I just started using git and I install git and gpg via homebrew.
For some reason, I get this error when i do git commit
I looked at so many other stackoverflow questions regarding this topic and none of them worked for me.
How can I fix this error so that I can upload successfully.
error: gpg failed to sign the data
fatal: failed to write commit object
For troubleshooting, two things to first try:
gpg --version, and make sure you have GnuPG version 2+ (not version 1) installedecho "test" | gpg --clearsign, to make sure gpg itself is workingIf that all looks all right, one next thing to try:
brew install pinentry to ensure you have a good tool installed for passphrase entryIf after that install, you re-try git commit and still get a "failed to sign the data" error, do:
gpgconf --kill gpg-agent to kill any running agent that might be hungOtherwise, some basic steps to run to check you’ve got a working GnuPG environment:
gpg -K --keyid-format SHORT, to check that you have at least one key pair that is not expiredIf the output of that shows you have no secret key for GnuPG to use, you need to create one:
gpg --gen-key, to have GnuPG walk you through the steps for creating a key pairIf you get an error message saying “Inappropriate ioctl for device”, do this:
export GPG_TTY=$(tty) and/or add that to your ~/.bashrc or ˜/.bash_profile
Git needs to know which key it is signing with.
After you have setup GPG, gpg-agent, and your gpg.conf files (see this guide), you need to run
git config --global user.signingKey EB11C755
Obviously, replace the public key at the end with your own. If you want every commit to be signed by default, use
git config --global commit.gpgsign true
$ gpg2 -K --keyid-format SHORT # <-- Shows your keys, e.g.:
/home/<username>/.gnupg/pubring.kbx
-------------------------------
sec rsa4096/0754B01E 2019-02-02 [SCA] <--secret key
C396BF3771782D7691B0641145E11B080754B01E
uid [ultimate] John Doe <user@domain.com>
ssb rsa4096/A20AB8EC 2019-02-02 [E] <--public key
sec rsa4096/25C504D5 2019-02-02 [SCA] [revoked: 2020-06-01]
08BFF49B9E07E4B4B0C4946B645B6C1425C504D5
uid [ revoked] John Doe <user2@domain.com>
uid [ revoked] [jpeg image of size 2670]
Where A20AB8EC is the key ID you're looking for from this example.
I am using it. It has support for zsh and works on Windows Subsystem for Linux:
export GPG_TTY=$(tty)
Other users have confirmed that above is the only change required for MacOS (e.g. Catalina 10.15.7). For Macs add above to ~/.zshrc.
Proved to work also in Linux containers in Windows with WSL2.
Somehow your git is configured to GPG sign every commit. Signing with GPG isn't required to commit or push using git. It's likely giving the error because your gpg signing mechanism isn't configured yet.
If you're new to git, try to get it working first without GPG signing at first, then add signing in later if you really need it.
You can verify how your git is configured with regards to gpg by doing:
git config -l | grep gpg
Which may produce zero or more lines, including:
commit.gpgsign=true
If "commit.gpgsign" is true, then you have gpg signing enabled. Disable it with:
git config --global --unset commit.gpgsign
Then try to run your commit again. It should now run without gpg signing. After you get the basic git working, then you should try adding gpg signing back to the mix.
Refer to @sideshowbarker, and @Xavier Ho solution, I solved my problem via following steps.
Assume gpg2 installed by brew,
git config --global gpg.program gpg2
brew install pinentry
gpgconf --kill gpg-agent
gpg2 -K --keyid-format SHORT
// no key found then generate new one
gpg2 --gen-key
gpg2 -K --keyid-format SHORT
.../.gnupg/pubring.gpg
sec rsa2048/0A61C6FC 2017-06-29 [SC] [expires: 2019-06-29]
git config --global user.signingkey 0A61C6FC
Reminded by my colleague, need to append
export GPG_TTY=$(tty)
to ~/.zshrc if using zsh, else append to ~/.bash_profile
the gpg2 is combined with gpg in brew and hence the gpg command is pointed to gpg2
brew install gpg2
brew info gpg
gnupg: stable 2.2.6 (bottled)
git config --global gpg.program gpg
gpg -K --keyid-format SHORT
and there has pinentry-mac for passphrase entry
brew install pinentry-mac
vim ~/.gnupg/gpg-agent.conf
Add line
pinentry-program /usr/local/bin/pinentry-mac
Reminded by my colleague, need to append
export GPG_TTY=$(tty)
to ~/.zshrc if using zsh, else append to ~/.bash_profile
Check for your key to be expired. Once you fix the expiration date (no need to create a new key unless you want to), git will work as normal.
One way to fix the expired key:
(Note: $ represents command line prompt, type the commands after the prompt; press Enter after each command)
$ gpg2 --list-keys to find the appropriate key id (characters after \ on pub line)
$ gpg2 --edit-key <key id> - this opens the gpg shell, with prompt changed to gpg>
gpg> expire - follow instructions to set new expiration date for primary key
Next, if there are subkeys that are expired (sub shows on the line), reset their expiration dates, too:
gpg> key 1 - selects first subkey
gpg> expire - follow instructions to set new expiration date for subkey
Repeat for each subsequent subkey, as needed.
gpg> save - saves the expiration dates changes
Issue: Disabled loopback pinentry mode
To solve the problem, you need to enable loopback pinentry mode in ~/.gnupg/gpg.conf:
cat <<'EOF' >> ~/.gnupg/gpg.conf
use-agent
pinentry-mode loopback
EOF
And also in ~/.gnupg/gpg-agent.conf (create the file if it doesn't already exist):
cat <<'EOF' >> ~/.gnupg/gpg-agent.conf
allow-loopback-pinentry
EOF
Then restart the agent with
echo RELOADAGENT | gpg-connect-agentand you should be good to go!
I had to fix the gpg.program to the absolute path to gpg:
git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"
I am using Windows with cygwin.
This worked for me on ubuntu 18.04
Check your gpg key
gpg -K --keyid-format LONG
if you get a blank response ,generate a GPG key
gpg --generate-key
rerun the first command, you should get an output as:
sec rsa3072/95A854E0593B3214 2019-05-06 [SC] [expires: 2021-05-05]
AF2F7514568DC26B0EB97B9595A854E0593B74D8
uid [ultimate] yourname<your_email>
ssb rsa3072/EFD326E6C611117C 2019-05-06 [E] [expires: 2021-05-05]
set git signing key
git config --global user.signingkey 95A854E0593B3214
then you are good to go! (--global is optional)
Alternatively if you don't mind signing with your ssh key
git config commit.gpgsign false
note that this is not recommended due to a security issue according to this question here and here
If it used to work and just stated failing, kill the agent and try again:
gpgconf --kill gpg-agent
Check if the agent is up again:
echo "test" | gpg --clearsign
If you had your pinentry and gpg setup up before, and it stopped working out of nowhere:
Check if your gpg works:
echo "test" | gpg --clearsign
If it says gpg: signing failed: No pinentry,
just restart the gpg daemon client, which gets stuck from time to time:
gpgconf --kill gpg-agent
Now it should be working:
echo "test" | gpg --clearsign
I experienced this problem after upgrading to gnupg 2.x. It would seen that gpg2 is referencing keys differently: I still had signingkey = ABC98F11 (gpg v1 setting) in my ~/.gitconfig. The key identifiers for gpg2 are longer. Look them up with gpg --list-secret-keys
Use GIT_TRACE=1 to see where Git failed then check all custom configurations used by Git and where they are defined then override according to your need with :
GIT_TRACE=1 git commit -S -m "this will tell you wich intern git command failed"
git config --list --show-scope --show-origin
For me I had the error: gpg failed to sign the data and fatal: failed to write commit object because Git was using smimesign by default for some reason, even if I unset gpg.x509.program key, and smimesign couldn't find my key.
So I had to explicitly tell Git to use gpg instead :
git config --local gpg.x509.program gpg
This error can also occur when your GPG key has expired. Generating a new key and adding it to Git should resolve this.
For me this error started to occur with git tag -s on Debian GNU/Linux when I switched from pinentry-gnome3 to pinentry-curses (using update-alternatives --config pinentry) for easier remote access. It only occurred with git tag -s, not with gpg (e.g. gpg --clearsign) itself.
The sole change necessary to get it working again in this case was to add export GPG_TTY=$(tty) to my shell startup files.
I though didn't get the “Inappropriate ioctl for device” error message mentioned as indicator for this fix in another answer to this question.
Note: Since the cause for getting this error was a completely different one than for those who suggested export GPG_TTY=$(tty) before (usually as a side hint) in other answers to this question, I decided this question needs another answer which mentions that export GPG_TTY=$(tty) may be the main fix and sole thing necessary in some cases.
In my case, this error occurred when running git commit on a small tmux window that was not able to fit the passphrase prompt.
$ echo "test" | gpg --clearsign
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
test
gpg: signing failed: Screen or window too small
gpg: [stdin]: clear-sign failed: Screen or window too small
I had made a git key with 3 separate keys for certify / sign / encrypt & the key showed as expired in the future (after working fine for a few days):
pub rsa4096/4CD1E9DA 2017-04-26 [C] [expired: 2017-04-28]
Key fingerprint = 4670 59C1 7592 08B8 7FA5 313B 2A42 B6A6 4CD1 E9DA
uid [ expired] Stuart Cardall (GIT Development Keys) <xxxxxx>
sub rsa4096/5195E715 2017-04-26 [E] [expired: 2019-04-26]
sub rsa4096/DB74C297 2017-04-26 [S] [expired: 2019-04-26]
sub rsa2048/A3913A3C 2017-04-28 [] [expired: never ]
made a new key without adding separate subkeys to solve the problem.
What solved it for me was making sure the key's name matched my git user name. I assume the emails have to match too. This might have to do with me using GPG KeyChain on my Mac. Not sure.
I thought I was naming the key when I filled this out, but I guess it was asking for my name (git user name).
I had this error on macos - to try and troubleshoot I tried listing keys to see if they had expired using gpg2 --list-keys - I verified that the keys had not expired and that the proper key were set in my config using git config --global user.signingkey.
After I had run those commands I was suddenly able to do signed commits again without problems. I did not change my config files or keys - I did not even create a fresh Terminal instance. It just seemed like the gpg2 was somehow in a weird state on my mac.
In my case, I had to match the name stored in GitHub settings to the name and comment of the key.
So if gpg --list-keys returns uid [ultimate] Joe Blogs (fancy comment) <email@example.com> your name in .gitconfig should be Joe Blogs (fancy comment).
Initially, I had my name set as Joe Blogs and GPG would not find my key and show the "no secret key" error in strace. Unfortunately, that error didn't appear without strace and one would get the generic
error: gpg failed to sign the data
fatal: failed to write commit object
After searching a lot, I found that gpg key was the issue in my case.
You can try running gpg --status-fd=2 -bsau <your GPG key> if your GPG key is correct.
To update your correct key, do the following:
check key using: gpg --list-secret-keys --keyid-format=long
It should have the following output:
/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec 4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid Hubot
ssb 4096R/42B317FD4BA89E7A 2016-03-10
And then update the key using:
git config --global user.signingkey 3AA5C34371567BD2
Now check the commit again and it should success if key was the issue. You need to set the passphrase to update the key which you can do using GitHub docs.
More details are at: https://gist.github.com/paolocarrasco/18ca8fe6e63490ae1be23e84a7039374
May be your Git config was set gpgsign = true. Try to set it to false if you dont want asign your commits. Go to your repository folder and change the file
nano .git/config
From this...
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = git@bitbucket.org:yourrepo/project.git
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
remote = origin
merge = refs/heads/master
[user]
signingkey = <GPG-KEY>
[commit]
gpgsign = true
To this...
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = git@bitbucket.org:yourrepo/project.git
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
remote = origin
merge = refs/heads/master
[user]
signingkey = <GPG-KEY>
[commit]
gpgsign = false
I solved the problem installing brew install gpg2 then doing git config --global gpg.program gpg2
Same error can also be caused when you have expired key in your git config.
Please check the content of cat .git/config and look for signingkey value and check if it is expired. If yes update it with the new one.
If you are using smart card/yubikey to store your GPG key and you set the signkey of git config by the key stored in the card (and all the answer above seem not to resolve your issue), your blocked PIN of the card might be the root cause of this issue.
To check the blocked PIN:
gpg --card-status
If the counter is similar to
Reader ...........: Yubico YubiKey
PIN retry counter : 3 0 3
Then your PIN is blocked (after 3 unsuccessful tries).
To unblock the PIN:
gpg --card-edit
gpg/card> admin
Admin commands are allowed
gpg/card> passwd
gpg: OpenPGP card no. … detected
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 2
PIN unblocked and new PIN set.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? q
For me a simple brew unintstall gnupg && brew cask reinstall gpg-suite solves the issue.
It uninstalls the (in my case) manually homebrew-istalled gpg and reinstalls the whole GPG Suite.
In my case, I had mixed gpg configuration and smimesign configuration given in the commit signing documentation here: https://help.github.com/en/github/authenticating-to-github/telling-git-about-your-signing-key
After working on it for hours, I found the best way to correct it was unset everything related to gpg, and reconfiguring gpg.
As mentioned in @Jason Thrasher's answer, find all the git config related to gpg using:
git config -l | grep gpg
Then unset everything golablly as well as locally using:
git config --global --unset <config_name>
git config --local --unset <config_name>
Then reconfigure following the official documentation given above. Hope this helps.
For my Linux system with a GUI and gpg 2.2.19, neither killing gpg-agent (which starts itself again), unsetting $DISPLAY or setting $GPG_TTY worked for me because it was trying to use pinentry-gnome to ask for the password from the console. And my key had not expired.
From a SuperUser answer for a similar question, How to force GPG to use console-mode pinentry to prompt for passwords?, the problem can also occur if your system has a GUI such as GNOME, and your package manager is configured to use a GUI pinentry program, which is the reason why it’s hanging.
I had to switch to pinentry-tty to get GPG to sign messages again. On Ubuntu, this can be done using steps from the link which I will quote here:
sudo apt install pinentry-tty
sudo update-alternatives --config pinentry
The second command will show you a list of pinentry programs and ask you to type a number to select one, so type the one corresponding to pinentry-tty, and then without any additional effort, signing messages (and git commits) should work again.
I had this issue on both linux/windows platforms and in my case I just needed to pay more careful attention to the output. This was mind-boggling because I could use the same setup to sign commits in other repos.
git commit -m "test signing"
gpg: skipped "***63231079***": No secret key
gpg: signing failed: No secret key
error: gpg failed to sign the data
fatal: failed to write commit object
I added emphasis on the "skipped" line. Please note that sometimes when you clone a repo they had a key assigned: this issue had me so befuddled that I nuked the forked repo I had access to and re-forked on github. Then because I was thinking "global config" I never thought to look at the local repo config, and when I did I noticed this:
[user]
signingkey = 63231079
Well, of course it wouldn't work nimrod, git defaults to local settings first so that's why your key never picked up. I set the pointer via git config and It's worked ever since.
What is gpg: GNU Privacy Guard
usage:
GPG is an excellent method to ensure secure communication between two parties. It allows sensitive information to be easily shared across an insecure network.
Simple solution:
Step1: check if the key is expired please do
gpg -K --keyid-format SHORT
Step2: In case its not expired
git config --global user.signingkey
If you are using windows powershell(5.1+), I guess this command will work.
(Get-Command gpg).Path
git config gpg.program <your path>
try to commit. Happy coding!!!
I had this issue just now when VSCode updated. I figured the GPG agent was hanging, as the command took a good few seconds to run before erroring out. Running gpgconf --kill gpg-agent reset that and fixed it for me.
Fail-safe option that worked for me: reboot my machine.
It's heavy handed, and it probably won't stop the problem from popping up again eventually. But I had the same problem, tried solutions from just about every answer, no luck.
Adding it here in the hopes that it unblocks someone else in my situation :)
This will help you to get rid of it
git config commit.gpgsign false
