpgsm` when running the `git` global config showing. Very strange. I am going to see about comparing to some colleague setups. Thank you for the assistance though; this is going to be something odd and I'll be sure to update if/when I find it. – Richard Geniesse Dec 21 '18 at 19:50