Signing commit with OpenPGP subkey fails


Problem description

I would like to use one of my GPG (2) subkeys for signing commits/tags in Git. I.e., my freshly created RSA4096 signing-only key with the long ID B0##...

sec#  ed25519/9F############## 2016-01-07 [expires: 2023-01-05]
  Key fingerprint = FC08 HEX HEX HEX 
uid                 [ultimate] MY NAME <MY.NAME@foo bar>
ssb   rsa4096/C9############## 2016-01-07 [expires: 2022-01-05]
ssb   ed25519/C6############## 2016-01-07 [expires: 2022-01-05]
ssb   rsa4096/B0############## 2016-01-13 [expires: 2022-01-11]

Where I am working on a keyring with the master key removed (backed up away) as 'better key policy'


So, I tried to set up the signing key for Git

[user]
    ...
    signingkey = B0##############


However, committing & signing fails with

> git commit -S  -m "test commit"
gpg: skipped "B0##############": secret key not available
gpg: signing failed: secret key not available
error: gpg failed to sign the data
fatal: failed to write commit object

Where a gpg-agent is up and running.

My first guess was that Git does not understand the long key notation, and I tried the short one instead

> gpg2 --list-secret-keys  --keyid-format short
...
ssb   rsa4096/DB###### 2016-01-13 [expires: 2022-01-11]

> ~/.gitconfig
[user]
   ...
   signingkey = DB######

But that failed as well

> git commit -S  -m "test commit short"
gpg: skipped "DB######": secret key not available
gpg: signing failed: secret key not available
error: gpg failed to sign the data
fatal: failed to write commit object


So, I wonder what breaks here and if maybe Git only would work with a master key for signing but does not understand the use of subkeys (or if I have screwed up myself somewhere)?

Recommended answer


Git uses gpg by default, which is GnuPG 1 on most systems and does not support elliptic curve cryptography. As your primary key is an elliptic curve key, GnuPG 1 cannot use the key at all. You will be able to observe the same when trying to use the key with GnuPG (gpg --default-key key-id --sign).


Configure Git to use gpg2 instead, which is required to be at least GnuPG 2.1 (which you have, as you can use the elliptic curves key):

git config --global gpg.program gpg2
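
The answer's reasoning as a small diagnostic, added here as an example and not part of the original question or answer: it checks whether the configured key is on the keyring, can sign, and is not an offline stub, and only then blames the GnuPG version. The function names are hypothetical and the key IDs and colon listing are constructed sample data; on a real system the inputs would be the first line of `$(git config gpg.program || echo gpg) --version` and the output of `gpg2 --list-secret-keys --with-colons`.

```shell
#!/bin/sh
# Constructed sample: offline ed25519 primary (sec#) plus two RSA subkeys,
# mirroring the layout in the question. The key IDs are made up.
SAMPLE_KEYS='sec:u:255:22:9F00000000000001:1452124800:1672876800::u:::scSC:::#:
ssb:u:4096:1:C900000000000002:1452124800:1641340800:::::e:::+:
ssb:u:4096:1:B000000000000004:1452643200:1641859200:::::s:::+:'

# True if a `--version` first line reports GnuPG >= 2.1, the minimum the
# answer gives for elliptic-curve keys; returns 2 if the line is unparseable.
gpg_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n '1s/^gpg ([^)]*) \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 1 ]; }
}

# Reads a --with-colons secret-key listing on stdin and prints
# "<algo> <can-sign|no-sign> <stub|present>" for the key whose ID ends in $1.
# Field 4 = algorithm number, 5 = key ID, 12 = capabilities,
# 15 = "#" when only a stub of the secret key is on this keyring.
describe_key() {
    awk -F: -v id="$1" '
        ($1 == "sec" || $1 == "ssb") && substr($5, length($5) - length(id) + 1) == id {
            algo = ($4 == 1) ? "rsa" : ($4 == 22) ? "eddsa" : ($4 == 19) ? "ecdsa" : ("algo" $4)
            sign = ($12 ~ /s/) ? "can-sign" : "no-sign"
            stub = ($15 == "#") ? "stub" : "present"
            print algo, sign, stub
            found = 1
            exit
        }
        END { exit !found }'
}

# $1 = version line of Git's gpg program, $2 = user.signingkey, stdin = listing.
diagnose() {
    info=$(describe_key "$2") || { echo "key-not-in-keyring"; return 0; }
    case $info in
        *no-sign*) echo "key-cannot-sign" ;;
        *stub*)    echo "secret-key-offline" ;;
        *) if gpg_version_ok "$1"; then echo "ok"; else echo "gpg-older-than-2.1"; fi ;;
    esac
}

# The question's situation: usable signing subkey, but Git still calls GnuPG 1.
printf '%s\n' "$SAMPLE_KEYS" | diagnose "gpg (GnuPG) 1.4.20" B000000000000004
```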
