AGWA / git-crypt

Transparent file encryption in git
https://www.agwa.name/projects/git-crypt/
GNU General Public License v3.0

Error: "Unusable Public Key" #191

Open ChristopherA opened 4 years ago

ChristopherA commented 4 years ago

I am using macOS Catalina and the brew version of git-crypt (there is no -v option so I am not sure which version of git-crypt, but it is today's brew install git-crypt).

I have a repo without git-crypt (my .dotfiles) and I have just initialized it with git-crypt init and git-crypt answers Generating key...

However, when I git-crypt add-gpg-user ChristopherA@LifeWithAlacrity.com I get:

gpg: 0xFDFE14A54ECB30FC5D2274EFF8D36C91357405ED: skipped: Unusable public key
gpg: [stdin]: encryption failed: Unusable public key
git-crypt: GPG error: Failed to encrypt

git-crypt is finding my key (thus the fingerprint in response), but says it is "unusable".

gpg --list-keys looks good as well:

# gpg --list-keys                                  (master) [~/.dotfiles]
/Users/christophera/.gnupg/pubring.kbx
--------------------------------------
pub   rsa4096 2015-04-16 [SC] [expires: 2020-04-16]
      FDFE14A54ECB30FC5D2274EFF8D36C91357405ED
uid           [ unknown] Christopher Allen <ChristopherA@LifeWithAlacrity.com>
uid           [ unknown] [jpeg image of size 9272]

A few points: that GPG key is properly signed with --lsign-key and has ultimate trust "5", and I am able to commit to my dotfiles repo using my GPG key, and it shows as verified.

So in all other ways my GPG key works. But I can't add myself as the first git-crypt user.

Ideas?

tbenst commented 4 years ago

Solution is here: https://github.com/AGWA/git-crypt/issues/23#issuecomment-90617402

git-crypt add-gpg-user --trusted ChristopherA@LifeWithAlacrity.com

xunholy commented 4 years ago

This solution has not worked for me, my GPG key is signed and set up correctly, and even using --trusted it still gives me the error you were facing.

Mi-Q commented 3 years ago

Did you generate the key with gpg version >= 2.1.17? Then you would need to use gpg --full-generate-key to get a key with a sub. This worked for me instead of generating a key with gpg --default-new-key-algo rsa4096 --gen-key.

t3hmrman commented 2 years ago

Note that this is not necessarily related to whether the key you're using is trusted or not, it can often be due to the usage of subkeys that is configured. See this question on StackExchange.

If you have a key that is qualified to sign (S) but not encrypt (E) you won't be able to use git-crypt.

Here's what the output of gpg -K looks like:

$ gpg -K
/home/user/.gnupg/pubring.kbx
------------------------------
sec   rsa2048 2019-09-27 [SC] [expires: 2023-11-23]
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
uid           [ultimate] User Name <user@domain.tld>
ssb   rsa4096 2021-06-01 [S] [expires: 2024-11-22]

Note that the subkey (the ssb line) listed only has [S] -- this means it can be used to sign, but not encrypt. To fix this, you need to edit the key (gpg --edit-key AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA); it turns out there is a key edit command called change-usage.
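The usage-flag check described in the comment above can be automated before running git-crypt add-gpg-user. The following is an added example, not git-crypt's or the commenter's code: it parses the machine-readable gpg --with-colons listing and reports which (sub)keys are actually usable for encryption, skipping expired or revoked ones. The colon-format sample records below are constructed to mirror the [SC] primary / [S] subkey case from the comment; check_recipient is a hypothetical helper name.

```python
"""Find out why gpg reports "Unusable public key": list the keys gpg could
encrypt to, based on the usage flags in `gpg --with-colons` output."""
import subprocess

# Record types that describe a key; field 12 holds usage flags (e = encrypt,
# s = sign, c = certify, a = auth; uppercase letters summarise the whole key).
KEY_RECORDS = {"pub", "sub", "sec", "ssb"}
# Validity values (field 2) that make a key unusable regardless of its flags:
# expired, revoked, disabled, invalid.
UNUSABLE_VALIDITY = {"e", "r", "d", "i"}


def encryption_capable_fingerprints(colon_output: str) -> list:
    """Return fingerprints of keys/subkeys gpg could use as encryption recipients."""
    usable = []
    pending = None  # (validity, caps) of the key record awaiting its fpr line
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] in KEY_RECORDS:
            validity = fields[1]
            caps = fields[11] if len(fields) > 11 else ""
            pending = (validity, caps)
        elif fields[0] == "fpr" and pending is not None:
            validity, caps = pending
            pending = None
            if "e" in caps and validity not in UNUSABLE_VALIDITY:
                usable.append(fields[9])  # fingerprint sits in field 10
    return usable


def check_recipient(key_spec: str) -> list:
    """Query the local keyring (hypothetical helper) and return usable fingerprints."""
    out = subprocess.run(["gpg", "--with-colons", "--list-keys", key_spec],
                         capture_output=True, text=True, check=True).stdout
    return encryption_capable_fingerprints(out)


# Constructed sample: [SC] primary key plus a sign-only [S] subkey -> nothing to encrypt to.
SIGN_ONLY = """\
pub:u:2048:1:AAAAAAAAAAAAAAAA:1569542400:1700697600::u:::scSC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1569542400::DEADBEEF::User Name <user@domain.tld>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1622505600:1732233600:::::s::::::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
"""
# Constructed sample adding an expired [E] subkey (validity e) and a current [E] subkey.
WITH_ENCRYPT = SIGN_ONLY + """\
sub:e:4096:1:CCCCCCCCCCCCCCCC:1500000000:1530000000:::::e::::::23:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1622505600:1732233600:::::e::::::23:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:
"""
```

An empty result for your key means git-crypt's gpg call has no encryption-capable subkey to use, which is the situation change-usage (or adding an [E] subkey) fixes.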