From: Michael J Gruber <git@drmicha.warpmail.net>
To: Stephan Hugel <urschrei@gmail.com>
Cc: Daniel Johnson <computerdruid@gmail.com>, git@vger.kernel.org
Subject: Re: Error when verifying tags signed using 1.7.3.1
Date: Tue, 05 Oct 2010 17:39:44 +0200
Message-ID: <4CAB46C0.9000807@drmicha.warpmail.net>
In-Reply-To: <AANLkTinqZddKc5ikVBnm+rqFFWtSy7DuByuPK58B4UEt@mail.gmail.com>

Stephan Hugel venit, vidit, dixit 05.10.2010 17:19:
> On 5 October 2010 16:07, Michael J Gruber <git@drmicha.warpmail.net> wrote:
>> Stephan Hugel venit, vidit, dixit 05.10.2010 15:28:
>>> On 5 October 2010 09:00, Michael J Gruber <git@drmicha.warpmail.net> wrote:
>>>> Stephan Hugel venit, vidit, dixit 05.10.2010 02:17:
>>>>> On 5 October 2010 00:59, Daniel Johnson <computerdruid@gmail.com> wrote:
>>>>>> On Monday 04 October 2010 19:04:51 Stephan Hugel wrote:
>>>>>>> Daniel,
>>>>>>> Those are the exact steps I'm using.
>>>>>>>
>>>>>>> When I run tag -v on existing tags, I don't see the
>>>>>>>
>>>>>>> -----BEGIN PGP MESSAGE-----
>>>>>>> Version: GnuPG v1.4.9 (Darwin)
>>>>>>>
>>>>>>> iD8DBQBMqlpo8Y2TgZsQ1pARAmBQAJ9NV0IX7jlzeB8ogddlutFKAjyWJwCfSI5A
>>>>>>> yZeXw/EddYrfdad/VvOrL1o=
>>>>>>> =/0PJ
>>>>>>> -----END PGP MESSAGE-----
>>>>>>>
>>>>>>> block. It's only present on tags created using the current version.
>>>>>>> I've also just upgraded to GnuPG 1.4.10, but the result is the same.
>>>>>>> I'm not sure how else I can determine where the problem arises; I'm
>>>>>>> using the git and GnuPG versions for OS X built by homebrew, and GnuPG
>>>>>>> is happy to use the same key for en/decryption and signing. I've also
>>>>>>> verified that none of the subkeys are expired, and that the trust db
>>>>>>> is OK.
>>>>>>
>>>>>> If you have the tests available, can you try running t7004 to see if it fails
>>>>>> there too?
>>>>>>
>>>>> I rebuilt and installed from source
>>>>> Passed all 105 tests in t7004-tag.sh
>>>>> Problem remains with tags I create
>>>>>
>>>>> This would seem to imply a problem with my key, even though nothing
>>>>> else is complaining about it.
>>>>
>>>> Here's a very basic way to check: If foo is your tag, do
>>>>
>>>> git cat-file tag foo > a
>>>> git cat-file tag foo > a.sig
>>>>
>>>> From the file "a", delete the signature (all lines between and
>>>> including "-----BEGIN/END PGP SIGNATURE-----"), invoking an editor or
>>>> your favorite sed/awk/perl magic.
>>>>
>>>> a is the data on which git invoked gpg for signing the tag. (I'm not
>>>> sure why gpg can't notice the inline sig directly but that doesn't
>>>> matter; maybe because it is none ;))
>>>>
>>>> Now, gpg --verify a.sig should check the signature a.sig for a. Doing
>>>> that, maybe with --verbose, you may find out whether the tag object is
>>>> bogus or git misunderstands gpg's response. If your key is on a key
>>>> server you can also share the file a.sig with us so that we can check.
>>>>
>>>> Michael
>>>>
>>> Michael,
>>> When I do this, gpg is able to verify the signature. So does this mean
>>> that gnupg is failing to ignore the PGP block (possibly because it
>>> expects "SIGNATURE", not "MESSAGE"?)
>>
>> Do you have "MESSAGE" in there???
>>
>> Can you share the output of "git verify-tag --verbose yourtag" with us?
>> In any case, this command should give the same as the edited "a" above
>> on stdout, and gpg's response on stderr. It should not contain any
>> "----BEGIN/END...".
>>
>> You haven't tinkered with your gpg options lately, have you? ;)
>>
>> Michael
>>
> 
> Michael,
> Yes, it's "MESSAGE".
> Here's the complete process:
> 
> $ git --version
> git version 1.7.3.1
> 
> $ git tag -s test_tag
> 
> [editor opens, I enter message, save, close]
> 
> You need a passphrase to unlock the secret key for
> user: "Stephan Hugel <urschrei@gmail.com>"
> 1024-bit DSA key, ID 9B10D690, created 2008-09-06
> 
> [I enter passphrase]
> 
> [process completes]
> 
> $ git verify-tag --verbose test_tag
> object 791abd4848d86ea98071f35bbce4d4b274ef0788
> type commit
> tag test_tag
> tagger Stephan Hügel <urschrei@gmail.com> 1286291263 +0100
> 
> Test tag
> -----BEGIN PGP MESSAGE-----
> Version: GnuPG v1.4.10 (Darwin)
> 
> iD8DBQBMqz9G8Y2TgZsQ1pARAh2bAJ0WuNWsNa+eJq3aYMlwvOFX5eRUngCfZAcM
> hnt1Aomaz5SY0yofv9BwGWg=
> =+AKs
> -----END PGP MESSAGE-----
> gpg: Signature made Tue  5 Oct 16:07:50 2010 IST using DSA key ID 9B10D690
> gpg: BAD signature from "Stephan Hugel <urschrei@gmail.com>"
> 
> 
> Now, if I manually append the tag contents to a file:
> 
> $ git cat-file tag test_tag > a
> $ git cat-file tag test_tag > a.sig
> $ less a.sig
> 
> object 791abd4848d86ea98071f35bbce4d4b274ef0788
> type commit
> tag test_tag
> tagger Stephan Hügel <urschrei@gmail.com> 1286291263 +0100
> 
> Test tag
> -----BEGIN PGP MESSAGE-----
> Version: GnuPG v1.4.10 (Darwin)
> 
> iD8DBQBMqz9G8Y2TgZsQ1pARAh2bAJ0WuNWsNa+eJq3aYMlwvOFX5eRUngCfZAcM
> hnt1Aomaz5SY0yofv9BwGWg=
> =+AKs
> -----END PGP MESSAGE-----
> 
> [remove PGP block (identical to the above block) from a]
> 
> $ gpg --verify a.sig
> gpg: Signature made Tue  5 Oct 16:07:50 2010 IST using DSA key ID 9B10D690
> gpg: Good signature from "Stephan Hugel <urschrei@gmail.com>"
> 
> I've also just had a look at my gnupg.conf: the only options in it are:
> default-key 9B10D690
> charset utf8
> keyserver hkp://keyserver.ubuntu.com
> auto-key-locate hkp://keyserver.ubuntu.com
> utf8-strings
> rfc1991
> 
> Nothing else.

The last one is the troublemaker, and you must have added it around the
time of upgrading git...

Now, git should be able to cope with that, of course.

Michael
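
The manual check described in this thread (strip the armor block from the tag, then give gpg the payload and the signature separately), as an added shell example that is not part of the original message or of git's code. It accepts both armor headers seen above, SIGNATURE and the MESSAGE form that appeared with the rfc1991 option; the function names and the sample tag are constructed for illustration.

```shell
#!/bin/sh
# Added example (not git's code): split a tag object, as printed by
# `git cat-file tag <name>`, into signed payload and armored signature.

# make_sample_tag KIND OUT: write a constructed tag whose armor header uses
# KIND (SIGNATURE or MESSAGE). The armor body is a placeholder, not a real sig.
make_sample_tag() {
    cat > "$2" <<EOF
object 0000000000000000000000000000000000000000
type commit
tag sample_tag
tagger A U Thor <author@example.com> 1286291263 +0100

Sample tag
-----BEGIN PGP $1-----
Version: constructed-sample

PLACEHOLDERPLACEHOLDER=
-----END PGP $1-----
EOF
}

# armor_kind TAGFILE: print SIGNATURE, MESSAGE or none for the first armor
# header line found, so rfc1991-style tags can be spotted.
armor_kind() {
    awk '
        /^-----BEGIN PGP SIGNATURE-----$/ { print "SIGNATURE"; found = 1; exit }
        /^-----BEGIN PGP MESSAGE-----$/   { print "MESSAGE"; found = 1; exit }
        END { if (!found) print "none" }
    ' "$1"
}

# split_tag TAGFILE PAYLOAD_OUT SIG_OUT: everything before the armor header
# goes to PAYLOAD_OUT, the armor block to SIG_OUT. Returns 1 if unsigned.
split_tag() {
    awk -v payload="$2" -v sig="$3" '
        BEGIN { printf "" > payload; printf "" > sig }
        !insig && /^-----BEGIN PGP (SIGNATURE|MESSAGE)-----$/ { insig = 1 }
        { print > (insig ? sig : payload) }
        END { exit (insig ? 0 : 1) }
    ' "$1"
}
```

On a real tag, `gpg --verify tag.sig tag.payload` then checks the detached signature against the payload, the same comparison as the `gpg --verify a.sig` step in the transcript above.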
