git.vger.kernel.org archive mirror
* signing commits using gpg2
@ 2017-09-02 21:11 shawn wilson
  2017-09-03 18:20 ` Santiago Torres
  2017-09-05 13:40 ` Michael J Gruber
  0 siblings, 2 replies; 4+ messages in thread
From: shawn wilson @ 2017-09-02 21:11 UTC (permalink / raw)
  To: Git List

tl;dr - how do I get git to use gpg2 to sign things?

I'm using gpg2 (so no agent options are configured but an agent is
running) which is configured w/ a Nitrokey (Pro if it matters):

 % git commit -m "Initial."

                                 gits/bash-libs (master ⚡) localhost
gpg: detected reader `Nitrokey Nitrokey Pro (000034670000000000000000) 00 00'
gpg: pcsc_connect failed: sharing violation (0x8010000b)
gpg: apdu_send_simple(0) failed: locking failed
Please insert the card and hit return or enter 'c' to cancel:
gpg: pcsc_connect failed: sharing violation (0x8010000b)
gpg: pcsc_connect failed: sharing violation (0x8010000b)
gpg: apdu_send_simple(0) failed: locking failed
Please insert the card and hit return or enter 'c' to cancel: c
gpg: selecting openpgp failed: general error
gpg: signing failed: general error
gpg: signing failed: general error
error: gpg failed to sign the data
fatal: failed to write commit object

This works with gpg and ssh:
 % touch foo

                                                         ~ localhost
 % gpg2 --sign foo

                                                         ~ localhost
gpg: using "846FF490" as default secret key for signing
 % cat foo*

                                                         ~ localhost
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2

-----END PGP MESSAGE-----

However, if I try this w/ the old gpg:

 % gpg -ae -o foo.gpg foo

                                                         ~ localhost
 % gpg -d foo.gpg

                                                         ~ localhost
gpg: detected reader `Nitrokey Nitrokey Pro (000034670000000000000000) 00 00'
gpg: pcsc_connect failed: sharing violation (0x8010000b)
gpg: apdu_send_simple(0) failed: locking failed
Please insert the card and hit return or enter 'c' to cancel: c
gpg: selecting openpgp failed: general error
gpg: encrypted with 3072-bit RSA key, ID 41826CFB, created 2017-03-13
      "Shawn Wilson <ag4ve.us@gmail.com>"
gpg: public key decryption failed: general error
gpg: decryption failed: secret key not available
 % gpg2 -d foo.gpg

                                                         ~ localhost
gpg: encrypted with 3072-bit RSA key, ID E27FA0B841826CFB, created 2017-03-13
      "Shawn Wilson <ag4ve.us@gmail.com>"
foo

(yeah I added data to the file)

And just to prove basic competency checking:

 % git config --global -l | grep sign

                                                         ~ localhost
user.signingkey=846FF490
filter.gitconfig-rmuser.clean=sed -e "s/^\( *email =\).*/\1 <email
address>/" -e "s/^\( *name =\).*/\1 <real name>/" -e "s/^\(
*signingkey =\).*/\1 <gpg key>/"
filter.gitconfig-rmuser.smudge=egrep "^ *(email|name|signingkey) = "
commit.gpgsign=true


* Re: signing commits using gpg2
  2017-09-02 21:11 signing commits using gpg2 shawn wilson
@ 2017-09-03 18:20 ` Santiago Torres
  2017-09-05 13:40 ` Michael J Gruber
  1 sibling, 0 replies; 4+ messages in thread
From: Santiago Torres @ 2017-09-03 18:20 UTC (permalink / raw)
  To: shawn wilson; +Cc: Git List


On Sat, Sep 02, 2017 at 05:11:50PM -0400, shawn wilson wrote:
> tl;dr - how do I get git to use gpg2 to sign things?
> 
> I'm using gpg2 (so no agent options are configured but an agent is
> running) which is configured w/ a Nitrokey (Pro if it matters):
> 
>  % git commit -m "Initial."
> 
>                                  gits/bash-libs (master ⚡) localhost
> gpg: detected reader `Nitrokey Nitrokey Pro (000034670000000000000000) 00 00'
> gpg: pcsc_connect failed: sharing violation (0x8010000b)
> gpg: apdu_send_simple(0) failed: locking failed
> Please insert the card and hit return or enter 'c' to cancel:
> gpg: pcsc_connect failed: sharing violation (0x8010000b)
> gpg: pcsc_connect failed: sharing violation (0x8010000b)
> gpg: apdu_send_simple(0) failed: locking failed
> Please insert the card and hit return or enter 'c' to cancel: c
> gpg: selecting openpgp failed: general error
> gpg: signing failed: general error
> gpg: signing failed: general error
> error: gpg failed to sign the data
> fatal: failed to write commit object

This seems to be an issue with your gpg agent configuration (even if
there is none). 

I can't seem to reproduce, although I don't have a nitrokey, so this is
most likely an issue with either:

- the PIV/CCID interface of the nitrokey using gpg2. I'm not familiar
  enough with nitrokeys to debug this, but keys are usually super
  paranoid when signing arbitrary buffers.
- the fork call within git on gpg2. 

I think the second one is rather unlikely, but it's worth giving it a
try...

> -----BEGIN PGP MESSAGE-----
> Version: GnuPG v2
> [SNIPPED]
> -----END PGP MESSAGE-----
> 

I noticed you didn't try gpg2 -d foo.gpg? Am I missing something?

> However, if I try this w/ the old gpg:
> 
>  % gpg -ae -o foo.gpg foo
> 
>                                                          ~ localhost
>  % gpg -d foo.gpg
> 
>                                                          ~ localhost
> gpg: detected reader `Nitrokey Nitrokey Pro (000034670000000000000000) 00 00'
> gpg: pcsc_connect failed: sharing violation (0x8010000b)
> gpg: apdu_send_simple(0) failed: locking failed
> Please insert the card and hit return or enter 'c' to cancel: c
> gpg: selecting openpgp failed: general error
> gpg: encrypted with 3072-bit RSA key, ID 41826CFB, created 2017-03-13
>       "Shawn Wilson <ag4ve.us@gmail.com>"
> gpg: public key decryption failed: general error
> gpg: decryption failed: secret key not available

This feels like an issue with the interface to the key itself. Can you
start a non-detached agent with --verbose to see exactly where it blows up?

We probably want to continue this offlist as this seems more of a gpg
issue rather than git. We can always come back if we figure out this is
something git related :)

Cheers!
-Santiago.



* Re: signing commits using gpg2
  2017-09-02 21:11 signing commits using gpg2 shawn wilson
  2017-09-03 18:20 ` Santiago Torres
@ 2017-09-05 13:40 ` Michael J Gruber
  2017-09-05 18:34   ` shawn wilson
  1 sibling, 1 reply; 4+ messages in thread
From: Michael J Gruber @ 2017-09-05 13:40 UTC (permalink / raw)
  To: shawn wilson, Git List

shawn wilson venit, vidit, dixit 02.09.2017 23:11:
> tl;dr - how do I get git to use gpg2 to sign things?
> 
> I'm using gpg2 (so no agent options are configured but an agent is
> running) which is configured w/ a Nitrokey (Pro if it matters):
> 
>  % git commit -m "Initial."
> 
>                                  gits/bash-libs (master ⚡) localhost
> gpg: detected reader `Nitrokey Nitrokey Pro (000034670000000000000000) 00 00'
> gpg: pcsc_connect failed: sharing violation (0x8010000b)
> gpg: apdu_send_simple(0) failed: locking failed
> Please insert the card and hit return or enter 'c' to cancel:
> gpg: pcsc_connect failed: sharing violation (0x8010000b)
> gpg: pcsc_connect failed: sharing violation (0x8010000b)
> gpg: apdu_send_simple(0) failed: locking failed
> Please insert the card and hit return or enter 'c' to cancel: c
> gpg: selecting openpgp failed: general error
> gpg: signing failed: general error
> gpg: signing failed: general error
> error: gpg failed to sign the data
> fatal: failed to write commit object
> 
> This works with gpg and ssh:

Not really...

>  % touch foo
> 
>                                                          ~ localhost
>  % gpg2 --sign foo

... because you're using gpg2, not gpg.

> 
>                                                          ~ localhost
> gpg: using "846FF490" as default secret key for signing
>  % cat foo*
> 
>                                                          ~ localhost
> -----BEGIN PGP MESSAGE-----
> Version: GnuPG v2
> 
> -----END PGP MESSAGE-----
> 
> However, if I try this w/ the old gpg:
> 
>  % gpg -ae -o foo.gpg foo
> 
>                                                          ~ localhost
>  % gpg -d foo.gpg
> 
>                                                          ~ localhost
> gpg: detected reader `Nitrokey Nitrokey Pro (000034670000000000000000) 00 00'
> gpg: pcsc_connect failed: sharing violation (0x8010000b)
> gpg: apdu_send_simple(0) failed: locking failed
> Please insert the card and hit return or enter 'c' to cancel: c
> gpg: selecting openpgp failed: general error
> gpg: encrypted with 3072-bit RSA key, ID 41826CFB, created 2017-03-13
>       "Shawn Wilson <ag4ve.us@gmail.com>"
> gpg: public key decryption failed: general error
> gpg: decryption failed: secret key not available
>  % gpg2 -d foo.gpg
> 
>                                                          ~ localhost
> gpg: encrypted with 3072-bit RSA key, ID E27FA0B841826CFB, created 2017-03-13
>       "Shawn Wilson <ag4ve.us@gmail.com>"
> foo
> 
> (yeah I added data to the file)
> 
> And just to prove basic competency checking:
> 
>  % git config --global -l | grep sign
> 
>                                                          ~ localhost
> user.signingkey=846FF490
> filter.gitconfig-rmuser.clean=sed -e "s/^\( *email =\).*/\1 <email
> address>/" -e "s/^\( *name =\).*/\1 <real name>/" -e "s/^\(
> *signingkey =\).*/\1 <gpg key>/"
> filter.gitconfig-rmuser.smudge=egrep "^ *(email|name|signingkey) = "
> commit.gpgsign=true
> 

So, gpg2 works and gpg does not. This is typical for the way in which
the gpg upgrade path is broken, and your distro installs gpg because it
still relies on it.

git sees two executables gpg and gpg2 and uses the first, so as to not
migrate your secret key store inadvertently.

Short answer: Use

git config --global gpg.program gpg2

to make git use gpg2 which apparently is your working gnupg setup.

Michael


* Re: signing commits using gpg2
  2017-09-05 13:40 ` Michael J Gruber
@ 2017-09-05 18:34   ` shawn wilson
  0 siblings, 0 replies; 4+ messages in thread
From: shawn wilson @ 2017-09-05 18:34 UTC (permalink / raw)
  To: Michael J Gruber; +Cc: Git List

Apparently you need to set the GPG_TTY for git to work (I also set the
gpg.program so I know it shouldn't /need/ that variable set)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840687#10

I'm not sure if there's anything that has or can be done upstream to
make this easier (I feel this was a bigger PITA than it needed to be),
I'm on git 2.7.5 from Fedora.

On Tue, Sep 5, 2017 at 9:40 AM, Michael J Gruber <git@grubix.eu> wrote:
> shawn wilson venit, vidit, dixit 02.09.2017 23:11:
>> tl;dr - how do I get git to use gpg2 to sign things?
>>
>> I'm using gpg2 (so no agent options are configured but an agent is
>> running) which is configured w/ a Nitrokey (Pro if it matters):
>>
>>  % git commit -m "Initial."
>>
>>                                  gits/bash-libs (master ⚡) localhost
>> gpg: detected reader `Nitrokey Nitrokey Pro (000034670000000000000000) 00 00'
>> gpg: pcsc_connect failed: sharing violation (0x8010000b)
>> gpg: apdu_send_simple(0) failed: locking failed
>> Please insert the card and hit return or enter 'c' to cancel:
>> gpg: pcsc_connect failed: sharing violation (0x8010000b)
>> gpg: pcsc_connect failed: sharing violation (0x8010000b)
>> gpg: apdu_send_simple(0) failed: locking failed
>> Please insert the card and hit return or enter 'c' to cancel: c
>> gpg: selecting openpgp failed: general error
>> gpg: signing failed: general error
>> gpg: signing failed: general error
>> error: gpg failed to sign the data
>> fatal: failed to write commit object
>>
>> This works with gpg and ssh:
>
> Not really...
>
>>  % touch foo
>>
>>                                                          ~ localhost
>>  % gpg2 --sign foo
>
> ... because you're using gpg2, not gpg.
>
>>
>>                                                          ~ localhost
>> gpg: using "846FF490" as default secret key for signing
>>  % cat foo*
>>
>>                                                          ~ localhost
>> -----BEGIN PGP MESSAGE-----
>> Version: GnuPG v2
>>
>> -----END PGP MESSAGE-----
>>
>> However, if I try this w/ the old gpg:
>>
>>  % gpg -ae -o foo.gpg foo
>>
>>                                                          ~ localhost
>>  % gpg -d foo.gpg
>>
>>                                                          ~ localhost
>> gpg: detected reader `Nitrokey Nitrokey Pro (000034670000000000000000) 00 00'
>> gpg: pcsc_connect failed: sharing violation (0x8010000b)
>> gpg: apdu_send_simple(0) failed: locking failed
>> Please insert the card and hit return or enter 'c' to cancel: c
>> gpg: selecting openpgp failed: general error
>> gpg: encrypted with 3072-bit RSA key, ID 41826CFB, created 2017-03-13
>>       "Shawn Wilson <ag4ve.us@gmail.com>"
>> gpg: public key decryption failed: general error
>> gpg: decryption failed: secret key not available
>>  % gpg2 -d foo.gpg
>>
>>                                                          ~ localhost
>> gpg: encrypted with 3072-bit RSA key, ID E27FA0B841826CFB, created 2017-03-13
>>       "Shawn Wilson <ag4ve.us@gmail.com>"
>> foo
>>
>> (yeah I added data to the file)
>>
>> And just to prove basic competency checking:
>>
>>  % git config --global -l | grep sign
>>
>>                                                          ~ localhost
>> user.signingkey=846FF490
>> filter.gitconfig-rmuser.clean=sed -e "s/^\( *email =\).*/\1 <email
>> address>/" -e "s/^\( *name =\).*/\1 <real name>/" -e "s/^\(
>> *signingkey =\).*/\1 <gpg key>/"
>> filter.gitconfig-rmuser.smudge=egrep "^ *(email|name|signingkey) = "
>> commit.gpgsign=true
>>
>
> So, gpg2 works and gpg does not. This is typical for the way in which
> the gpg upgrade path is broken, and your distro installs gpg because it
> still relies on it.
>
> git sees two executables gpg and gpg2 and uses the first, so as to not
> migrate your secret key store inadvertently.
>
> Short answer: Use
>
> git config --global gpg.program gpg2
>
> to make git use gpg2 which apparently is your working gnupg setup.
>
> Michael

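A small diagnostic script, added here and not part of the thread, that encodes the two findings above: git runs `gpg.program` if set and plain `gpg` otherwise (Michael's point), and gpg2's pinentry needs `GPG_TTY` exported (shawn's follow-up). The `--live` mode assumes `git` and the chosen gpg binary are on PATH and reuses the `--status-fd=2 -bsau <key>` flags git itself passes when signing.

```shell
#!/bin/sh
# Added example (not from the thread): work out which OpenPGP binary git
# will run for commit.gpgsign and whether a pinentry tty is exported.

# git runs gpg.program if set, otherwise the executable named "gpg" on PATH
# (on a distro shipping both, that is the old 1.x binary, not gpg2).
resolve_gpg_program() {
    # $1: output of "git config --get gpg.program" ("" when unset)
    if [ -n "$1" ]; then printf '%s\n' "$1"; else printf 'gpg\n'; fi
}

# gpg2 hands PIN/passphrase prompts to pinentry through the agent; with no
# GPG_TTY the prompt has no terminal to appear on and signing fails in git.
gpg_tty_status() {
    # $1: value of $GPG_TTY ("" when unset); prints "ok" or "missing"
    if [ -n "$1" ]; then printf 'ok\n'; else printf 'missing\n'; fi
}

# Verdict from the two facts above, in the order the thread resolved them.
advise() {
    prog=$(resolve_gpg_program "$1")
    tty=$(gpg_tty_status "$2")
    case "$prog:$tty" in
        gpg:*)     printf 'set gpg.program gpg2\n' ;;
        *:missing) printf 'export GPG_TTY=$(tty)\n' ;;
        *)         printf 'ok: %s\n' "$prog" ;;
    esac
}

# Live check: sign a constructed buffer with the program git would use and
# the flags git uses, so the failure is reproduced outside "git commit".
live_check() {
    prog=$(resolve_gpg_program "$(git config --get gpg.program)")
    key=$(git config --get user.signingkey)
    echo "git will run: $prog (GPG_TTY=${GPG_TTY:-unset})"
    echo "advice: $(advise "$prog" "${GPG_TTY:-}")"
    if printf 'test buffer\n' | "$prog" --status-fd=2 -bsau \
            "${key:?user.signingkey unset}" >/dev/null; then
        echo "signing works with $prog"
    else
        echo "signing FAILED with $prog (see --status-fd output above)"
    fi
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```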