git@vger.kernel.org mailing list mirror (one of many)
* Git uses wrong subkey for signing commits with GPG key
@ 2018-01-13  0:09 Andrzej Ośmiałowski
  2018-01-13  0:22 ` Todd Zullinger
  0 siblings, 1 reply; 5+ messages in thread
From: Andrzej Ośmiałowski @ 2018-01-13  0:09 UTC (permalink / raw)
  To: git

I have an issue with git and signing commits with GPG subkey.

My setup:
- master key used for certification only
- subkey for my main workstation
- subkey for my mobile workstation (a notebook).

Both subkeys are used for signing only.

I've configured git to use my specific subkey however it does not
work: git config --global user.signingkey = KEYID. Every commit is
being signed using the newest subkey. I've verified the same behavior
on three systems (although with the same setup). I've tried to use
--gpg-sign=KEYID flag, but it does not work either.

Environment:
OS: Archlinux
Shell: ZSH
GPG: 2.2.4
Git: 2.15.1.

Is there any other info I shall provide?


* Re: Git uses wrong subkey for signing commits with GPG key
  2018-01-13  0:09 Git uses wrong subkey for signing commits with GPG key Andrzej Ośmiałowski
@ 2018-01-13  0:22 ` Todd Zullinger
  2018-01-13 12:40   ` Andrzej Ośmiałowski
  0 siblings, 1 reply; 5+ messages in thread
From: Todd Zullinger @ 2018-01-13  0:22 UTC (permalink / raw)
  To: Andrzej Ośmiałowski; +Cc: git

Hi Andrzej,

Andrzej Ośmiałowski wrote:
> I have an issue with git and signing commits with GPG subkey.
> 
> My setup:
> - master key used for certification only
> - subkey for my main workstation
> - subkey for my mobile workstation (a notebook).
> 
> Both subkeys are used for signing only.
> 
> I've configured git to use my specific subkey however it does not
> work: git config --global user.signingkey = KEYID. Every commit is
> being signed using the newest subkey. I've verified the same behavior
> on three systems (although with the same setup). I've tried to use
> --gpg-sign=KEYID flag, but it does not work either.

I could be wrong, but I think you need to append '!' to
KEYID to force gpg to use that specific signing subkey.

-- 
Todd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A vacuum is a hell of a lot better than some of the stuff that nature
replaces it with.
    -- Tennessee Williams



* Re: Git uses wrong subkey for signing commits with GPG key
  2018-01-13  0:22 ` Todd Zullinger
@ 2018-01-13 12:40   ` Andrzej Ośmiałowski
  2018-01-13 17:25     ` Todd Zullinger
  0 siblings, 1 reply; 5+ messages in thread
From: Andrzej Ośmiałowski @ 2018-01-13 12:40 UTC (permalink / raw)
  To: Todd Zullinger; +Cc: git

Hi Todd,

On Sat, Jan 13, 2018 at 1:22 AM, Todd Zullinger <tmz@pobox.com> wrote:
> Hi Andrzej,
>
> Andrzej Ośmiałowski wrote:
>> I have an issue with git and signing commits with GPG subkey.
>>
>> My setup:
>> - master key used for certification only
>> - subkey for my main workstation
>> - subkey for my mobile workstation (a notebook).
>>
>> Both subkeys are used for signing only.
>>
>> I've configured git to use my specific subkey however it does not
>> work: git config --global user.signingkey = KEYID. Every commit is
>> being signed using the newest subkey. I've verified the same behavior
>> on three systems (although with the same setup). I've tried to use
>> --gpg-sign=KEYID flag, but it does not work either.
>
> I could be wrong, but I think you need to append '!' to
> KEYID to force gpg to use that specific signing subkey.
>
> --
> Todd
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> A vacuum is a hell of a lot better than some of the stuff that nature
> replaces it with.
>     -- Tennessee Williams
>

Thanks for the reply. You just solved my issue. I will prepare a PR to the
docs to add relevant information.


* Re: Git uses wrong subkey for signing commits with GPG key
  2018-01-13 12:40   ` Andrzej Ośmiałowski
@ 2018-01-13 17:25     ` Todd Zullinger
  2018-01-16 18:23       ` Junio C Hamano
  0 siblings, 1 reply; 5+ messages in thread
From: Todd Zullinger @ 2018-01-13 17:25 UTC (permalink / raw)
  To: Andrzej Ośmiałowski; +Cc: git

Andrzej Ośmiałowski wrote:
> On Sat, Jan 13, 2018 at 1:22 AM, Todd Zullinger <tmz@pobox.com> wrote:
>> I could be wrong, but I think you need to append '!' to
>> KEYID to force gpg to use that specific signing subkey.
[...]
> Thanks for the reply. You just solved my issue. I will prepare a PR to the
> docs to add relevant information.

Glad it helped.  The git-tag documentation points to
git-config and the user.signingKey variable in the
CONFIGURATION section.  The git-config documentation for
that variable currently says:

    If linkgit:git-tag[1] or linkgit:git-commit[1] is not selecting the
    key you want it to automatically when creating a signed tag or
    commit, you can override the default selection with this variable.
    This option is passed unchanged to gpg's --local-user parameter,
    so you may specify a key using any method that gpg supports.

Whether that can be improved without being too verbose (or
duplicating too much of the gpg documentation), I don't
know.

Maybe it could point to the gpg documentation, though that
can be in gpg(1), gpg1(1), or gpg2(1), depending on how
their system installs gpg.

The online link covering the many formats that gpg accepts
for the --local-user (-u) option is:

    https://www.gnupg.org/documentation/manuals/gnupg/Specify-a-User-ID.html

-- 
Todd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It is impossible to enjoy idling thoroughly unless one has plenty of
work to do.
    -- Jerome K. Jerome
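
Added example, not part of the original messages or of Git's or GnuPG's own code: a check that a key ID really is a usable signing subkey before pinning it with the trailing '!', and that a commit was then signed by that subkey rather than the newest one. The key listings, status lines, key IDs and fingerprints are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed `gpg --list-keys --with-colons` output: a certify-only primary
# key and two signing subkeys. All key IDs and fingerprints are made up.
SAMPLE_KEYS='pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::cC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
sub:u:4096:1:1111111111111111:1500000100::::::s:
fpr:::::::::1111111111111111111111111111111111111111:
sub:u:4096:1:2222222222222222:1510000000::::::s:
fpr:::::::::2222222222222222222222222222222222222222:'

# Constructed `git verify-commit --raw` status output for a commit that was
# signed by the newer subkey (2222...), as in the report above.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2222222222222222 Constructed User <user@example.invalid>
[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2018-01-13 1515801600 0 4 0 1 8 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

# signingkey_value KEYID < colon-listing
# Prints "KEYID!" when KEYID is a subkey with the sign capability (field 12)
# that is neither revoked nor expired (field 2); fails otherwise.
signingkey_value() {
    awk -F: -v id="$1" '
        $1 == "sub" && $5 == id && $12 ~ /s/ && $2 !~ /[re]/ { print id "!"; ok = 1 }
        END { exit !ok }'
}

# signer_fpr < status-lines
# Prints the fingerprint of the key that made the signature: the first
# argument of VALIDSIG (the primary key fingerprint is the last one).
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; ok = 1 } END { exit !ok }'
}

# signed_by_expected FPR < status-lines
# Succeeds only when the signature is valid and was made by exactly FPR.
signed_by_expected() {
    [ "$(signer_fpr)" = "$1" ]
}

# Real use (not run here; SUBKEYID and SUBKEYFPR are placeholders):
#   gpg --list-keys --with-colons | signingkey_value SUBKEYID
#   git config --global user.signingkey 'SUBKEYID!'
#   git verify-commit --raw HEAD 2>&1 | signed_by_expected SUBKEYFPR
printf '%s\n' "$SAMPLE_KEYS" | signingkey_value 1111111111111111
printf '%s\n' "$SAMPLE_STATUS" | signed_by_expected 1111111111111111111111111111111111111111 ||
    echo "commit was signed by $(printf '%s\n' "$SAMPLE_STATUS" | signer_fpr), not the expected subkey"
```
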



* Re: Git uses wrong subkey for signing commits with GPG key
  2018-01-13 17:25     ` Todd Zullinger
@ 2018-01-16 18:23       ` Junio C Hamano
  0 siblings, 0 replies; 5+ messages in thread
From: Junio C Hamano @ 2018-01-16 18:23 UTC (permalink / raw)
  To: Todd Zullinger; +Cc: Andrzej Ośmiałowski, git

Todd Zullinger <tmz@pobox.com> writes:

> Glad it helped.  The git-tag documentation points to
> git-config and the user.signingKey variable in the
> CONFIGURATION section.  The git-config documentation for
> that variable currently says:
> ...
>     so you may specify a key using any method that gpg supports.
>
> Whether that can be improved without being too verbose (or
> duplicating too much of the gpg documentation), I don't
> know.

Yeah, I personally do not want to see Git's documentation sound more
authoritative than it actually is wrt how to use software from other
people, especially given that we do not have volunteers who will
closely be keeping track of their changes in order to update our
documentation.  So "any method that gpg supports" is a good place to
stop from that point of view.  "See documentation for the version of
PGP software you use for details." is not a bad thing to add without
risking to go stale, though.

