Signing commit with OpenPGP subkey fails
Problem description
I would like to use one of my GPG (2) subkeys for signing commits/tags in Git, i.e., my freshly created RSA4096 signing-only key with the long ID B0##...
sec# ed25519/9F############## 2016-01-07 [expires: 2023-01-05]
Key fingerprint = FC08 HEX HEX HEX
uid [ultimate] MY NAME <MY.NAME@foo bar>
ssb rsa4096/C9############## 2016-01-07 [expires: 2022-01-05]
ssb ed25519/C6############## 2016-01-07 [expires: 2022-01-05]
ssb rsa4096/B0############## 2016-01-13 [expires: 2022-01-11]
Where I am working on a keyring with the master key removed (backed up away) as 'better key policy'.
So, I tried to set up the signing key for Git:
[user]
...
signingkey = B0##############
However, committing & signing fails with
> git commit -S -m "test commit"
gpg: skipped "B0##############": secret key not available
gpg: signing failed: secret key not available
error: gpg failed to sign the data
fatal: failed to write commit object
Where a gpg-agent is up and running.
My first guess was that Git does not understand the long key notation, and I tried the short one instead:
> gpg2 --list-secret-keys --keyid-format short
...
ssb rsa4096/DB###### 2016-01-13 [expires: 2022-01-11]
> ~/.gitconfig
[user]
...
signingkey = DB######
But that also failed:
> git commit -S -m "test commit short"
gpg: skipped "DB######": secret key not available
gpg: signing failed: secret key not available
error: gpg failed to sign the data
fatal: failed to write commit object
So, I wonder what breaks here and if maybe Git only would work with a master key for signing but does not understand the use of subkeys (or if I have screwed up myself somewhere)?
Recommended answer
Git uses gpg by default, which is GnuPG 1 on most systems and does not support elliptic curve cryptography. As your primary key is an elliptic curve key, GnuPG 1 cannot use the key at all. You will be able to observe the same when trying to use the key with GnuPG (gpg --default-key key-id --sign).
Configure Git to use gpg2 instead, which is required to be at least GnuPG 2.1 (which you have, as you can use the elliptic curves key):
git config --global gpg.program gpg2
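As an added example (not part of the original question or answer), the shell functions below check the two conditions discussed here: whether the gpg binary Git invokes is at least GnuPG 2.1, and whether the configured signing key's secret part is present rather than a stub like the `sec#` primary in the listing above. The function names and the sample key records are constructed for illustration; `check_git_signing` needs git and gpg installed and is only defined, not run.

```shell
#!/bin/sh
# Added example; key IDs and timestamps in SAMPLE_KEYS are constructed.

# 0 if a `gpg --version` banner reports GnuPG >= 2.1, the minimum the answer
# gives for elliptic-curve keys; 1 if older; 2 if the banner is unrecognised.
gpg_supports_ecc() {
    ver=$(printf '%s\n' "$1" | sed -n '1s/^gpg (GnuPG[^)]*) \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 1 ]; }
}

# Reads `gpg --list-secret-keys --with-colons` on stdin and prints the state of
# key ID $1 (long or short): ok, stub, no-sign-capability or missing.
signing_key_status() {
    awk -F: -v id="$1" '
        BEGIN { id = toupper(id) }
        # Field 5 is the long key ID, field 12 the capabilities, and field 15
        # is "#" when only a stub of the secret key is in the keyring.
        ($1 == "sec" || $1 == "ssb") && substr($5, length($5) - length(id) + 1) == id {
            if ($15 == "#")      { st = "stub" }
            else if ($12 !~ /s/) { st = "no-sign-capability" }
            else                 { st = "ok" }
        }
        END { print (st == "" ? "missing" : st) }'
}

# Constructed records: offline ed25519 primary, RSA encryption subkey,
# RSA signing-only subkey (same shape as the keyring in the question).
SAMPLE_KEYS='sec:u:256:22:AAAA000000000001:1452124800:1672876800::u:::cSE:::#:
ssb:u:4096:1:AAAA000000000002:1452124800:1641340800:::::e:::+:
ssb:u:4096:1:AAAA000000000003:1452643200:1641859200:::::s:::+:'

# Live check: which program Git calls, and whether that program sees the key.
check_git_signing() {
    prog=$(git config --get gpg.program || echo gpg)   # Git falls back to "gpg"
    key=$(git config --get user.signingkey) || { echo "user.signingkey not set"; return 1; }
    banner=$("$prog" --version | head -n 1)
    gpg_supports_ecc "$banner" || echo "warning: '$banner' is older than GnuPG 2.1"
    "$prog" --list-secret-keys --with-colons | signing_key_status "$key"
}
```

A result of `missing` from `check_git_signing` together with the version warning corresponds to the "secret key not available" error in the question.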