git@vger.kernel.org mailing list mirror (one of many)
From: Stephan Hugel <urschrei@gmail.com>
To: Michael J Gruber <git@drmicha.warpmail.net>
Cc: Daniel Johnson <computerdruid@gmail.com>, git@vger.kernel.org
Subject: Re: Error when verifying tags signed using 1.7.3.1
Date: Tue, 5 Oct 2010 16:19:55 +0100
Message-ID: <AANLkTinqZddKc5ikVBnm+rqFFWtSy7DuByuPK58B4UEt@mail.gmail.com>
In-Reply-To: <4CAB3F1F.4030108@drmicha.warpmail.net>

On 5 October 2010 16:07, Michael J Gruber <git@drmicha.warpmail.net> wrote:
> Stephan Hugel venit, vidit, dixit 05.10.2010 15:28:
>> On 5 October 2010 09:00, Michael J Gruber <git@drmicha.warpmail.net> wrote:
>>> Stephan Hugel venit, vidit, dixit 05.10.2010 02:17:
>>>> On 5 October 2010 00:59, Daniel Johnson <computerdruid@gmail.com> wrote:
>>>>> On Monday 04 October 2010 19:04:51 Stephan Hugel wrote:
>>>>>> Daniel,
>>>>>> Those are the exact steps I'm using.
>>>>>>
>>>>>> When I run tag -v on existing tags, I don't see the
>>>>>>
>>>>>> -----BEGIN PGP MESSAGE-----
>>>>>> Version: GnuPG v1.4.9 (Darwin)
>>>>>>
>>>>>> iD8DBQBMqlpo8Y2TgZsQ1pARAmBQAJ9NV0IX7jlzeB8ogddlutFKAjyWJwCfSI5A
>>>>>> yZeXw/EddYrfdad/VvOrL1o=
>>>>>> =/0PJ
>>>>>> -----END PGP MESSAGE-----
>>>>>>
>>>>>> block. It's only present on tags created using the current version.
>>>>>> I've also just upgraded to GnuPG 1.4.10, but the result is the same.
>>>>>> I'm not sure how else I can determine where the problem arises; I'm
>>>>>> using the git and GnuPG versions for OS X built by homebrew, and GnuPG
>>>>>> is happy to use the same key for en/decryption and signing. I've also
>>>>>> verified that none of the subkeys are expired, and that the trust db
>>>>>> is OK.
>>>>>
>>>>> If you have the tests available, can you try running t7004 to see if it fails
>>>>> there too?
>>>>>
>>>> I rebuilt and installed from source
>>>> Passed all 105 tests in t7004-tag.sh
>>>> Problem remains with tags I create
>>>>
>>>> This would seem to imply a problem with my key, even though nothing
>>>> else is complaining about it.
>>>
>>> Here's a very basic way to check: If foo is your tag, do
>>>
>>> git cat-file tag foo > a
>>> git cat-file tag foo > a.sig
>>>
>>> From the file "a", delete the signature (all lines between and
>>> including "-----BEGIN/END PGP SIGNATURE-----"), invoking an editor or
>>> your favorite sed/awk/perl magic.
>>>
>>> a is the data on which git invoked gpg for signing the tag. (I'm not
>>> sure why gpg can't notice the inline sig directly but that doesn't
>>> matter; maybe because it is none ;))
>>>
>>> Now, gpg --verify a.sig should check the signature a.sig for a. Doing
>>> that, maybe with --verbose, you may find out whether the tag object is
>>> bogus or git misunderstands gpg's response. If your key is on a key
>>> server you can also share the file a.sig with us so that we can check.
>>>
>>> Michael
>>>
>> Michael,
>> When I do this, gpg is able to verify the signature. So does this mean
>> that gnupg is failing to ignore the PGP block (possibly because it
>> expects "SIGNATURE", not "MESSAGE"?)
>
> Do you have "MESSAGE" in there???
>
> Can you share the output of "git verify-tag --verbose yourtag" with us?
> In any case, this command should give the same as the edited "a" above
> on stdout, and gpg's response on stderr. It should not contain any
> "----BEGIN/END...".
>
> You haven't tinkered with your gpg options lately, have you? ;)
>
> Michael
>

Michael,
Yes, it's "MESSAGE".
Here's the complete process:

$ git --version
git version 1.7.3.1

$ git tag -s test_tag

[editor opens, I enter message, save, close]

You need a passphrase to unlock the secret key for
user: "Stephan Hugel <urschrei@gmail.com>"
1024-bit DSA key, ID 9B10D690, created 2008-09-06

[I enter passphrase]

[process completes]

$ git verify-tag --verbose test_tag
object 791abd4848d86ea98071f35bbce4d4b274ef0788
type commit
tag test_tag
tagger Stephan Hügel <urschrei@gmail.com> 1286291263 +0100

Test tag
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.10 (Darwin)

iD8DBQBMqz9G8Y2TgZsQ1pARAh2bAJ0WuNWsNa+eJq3aYMlwvOFX5eRUngCfZAcM
hnt1Aomaz5SY0yofv9BwGWg=
=+AKs
-----END PGP MESSAGE-----
gpg: Signature made Tue  5 Oct 16:07:50 2010 IST using DSA key ID 9B10D690
gpg: BAD signature from "Stephan Hugel <urschrei@gmail.com>"


Now, if I manually append the tag contents to a file:

$ git cat-file tag test_tag > a
$ git cat-file tag test_tag > a.sig
$ less a.sig

object 791abd4848d86ea98071f35bbce4d4b274ef0788
type commit
tag test_tag
tagger Stephan Hügel <urschrei@gmail.com> 1286291263 +0100

Test tag
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.10 (Darwin)

iD8DBQBMqz9G8Y2TgZsQ1pARAh2bAJ0WuNWsNa+eJq3aYMlwvOFX5eRUngCfZAcM
hnt1Aomaz5SY0yofv9BwGWg=
=+AKs
-----END PGP MESSAGE-----

[remove PGP block (identical to the above block) from a]

$ gpg --verify a.sig
gpg: Signature made Tue  5 Oct 16:07:50 2010 IST using DSA key ID 9B10D690
gpg: Good signature from "Stephan Hugel <urschrei@gmail.com>"

I've also just had a look at my gnupg.conf: the only options in it are:
default-key 9B10D690
charset utf8
keyserver hkp://keyserver.ubuntu.com
auto-key-locate hkp://keyserver.ubuntu.com
utf8-strings
rfc1991

Nothing else.
-- 

steph
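
The manual check above, scripted, as an added example that is not part of the original message or of git's code: `split_tag`, `verify_tag_file` and `sample_tag` are hypothetical helper names, and the sample tag is constructed with a placeholder armor body. It accepts both armor labels because, with `rfc1991` set in gnupg.conf as listed above, gpg labels a detached signature `PGP MESSAGE` rather than `PGP SIGNATURE`.

```shell
# Added example (not git's code). A signed tag is payload text followed by an
# ASCII-armored signature block; the label on that block depends on gpg options.

# split_tag TAGFILE PAYLOAD_OUT SIG_OUT
# Writes the lines before the armor header to PAYLOAD_OUT and the armor block
# to SIG_OUT, prints the armor label, returns 1 if no armor header is present.
split_tag() {
    awk -v payload="$2" -v sig="$3" '
        BEGIN { printf "" > payload; printf "" > sig }
        !insig && /^-----BEGIN PGP (SIGNATURE|MESSAGE)-----$/ {
            insig = 1
            label = $3; sub(/-----$/, "", label)
        }
        { if (insig) print > sig; else print > payload }
        END { if (!insig) exit 1; print label }
    ' "$1"
}

# verify_tag_file TAGFILE: the manual check from the thread, scripted.
# gpg is given the armor block as a detached signature over the payload.
verify_tag_file() {
    dir=$(mktemp -d) || return 2
    if split_tag "$1" "$dir/a" "$dir/a.sig" >/dev/null; then
        gpg --verify "$dir/a.sig" "$dir/a"; rc=$?
    else
        echo "no PGP armor block in $1" >&2; rc=1
    fi
    rm -rf "$dir"
    return "$rc"
}

# sample_tag LABEL: constructed tag object; the armor body is a placeholder,
# not a real signature, so it exercises split_tag only.
sample_tag() {
    printf '%s\n' 'object 0000000000000000000000000000000000000000' \
        'type commit' 'tag example_tag' \
        'tagger A U Thor <author@example.com> 1286291263 +0100' '' \
        'Example tag' "-----BEGIN PGP $1-----" '' 'cGxhY2Vob2xkZXI=' \
        "-----END PGP $1-----"
}
```

For a real tag, `git cat-file tag test_tag > tagfile` followed by `verify_tag_file tagfile` reproduces the detached check; a good result there alongside a BAD result from `git verify-tag` points at how the payload was split, not at the key.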
