Problem signing a tag

Problem signing a tag

[Joshua J. Kugler]

Nobody on the git IRC channel responded to this question, even after 
asking it a few times, so I thought I'd try here.

I'm having trouble signing a tag.  I'm using this command:

git tag -u EAFD344D14EA086E -F .git/TAG_EDITMSG tag_name

I type in my passphrase, and am then told:

error: gpg failed to sign the tag
error: unable to sign the tag

However, if I use this command:

gpg -s -u EAFD344D14EA086E

and use the same passphrase, it works fine. Is there any way to find out 
why a key-signing is failing?

This is git 1.6.5.2 and gpg 1.4.9

Thanks!

j

-- 
Joshua Kugler
Part-Time System Admin/Programmer
http://www.eeinternet.com
PGP Key: http://pgp.mit.edu/  ID 0x14EA086E

Re: Problem signing a tag

[Alex Riesen]

On Tue, Nov 3, 2009 at 01:58, Joshua J. Kugler <joshua@eeinternet.com> wrote:
> Nobody on the git IRC channel responded to this question, even after
> asking it a few times, so I thought I'd try here.
>
> I'm having trouble signing a tag.  I'm using this command:
>
> git tag -u EAFD344D14EA086E -F .git/TAG_EDITMSG tag_name
>
> I type in my passphrase, and am then told:
>
> error: gpg failed to sign the tag
> error: unable to sign the tag
>
> However, if I use this command:
>
> gpg -s -u EAFD344D14EA086E
>
> and use the same passphrase, it works fine. Is there any way to find out
> why a key-signing is failing?

What does "echo $?" after it prints? IOW, maybe plain gpg fails too,
without printing anything special, and you don't pay attention to the
exit code. Git does. And it runs "gpg -bsau <key-id>".

Re: Problem signing a tag

[Joshua J. Kugler]

On Monday 02 November 2009, Alex Riesen said something like:
> On Tue, Nov 3, 2009 at 01:58, Joshua J. Kugler <joshua@eeinternet.com> 
wrote:
> > Nobody on the git IRC channel responded to this question, even
> > after asking it a few times, so I thought I'd try here.
> >
> > I'm having trouble signing a tag.  I'm using this command:
> >
> > git tag -u EAFD344D14EA086E -F .git/TAG_EDITMSG tag_name
> >
> > I type in my passphrase, and am then told:
> >
> > error: gpg failed to sign the tag
> > error: unable to sign the tag
> >
> > However, if I use this command:
> >
> > gpg -s -u EAFD344D14EA086E
> >
> > and use the same passphrase, it works fine. Is there any way to
> > find out why a key-signing is failing?
>
> What does "echo $?" after it prints? IOW, maybe plain gpg fails too,
> without printing anything special, and you don't pay attention to the
> exit code. Git does. And it runs "gpg -bsau <key-id>".

$ git tag -s -F .git/TAG_EDITMSG tag_name

You need a passphrase to unlock the secret key for
user: "Joshua J. Kugler <joshua@azariah.com>"
1024-bit DSA key, ID 14EA086E, created 2009-08-09

gpg: problem with the agent - disabling agent use
error: gpg failed to sign the tag
error: unable to sign the tag
$ echo $?
128

And when I sign at the prompt:

$ gpg -sa

You need a passphrase to unlock the secret key for
user: "Joshua J. Kugler <joshua@azariah.com>"
1024-bit DSA key, ID 14EA086E, created 2009-08-09

gpg: problem with the agent - disabling agent use
Blah blah blah blah
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (GNU/Linux)

owGbwMvMwCT46q+Jr8grjjzG01JJDF4fChqdchIzFJJQCK4ONxYGQSYGNlYmkAoG
Lk4BmLZpyxgW7Jol8mB6kt+Hr1xb9gvUnTs9f/XdVIYFW3VNlx3cmvy4sf/R0/m7
nr9fFpzyFQA=
=Plql
-----END PGP MESSAGE-----
$ echo $?
2

So, it appear that it works (prints the signature) but then exits with 
an error code of 2.

Using --status-log, I get:

[GNUPG:] USERID_HINT EAFD344D14EA086E Joshua J. Kugler 
<joshua@azariah.com>
[GNUPG:] NEED_PASSPHRASE EAFD344D14EA086E EAFD344D14EA086E 17 0
[GNUPG:] GOOD_PASSPHRASE
[GNUPG:] BEGIN_SIGNING
[GNUPG:] SIG_CREATED S 17 2 00 1257271594 
4FE551A1A4AE4DEF7EDD58E1EAFD344D14EA086E

No indication of an error.  The only thing I see that might be an error 
is "gpg: problem with the agent - disabling agent use." But that should 
be a warning, not an error, correct?  I talked with somebody on the 
gnupg IRC channel and they were able to create a signed tag, even 
though they were not using an agent.

Here it is with -bsau:

$ gpg -bsau EAFD344D14EA086E

You need a passphrase to unlock the secret key for
user: "Joshua J. Kugler <joshua@azariah.com>"
1024-bit DSA key, ID 14EA086E, created 2009-08-09

gpg: problem with the agent - disabling agent use
Blah blah blah blah
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEABECAAYFAkrwciEACgkQ6v00TRTqCG7TZwCfSrvb6p0L+ZZqPB8XrVuMpJPj
jicAoJKnfIeTsWylXpklB9Gw/ArdxvxU
=CM2I
-----END PGP SIGNATURE-----
$ echo $?
2


I'm lost. Thanks for the tips.

j

-- 
Joshua Kugler
Part-Time System Admin/Programmer
http://www.eeinternet.com
PGP Key: http://pgp.mit.edu/  ID 0x14EA086E

Re: Problem signing a tag

[Michael J Gruber]

Joshua J. Kugler venit, vidit, dixit 03.11.2009 19:11:
> On Monday 02 November 2009, Alex Riesen said something like:
>> On Tue, Nov 3, 2009 at 01:58, Joshua J. Kugler <joshua@eeinternet.com> 
> wrote:
>>> Nobody on the git IRC channel responded to this question, even
>>> after asking it a few times, so I thought I'd try here.
>>>
>>> I'm having trouble signing a tag.  I'm using this command:
>>>
>>> git tag -u EAFD344D14EA086E -F .git/TAG_EDITMSG tag_name
>>>
>>> I type in my passphrase, and am then told:
>>>
>>> error: gpg failed to sign the tag
>>> error: unable to sign the tag
>>>
>>> However, if I use this command:
>>>
>>> gpg -s -u EAFD344D14EA086E
>>>
>>> and use the same passphrase, it works fine. Is there any way to
>>> find out why a key-signing is failing?
>>
>> What does "echo $?" after it prints? IOW, maybe plain gpg fails too,
>> without printing anything special, and you don't pay attention to the
>> exit code. Git does. And it runs "gpg -bsau <key-id>".
> 
> $ git tag -s -F .git/TAG_EDITMSG tag_name
> 
> You need a passphrase to unlock the secret key for
> user: "Joshua J. Kugler <joshua@azariah.com>"
> 1024-bit DSA key, ID 14EA086E, created 2009-08-09
> 
> gpg: problem with the agent - disabling agent use
> error: gpg failed to sign the tag
> error: unable to sign the tag
> $ echo $?
> 128
> 
> And when I sign at the prompt:
> 
> $ gpg -sa
> 
> You need a passphrase to unlock the secret key for
> user: "Joshua J. Kugler <joshua@azariah.com>"
> 1024-bit DSA key, ID 14EA086E, created 2009-08-09
> 
> gpg: problem with the agent - disabling agent use
> Blah blah blah blah
> Blah blah blah blah
> $ echo $?
> 2

[...]

I assume you don't want to use gpg-agent, that should be the easy way out.

If gpg is trying to contact the agent it means that "use-agent" is set
(from the config) and, probably, also that GPG_AGENT_INFO is set but no
agent responds at that socket. (echo $GPG_AGENT_INFO)

Many distros set up this stuff automatically. Try unsetting both:
unset GPG_AGENT_INFO
gpg --no-use-agent ...

If that helps you can put "--no-use-agent" in your gpg config.

2 is a non-fatal error, 128 a fatal one, btw.

Michael

Re: Problem signing a tag

[Joshua J. Kugler]

On Wednesday 04 November 2009, Michael J Gruber said something like:
> > gpg: problem with the agent - disabling agent use
> > error: gpg failed to sign the tag
> > error: unable to sign the tag
> > $ echo $?
> > 128
> >
> > And when I sign at the prompt:
> >
> > $ gpg -sa
> >
> > You need a passphrase to unlock the secret key for
> > user: "Joshua J. Kugler <joshua@azariah.com>"
> > 1024-bit DSA key, ID 14EA086E, created 2009-08-09
> >
> > gpg: problem with the agent - disabling agent use
> > Blah blah blah blah
> > Blah blah blah blah
> > $ echo $?
> > 2
>
> [...]
>
> I assume you don't want to use gpg-agent, that should be the easy way
> out.

Well, I could, but I just haven't set it up. :)

> If that helps you can put "--no-use-agent" in your gpg config.

I commented out use-agent in the config. That worked. THANKS!

> 2 is a non-fatal error, 128 a fatal one, btw.

Well, the 2 was from running gpg alone, and 128 was from git erroring 
out.  According to the gpg docs:

"The program returns 0 if everything was fine, 1 if at least a signature 
was bad, and other error codes for fatal errors."

So, the docs consider 2 a fatal error, even though it appears it isn't.  
It seems that 
http://github.com/git/git/blob/a6dbf8814f433a7fbfa9cde6333c98019f6db1e4/builtin-tag.c#L202 
needs to be patched to something along the lines of:

rv = finish_command(&gpg)
if ((rv && rv !=2)  || !len || len < 0)

Probably digging in to the gpg source code to figure out what errors are 
and aren't fatal would be in order.

Thanks again for your help! Glad to know what I needed to do to sign my 
tags!

j

-- 
Joshua Kugler
Part-Time System Admin/Programmer
http://www.eeinternet.com
PGP Key: http://pgp.mit.edu/  ID 0x14EA086E

Re: Problem signing a tag

[Michael J Gruber]

Joshua J. Kugler venit, vidit, dixit 04.11.2009 19:47:
> On Wednesday 04 November 2009, Michael J Gruber said something like:
>>> gpg: problem with the agent - disabling agent use
>>> error: gpg failed to sign the tag
>>> error: unable to sign the tag
>>> $ echo $?
>>> 128
>>>
>>> And when I sign at the prompt:
>>>
>>> $ gpg -sa
>>>
>>> You need a passphrase to unlock the secret key for
>>> user: "Joshua J. Kugler <joshua@azariah.com>"
>>> 1024-bit DSA key, ID 14EA086E, created 2009-08-09
>>>
>>> gpg: problem with the agent - disabling agent use
>>> Blah blah blah blah
>>> Blah blah blah blah
>>> $ echo $?
>>> 2
>>
>> [...]
>>
>> I assume you don't want to use gpg-agent, that should be the easy way
>> out.
> 
> Well, I could, but I just haven't set it up. :)
> 
>> If that helps you can put "--no-use-agent" in your gpg config.
> 
> I commented out use-agent in the config. That worked. THANKS!
> 
>> 2 is a non-fatal error, 128 a fatal one, btw.
> 
> Well, the 2 was from running gpg alone, and 128 was from git erroring 
> out.  According to the gpg docs:
> 
> "The program returns 0 if everything was fine, 1 if at least a signature 
> was bad, and other error codes for fatal errors."
> 
> So, the docs consider 2 a fatal error, even though it appears it isn't.  
> It seems that 
> http://github.com/git/git/blob/a6dbf8814f433a7fbfa9cde6333c98019f6db1e4/builtin-tag.c#L202 
> needs to be patched to something along the lines of:
> 
> rv = finish_command(&gpg)
> if ((rv && rv !=2)  || !len || len < 0)
> 
> Probably digging in to the gpg source code to figure out what errors are 
> and aren't fatal would be in order.
> 
> Thanks again for your help! Glad to know what I needed to do to sign my 
> tags!

Dig dig dig... gpg exits with 2 in a lot of cases, one would need to
parse fd-error to find out more. But it also looks as if gpg exits
normally with a good passphrase. So I tried, and at least with gpg 1.4.9
and git 1.6.5.2 I can sign tags with "use-agent" and without a running
agent: I get asked for the passphrase (after reporting the agent MIA),
and everything's fine.

My gpg returns 0 in this case; it returns 2 only if I don't enter the
passphrase. So, this seems to depend on the version of gpg. Or on
entering the correct passphrase ;)

Michael

Re: Problem signing a tag

[Joshua J. Kugler]

On Wednesday 04 November 2009, Michael J Gruber said something like:
> > So, the docs consider 2 a fatal error, even though it appears it
> > isn't. It seems that
> > http://github.com/git/git/blob/a6dbf8814f433a7fbfa9cde6333c98019f6d
> >b1e4/builtin-tag.c#L202 needs to be patched to something along the
> > lines of:
> >
> > rv = finish_command(&gpg)
> > if ((rv && rv !=2)  || !len || len < 0)
> >
> > Probably digging in to the gpg source code to figure out what
> > errors are and aren't fatal would be in order.
> >
> > Thanks again for your help! Glad to know what I needed to do to
> > sign my tags!
>
> Dig dig dig... gpg exits with 2 in a lot of cases, one would need to
> parse fd-error to find out more. But it also looks as if gpg exits
> normally with a good passphrase. So I tried, and at least with gpg
> 1.4.9 and git 1.6.5.2 I can sign tags with "use-agent" and without a
> running agent: I get asked for the passphrase (after reporting the
> agent MIA), and everything's fine.
>
> My gpg returns 0 in this case; it returns 2 only if I don't enter the
> passphrase. So, this seems to depend on the version of gpg. Or on
> entering the correct passphrase ;)
>
> Michael

That is weird.  Because when working from the prompt (with agent MIA), 
gpg 1.4.9, it would accept my pass phrase, and would print the 
signature (either binary or ascii armored), but it will still exit with 
2.  I don't understand it.  I'll pop on #gnupg tomorrow and ask about 
it.

Thanks again for your help with this!

j

-- 
Joshua Kugler
Part-Time System Admin/Programmer
http://www.eeinternet.com
PGP Key: http://pgp.mit.edu/  ID 0x14EA086E

Re: Problem signing a tag

[Junio C Hamano]

Michael J Gruber <git@drmicha.warpmail.net> writes:

> Dig dig dig... gpg exits with 2 in a lot of cases, one would need to
> parse fd-error to find out more. But it also looks as if gpg exits
> normally with a good passphrase. So I tried, and at least with gpg 1.4.9
> and git 1.6.5.2 I can sign tags with "use-agent" and without a running
> agent: I get asked for the passphrase (after reporting the agent MIA),
> and everything's fine.
>
> My gpg returns 0 in this case; it returns 2 only if I don't enter the
> passphrase. So, this seems to depend on the version of gpg. Or on
> entering the correct passphrase ;)

If the problematic gpg that gives 2 is older than yours, the situation
looks to me that "exiting 2 when failed to contact agent but got a good
passphrase some other way and successfully signed" was diagnosed as a bug
and then fixed in gpg.  If that is the case can we find out which version
that fix is in, and add an entry to FAQ to help next person who will be
hit by this when using "tag -s"?

Re: Problem signing a tag

[Michael J Gruber]

Junio C Hamano venit, vidit, dixit 05.11.2009 21:09:
> Michael J Gruber <git@drmicha.warpmail.net> writes:
> 
>> Dig dig dig... gpg exits with 2 in a lot of cases, one would need to
>> parse fd-error to find out more. But it also looks as if gpg exits
>> normally with a good passphrase. So I tried, and at least with gpg 1.4.9
>> and git 1.6.5.2 I can sign tags with "use-agent" and without a running
>> agent: I get asked for the passphrase (after reporting the agent MIA),
>> and everything's fine.
>>
>> My gpg returns 0 in this case; it returns 2 only if I don't enter the
>> passphrase. So, this seems to depend on the version of gpg. Or on
>> entering the correct passphrase ;)
> 
> If the problematic gpg that gives 2 is older than yours, the situation
> looks to me that "exiting 2 when failed to contact agent but got a good
> passphrase some other way and successfully signed" was diagnosed as a bug
> and then fixed in gpg.  If that is the case can we find out which version
> that fix is in, and add an entry to FAQ to help next person who will be
> hit by this when using "tag -s"?

Both of us seem to be using gpg 1.4.9, which is weird. I even checked
Fedora's srpm, they don't apply any patches for this. For the record,
I'm doing

unset GPG_AGENT_INFO
echo a |gpg -bsa

with "use-agent" and a default key signing specified in my gpg conf.
This returns "0" if I enter the correct passphrase (after being warned
about the missing agent) and "2" if I enter a wrong one repeatedly.
Joshua, your reports seem to confirm that you get 2 in both cases from
your gpg 1.4.9, right?

Michael

Re: Problem signing a tag

[Joshua J. Kugler]

On Friday 06 November 2009, Michael J Gruber said something like:
> Junio C Hamano venit, vidit, dixit 05.11.2009 21:09:
> > Michael J Gruber <git@drmicha.warpmail.net> writes:
> >> Dig dig dig... gpg exits with 2 in a lot of cases, one would need
> >> to parse fd-error to find out more. But it also looks as if gpg
> >> exits normally with a good passphrase. So I tried, and at least
> >> with gpg 1.4.9 and git 1.6.5.2 I can sign tags with "use-agent"
> >> and without a running agent: I get asked for the passphrase (after
> >> reporting the agent MIA), and everything's fine.
> >>
> >> My gpg returns 0 in this case; it returns 2 only if I don't enter
> >> the passphrase. So, this seems to depend on the version of gpg. Or
> >> on entering the correct passphrase ;)
> >
> > If the problematic gpg that gives 2 is older than yours, the
> > situation looks to me that "exiting 2 when failed to contact agent
> > but got a good passphrase some other way and successfully signed"
> > was diagnosed as a bug and then fixed in gpg.  If that is the case
> > can we find out which version that fix is in, and add an entry to
> > FAQ to help next person who will be hit by this when using "tag
> > -s"?
>
> Both of us seem to be using gpg 1.4.9, which is weird. I even checked
> Fedora's srpm, they don't apply any patches for this. For the record,
> I'm doing
>
> unset GPG_AGENT_INFO
> echo a |gpg -bsa
>
> with "use-agent" and a default key signing specified in my gpg conf.
> This returns "0" if I enter the correct passphrase (after being
> warned about the missing agent) and "2" if I enter a wrong one
> repeatedly. Joshua, your reports seem to confirm that you get 2 in
> both cases from your gpg 1.4.9, right?

I discovered that there must have been something locked up or wedged.  I 
rebooted (kernel update), and it worked. I looked at the warning again, 
and realized that the warning I got when the exit value was 2 was:

gpg: problem with the agent - disabling agent use

while the warning I got when the exit value was 0 was: 

gpg: gpg-agent is not available in this session

So, two different warnings.

Thanks again for all the troubleshooting help!

j

-- 
Joshua Kugler
Part-Time System Admin/Programmer
http://www.eeinternet.com
PGP Key: http://pgp.mit.edu/  ID 0x14EA086E