签名中具有key-id的密钥未对此提交进行签名 [英] The key whose key-id is in the signature did not sign this commit

查看:241
本文介绍了签名中具有key-id的密钥未对此提交进行签名的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在尝试对git commit进行签名,但是当我将其提交到GitHub时,它们具有Unverified徽章和

I'm trying to sign my git commits, but when I push them to GitHub they have the Unverified badge and

其密钥ID位于签名中的密钥未签署此提交.可能有人试图欺骗您. GPG密钥ID:mykeyid

The key whose key-id is in the signature did not sign this commit. Someone may be trying to trick you. GPG key ID: mykeyid

我发现这很神秘,在我的世界中,签名所用的ID将显示在签名中,因为具有该ID的密钥对提交进行了签名!

I find this quite cryptic, in my world the id with which a commit is signed will appear in the signature, as the key with that id signed the commit!

问题这怎么可能?我该如何解决?

Question How is this possible, and how do I solve it?

我特别希望能够从IDE内部自动签署提交,而无需每次都输入密码.

I especially want to be able to sign commits automatically from within my IDE, without needing to enter my passphrase every time.

如果有兴趣,这里总结了我所做的相关步骤.前几个与GitHub的提交提交指南一致.

If interested, here is a summary of the relevant steps I did. The first few coincide with GitHub's guide for signing commits.

  1. 生成密钥对,将--armor --export给定的GPG密钥添加到GitHub帐户
  2. 使用user.signingkey更新git配置.
  3. 将提交设置为默认使用git config --global commit.gpgsign true签名.
  4. git附带的gpg版本太旧了,我安装了gpg 2,用gpg --version检查,我更新了GNUPGHOME以防万一.
  5. 制作脚本C:\Users\username\gpg-no-tty.sh并将其放入echo mypassphrase | gpg --passphrase-fd 0 --batch --no-tty --yes "$@".没有什么比plaintex密码更好的了.
  6. 使用git config --global gpg.program C:\\Users\\username\\gpg-no-tty.sh将git指向此脚本.
  1. Generate key pair, add GPG key given by --armor --export to GitHub account
  2. Update git config with user.signingkey.
  3. Set commits to be signed by default with git config --global commit.gpgsign true.
  4. The gpg version that comes with git is too old, I installed gpg 2, checked with gpg --version, I updated GNUPGHOME just in case.
  5. Made a script C:\Users\username\gpg-no-tty.sh and put into it echo mypassphrase | gpg --passphrase-fd 0 --batch --no-tty --yes "$@". Couldn't find anything better than a plaintex password.
  6. Point git to this script with git config --global gpg.program C:\\Users\\username\\gpg-no-tty.sh.

验证

  1. 重要提示:我验证了git verify-commit HEAD在我的git config中显示的与signingkey相同的ID,这与我的GitHub GPG密钥在设置中显示的ID相同. (它还会输出警告gpg: WARNING: unsafe permissions on homedir)
  2. 同样重要的是,正如Ferrybig在评论中提到的那样,我检查了我的gitconfig中的电子邮件与我的gpg密钥所使用的电子邮件是否相同,以及与GitHub中的主要(已验证)电子邮件所使用的电子邮件相同.
  3. 正如Jens Erat在评论中提到的那样,您也可以使用指纹(40个字符串)代替gpg --list-secret-keys --keyid-format LONG输出的长ID(16个字符),我在gitconfig中尝试了此操作,但无济于事
  1. Important: I verified that git verify-commit HEAD shows the same ID as the signingkey in my git config which is the same as my GitHub GPG key shows in settings. (It also outputs a warning gpg: WARNING: unsafe permissions on homedir)
  2. Also important, as Ferrybig mentioned in a comment I checked that my email in my gitconfig is the same as used for my gpg key is the same as used as primary (verified) email in GitHub.
  3. As Jens Erat mentioned in a comment, you can also use the fingerprint (40 character string) instead of the long id (16 characters) as outputted by gpg --list-secret-keys --keyid-format LONG, I tried this in my gitconfig but it didn't help.

gpg-agent

正如Daniel H在评论中建议的那样,类似gpg-agent的东西应该记住您的密码,这就是我尝试过的:

gpg-agent

As Daniel H suggested in the comments there is something like gpg-agent which should remember your passphrase, and this is what I tried:

  1. use-agentno-tty(与我的IDE无关,不希望控制台界面要求输入密码)添加到C:\Users\username\.gnupg\gpg.conf,将我的.gitconfig中的gpg.program更改为gpg
  2. 添加到C:/Users/username/.gnupg/gpg-agent.conf的生存时间:default-cache-ttl 34560000max-cache-ttl 34560000
  3. 我得到了gpg: gpg-agent is not available in this session,但尚未找到解决方法. gpg-agentgpg均为2.2.1版,所以这不是问题.
  4. 根据某些来源,对于gpg版本> 2.1,环境变量GPG_AGENT_INFO需要指向C:\Users\username\.gnupg\S.gpg-agent.我这样做并重新启动.现在我得到gpg: gpg-agent protocol version 0 is not supported.
  5. 我将:1添加到了该路径,现在我得到了gpg: can't connect to 'C': invalid value.这对我来说没有任何意义. C是什么,它是从哪里来的?是我的驱动器号,所以gpg尝试将路径作为对象执行?
  1. Add use-agent and no-tty (had something to do with my IDE not expecting a console interface asking for password) to C:\Users\username\.gnupg\gpg.conf, change gpg.program in my .gitconfig to gpg
  2. Add to C:/Users/username/.gnupg/gpg-agent.conf the time to live: default-cache-ttl 34560000 and max-cache-ttl 34560000
  3. I get gpg: gpg-agent is not available in this session, and didn't find yet how to solve it. Both gpg-agent and gpg are version 2.2.1 so that's not the problem.
  4. According to some sources, for gpg version > 2.1 the environment variable GPG_AGENT_INFO needs to point to C:\Users\username\.gnupg\S.gpg-agent. I did this and rebooted. Now I get gpg: gpg-agent protocol version 0 is not supported.
  5. I added :1 to that path and now I get gpg: can't connect to 'C': invalid value. This doesn't make any sense to me. What is C and where does it come from? Is the my drive letter, so gpg tries to execute the path as an object?

推荐答案

创建密钥时,可以只在密钥上不加密码,也可以尝试使用gpg-agent.对我来说,这行不通,我仍然必须提供密码,但是值得一试:

You can either just put no passphrase on your key when you create it, or you can try gpg-agent. For me it didn't work, I still had to provide a passphrase but it's worth a try:

将git更新到至少2.19.1,因为它现在包含gpg2,请确保您使用git的gpg,然后尝试再次使用gpg-agent-它应该可以正常工作了.仅'gpg-agent'步骤的第2步就足够了.

Update git to at least 2.19.1 because it includes gpg2 now, make sure you use git's gpg and try to use gpg-agent again - it should work now. Only step 2 of your 'gpg-agent' steps should be enough.

如果遇到迁移问题,可能需要删除包含密钥的~\.gnupg目录(请注意,错误消息可能会引起误解),因此您可以使用git的gpg重新生成所有内容(包括密钥).

You might need to remove your ~\.gnupg directory including keys if you run into migration problems (beware the error messages can be very misleading), so you can regenerate everything (including keys) using git's gpg.

我已经在此答案中写了完整的说明.

I have written the complete instructions in this answer.

这篇关于签名中具有key-id的密钥未对此提交进行签名的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆