nguyenvulong / QA

The Unlicense

[git, gpg] we got an error doing that. gpg key #25

Open nguyenvulong opened 2 years ago

nguyenvulong commented 2 years ago

Update on 2024-08-13

For those who would like to try an SSH key for signing instead, head over to https://github.com/settings/ssh/new and, at Key type, choose Signing Key.

A complete tutorial can be found here; make sure to check my summary here as well.

Original post

If you are looking for a guide to securely sign a commit (e.g., on GitHub) by using a GPG key, then follow THIS tutorial instead.

This post is meant to be used as a reference to debug the problems you might encounter while signing a commit.

Easy mode

(1) as mentioned by @TROISIDesign in the comment below (seems like many people had this problem in the first place), make sure to include these lines when pasting your key

-----BEGIN PGP PUBLIC KEY BLOCK----- 

-----END PGP PUBLIC KEY BLOCK-----

(2) if you got that error while executing gpg -a --export your@email then try these commands instead

gpg --armor --export 7E98CBC76F9B33F8

to get pub key, OR

gpg --export -a 5E0E8CB44844126F

(key id)

(3) make sure to export the variable GPG_TTY:

export GPG_TTY=$(tty)

Hard mode

Sometimes the key might have already expired; you have to create a new one first and re-configure your git:

git config --global user.signingkey 5E0E8CB448441XXX

Some useful commands to debug:

git config --global --list (link)
git config --global gpg.program gpg2
gpg --list-secret-keys --keyid-format=long

Before getting into hell mode below, make sure to read this and especially this comment from NirajanMahara

Hell mode

At this point, it's not about git anymore; it's about gpg and distro-specific issues. Some output of systemctl --user status gpg-agent:

6월 12 00:50:55 AISRC gpg-agent[17450]: can't connect to the SCdaemon: IPC connect call failed
6월 12 00:50:55 AISRC gpg-agent[17450]: failed to unprotect the secret key: Operation cancelled
6월 12 00:50:55 AISRC gpg-agent[17450]: failed to read the secret key
6월 12 00:50:55 AISRC gpg-agent[17450]: command 'PKSIGN' failed: Operation cancelled <Pinentry>

FIXED (the root cause is that pinentry fucked things up; I don't know why, it's an Ubuntu server anyway)

Create gpg-agent.conf if you don't have one under your home dir:

❯ cat  ~/.gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry-curses

Then you have to restart gpg-agent by issuing systemctl --user restart gpg-agent and you may want to log-in/out. Make sure to export GPG_TTY=$(tty) and test again.

More commands to debug if it's still not working (but I really suggest you start from the beginning of this post because you've gone too far; the problem may be closer than you think):

systemctl --user status gpg-agent
gpg-agent --server --debug-level=guru

Good luck
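
Two of the causes named in this post (a paste that lacks the BEGIN/END lines, and a configured signing key that has expired) can be checked offline. The script below is an added example, not part of the original post; the function names and the sample listing are constructed, and it assumes user.signingkey holds a long key ID and that gpg reports expiry as epoch seconds.

```sh
#!/bin/sh
# Added example (not from the original post): offline checks for two causes above.

# Constructed listing in the shape of `gpg --list-secret-keys --with-colons`,
# truncated after field 12. Key IDs are placeholders, not real keys.
# Fields used: 1=record type, 5=key ID, 7=expiry (epoch seconds, empty=never),
# 12=capabilities (s/S means the key can sign).
SAMPLE_KEYS='sec:u:3072:1:AAAAAAAAAAAAAAAA:1600000000:1700000000::u:::scESC:
sec:u:3072:1:BBBBBBBBBBBBBBBB:1600000000:::u:::scESC:
sec:u:3072:1:CCCCCCCCCCCCCCCC:1600000000:::u:::cC:'

# Easy mode (1): does the pasted text start and end with the armor marker lines?
# Trailing spaces and CRs are ignored. Reads stdin, returns 0 only if both are present.
armor_has_markers() {
  awk '{ sub(/[ \t\r]+$/, "") }
       NF { if (!n++) first = $0; last = $0 }
       END { exit !(first == "-----BEGIN PGP PUBLIC KEY BLOCK-----" &&
                    last == "-----END PGP PUBLIC KEY BLOCK-----") }'
}

# Hard mode: is the key named in user.signingkey present, unexpired, able to sign?
# usage: signing_key_status KEYID [NOW_EPOCH] < colon listing
# Assumes KEYID is a long key ID and expiry is given in epoch seconds.
signing_key_status() {
  awk -F: -v id="$1" -v now="${2:-$(date +%s)}" '
    ($1 == "sec" || $1 == "ssb") && toupper($5) == toupper(id) {
      found = 1
      if ($7 != "" && $7 + 0 <= now + 0) { print "expired"; exit }
      if ($12 !~ /[sS]/) { print "cannot-sign"; exit }
      print "ok"; exit
    }
    END { if (!found) print "missing" }'
}

# Demo on the constructed listing. Against a real keyring:
#   gpg --list-secret-keys --with-colons |
#     signing_key_status "$(git config --global user.signingkey)"
for id in AAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBB CCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDD; do
  printf '%s %s\n' "$id" \
    "$(printf '%s\n' "$SAMPLE_KEYS" | signing_key_status "$id" 1750000000)"
done
```

A "missing" result means the ID in user.signingkey matches no secret key in the listing, which is the case where git cannot sign at all.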

TROISIDesign commented 2 years ago

Super Easy Mode:

Make SURE that you don't just paste the ASCII key, you also paste:

-----BEGIN PGP PUBLIC KEY BLOCK-----

and

-----END PGP PUBLIC KEY BLOCK-----

Because, yes... I'm an idiot.

abroniewski commented 2 years ago

Thank you for this @TROISIDesign! I would have never thought to include those two lines...

Ash-KODES commented 2 years ago

Super Easy Mode:

Make SURE that you don't just paste the ASCII key, you also paste:

-----BEGIN PGP PUBLIC KEY BLOCK-----

and

-----END PGP PUBLIC KEY BLOCK-----

Because, yes... I'm an idiot.

We only had one job... Thank you @TROISIDesign

JuanPabloSGU commented 1 year ago

Thank you @TROISIDesign, very much appreciated!

IDeletedSystem64 commented 1 year ago

Super Easy Mode:

Make SURE that you don't just paste the ASCII key, you also paste:

-----BEGIN PGP PUBLIC KEY BLOCK-----

and

-----END PGP PUBLIC KEY BLOCK-----

Because, yes... I'm an idiot.

i had one job. and i royally messed it up.

sadityakumar9211 commented 1 year ago

I was facing the same issue, but none of the above answered my question. Looks like I was using a public key algorithm unsupported by GitHub. I tried again, generating the GPG key pair with the --full-generate-key option, and that key was accepted without any errors.

Supported Algorithms:

Make sure to check out the documentation for the latest supported algorithms.

danielAyerra commented 1 year ago

Hello there,

I am having some issues here. Even if I generated the gpg key properly (only for signing, tho), with RSA 3072 algorithm and generated the ASCII public key properly, exporting to a .txt file with gpg --armor --export _mykey, and copying both Begin and End GPG key, I still receive an error.

Any idea why this is happening?

Here an example, after using gpg --list-secret-keys --keyid-format=long

I get 7564225E2D8D...

And use

gpg --armor --export 7564225E2D8D... >> gpg.txt

Getting this:

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQGNBGTkjaoBDADnfVUvcBKl3Qswnu1ruD3IIFeaxsHmsjcLyno/NjgQ4n8XPnOn
Blah blah
1tznMr8sRMI484/Ae4g3SddiIBO1lWWyfPg/lewC7vPLAMcE8RNqUbHtZs5w3OZB
uVb8X1XtWaC2/rT518+mMRFP
=jUBJ
-----END PGP PUBLIC KEY BLOCK-----

This Begin-End PGP block is not admitted...

Should I use a complete PGP key instead of Signing-only option? While using RSA, are there RSA byte lengths which are not admitted?

nguyenvulong commented 3 months ago

Should I use a complete PGP key instead of Signing-only option? While using RSA, are there RSA byte lengths which are not admitted?

You can try your proposed solutions; update the error, if there is any, after making sure the default works well.