14

I'm trying to enable commit signing on OS X Mojave.

git commit -S -am "Test"

The error is:

error: gpg failed to sign the data
fatal: failed to write commit object

What I tried:

  • gpg works fine (see below), did not install gpg1 or gpg2
  • Installed GPG KeyChain and added a new key (even added a separate sign-only subkey within)
  • Installed pinentry
  • gpg2 --clearsign works fine (generates a new .asc file for files, outputs text for plain text)

Questions I looked into and tried every option:

What am I doing wrong?

Alex Buznik
  • if you are looking to get added to a repo instead of init git-crypt in your repo, you'll need to let someone who already has access to the encrypted files to add your public key to the `/.git-crypt/...` part of the repo – mewc May 06 '20 at 03:22
  • Thanks @mewc, but that was not the case, see my own answer below – Alex Buznik May 06 '20 at 10:20
  • Cool, more of an FYI for the next person. Didn't feel it deserved its own answer. – mewc May 07 '20 at 00:59

6 Answers

59

I also had this problem. I found a good solution. Just try to sign a file before you commit.

$ touch a.txt
$ gpg --sign a.txt

Then, the OS will let you input the password. If this step is OK, now you can commit by signing correctly.

Wasi
mkckr0
21

I just added the key ID to the global config

List all keys:

gpg --list-keys

Select the one you added to GitHub and set it.

git config --global user.signingkey [public key ID]
MewX
Zacbe Gonzalez
3

Heh, of course, right after I posted this question, I found the solution.

So my problem was that I followed this doc: https://help.github.com/en/articles/telling-git-about-your-signing-key

And set up both GPG and smimesign, when I have Git < 2.19 and no proper X.509 keys.

So I just removed the part with smimesign from global ~/.gitconfig

Alex Buznik
2

Try with `echo "foobar" | gpg --clearsign`. It should ask for your key's passphrase and return the signature. If instead you see the following error message:

error: gpg failed to sign the data
fatal: failed to write commit object

You might want to try running `export GPG_TTY=$(tty)`. If after testing again you're prompted for the password and it works, run this every time on startup, adding it to `~/.bashrc`, which is actually required according to gpg-agent's documentation, as mentioned in this dev.gnupg thread and which you can verify with `man gpg-agent`.

I also found this GitHub gist very useful.

LucasFA
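
The checks the answers above walk through by hand (a missing `user.signingkey`, smimesign left in the config with Git older than 2.19, an unset `GPG_TTY`), gathered into one script as an added example that is not part of any answer. The config keys `gpg.program`, `gpg.format` and `gpg.x509.program` are Git's own but do not appear on the page; the function names are illustrative.

```sh
#!/bin/sh
# Added example (not from the answers): map the causes discussed on this page
# to checks against Git's signing configuration.

# version_lt A B: succeeds when dotted version A is older than B (major.minor).
version_lt() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}
    [ "$a_major" -lt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; }
}

# signing_findings GIT_VERSION SIGNINGKEY GPG_FORMAT GPG_PROGRAM X509_PROGRAM GPG_TTY
# Prints one "tag: advice" line per problem found, nothing when all checks pass.
signing_findings() {
    [ -n "$2" ] || echo "no-signingkey: set user.signingkey to an ID from gpg --list-keys"
    case "$4 $5" in
        *smimesign*) echo "smimesign: config points at smimesign, which needs X.509 keys" ;;
    esac
    if [ "$3" = x509 ] && version_lt "$1" 2.19; then
        echo "x509-old-git: gpg.format=x509 needs Git 2.19 or newer, found $1"
    fi
    [ -n "$6" ] || echo "no-gpg-tty: GPG_TTY is unset, run export GPG_TTY=\$(tty)"
}

# check_live: collect the real values from this machine (needs git on PATH).
check_live() {
    signing_findings \
        "$(git version | awk '{print $3}')" \
        "$(git config --get user.signingkey)" \
        "$(git config --get gpg.format)" \
        "$(git config --get gpg.program)" \
        "$(git config --get gpg.x509.program)" \
        "${GPG_TTY:-}"
}

if [ "${1:-}" = "--live" ]; then
    check_live
else
    # Constructed sample: Git 2.17.1, no signing key, gpg.program=smimesign, no GPG_TTY.
    signing_findings 2.17.1 "" "" smimesign "" ""
fi
```

Run it with `--live` to check the current machine; without arguments it prints the findings for the constructed sample.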
2

To prompt you to enter a PIN or passphrase when required, install pinentry-mac:

$ brew install pinentry-mac
$ echo "pinentry-program $(which pinentry-mac)" >> ~/.gnupg/gpg-agent.conf
$ killall gpg-agent
Rohit
1

At least, that error message will be clearer:

Error messages given upon a signature verification failure used to discard the errors from underlying gpg program, which has been corrected with Git 2.40 (Q1 2023).

See commit ad6b320, commit 8300d15 (15 Feb 2023) by Johannes Schindelin (dscho).
(Merged by Junio C Hamano -- gitster -- in commit 38a227b, 24 Feb 2023)

gpg: do show gpg's error message upon failure

Signed-off-by: Johannes Schindelin

There are few things more frustrating when signing a commit fails than reading a terse "error: gpg failed to sign the data" message followed by the unsurprising "fatal: failed to write commit object" message.

In many cases where signing a commit or tag fails, gpg actually said something helpful, on its stderr, and Git even consumed that, but then keeps mum about it.

Teach Git to stop withholding that rather important information.

VonC