Reputation: 4969
I just started using git and I installed git and gpg via homebrew.
For some reason, I get this error when I do git commit.
I looked at so many other Stack Overflow questions regarding this topic and none of them worked for me.
How can I fix this error so that I can upload successfully?
error: gpg failed to sign the data
fatal: failed to write commit object
Upvotes: 375
Views: 251076
Reputation: 3797
I ran into that problem today after updating to PHPStorm 2024.3.1:
error: gpg failed to sign the data
fatal: failed to write commit object
When updating PHPStorm, ~/.gnupg/gpg-agent.conf was renamed to ~/.gnupg/gpg-agent.conf.bak and the line pinentry-program /Users/<MYUSERNAME>/.gnupg/pinentry-ide.sh was added.
After I commented out the line and executed gpgconf --kill gpg-agent, the signing now works again.
Another solution is described in the PHPStorm docs.
Upvotes: 3
Reputation: 17913
Git needs to know which key it is signing with.
After you have set up GPG, gpg-agent, and your gpg.conf files (see this guide), you need to run
git config --global user.signingKey A20AB8EC
Obviously, replace the public key at the end with your own. If you want every commit to be signed by default, use
git config --global commit.gpgsign true
$ gpg2 -K --keyid-format SHORT # <-- Shows your keys, e.g.:
/home/<username>/.gnupg/pubring.kbx
-------------------------------
sec rsa4096/0754B01E 2019-02-02 [SCA] <--secret key
C396BF3771782D7691B0641145E11B080754B01E
uid [ultimate] John Doe <[email protected]>
ssb rsa4096/A20AB8EC 2019-02-02 [E] <--public key
sec rsa4096/25C504D5 2019-02-02 [SCA] [revoked: 2020-06-01]
08BFF49B9E07E4B4B0C4946B645B6C1425C504D5
uid [ revoked] John Doe <[email protected]>
uid [ revoked] [jpeg image of size 2670]
Where A20AB8EC is the key ID you're looking for from this example.
Upvotes: 176
Reputation: 4125
Referring to @sideshowbarker's and @Xavier Ho's solutions, I solved my problem via the following steps.
Assuming gpg2 is installed by brew,
git config --global gpg.program gpg2
brew install pinentry
gpgconf --kill gpg-agent
gpg2 -K --keyid-format SHORT
# no key found, then generate a new one
gpg2 --gen-key
gpg2 -K --keyid-format SHORT
.../.gnupg/pubring.gpg
sec rsa2048/0A61C6FC 2017-06-29 [SC] [expires: 2019-06-29]
git config --global user.signingkey 0A61C6FC
Reminded by my colleague, need to append
export GPG_TTY=$(tty)
to ~/.zshrc if using zsh, else append to ~/.bash_profile
The gpg2 is combined with gpg in brew and hence the gpg command is pointed to gpg2
brew install gpg2
brew info gpg
gnupg: stable 2.2.6 (bottled)
git config --global gpg.program gpg
gpg -K --keyid-format SHORT
and there is pinentry-mac for passphrase entry
brew install pinentry-mac
vim ~/.gnupg/gpg-agent.conf
Add line
pinentry-program /usr/local/bin/pinentry-mac
Beware that the pinentry-mac path might change; in my case, it changed to /opt/homebrew/bin/pinentry-mac, which you can obtain via which pinentry-mac, or you can give $HOMEBREW_PREFIX/bin/pinentry-mac a try.
Reminded by my colleague, need to append
export GPG_TTY=$(tty)
to ~/.zshrc if using zsh, else append to ~/.bash_profile
Upvotes: 58
Reputation: 41
I solved this issue by adding the line in the ~/.bashrc.
~/.bashrc
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye >/dev/null
Link: https://wiki.archlinux.org/title/GnuPG#Configure_pinentry_to_use_the_correct_TTY
Upvotes: 0
Reputation: 8749
Check for your key to be expired. Once you fix the expiration date (no need to create a new key unless you want to), git will work as normal.
One way to fix the expired key:
(Note: $ represents command line prompt, type the commands after the prompt; press Enter after each command)
$ gpg2 --list-keys
to find the appropriate key id (characters after \ on pub line)
$ gpg2 --edit-key <key id>
- this opens the gpg shell, with prompt changed to gpg>
gpg> expire
- follow instructions to set new expiration date for primary key
Next, if there are subkeys that are expired (sub shows on the line), reset their expiration dates, too:
gpg> key 1
- selects first subkey
gpg> expire
- follow instructions to set new expiration date for subkey
Repeat for each subsequent subkey, as needed.
gpg> save
- saves the expiration dates changes
Upvotes: 59
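The expiry check that several answers do by eye on the gpg -K listing can be scripted against GnuPG's colon-delimited output. This is an added example, not part of any answer on this page; key_status is a hypothetical helper name and every key ID in SAMPLE_KEYS is constructed.

```shell
#!/bin/sh
# Added example: classify the key named in user.signingkey from the output of
#   gpg -K --with-colons
# Fields used: 1=record type, 2=validity, 5=key ID, 7=expiry (epoch), 12=capabilities.

# key_status KEYID [NOW_EPOCH] < colon listing
# Prints: ok | expired | revoked | cannot-sign | missing
key_status() {
    awk -F: -v want="$1" -v now="${2:-$(date +%s)}" '
        BEGIN { want = toupper(want); sub(/^0X/, "", want) }
        # Remember the primary key; its subkeys (ssb) follow it in the listing.
        $1 == "sec" { validity = $2; until = $7; caps = $12 }
        $1 == "sec" || $1 == "ssb" {
            id = toupper($5); n = length(want)
            # Short (8) and long (16) IDs are both suffixes of field 5.
            if (n == 0 || n > length(id) || substr(id, length(id) - n + 1) != want) next
            hit = 1
            if (validity == "r") status = "revoked"
            else if (validity == "e" || (until != "" && until + 0 <= now + 0)) status = "expired"
            else if (caps !~ /S/) status = "cannot-sign"   # uppercase = usable by the whole key
            else status = "ok"
            exit
        }
        END { print (hit ? status : "missing") }
    '
}

# Constructed sample listing (not real keys).
SAMPLE_KEYS='sec:u:4096:1:AAAA1111BBBB2222:1549065600:::u:::scESC:
ssb:u:4096:1:CCCC3333DDDD4444:1549065600::::::e:
sec:e:2048:1:EEEE5555FFFF6666:1498694400:1561766400::u:::sc:
sec:r:4096:1:1234ABCD5678EF90:1549065600:::-:::sc:
sec:u:3072:1:0123456789ABCDEF:1557100800:1700000000::u:::scESC:
sec:u:4096:1:9999888877776666:1549065600:::u:::cE:'

for id in BBBB2222 CCCC3333DDDD4444 0xffff6666 5678EF90 9999888877776666 DEADBEEF; do
    printf '%-18s %s\n' "$id" "$(printf '%s\n' "$SAMPLE_KEYS" | key_status "$id")"
done

# Real use: gpg -K --with-colons | key_status "$(git config user.signingkey)"
```

The status is judged on the primary key that owns the matching ID, so a subkey ID reports the state of its whole key.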
Reputation: 88296
For troubleshooting, two things to first try:
- gpg --version, and make sure you have GnuPG version 2+ (not version 1) installed
- echo "test" | gpg --clearsign, to make sure gpg itself is working
If that all looks all right, one next thing to try:
- brew install pinentry to ensure you have a good tool installed for passphrase entry
If after that install, you re-try git commit and still get a "failed to sign the data" error, do:
- gpgconf --kill gpg-agent to kill any running agent that might be hung
Otherwise, some basic steps to run to check you’ve got a working GnuPG environment:
- gpg -K --keyid-format SHORT, to check that you have at least one key pair that is not expired
If the output of that shows you have no secret key for GnuPG to use, you need to create one:
- gpg --gen-key, to have GnuPG walk you through the steps for creating a key pair
If you get an error message saying “Inappropriate ioctl for device”, do this:
- export GPG_TTY=$(tty) and/or add that to your ~/.bashrc or ~/.bash_profile
Upvotes: 536
Reputation: 71
If you are using Windows PowerShell (5.1+), I guess this command will work.
(Get-Command gpg).Path
git config gpg.program <your path>
Try to commit. Happy coding!!!
Upvotes: 0
Reputation: 79
Fail-safe option that worked for me: reboot my machine.
It's heavy handed, and it probably won't stop the problem from popping up again eventually. But I had the same problem, tried solutions from just about every answer, no luck.
Adding it here in the hopes that it unblocks someone else in my situation :)
Upvotes: -2
Reputation: 1894
I am using it. It has support for zsh and works on Windows Subsystem for Linux:
export GPG_TTY=$(tty)
Other users have confirmed that above is the only change required for MacOS (e.g. Catalina 10.15.7). For Macs add above to ~/.zshrc.
Proved to work also in Linux containers in Windows with WSL2.
Upvotes: 97
Reputation: 3295
After searching a lot, I found that gpg key was the issue in my case.
You can try running gpg --status-fd=2 -bsau <your GPG key> if your GPG key is correct.
To update your correct key, do the following:
check key using: gpg --list-secret-keys --keyid-format=long
It should have the following output:
/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec 4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid Hubot
ssb 4096R/42B317FD4BA89E7A 2016-03-10
And then update the key using:
git config --global user.signingkey 3AA5C34371567BD2
Now check the commit again and it should succeed if the key was the issue. You need to set the passphrase to update the key, which you can do using the GitHub docs.
More details are at: https://gist.github.com/paolocarrasco/18ca8fe6e63490ae1be23e84a7039374
Upvotes: 2
Reputation: 556
Use GIT_TRACE=1 to see where Git failed, then check all custom configurations used by Git and where they are defined, then override according to your need with:
GIT_TRACE=1 git commit -S -m "this will tell you which internal git command failed"
git config --list --show-scope --show-origin
For me I had the error: gpg failed to sign the data and fatal: failed to write commit object because Git was using smimesign by default for some reason, even if I unset gpg.x509.program key, and smimesign couldn't find my key.
So I had to explicitly tell Git to use gpg instead:
git config --local gpg.x509.program gpg
Upvotes: 7
Reputation: 396
What is gpg: GNU Privacy Guard
usage:
GPG is an excellent method to ensure secure communication between two parties. It allows sensitive information to be easily shared across an insecure network.
Simple solution:
Step 1: to check if the key is expired, please do
gpg -K --keyid-format SHORT
Step 2: in case it's not expired
git config --global user.signingkey
Upvotes: 0
Reputation: 1133
If it used to work and just started failing, kill the agent and try again:
gpgconf --kill gpg-agent
Check if the agent is up again:
echo "test" | gpg --clearsign
Upvotes: 10
Reputation: 6325
I had this issue on both linux/windows platforms and in my case I just needed to pay more careful attention to the output. This was mind-boggling because I could use the same setup to sign commits in other repos.
git commit -m "test signing"
gpg: skipped "***63231079***": No secret key
gpg: signing failed: No secret key
error: gpg failed to sign the data
fatal: failed to write commit object
I added emphasis on the "skipped" line. Please note that sometimes when you clone a repo they had a key assigned: this issue had me so befuddled that I nuked the forked repo I had access to and re-forked on github. Then because I was thinking "global config" I never thought to look at the local repo config, and when I did I noticed this:
[user]
signingkey = 63231079
Well, of course it wouldn't work nimrod, git defaults to local settings first so that's why your key never picked up. I set the pointer via git config and it's worked ever since.
Upvotes: 0
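Two answers above trace the failure to a signing setting defined in an unexpected scope: a repository-local user.signingkey, and a gpg.x509.program that had to be set explicitly. As an added example that is not part of any answer, this filter reads the git config --list --show-scope --show-origin listing quoted above and reports signing settings whose value is overridden; signing_overrides is a hypothetical name and the sample values are constructed.

```shell
#!/bin/sh
# Added example: list signing-related settings that a later (narrower) scope overrides.
# Input format, one entry per line:  scope<TAB>origin<TAB>key=value
# as printed by: git config --list --show-scope --show-origin

# signing_overrides < listing
# Prints: key<TAB>winning scope<TAB>winning value<TAB>shadowed scope=value[,...]
signing_overrides() {
    awk -F'\t' '
        {
            eq = index($3, "=")
            key = eq ? substr($3, 1, eq - 1) : $3
            val = eq ? substr($3, eq + 1) : ""
            if (key !~ /^(user\.signingkey|commit\.gpgsign|gpg\.format|gpg\.program|gpg\.[a-z0-9]+\.program)$/) next
            # Entries are listed in read order, so the last one seen is the one Git uses.
            if ((key in value) && value[key] != val)
                shadowed[key] = shadowed[key] (shadowed[key] == "" ? "" : ",") scope[key] "=" value[key]
            value[key] = val; scope[key] = $1
        }
        END { for (k in shadowed) printf "%s\t%s\t%s\t%s\n", k, scope[k], value[k], shadowed[k] }
    ' | sort
}

# Constructed sample listing (paths and key IDs are placeholders).
SAMPLE_CONFIG=$(printf '%s\t%s\t%s\n' \
    system 'file:/etc/gitconfig'       'gpg.program=gpg' \
    global 'file:/home/dev/.gitconfig' 'user.signingkey=AAAA1111BBBB2222' \
    global 'file:/home/dev/.gitconfig' 'commit.gpgsign=true' \
    global 'file:/home/dev/.gitconfig' 'gpg.program=gpg2' \
    global 'file:/home/dev/.gitconfig' 'gpg.x509.program=smimesign' \
    local  'file:.git/config'          'core.bare=false' \
    local  'file:.git/config'          'user.signingkey=0DDBA11C' \
    local  'file:.git/config'          'gpg.x509.program=gpg')

printf '%s\n' "$SAMPLE_CONFIG" | signing_overrides

# Real use: git config --list --show-scope --show-origin | signing_overrides
```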
Reputation: 829
For my Linux system with a GUI and gpg 2.2.19, neither killing gpg-agent (which starts itself again), unsetting $DISPLAY or setting $GPG_TTY worked for me because it was trying to use pinentry-gnome to ask for the password from the console. And my key had not expired.
From a SuperUser answer for a similar question, How to force GPG to use console-mode pinentry to prompt for passwords?, the problem can also occur if your system has a GUI such as GNOME, and your package manager is configured to use a GUI pinentry program, which is the reason why it’s hanging.
I had to switch to pinentry-tty to get GPG to sign messages again. On Ubuntu, this can be done using steps from the link which I will quote here:
sudo apt install pinentry-tty
sudo update-alternatives --config pinentry
The second command will show you a list of pinentry programs and ask you to type a number to select one, so type the one corresponding to pinentry-tty, and then without any additional effort, signing messages (and git commits) should work again.
Upvotes: 0
Reputation: 406
This worked for me on ubuntu 18.04
Check your gpg key
gpg -K --keyid-format LONG
If you get a blank response, generate a GPG key
gpg --generate-key
rerun the first command, you should get an output as:
sec rsa3072/95A854E0593B3214 2019-05-06 [SC] [expires: 2021-05-05]
AF2F7514568DC26B0EB97B9595A854E0593B74D8
uid [ultimate] yourname<your_email>
ssb rsa3072/EFD326E6C611117C 2019-05-06 [E] [expires: 2021-05-05]
set git signing key
git config --global user.signingkey 95A854E0593B3214
then you are good to go! (--global is optional)
Alternatively if you don't mind signing with your ssh key
git config commit.gpgsign false
note that this is not recommended due to a security issue according to this question here and here
Upvotes: 11
Reputation: 2221
I had this issue just now when VSCode updated. I figured the GPG agent was hanging, as the command took a good few seconds to run before erroring out. Running gpgconf --kill gpg-agent reset that and fixed it for me.
Upvotes: 0
Reputation: 6507
In my case, I had to match the name stored in GitHub settings to the name and comment of the key.
So if gpg --list-keys returns uid [ultimate] Joe Blogs (fancy comment) <[email protected]> your name in .gitconfig should be Joe Blogs (fancy comment).
Initially, I had my name set as Joe Blogs and GPG would not find my key and show the "no secret key" error in strace. Unfortunately, that error didn't appear without strace and one would get the generic
error: gpg failed to sign the data
fatal: failed to write commit object
Upvotes: 1
Reputation: 932
Issue: Disabled loopback pinentry mode
To solve the problem, you need to enable loopback pinentry mode in ~/.gnupg/gpg.conf:
cat <<'EOF' >> ~/.gnupg/gpg.conf
use-agent
pinentry-mode loopback
EOF
And also in ~/.gnupg/gpg-agent.conf (create the file if it doesn't already exist):
cat <<'EOF' >> ~/.gnupg/gpg-agent.conf
allow-loopback-pinentry
EOF
Then restart the agent with
echo RELOADAGENT | gpg-connect-agent
and you should be good to go!
Upvotes: 24
Reputation: 527
In my case, this error occurred when running git commit on a small tmux window that was not able to fit the passphrase prompt.
$ echo "test" | gpg --clearsign
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
test
gpg: signing failed: Screen or window too small
gpg: [stdin]: clear-sign failed: Screen or window too small
Upvotes: 2
Reputation: 1223
If you had your pinentry and gpg set up before, and it stopped working out of nowhere:
Check if your gpg works:
echo "test" | gpg --clearsign
If it says gpg: signing failed: No pinentry, just restart the gpg daemon client, which gets stuck from time to time:
gpgconf --kill gpg-agent
Now it should be working:
echo "test" | gpg --clearsign
Upvotes: 7
Reputation: 434
In my case, I had mixed gpg configuration and smimesign configuration given in the commit signing documentation here: https://help.github.com/en/github/authenticating-to-github/telling-git-about-your-signing-key
After working on it for hours, I found the best way to correct it was to unset everything related to gpg and reconfigure gpg.
As mentioned in @Jason Thrasher's answer, find all the git config related to gpg using:
git config -l | grep gpg
Then unset everything globally as well as locally using:
git config --global --unset <config_name>
git config --local --unset <config_name>
Then reconfigure following the official documentation given above. Hope this helps.
Upvotes: 0
Reputation: 10520
For me a simple brew uninstall gnupg && brew cask reinstall gpg-suite solves the issue.
It uninstalls the (in my case) manually homebrew-installed gpg and reinstalls the whole GPG Suite.
Upvotes: 0
Reputation: 2037
I had this error on macOS - to try and troubleshoot I tried listing keys to see if they had expired using gpg2 --list-keys - I verified that the keys had not expired and that the proper key was set in my config using git config --global user.signingkey.
After I had run those commands I was suddenly able to do signed commits again without problems. I did not change my config files or keys - I did not even create a fresh Terminal instance. It just seemed like the gpg2 was somehow in a weird state on my mac.
Upvotes: 1
Reputation: 703
If you are using a smart card/YubiKey to store your GPG key and you set the signkey of git config by the key stored in the card (and all the answers above seem not to resolve your issue), your blocked PIN of the card might be the root cause of this issue.
To check the blocked PIN:
gpg --card-status
If the counter is similar to
Reader ...........: Yubico YubiKey
PIN retry counter : 3 0 3
Then your PIN is blocked (after 3 unsuccessful tries).
To unblock the PIN:
gpg --card-edit
gpg/card> admin
Admin commands are allowed
gpg/card> passwd
gpg: OpenPGP card no. … detected
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 2
PIN unblocked and new PIN set.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? q
Upvotes: 0
Reputation: 1552
The same error can also be caused when you have an expired key in your git config.
Please check the content of cat .git/config and look for the signingkey value and check if it is expired. If yes, update it with the new one.
Upvotes: 0
Reputation: 5539
What solved it for me was making sure the key's name matched my git user name. I assume the emails have to match too. This might have to do with me using GPG KeyChain on my Mac. Not sure.
I thought I was naming the key when I filled this out, but I guess it was asking for my name (git user name).
Upvotes: 1
Reputation: 567
I had to fix the gpg.program to the absolute path to gpg:
git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"
I am using Windows with cygwin.
Upvotes: 10
Reputation: 65
This will help you to get rid of it
git config commit.gpgsign false
Upvotes: -8
Reputation: 749
I solved the problem installing brew install gpg2 then doing git config --global gpg.program gpg2
Upvotes: 0