gpg failed to sign the data fatal: failed to write commit object [Git 2.10.0]
Problem Overview
I followed a few articles about the pretty attributes in the Git 2.10 release notes. Going through them, I upgraded git to 2.10.0 and made changes to the global .gitconfig, resulting in the following -
[filter "lfs"]
clean = git-lfs clean %f
smudge = git-lfs smudge %f
required = true
[user]
name = xyz
email = [email protected]
signingkey = AAAAAAA
[core]
excludesfile = /Users/xyz/.gitignore_global
editor = 'subl' --wait
[difftool "sourcetree"]
cmd = opendiff \"$LOCAL\" \"$REMOTE\"
path =
[mergetool "sourcetree"]
cmd = /Applications/SourceTree.app/Contents/Resources/opendiff-w.sh \"$LOCAL\" \"$REMOTE\" -ancestor \"$BASE\" -merge \"$MERGED\"
trustExitCode = true
[alias]
lg = log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit --date=relative
[color "diff"]
old = red strike
new = green italic
But now that I try to sign my commits using
git commit -a -S -m "message"
I get to see the following error -
> You need a passphrase to unlock the secret key for
> user: "XYZ (Digitally Signed) <[email protected]>"
> 2048-bit RSA key, ID AAAAAAAA, created 2016-07-01
>
> error: gpg failed to sign the data
> fatal: failed to write commit object
Note - I can still commit changes using git commit -a -m "message"
Is there a way to overcome the same? Or is any change required in the gpg configs to get along with the upgradation of git?
Update 1
Also seeking further usefulness, following https://stackoverflow.com/questions/10161198/is-there-a-way-to-autosign-commits-in-git-with-a-gpg-key. I've already configured the key using
git config --global user.signingkey ED5CDE14 # (with my key)
git config --global commit.gpgsign true
and quite obviously getting the same error anyway.
Git Solutions
Solution 1 - Git
I ran into this issue with OSX.
Original answer:
It seems like a gpg update (of brew) changed the location of gpg to gpg1; you can change the binary where git looks up the gpg:
git config --global gpg.program gpg1
If you don't have gpg1: brew install gpg1.
Updated answer:
It looks like gpg1 is being deprecated/"gently nudged out of usage", so you probably should actually update to gpg2, unfortunately this involves quite a few more steps/a bit of time:
brew upgrade gnupg # This has a make step which takes a while
brew link --overwrite gnupg
brew install pinentry-mac
On old homebrew:
echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
killall gpg-agent
On more recent systems like M1 macs:
echo "pinentry-program /opt/homebrew/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
killall gpg-agent
The first part installs gpg2, and latter is a hack required to use it. For troubleshooting, see this answer (though that is about linux not brew), it suggests a good test:
echo "test" | gpg --clearsign # on linux it's gpg2 but brew stays as gpg
If this test is successful (no error/output includes PGP signature), you have successfully updated to the latest gpg version.
You should now be able to use git signing again!
It's worth noting you'll need to have:
git config --global gpg.program gpg # perhaps you had this already? On linux maybe gpg2
git config --global commit.gpgsign true # if you want to sign every commit
Note: After you've run a signed commit, you can verify it signed with:
git log --show-signature -1
which will include gpg info for the last commit.
Solution 2 - Git
If gnupg2 and gpg-agent 2.x are used, be sure to set the environment variable GPG_TTY.
export GPG_TTY=$(tty)
Solution 3 - Git
If everything fails, use GIT_TRACE=1 to try and see what git is actually doing:
$ GIT_TRACE=1 git commit -m "Add page that always requires a logged-in user"
20:52:58.902766 git.c:328 trace: built-in: git 'commit' '-vvv' '-m' 'Add page that always requires a logged-in user'
20:52:58.918467 run-command.c:626 trace: run_command: 'gpg' '--status-fd=2' '-bsau' '23810377252EF4C2'
error: gpg failed to sign the data
fatal: failed to write commit object
Now run the failing command manually:
$ gpg -bsau 23810377252EF4C2
gpg: skipped "23810377252EF4C2": Unusable secret key
gpg: signing failed: Unusable secret key
Turns out, my key was expired, git was not to blame.
Solution 4 - Git
Follow the URL below to set up signed commits: https://help.github.com/en/articles/telling-git-about-your-signing-key
If you are still getting gpg failed to sign the data fatal: failed to write commit object
this is not an issue with git, it is an issue with GPG. Follow the steps below:
- gpg --version
- echo "test" | gpg --clearsign
  if it is showing:
  gpg: signing failed: Inappropriate ioctl for device
  gpg: [stdin]: clear-sign failed: Inappropriate ioctl for device
- then use
  export GPG_TTY=$(tty)
- then try again
  echo "test" | gpg --clearsign
  in which the PGP signature is produced.
- git config -l | grep gpg
  gpg.program=gpg
  commit.gpgsign=true
- apply
  git commit -S -m "commitMsz"
Solution 5 - Git
I've DONE it through this short and easy recipe:
Auto-sign commits on macOS (Globally and with different IDEs):
Get your signingkey in this way.
brew install gnupg gnupg2 pinentry-mac
git config --global user.signingkey <YOUR_SIGNING_KEY>
git config --global commit.gpgsign true
git config --global gpg.program gpg
Put the following in gpg.conf file (edit file with nano ~/.gnupg/gpg.conf command):
no-tty
Put the following in gpg-agent.conf file (edit file with nano ~/.gnupg/gpg-agent.conf command):
pinentry-program /usr/local/bin/pinentry-mac
Update:
As suggested in the comments, you might need to execute the killall gpg-agent command after editing the configuration file, gpg.conf. Needless to say, this command will terminate the GPG (Gnu Privacy Guard) agent.
Solution 6 - Git
It may help to kill the gpg-agent process, which might be stuck with old data. The newly started gpg-agent would then ask for the password.
Solution 7 - Git
My two cents here:
When you create and add a key to gpg-agent you define something called passphrase. Now that passphrase at some point expires, and gpg needs you to enter it again to unlock your key so that you can start signing again.
When you use any other program that interfaces with gpg, gpg's prompt to you to enter your passphrase does not appear (basically gpg-agent when daemonized cannot possibly show you the input dialog in stdin).
One of the solutions is gpg --sign a_file.txt then enter the passphrase that you have entered when you created your key and then everything should be fine (gpg-agent should automatically sign)
See this answer on how to set longer timeouts for your passphrase so that you do not have to do this all the time.
Or you can completely remove the passphrase with ssh-keygen -p
Edit: Do a man gpg-agent to read some stuff on how to have the above happen automatically and add the lines:
GPG_TTY=$(tty)
export GPG_TTY
on your .bashrc if you are using bash (this is the correct answer but I am keeping my train of thought above as well) then source your .bashrc file or relogin.
Solution 8 - Git
To anybody who is facing this issue on MacOS machines, try this:
brew uninstall gpg
brew install gpg2
brew install pinentry-mac
(if needed)
gpg --full-generate-key
Create a key by using an algorithm.
- Get generated key by executing:
gpg --list-keys
- Set the key here
git config --global user.signingkey <Key from your list>
git config --global gpg.program /usr/local/bin/gpg
git config --global commit.gpgsign true
- If you want to export your Key to GitHub then:
gpg --armor --export <key>
and add this key to GitHub at GPG keys: https://github.com/settings/keys (with START and END line included)
If the issue still exists:
test -r ~/.bash_profile && echo 'export GPG_TTY=$(tty)' >> ~/.bash_profile
echo 'export GPG_TTY=$(tty)' >> ~/.profile
If the issue still exists:
Install https://gpgtools.org and sign the key that you used by pressing Sign from the menu bar: Key->Sign
If the issue still exists:
Go to: your global .gitconfig file which in my case is at: /Users/gent/.gitconfig
And modify the .gitconfig file (please make sure Email and Name are the same with the one that you have created while generating the Key):
[user]
email = [email protected]
name = Gent
signingkey = <YOURKEY>
[gpg]
program = /usr/local/bin/gpg
[commit]
gpgsign = true
[filter "lfs"]
process = git-lfs filter-process
required = true
clean = git-lfs clean -- %f
smudge = git-lfs smudge -- %f
[credential]
helper = osxkeychain
Solution 9 - Git
I've seen similar answers, but nothing exactly like what worked for me. On Linux, I had to kill and restart my gpg-agent with:
$ pkill gpg-agent
$ gpg-agent --daemon
$ git commit ...
This did the trick for me. It looks like you do need to have user.signingkey set to your private key as well from what some other comments are saying.
$ git config --global user.signingkey [your_key_hash]
Solution 10 - Git
On OS X, using gnupg2 via brew I just had to kill the gpg agent, happens sometimes:
pkill -9 gpg-agent
And set the env variable if needed:
export GPG_TTY=$(tty)
See Common GPG problems also and this answer here too.
Solution 11 - Git
I get that error every time I logout then login again on my macOS. The solution is just a simple single command:
killall gpg-agent
I think it's just an error from the gpg agent; kill it and then it works again.
Solution 12 - Git
The git trace was very revealing for my situation...
GIT_TRACE=1 git commit -m "a commit message"
13:45:39.940081 git.c:344 trace: built-in: git commit -m 'a commit message'
13:45:39.977999 run-command.c:640 trace: run_command: gpg --status-fd=2 -bsau 'full name <[email protected]>'
error: gpg failed to sign the data
fatal: failed to write commit object
I needed to generate an initial key per the format that git was checking against. It's best to copy the value passed to -bsau above in the logs as is and use below.
So it becomes,
gpg --quick-generate-key "full name <your-email@domain.com>"
Then it worked.
Solution 13 - Git
Update Oct. 2016: issue 871 did mention "Signing stopped working in Git 2.9.3"
Git for Windows 2.10.1 released two days ago (Oct. 4th, 2016) has fixed Interactive GPG signing of commits and tag.
> the recent gpg-sign change in git (which introduces no problem on Linux) exposes a problem in the way in which, on Windows, non-MSYS2-git interacts with MSYS2-gpg.
Original answer:
Reading "7.4 Git Tools - Signing Your Work", I assume you have your "user.signingkey" configuration set.
The last big refactoring (before Git 2.10) around gpg was in commit 2f47eae2a, here that error message was moved to gpg-interface.c
A log on that file reveals the recent change in commit af2b21e (Git 2.10)
> gpg2 already uses the long format by default, but most distributions seem to still have "gpg" be the older 1.x version due to compatibility reasons. And older versions of gpg only show the 32-bit short ID, which is quite insecure.
> This doesn't actually matter for the verification itself: if the verification passes, the pgp signature is good. But if you don't actually have the key yet, and want to fetch it, or you want to check exactly which key was used for verification and want to check it, we should specify the key with more precision.
So check how you specified your user.signingkey configuration, and the version of gpg you are using (gpg1 or gpg2), to see if those have any effect on the error message.
There is also commit 0581b54 which changes the condition for the gpg failed to sign the data error message (in complement to commit 0d2b664):
> We don't read from stderr at all currently. However, we will want to in a future patch, so this also prepares us there (and in that case gpg does write before reading all of the input, though again, it is unlikely that a key uid will fill up a pipe buffer).
Commit 4322353 shows gpg now uses a temporary file, so there could be right issues around that.
> Let's convert to using a tempfile object, which handles the hard cases for us, and add the missing cleanup call.
Solution 14 - Git
Using cygwin, I recently switched to gpg2. Then I had the same problem for signing with git after setting git config gpg.program gpg2.
Try echo "test" | gpg2 --clearsign to see whether gpg2 is working. I found it the easiest solution to just set git config gpg.program gpg, because that works. But you will also get a better error this way - e.g. that you need to install pinentry.
Solution 15 - Git
Might be a hanging gpg-agent.
Try gpgconf --kill gpg-agent as discussed here
Solution 16 - Git
I got this error on Ubuntu 18.04 and it turned out that my key was expired.
To see this, I ran this and it confirmed that my keys were expired:
gpg --list-keys
To correct this, I ran (using the ID displayed in the previous command):
gpg --edit-key <ID>
From there, I extended the expiration of key 0 and key 1 following these instructions which boiled down to typing key 0 then expire and following the prompts. Then repeating for key 1.
Afterward, to test this, I ran:
echo test | gpg --clearsign
And before the fix, it failed with the error:
> gpg: no default secret key: No secret key
> gpg: [stdin]: clear-sign failed: No secret key
But after the fix, the same command successfully signed the message so I knew things were working again!
Solution 17 - Git
If you use homebrew on a M1 chip without Rosetta, you need to specify a different location of the pinentry-program binary because it's installed at a different place.
Andy Hayden's updated answer should be modified as follows:
brew upgrade gnupg # This has a make step which takes a while
arch -arm64 brew link --overwrite gnupg
arch -arm64 brew install pinentry-mac
echo "pinentry-program /opt/homebrew/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
killall gpg-agent
Solution 18 - Git
I ran into the same problem. I'm happy to report that the issue lies not with git 2.10.0 but with gnupg 1.4.21.
Temporarily downgrading gnupg to 1.4.20 fixed the issue for me.
If you're using homebrew and you upgraded your packages like I did, you can probably just run brew switch gnupg 1.4.20 to revert back.
Solution 19 - Git
I must have accidentally updated gpg somehow because I got this after trying to test if gpg works:
gpg: WARNING: server 'gpg-agent' is older than us (2.1.21 < 2.2.10)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
Running gpgconf --kill all fixed it for me.
Solution 20 - Git
Make sure you have your email set properly.
git config --global user.email "[email protected]"
Solution 21 - Git
This started happening all of a sudden for me on Ubuntu, not sure if some recent update did it, but none of the existing issues were applicable for me (I had GPG_TTY set, tried killing the agent etc.). The standalone gpg command was failing with this error:
$ echo "test" | gpg --clearsign
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
test
gpg: signing failed: Operation cancelled
gpg: [stdin]: clear-sign failed: Operation cancelled
I tried running gpg with --debug-all option and noticed the below output:
gpg: DBG: chan_3 <- INQUIRE PINENTRY_LAUNCHED 27472 gnome3 1.1.0 /dev/pts/6 screen-256color -
gpg: DBG: chan_3 -> END
gpg: DBG: chan_3 <- ERR 83886179 Operation cancelled <Pinentry>
gpg: signing failed: Operation cancelled
The above indicates that there is some issue with the pinentry program. Gpg normally runs pinentry-curses for me, so I changed it to pinentry-tty (I had to aptitude install it first) and the error went away (though I no longer get the fullscreen password entry, but I don't like that anyway). To make this change, I had to add the line pinentry-program /usr/bin/pinentry-tty to ~/.gnupg/gpg-agent.conf and kill the agent with gpgconf --kill gpg-agent (it gets restarted the next time).
Solution 22 - Git
If the email associated with your GPG key's uid is different from the email you are using in git, you'll need to add another user id to your key OR use a key whose email matches exactly.
You can add another UID by using:
> $ gpg --edit-key
See for mo https://superuser.com/questions/293184/one-gnupg-pgp-key-pair-two-emails
Solution 23 - Git
I stumbled upon this error not because of any configuration issue, but because my key was expired. The easiest way to extend its validity on OSX is to open the GPG Keychain app (if you have it installed) and it will automatically prompt you to extend it. Two clicks, and you're done.
Solution 24 - Git
Apart from not having setup your gpg key with git correctly, another possible problem:
Trying to commit from inside an ssh session with X forwarding.
In this case it could try to invoke a GUI which will fail if the env var DISPLAY isn't set.
You can force gpg-agent to use a tty-only tool by editing your ~/.gnupg/gpg-agent.conf:
pinentry-program /usr/bin/pinentry-tty
Then reload the conf:
gpg-connect-agent reloadagent /bye
(of course install pinentry-tty first)
Solution 25 - Git
After searching a lot, I found that gpg key was the issue in my case.
To check if gpg key is an issue for you, first check output of the following:
GIT_TRACE=1 git commit -m 'message'
If something is wrong then you will see something like:
10:37:22.346480 run-command.c:637 trace: run_command: gpg --status-fd=2 -bsau <your GPG key>
It was showing my name and email in GPG key here but this should have the key. You can try running gpg --status-fd=2 -bsau <your GPG key>
To update your correct key, do the following:
check key using: gpg --list-secret-keys --keyid-format=long
It should have the following output:
/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec 4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid Hubot
ssb 4096R/42B317FD4BA89E7A 2016-03-10
And then update the key using:
git config --global user.signingkey 3AA5C34371567BD2
Now check the commit again and it should succeed if the key was the issue. You need to set the passphrase to update the key which you can do using GitHub docs.
More details are at: https://gist.github.com/paolocarrasco/18ca8fe6e63490ae1be23e84a7039374
Solution 26 - Git
I had a similar issue with the latest Git sources (2.12.2) built along with the latest sources of all its dependencies (Zlib, Bzip, cURL, PCRE, ReadLine, IDN2, iConv, Unistring, etc).
It turns out libreadline was giving GnuPG problems:
$ gpg --version
gpg: symbol lookup error: /usr/local/lib/libreadline.so.7: undefined symbol: UP
And of course, trying to get useful information from Git with -vvv failed, so the failure was a mystery.
To resolve the PGP failure due to ReadLine, follow the instructions at Can't update or use package manager -- gpg error:
> In terminal:
>
> ls /usr/local/lib
>
> there was a bunch of readline libs in there (libreadline.so.BLAH-BLAH)
> so i:
>
> su
> mkdir temp
> mv /usr/local/lib/libreadline* temp
> ldconfig
Solution 27 - Git
The answers above are great but they did not work for me. What solved my issue was exporting both the public and secret keys.
list the keys from machine where we are exporting from
$ gpg --list-keys
/home/user/.gnupg/pubring.gpg
--------------------------------
pub 1024D/ABCDFE01 2008-04-13
uid firstname lastname (description) <email@example.com>
sub 2048g/DEFABC01 2008-04-13
export the keys
$ gpg --output mygpgkey_pub.gpg --armor --export ABCDFE01
$ gpg --output mygpgkey_sec.gpg --armor --export-secret-key ABCDFE01
go to machine we are importing to and import
$ gpg --import ~/mygpgkey_pub.gpg
$ gpg --allow-secret-key-import --import ~/mygpgkey_sec.gpg
bingo bongo, you're done!
reference: https://www.debuntu.org/how-to-importexport-gpg-key-pair/
ps. My keys were originally made on bootcamp windows 7 and I exported them onto my mac air (same physical machine, different virtually)
Solution 28 - Git
Very much like @birchlabs, after a lot of digging/searching I found that it wasn't GPG, but rather GPG Suite. I did cask reinstall gpg-suite and it solved it for me.
Solution 29 - Git
I am on Ubuntu 18.04 and got the same error, was worried for weeks too. Finally realized that gpg2 is not pointing towards anything. So simply run
git config --global gpg.program gpg
And tada, it works like charm.
Your commits will now have verified tag with them.
Solution 30 - Git
None of the above worked for me, I usually use my IDE terminal.
I got this error every now and then, in most cases it worked just fine. I found out the issue after running
echo "test" | gpg --clearsign
gpg: signing failed: Screen or window too small
gpg: [stdin]: clear-sign failed: Screen or window too small
The solution: just increase terminal window size.
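The trace-then-rerun procedure from Solutions 3, 12 and 25, combined with the gpg error strings quoted in Solutions 3, 4, 16, 19, 21 and 30, as an added example that is not part of any answer on this page. The function names are hypothetical, and the sample trace and stderr text is constructed in the format those answers show.

```shell
#!/bin/sh
# Added example: triage for "gpg failed to sign the data". Function names are
# hypothetical; the sample inputs at the bottom are constructed.

# stdin: GIT_TRACE output. Prints the signer git passed to gpg after -bsau.
# Handles both trace styles: every argument quoted, or only those needing it.
trace_signer() {
    sed -n "/trace: run_command:.*-bsau/{
        s/.*-bsau'\{0,1\}[[:space:]]*//
        s/^'//
        s/'\{0,1\}[[:space:]]*\$//
        p
        q
    }"
}

# Classify the signer: a user ID makes gpg pick a key by name/email, a
# 32-bit short ID is ambiguous, long IDs and fingerprints are precise.
signer_kind() {
    case "$1" in
        "")              echo none ;;
        *"<"*"@"*">"*)   echo user-id ;;
        *[!0-9A-Fa-f]*)  echo other ;;
        *)  case ${#1} in
                8)  echo short-key-id ;;
                16) echo long-key-id ;;
                40) echo fingerprint ;;
                *)  echo other ;;
            esac ;;
    esac
}

# stdin: stderr of the gpg command rerun by hand. Prints a failure class.
gpg_failure() {
    gf_err=$(cat)
    case "$gf_err" in
        *"Inappropriate ioctl for device"*) echo no-tty ;;
        *"Screen or window too small"*)     echo terminal-too-small ;;
        *"Operation cancelled"*)            echo pinentry ;;
        *"Unusable secret key"*)            echo key-unusable ;;
        *"No secret key"*)                  echo no-secret-key ;;
        *"is older than us"*)               echo stale-agent ;;
        *)                                  echo unknown ;;
    esac
}

# $1 = GIT_TRACE output, $2 = gpg stderr. Prints one summary line with the
# next step the answers above suggest for that failure class.
triage() {
    t_kind=$(signer_kind "$(printf '%s\n' "$1" | trace_signer)")
    t_cause=$(printf '%s\n' "$2" | gpg_failure)
    case "$t_cause" in
        # single quotes on purpose: the hint is printed, not executed
        no-tty)             t_next='export GPG_TTY=$(tty)' ;;
        terminal-too-small) t_next='enlarge the terminal window' ;;
        pinentry)           t_next='check pinentry-program in ~/.gnupg/gpg-agent.conf, then gpgconf --kill gpg-agent' ;;
        key-unusable)       t_next='check expiry: gpg --list-secret-keys --keyid-format=long' ;;
        no-secret-key)      t_next='no usable secret key for this signer: gpg --list-secret-keys --keyid-format=long' ;;
        stale-agent)        t_next='gpgconf --kill all' ;;
        *)                  t_next='rerun: echo test | gpg --clearsign' ;;
    esac
    case "$t_kind" in
        user-id|short-key-id) t_next="$t_next; set user.signingkey to a long key ID" ;;
    esac
    printf 'signer=%s cause=%s next=%s\n' "$t_kind" "$t_cause" "$t_next"
}

# Constructed samples in the two trace formats and two of the error formats.
SAMPLE_TRACE_QUOTED="20:52:58.918467 run-command.c:626 trace: run_command: 'gpg' '--status-fd=2' '-bsau' '0123456789ABCDEF'
error: gpg failed to sign the data"
SAMPLE_TRACE_UID="13:45:39.977999 run-command.c:640 trace: run_command: gpg --status-fd=2 -bsau 'Example User <user@example.com>'"
SAMPLE_ERR_EXPIRED='gpg: skipped "0123456789ABCDEF": Unusable secret key
gpg: signing failed: Unusable secret key'
SAMPLE_ERR_TTY='gpg: signing failed: Inappropriate ioctl for device'

triage "$SAMPLE_TRACE_QUOTED" "$SAMPLE_ERR_EXPIRED"
triage "$SAMPLE_TRACE_UID" "$SAMPLE_ERR_TTY"
```

On a real failure, feed it the output of GIT_TRACE=1 git commit and the stderr of the gpg command copied from that trace.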
Solution 31 - Git
If you're like me and using WSL along with your IDE, you might've faced this problem since the passphrase 'window' never shows up when committing using the IDE's commit interface (WSL doesn't support GUI apps yet)
The fix was to simply use the command line git as that has its own cli window for you to enter your passphrase. You also need to make sure that the terminal is 'big' enough for it to popup (surprising I know)
Solution 32 - Git
If your issue is with Visual Studio Code not allowing to commit, but you have already set up your GPG signature the one line answer with bash is:
git config --global gpg.program `which gpg2`
If you have gpg in PATH but not gpg2 then just use it instead.
Solution 33 - Git
In my case, the problem was with the relative name of gpg inside ~/.gitconfig. I changed it to this and the problem disappeared (Monterey, Macbook M1):
[gpg]
program = /opt/homebrew/bin/gpg
The explanation is simple: when git is trying to run gpg it does it in a new shell, without running ~/.profile where I configure PATH for homebrew. So, it simply can't find gpg at all.
Solution 34 - Git
I am using an M1 Mac, where I tried most of the common solutions above and they didn't work; my problem was that the GPG binary was missing here => usr/local/bin
Originally, I installed GPG via brew and I tried re-installing it but couldn't find where the binary was stored; later I installed GPG Suite GUI from here => GPG Suite Tools and it worked.
Finally, I can sign commits and get the verified badge on GitHub.
Solution 35 - Git
None of the above answers seemed to match my problem. My gpg binary (/usr/local/bin/gpg -> /usr/local/MacGPG2/bin/gpg2) was installed as part of GPG Suite, rather than by brew.
Nevertheless, I felt that the advice boiled down to: "use whichever gpg binary is the latest available on brew". So I tried:
brew update
brew upgrade git
brew install gpg
# the following are suggestions from brew's Caveats, to make `/usr/local/bin/gpg`
# point to the brew binary:
rm '/usr/local/bin/gpg'
brew link --overwrite gnupg2
I verified that I had correctly changed the gpg upon my $PATH to point to the new executable from brew:
🍔 which gpg
/usr/local/bin/gpg
🍔 ls -l /usr/local/bin/gpg
lrwxr-xr-x 1 burger admin 33 Feb 13 13:22 /usr/local/bin/gpg -> ../Cellar/gnupg2/2.0.30_3/bin/gpg
And I also explicitly told git which gpg binary to use:
git config --global gpg.program gpg
Well, maybe that's not completely watertight, as it's sensitive to path. I didn't actually go as far as confirming beyond doubt that git had switched to invoking the brew gpg.
In any case: none of this was sufficient to make git commit successfully sign my commits again.
The thing that worked for me ultimately was to update GPG Suite. I was running version 2016.7, and I found that updating to 2016.10 fixed the problem for me.
I opened GPG Keychain.app, and hit "Check for updates…". With the new version: signed commits worked correctly again.
Solution 36 - Git
If this just happened randomly and has been working perfectly in the past, as is my case, try logging out (cmd+shift+q) and logging back in. Worked for me
Solution 37 - Git
Got it set up by simply:
brew uninstall gpg
brew install gpg2
Solution 38 - Git
Kind of a weird one, but make sure your terminal is big enough! You can tell if it's too small by running echo test | gpg --clearsign -- it'll give you a pretty obvious error message letting you know. If it's not big enough, your GPG agent can't display its little ncurses box.
This one won't apply if you use a GUI agent or something that doesn't use ncurses.
Solution 39 - Git
For me, brew had updated the gnupg or gpg so all I had to do to fix this is.
brew link --overwrite gnupg
That linked the gpg to the right place, as I can confirm via which gpg and everything worked after that.
Solution 40 - Git
In my case, none of the solutions were working because I did not manually go into my ~/.gitconfig and remove the following as I created a new key that was no longer my older X.509 key so I removed the following and then my new key began to work.
[gpg]
program = gpg
format = x509
[gpg "x509"]
program = smimesign
Solution 41 - Git
In my case, none of the solutions mentioned in other answer worked. I found out that the problem was specific to one repository. Deleting and cloning the repo again solved the issue.
Solution 42 - Git
Ran into this in prezto another zsh variant. There the issue was my git repo was new and did not have the node_modules added to .gitignore. As soon as I added the node_modules to .gitignore the issue was no more to be seen. So my assumption is git-info was taking time due to these large node_modules.
Solution 43 - Git
If you don't want to deal with brew to install gpg, which seems to run into problems from time to time, just download gpg tools from GPG Tools.
As you go through the wizard, click on customize install and deselect the mail plugin (unless you want to use it). These tools seem to work without running into any problems, plus it remembers your passphrase after the first time you sign your commit. No extra configuration needed, other than telling git about which key to use.
At least that has been my experience.
Solution 44 - Git
Check if gpg is enabled using below command
git config -l | grep gpg
if it returns true, Run the below command to disable it
git config --global --unset commit.gpgsign
After successfully running above command, You should be able to run git commit command.