Re: Error when verifying tags signed using 1.7.3.1

[Michael J Gruber <git@drmicha.warpmail.net>]

Stephan Hugel venit, vidit, dixit 05.10.2010 15:28:
> On 5 October 2010 09:00, Michael J Gruber <git@drmicha.warpmail.net> wrote:
>> Stephan Hugel venit, vidit, dixit 05.10.2010 02:17:
>>> On 5 October 2010 00:59, Daniel Johnson <computerdruid@gmail.com> wrote:
>>>> On Monday 04 October 2010 19:04:51 Stephan Hugel wrote:
>>>>> Daniel,
>>>>> Those are the exact steps I'm using.
>>>>>
>>>>> When I run tag -v on existing tags, I don't see the
>>>>>
>>>>> -----BEGIN PGP MESSAGE-----
>>>>> Version: GnuPG v1.4.9 (Darwin)
>>>>>
>>>>> iD8DBQBMqlpo8Y2TgZsQ1pARAmBQAJ9NV0IX7jlzeB8ogddlutFKAjyWJwCfSI5A
>>>>> yZeXw/EddYrfdad/VvOrL1o=
>>>>> =/0PJ
>>>>> -----END PGP MESSAGE——
>>>>>
>>>>> block. It's only present on tags created using the current version.
>>>>> I've also just upgraded to GnuPG 1.4.10, but the result is the same.
>>>>> I'm not sure how else I can determine where the problem arises; I'm
>>>>> using the git and GnuPG versions for OS X built by homebrew, and GnuPG
>>>>> is happy to use the same key for en/decryption and signing. I've also
>>>>> verified that none of the subkeys are expired, and that the trust db
>>>>> is OK.
>>>>
>>>> If you have the tests available, can you try running t7004 to see if it fails
>>>> there too?
>>>>
>>> I rebuilt and installed from source
>>> Passed all 105 tests in t7004-tag.sh
>>> Problem remains with tags I create
>>>
>>> This would seem to imply a problem with my key, even though nothing
>>> else is complaining about it.
>>
>> Here's a very basic way to check: If foo is your tag, do
>>
>> git cat-file tag foo > a
>> git cat-file tag foo > a.sig
>>
>> From the file "a", delete the signature (everything lines between and
>> including "-----BEGIN/END PGP SIGNATURE-----"), invoking an editor or
>> your favorite sed/awk/perl magic.
>>
>> a is the data on which git invoked gpg for signing the tag. (I'm not
>> sure why gpg can't notice the inline sig directly but that doesn't
>> matter; maybe because it is none ;))
>>
>> Now, gpg --verify a.sig should check the signature a.sig for a. Doing
>> that, maybe with --verbose, you may find out whether the tag object is
>> bogus or git misunderstands gpg's response. If your key is on a key
>> server you can also share the file a.sig with us so that we can check.
>>
>> Michael
>>
> Michael,
> When I do this, gpg is able to verify the signature. So does this mean
> that gnupg is failing to ignore the PGP block (possibly because it
> expects "SIGNATURE", not "MESSAGE"?)

Do you have "MESSAGE" in there???

Can you share the output of "git verify-tag --verbose yourtag" with us?
In any case, this command should give the same as the edited "a" above
on stdout, and gpg's repsonse on stderr. It should not contain any
"----BEGIN/END...".

You haven't tinkered with your gpg options lately, have you? ;)

Michael