[SOLVED] gnupg updates: cannot sign git commits: "signing failed: No secret key"

murdo · 03-07-2024, 05:37 AM

After yesterday's gnupg updates, I can no longer sign my git commits. When I try to make a commit, I get the following output:

Code:

error: gpg failed to sign the data:
gpg: skipped " [ removed in case of sensitivity ] ": No secret key
[GNUPG:] INV_SGNR 9 [ removed in case of sensitivity ]
[GNUPG:] FAILURE sign 17
gpg: signing failed: No secret key

fatal: failed to write commit object

And the commit doesn't go through. Trying gpg --list-keys and gpg2 --list-keys suggests I now have no keys. Did the update erase them?

chrisretusn · 03-07-2024, 07:04 AM

All keys under both my user and root accounts are still present.

murdo · 03-07-2024, 07:18 AM

I didn't think about checking root keys. They all seem to be there, although I think they're all the keys for my slackpkgplus repositories. Looking in ~/.gnupg for my user, pubring.gpg and secring.gpg both still exist, last modified in late 2022, but for some reason gpg doesn't seem to find them?

paolo27957 · 03-07-2024, 07:53 AM

I had a problem with gpg during the update which stopped generating an error. Looking at the ChangeLog.txt I saw that gpg has been renamed to gpg1 and that /usr/bin/gpg is now a link to the new /usr/bin/gpg2. It was enough for me to manually create this link for everything to work again

murdo · 03-07-2024, 08:00 AM

Ah, I solved it. If I run gpg1 --list-keys it finds the keys. Does anyone know if there's a way I can set up gpg2 to find them? /usr/bin/gpg is already a link to /usr/bin/gpg2 on my system; running either finds none of the keys that gpg1 finds.

In the meantime, I was able to solve the git commit issue by setting:

Code:

git config --global gpg.program "/usr/bin/gpg1"

GazL · 03-07-2024, 08:32 AM

Both gpg1 and gpg2 share the same public keyring (~/.gnupg/pubring.gpg). Both gpg1 --list-keys and gpg2 --list-keys should show the same public keys.

However, from gnupg 2.1 onwards, storage of private keys were moved to individual files in ~/.gnupg/private-keys-v1.d/ rather than ~/.gnupg/secring.gpg.

if you run gpg1 --list-secret-keys or gpg2 --list-secret-keys you'll possibly get different results.

Now, the first time you run gpg2 it'll check for the existence of a file ~/.gnupg/.gpg-v21-migrated, if that file doesn't exist it will copy all the secret keys in secring.gpg into the private-keys-v1.d/ directory and create that file. gpg2 will use this new directory from now on. Now, the awkward bit is that gpg1 will continue to use the old copy in secring.gpg and as this 'migration' is a one time only event, any key changes you make with one version or the other will cause them to diverge.

This is why I suggest using one version or the other and never both.

Theoretically removing the .gnupg-v21-migrated checkfile should allow one to force a re-migration, but you'll likely lose any changes made with gpgv2 and it might be better just exporting and reimporting your keys manually.

murdo · 03-07-2024, 08:43 AM

Looks like that was the problem; the .gpg-v21-migrated file existed but nothing had been migrated into private-keys-v1.d. I hadn't made any changes with gpg2, so I removed that file and the re-migration worked. Thanks for the help!

jayjwa · 03-07-2024, 12:13 PM

Is there any real reason to have both gpg2 and gpg1 around? I only use gpg2 and am thinking of uninstalling gpg1.

dr.s · 03-07-2024, 12:27 PM

Quote:

Originally Posted by paolo27957

I had a problem with gpg during the update which stopped generating an error. Looking at the ChangeLog.txt I saw that gpg has been renamed to gpg1 and that /usr/bin/gpg is now a link to the new /usr/bin/gpg2. It was enough for me to manually create this link for everything to work again

Update doesn't seem to create the symlink.

Quote:

Wed Mar 6 21:30:27 UTC 2024
...
n/gnupg-1.4.23-x86_64-6.txz: Rebuilt.
Renamed binaries and manpages to end in 1, and renamed internally to gnupg1.
Thanks to Lockywolf.
n/gnupg2-2.4.4-x86_64-2.txz: Rebuilt.
Make a gpg -> gpg2 symlink if it doesn't exist. Thanks to Lockywolf.

GazL · 03-07-2024, 01:32 PM

Quote:

Originally Posted by jayjwa

Is there any real reason to have both gpg2 and gpg1 around? I only use gpg2 and am thinking of uninstalling gpg1.

Not really no.

gouttegd · 03-07-2024, 02:44 PM

Quote:

Originally Posted by jayjwa

Is there any real reason to have both gpg2 and gpg1 around? I only use gpg2 and am thinking of uninstalling gpg1.

About the only reason I can think of is if you still need to decrypt (very) old files or emails, that were encrypted to (very) old keys that GnuPG2 does not support anymore.

When I say “(very) old keys”, I mean the kind of keys produced by PGP 2.x, in the middle of the 90s.

If you do have such files or emails around, the best thing to do would be to use gpg1 once to decrypt them, and then re-encrypt them with a modern key.

SkyeDixon · 04-08-2024, 04:14 AM

I am facing some problems. Can I ask a question? Is there anyone who can help me complete my thesis? But I have found the answer to this; it is a website called Academicized. They are a writing help https://academized.com/pay-for-thesis website. They help us with our writing work. I have used them to write my thesis; they helped me so well, and the price was also very affordable. If you also need someone whom you can pay for your thesis, you can get their help.

murdo · 04-08-2024, 02:32 PM

Quote:

Originally Posted by SkyeDixon

I am facing some problems, can I ask a question?

There's never anything wrong with asking a question, it's one of the things forums are for. :-)

If your issue isn't exactly the same as this one, though, you might find more interaction by starting a new thread; I imagine people are less inclined to click on one marked 'solved'.