Mondy

Reputation: 2275

git - gpg onto mac osx: error: gpg failed to sign the data

I installed GPG from brew.

brew install gpg

It is gnupg2-2.0.30_2.

When I commit, I get an error message:

You need a passphrase to unlock the secret key for
user: "Max Mustermann (mycomment) <[email protected]>"
2048-bit RSA key, ID 1111AAAA, created 2017-01-05 

error: gpg failed to sign the data
fatal: failed to write commit object

I used the command:

gpg --list-secret-keys | grep ^sec

and it gives me back:

sec   2048R/1111AAAA 2017-01-05

Then I used this command:

git config --global user.signingkey 1111AAAA

commit gives me back the same error message.

How can I solve this problem?

Upvotes: 116

Views: 70242

Answers (11)

Volodya Lombrozo

Reputation: 3454

I encountered the same problem after upgrading my system to macOS Sonoma (version 14.0). Despite having pinentry-mac installed and correctly configured git and gpg-agent.conf files, I was still facing issues with GPG signing in Git. None of the suggestions above helped.

I decided to upgrade pinentry-mac:

brew upgrade pinentry-mac

This resolved the issue for me. It seems that the previous version of pinentry-mac was not fully compatible with macOS Sonoma. So, if you're experiencing similar problems, make sure you have the latest version of pinentry-mac installed on your system.

Upvotes: 0

davidlj95

Reputation: 1598

As can be seen in many answers here, there may be multiple issues causing this and also multiple solutions for each of those issues.

I recommend that you first find out what the actual issue is before trying out a solution.

To do so, you can enable GIT_TRACE and run the commit command

GIT_TRACE=1 git commit

Credits go to this awesome gist

Then you'll see the actual command invoked by git to sign:

10:37:22.346480 run-command.c:637       trace: run_command: gpg --status-fd=2 -bsau <your GPG key>

With that only, you can see if the GPG key used by git is the correct one. If not, you know there's something fishy in your git config

Execute that command to see more details about the error

gpg --status-fd=2 -bsau <your GPG key>

In my case it was something about "inappropriate ioctl for device", so I could start looking into what was causing this.

Actually, I didn't find anything out there apart from it being something related to pinentry. I don't want to configure any pinentry things, as in my experience it's easy to mess it up. Furthermore, I know that installing brew's gpg-suite cask works like a charm. It even comes with a script to fix invalid pinentry configs. So I started figuring out whether something else was installed that was disturbing the gpg-suite defaults.

Eventually I found out that gpgme & gnupg were installed as dependencies of the poppler cask that I had installed recently. I uninstalled poppler, gpgme & gnupg, reinstalled gpg-suite and everything worked again 🎉

Upvotes: 1

Gent

Reputation: 6425

To anybody who is facing this issue on macOS machines, try this:

  1. brew uninstall gpg
  2. brew install gpg2
  3. brew install pinentry-mac (if needed)
  4. gpg --full-generate-key Create a key by using an algorithm.
  5. Get generated key by executing: gpg --list-keys
  6. Set the key here git config --global user.signingkey <Key from your list>
  7. git config --global gpg.program /usr/local/bin/gpg
  8. git config --global commit.gpgsign true
  9. If you want to export your Key to GitHub then: gpg --armor --export <key> and add this key to GitHub at GPG keys: https://github.com/settings/keys (with START and END line included)

If the issue still exists:

test -r ~/.bash_profile && echo 'export GPG_TTY=$(tty)' >> ~/.bash_profile

echo 'export GPG_TTY=$(tty)' >> ~/.profile

If the issue still exists:

Install https://gpgtools.org and sign the key that you used by pressing Sign from the menu bar: Key->Sign

If the issue still exists:

Go to your global .gitconfig file, which in my case is at /Users/gent/.gitconfig, and modify it (please make sure Email and Name are the same as the ones that you entered while generating the key):

[user]
    email = [email protected]
    name = Gent
    signingkey = <YOURKEY>
[gpg]
    program = /usr/local/bin/gpg
[commit]
    gpgsign = true
[filter "lfs"]
    process = git-lfs filter-process
    required = true
    clean = git-lfs clean -- %f
    smudge = git-lfs smudge -- %f
[credential]
    helper = osxkeychain

P.S. I took this answer from my previous answer here: gpg failed to sign the data fatal: failed to write commit object [Git 2.10.0]

Upvotes: 99

paradite

Reputation: 6436

To solve this issue without killing gpg-agent on every restart:

Check if you have multiple copies of gpg and gpg-agent:

$ which -a gpg-agent
/opt/homebrew/bin/gpg-agent
/usr/local/MacGPG2/bin/gpg-agent

$ which -a gpg
/opt/homebrew/bin/gpg
/usr/local/bin/gpg
/usr/local/bin/gpg

For me, there were some leftover binaries from old Macbook migrations installed by MacGPG2.

Removing those binaries (and symlinks) and checking again to make sure there is only one copy:

$ which -a gpg
/opt/homebrew/bin/gpg

$ which -a gpg-agent
/opt/homebrew/bin/gpg-agent

Then restart your computer one last time.

gpg should sign correctly without needing to kill anything:

$ echo "test" | gpg --clearsign
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

test
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIzBAEBCgAdFiEE1S8n.....
-----END PGP SIGNATURE-----

Upvotes: 0
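
The duplicate-binary check from the answer above, as an added example that is not part of the original post: `which -a` lists every PATH entry, including symlinks that all lead to the same file, so this sketch resolves each hit to its physical path and counts only distinct binaries. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the answer): count the *distinct* binaries a command
# name resolves to along PATH, so stale copies stand out.

# resolve_path FILE: print FILE's physical path, following symlink chains
# without relying on `readlink -f`.
resolve_path() {
    _f=$1
    while [ -L "$_f" ]; do
        _t=$(readlink "$_f")
        case $_t in
            /*) _f=$_t ;;                    # absolute link target
            *)  _f=$(dirname "$_f")/$_t ;;   # relative to the link's directory
        esac
    done
    printf '%s/%s\n' "$(cd "$(dirname "$_f")" && pwd -P)" "$(basename "$_f")"
}

# distinct_copies NAME [PATHSTRING]: one physical path per line, in PATH order.
distinct_copies() {
    printf '%s\n' "${2:-$PATH}" | tr ':' '\n' | while IFS= read -r _dir; do
        [ -n "$_dir" ] || continue
        if [ -f "$_dir/$1" ] && [ -x "$_dir/$1" ]; then
            resolve_path "$_dir/$1"
        fi
    done | awk '!seen[$0]++'
}

# count_copies NAME [PATHSTRING]: number of distinct binaries found.
count_copies() {
    distinct_copies "$@" | wc -l | tr -d ' '
}

# Report the tools involved in commit signing; more than one copy of any of
# them means git, gpg and the running agent may not belong together.
for _tool in gpg gpg-agent pinentry-mac; do
    echo "$_tool: $(count_copies "$_tool") distinct binary(ies) on PATH"
    distinct_copies "$_tool" | sed 's/^/    /'
done
```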

Micah Henning

Reputation: 2185

If this happens to you after installing Xcode, your git binary may have been replaced. (This particular solution assumes you are managing your git install with homebrew.)

Symptoms:

  1. You are not prompted for a passphrase
  2. Your error message is
    error: gpg failed to sign the data
    fatal: failed to write commit object
    
  3. $ git config --global gpg.program throws an error
  4. You see a system git instead of one installed by homebrew:
    $ which git
    /usr/bin/git # should be /usr/local/bin/git with homebrew
    $ ls -l $(which git)
    -rwxr-xr-x  1 root  wheel  167072 Feb  6  2022 /usr/bin/git
    # should be a symbolic link with homebrew:
    # lrwxr-xr-x  1 user  admin  28 Aug 16 12:11 /usr/local/bin/git -> ../Cellar/git/2.37.2/bin/git
    $ git --version
    git version 2.32.1 (Apple Git-133)
    

In this case the solution is to install or reinstall git with homebrew.

$ brew install git
# <output>
# then restart your terminal
$ ls -l $(which git)
lrwxr-xr-x  1 user  admin  28 Aug 16 12:11 /usr/local/bin/git -> ../Cellar/git/2.37.2/bin/git
$ git --version
git version 2.37.2

Don't forget to restart your terminal.

Upvotes: 0

sideshowbarker

Reputation: 88146

If you’re not getting prompted at all for a passphrase, the solution may just be to install a program to facilitate that. The most common is pinentry.

brew install pinentry-mac

So installing that and trying again may get things working. But if not, another thing to do is make sure git is using/finding the right GPG program. These days you really should be using gpg2, so if you don’t already have that installed, do this:

gpg --version

…and make sure it indicates you have GnuPG version 2+ (not version 1) installed.

If you already have GnuPG 2+ and pinentry installed, then try this:

echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf

…or, more robustly:

echo "pinentry-program $(which pinentry-mac)" >> ~/.gnupg/gpg-agent.conf

…and then try again.

And you may also need to stop gpg-agent:

gpgconf --kill gpg-agent

You don’t need to manually restart it — it will get restarted automatically when it’s needed.

Note: Some commenters mention needing to reboot after making changes — but it seems likely the only effect of that is to cause gpg-agent to be restarted. So manually killing gpg-agent as described above should be sufficient.

Upvotes: 170
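
An idempotent variant of the `echo ... >> ~/.gnupg/gpg-agent.conf` step from the answer above, as an added example that is not part of the original post: appending stacks a new `pinentry-program` line on every run and writes an empty value when `which` finds nothing, so this sketch refuses a missing binary and leaves exactly one line. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the answer): set pinentry-program in gpg-agent.conf
# so that exactly one such line exists, however often this is run.

# set_pinentry CONF PROGRAM
#   CONF     path to gpg-agent.conf (its directory must already exist)
#   PROGRAM  absolute path of the pinentry binary
set_pinentry() {
    _conf=$1
    _prog=$2
    case $_prog in
        /*) ;;
        *) echo "pinentry path must be absolute: '$_prog'" >&2; return 1 ;;
    esac
    [ -x "$_prog" ] || { echo "not executable: $_prog" >&2; return 1; }
    [ -f "$_conf" ] || : > "$_conf"
    _tmp=$(mktemp "$_conf.XXXXXX") || return 1
    # Keep every other option; drop all existing pinentry-program lines,
    # including empty ones left behind by a failed `which`.
    grep -Ev '^[[:space:]]*pinentry-program([[:space:]]|$)' "$_conf" > "$_tmp" || true
    printf 'pinentry-program %s\n' "$_prog" >> "$_tmp"
    chmod 600 "$_tmp"
    mv "$_tmp" "$_conf"
}

# pinentry_line_count CONF: how many pinentry-program lines CONF contains.
pinentry_line_count() {
    grep -Ec '^[[:space:]]*pinentry-program([[:space:]]|$)' "$1" || true
}

# Typical use, followed by the agent restart from the answer:
#   set_pinentry ~/.gnupg/gpg-agent.conf "$(command -v pinentry-mac)" &&
#       gpgconf --kill gpg-agent
```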

Connor Shea

Reputation: 870

I ran brew upgrade on macOS and it broke my gpg signing in git, presumably when it updated the gpg package. I assume there's an easier way to force the gpg service to restart correctly (I assume something that was actively running broke when I upgraded the package), but my fix for this was pretty simple: Just restart your computer.

Upvotes: 2

TOMARTISAN

Reputation: 1531

In my case the user.signingkey was set wrong. Copying the right signing key solved the problem.

Upvotes: 0

BaharaJr

Reputation: 73

If you are still getting problems in macOS, open ~/.gitconfig and change anything below [gpg] to program = /usr/local/bin/gpg

Upvotes: 1

Adham Saad

Reputation: 79

Install GPGSuite instead; it has a GUI for generating the key.

You can see more details here

Upvotes: 0

A5308Y

Reputation: 447

I had the same error message and found that my key was expired. So it might be a good idea to check your key expiration with:

gpg --list-keys

If your key is expired as well you can adjust the expiration date with:

gpg --edit-key <YOUR_KEY>

and then:

gpg> expire
...enter the new expiration date...
gpg> save

Upvotes: 11
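
The expiry check from the answer above, as an added example that is not part of the original post: instead of reading dates in `gpg --list-keys` by eye, it parses GnuPG's colon-delimited listing and reports expired keys and subkeys. It assumes the listing was produced with `--with-colons --fixed-list-mode` (dates as epoch seconds); the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the answer): report expired secret keys from
# GnuPG's machine-readable listing.

# Constructed sample of `gpg --list-secret-keys --with-colons --fixed-list-mode`
# output; key IDs, dates and the address are made up.
SAMPLE_LISTING='sec::2048:1:AAAAAAAA1111AAAA:1483574400:1515110400::u:::scESC:
uid:u::::1483574400::0000::Max Mustermann (mycomment) <max@example.invalid>:
ssb::2048:1:BBBBBBBB2222BBBB:1483574400::::::e:
sec:e:2048:1:CCCCCCCC3333CCCC:1400000000:1431536000::u:::sc:'

# expired_keys NOW_EPOCH < listing
# Prints "TYPE KEYID EXPIRES" for every primary key or subkey that is expired:
# field 2 (validity) is "e", or field 7 (expiration date) is <= NOW_EPOCH.
expired_keys() {
    awk -F: -v now="$1" '
        $1 == "sec" || $1 == "ssb" || $1 == "pub" || $1 == "sub" {
            by_flag = ($2 == "e")
            by_date = ($7 ~ /^[0-9]+$/ && $7 + 0 <= now + 0)
            if (by_flag || by_date) print $1, $5, ($7 == "" ? "never" : $7)
        }'
}

# key_is_expired NOW_EPOCH KEYID < listing
# Succeeds if KEYID names an expired key. KEYID is matched on its trailing
# hex digits, so the short form stored in user.signingkey works too.
key_is_expired() {
    expired_keys "$1" | awk -v id="$2" '
        length($2) >= length(id) &&
        toupper(substr($2, length($2) - length(id) + 1)) == toupper(id) { hit = 1 }
        END { exit (hit ? 0 : 1) }'
}

# Demo on the constructed sample. Against a real keyring:
#   gpg --list-secret-keys --with-colons --fixed-list-mode | expired_keys "$(date +%s)"
printf '%s\n' "$SAMPLE_LISTING" | expired_keys "$(date +%s)"
```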
