Git error - gpg failed to sign data

For troubleshooting, two things to first try:

• run git config --global gpg.program gpg2, to make sure git uses gpg2 and not gpg
• run echo "test" | gpg2 --clearsign, to make sure gpg2 itself is working

If that all looks all right, one next thing to try:

• run brew install pinentry to ensure you have a good tool installed for passphrase entry

If after that install and you re-try git commit and still get the "failed to sign the data" error:

• run gpgconf --kill gpg-agent to kill any running agent that might be hung

If that says gpgconf isn’t installed or doesn’t have a --kill option, you might try this:

1. cp ~/.gnupg ~/.gnupg-GOOD to save a copy of your ~/.gnupg to revert to later if needed
2. brew install gnupg21 to install GnuPG 2.1

The reason for saving a copy of your ~/.gnupg dir is that GnuPG 2.1 potentially creates/changes some key data in way that isn’t backward-compatible with GnuPG 2.0 and earlier, so if you want to go back later, you can do mv ~/.gnupg ~/.gnupg21 && mv ~/.gnupg-GOOD ~/.gnupg.

Otherwise there are some basic steps to run to check you’ve got a working GnuPG environment:

• run gpg2 -K --keyid-format SHORT, to check that you have at least one key pair

If the output of that shows you have no secret key for GnuPG to use, then you need to create one:

• run gpg2 --gen-key, to have GnuPG walk you through the steps for creating a key pair

If you get an error message saying “Inappropriate ioctl for device”, do this:

• run export GPG_TTY=$(tty) and/or add that to your ~/.bashrc or ˜/.bash_profile

Git needs to know which key it is signing with.

After you have setup GPG, gpg-agent, and your gpg.conf files (see this guide), you need to run

git config --global user.signingKey EB11C755

Obviously, replace the public key at the end with your own. If you want every commit to be signed by default, use

git config --global commit.gpgsign true

$ gpg2 -K --keyid-format SHORT          # <-- Shows your keys, e.g.:
/home/<username>/.gnupg/pubring.kbx
-------------------------------
sec   rsa4096/0754B01E 2019-02-02 [SCA]             <--secret key
      C396BF3771782D7691B0641145E11B080754B01E
uid         [ultimate] John Doe <[email protected]>
ssb   rsa4096/A20AB8EC 2019-02-02 [E]               <--public key

sec   rsa4096/25C504D5 2019-02-02 [SCA] [revoked: 2020-06-01]
      08BFF49B9E07E4B4B0C4946B645B6C1425C504D5
uid         [ revoked] John Doe <[email protected]>
uid         [ revoked] [jpeg image of size 2670]

Where A20AB8EC is the key ID you're looking for from this example.

Somehow your git is configured to GPG sign every commit. Signing with GPG isn't required to commit or push using git. It's likely giving the error because your gpg signing mechanism isn't configured yet.

If you're new to git, try to get it working first without GPG signing at first, then add signing in later if you really need it.

You can verify how your git is configured with regards to gpg by doing:

git config -l | grep gpg

Which may produce zero or more lines, including:

commit.gpgsign=true

If "commit.gpgsign" is true, then you have gpg signing enabled. Disable it with:

git config --global --unset commit.gpgsign

Then try to run your commit again. It should now run without gpg signing. After you get the basic git working, then you should try adding gpg signing back to the mix.

Refer to @sideshowbarker, and @Xavier Ho solution, I solved my problem via following steps.

Assume gpg2 installed by brew,

git config --global gpg.program gpg2
brew install pinentry
gpgconf --kill gpg-agent
gpg2 -K --keyid-format SHORT
// no key found then generate new one
gpg2 --gen-key

gpg2 -K --keyid-format SHORT 

           

.../.gnupg/pubring.gpg

sec rsa2048/0A61C6FC 2017-06-29 [SC] [expires: 2019-06-29]

git config --global user.signingkey 0A61C6FC

Reminded by my colleague, need to append

export GPG_TTY=$(tty)

to ~/.zshrc if using zsh, else append to ~/.bash_profile

For macOS,

the gpg2 is combined with gpg in brew and hence the gpg command is pointed to gpg2

brew install gpg2

brew info gpg

gnupg: stable 2.2.6 (bottled)

git config --global gpg.program gpg
gpg -K --keyid-format SHORT 

and there has pinentry-mac for passphrase entry

brew install pinentry-mac
vim ~/.gnupg/gpg-agent.conf

Add line

pinentry-program /usr/local/bin/pinentry-mac

Reminded by my colleague, need to append

export GPG_TTY=$(tty)

to ~/.zshrc if using zsh, else append to ~/.bash_profile

I am using it. It has support for zsh and works on Windows Subsystem for Linux:

export GPG_TTY=$(tty)

Other users have confirmed that above is the only change required for MacOS (e.g. Catalina 10.15.7). For Macs add above to ~/.zshrc.

Check for your key to be expired. Once you fix the expiration date (no need to create a new key unless you want to), git will work as normal.

One way to fix the expired key:

(Note: $ represents command line prompt, type the commands after the prompt; press Enter after each command)

$ gpg2 --list-keys to find the appropriate key id (characters after \ on pub line)

$ gpg2 --edit-key <key id> - this opens the gpg shell, with prompt changed to gpg>

gpg> expire - follow instructions to set new expiration date for primary key

Next, if there are subkeys that are expired (sub shows on the line), reset their expiration dates, too:

gpg> key 1 - selects first subkey
gpg> expire - follow instructions to set new expiration date for subkey

Repeat for each subsequent subkey, as needed.

Solution:

Issue: Disabled loopback pinentry mode

To solve the problem, you need to enable loopback pinentry mode in ~/.gnupg/gpg.conf:

cat <<'EOF' >> ~/.gnupg/gpg.conf

use-agent 
pinentry-mode loopback

EOF

And also in ~/.gnupg/gpg-agent.conf (create the file if it doesn't already exist):

cat <<'EOF' >> ~/.gnupg/gpg-agent.conf

allow-loopback-pinentry

EOF

Then restart the agent with echo RELOADAGENT | gpg-connect-agent and you should be good to go!

Source

I had to fix the gpg.program to the absolute path to gpg:

git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"

I am using Windows with cygwin.

This worked for me on ubuntu 18.04

Check your gpg key

gpg -K --keyid-format LONG

if you get a blank response ,generate a GPG key

gpg --generate-key

rerun the first command, you should get an output as:

sec   rsa3072/95A854E0593B3214 2019-05-06 [SC] [expires: 2021-05-05]
      AF2F7514568DC26B0EB97B9595A854E0593B74D8
uid                 [ultimate] yourname<your_email>
ssb   rsa3072/EFD326E6C611117C 2019-05-06 [E] [expires: 2021-05-05]

set git signing key

git config --global user.signingkey 95A854E0593B3214

then you are good to go! (--global is optional)

Alternatively if you don't mind signing with your ssh key

git config commit.gpgsign false

note that this is not recommended due to a security issue according to this question here and here

I experienced this problem after upgrading to gnupg 2.x. It would seen that gpg2 is referencing keys differently: I still had signingkey = ABC98F11 (gpg v1 setting) in my ~/.gitconfig. The key identifiers for gpg2 are longer. Look them up with gpg --list-secret-keys

This error can also occur when your GPG key has expired. Generating a new key and adding it to Git should resolve this.

If you had your pinentry and gpg setup up before, and it stopped working out of nowhere:

Check if your gpg works:

echo "test" | gpg --clearsign

If it says gpg: signing failed: No pinentry, just restart the gpg daemon client, which gets stuck from time to time:

gpgconf --kill gpg-agent

Now it should be working:

echo "test" | gpg --clearsign

If it used to work and just stated failing, kill the agent and try again:

gpgconf --kill gpg-agent

Check if the agent is up again:

echo "test" | gpg --clearsign

For me this error started to occur with git tag -s on Debian GNU/Linux when I switched from pinentry-gnome3 to pinentry-curses (using update-alternatives --config pinentry) for easier remote access. It only occurred with git tag -s, not with gpg (e.g. gpg --clearsign) itself.

The sole change necessary to get it working again in this case was to add export GPG_TTY=$(tty) to my shell startup files.

I though didn't get the “Inappropriate ioctl for device” error message mentioned as indicator for this fix in another answer to this question.

Note: Since the cause for getting this error was a completely different one than for those who suggested export GPG_TTY=$(tty) before (usually as a side hint) in other answers to this question, I decided this question needs another answer which mentions that export GPG_TTY=$(tty) may be the main fix and sole thing necessary in some cases.

In my case, this error occurred when running git commit on a small tmux window that was not able to fit the passphrase prompt.

$ echo "test" | gpg --clearsign
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

test
gpg: signing failed: Screen or window too small
gpg: [stdin]: clear-sign failed: Screen or window too small

I had made a git key with 3 separate keys for certify / sign / encrypt & the key showed as expired in the future (after working fine for a few days):

pub   rsa4096/4CD1E9DA 2017-04-26 [C] [expired: 2017-04-28]
      Key fingerprint = 4670 59C1 7592 08B8 7FA5  313B 2A42 B6A6 4CD1 E9DA
uid         [ expired] Stuart Cardall (GIT Development Keys) <xxxxxx>
sub   rsa4096/5195E715 2017-04-26 [E] [expired: 2019-04-26]
sub   rsa4096/DB74C297 2017-04-26 [S] [expired: 2019-04-26]
sub   rsa2048/A3913A3C 2017-04-28 [] [expired: never     ]

made a new key without adding separate subkeys to solve the problem.

What solved it for me was making sure the key's name matched my git user name. I assume the emails have to match too. This might have to do with me using GPG KeyChain on my Mac. Not sure.

I thought I was naming the key when I filled this out, but I guess it was asking for my name (git user name).

I had this error on macos - to try and troubleshoot I tried listing keys to see if they had expired using gpg2 --list-keys - I verified that the keys had not expired and that the proper key were set in my config using git config --global user.signingkey.

After I had run those commands I was suddenly able to do signed commits again without problems. I did not change my config files or keys - I did not even create a fresh Terminal instance. It just seemed like the gpg2 was somehow in a weird state on my mac.

May be your Git config was set gpgsign = true. Try to set it to false if you dont want asign your commits. Go to your repository folder and change the file

nano .git/config

From this...

[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
[remote "origin"]
    url = [email protected]:yourrepo/project.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master
[user]
    signingkey = <GPG-KEY>
[commit]
    gpgsign = true

To this...

[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
[remote "origin"]
    url = [email protected]:yourrepo/project.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master
[user]
    signingkey = <GPG-KEY>
[commit]
    gpgsign = false

I solved the problem installing brew install gpg2 then doing git config --global gpg.program gpg2

Same error can also be caused when you have expired key in your git config.

Please check the content of cat .git/config and look for signingkey value and check if it is expired. If yes update it with the new one.

If you are using smart card/yubikey to store your GPG key and you set the signkey of git config by the key stored in the card (and all the answer above seem not to resolve your issue), your blocked PIN of the card might be the root cause of this issue.

To check the blocked PIN:

gpg --card-status

If the counter is similar to

Reader ...........: Yubico YubiKey
PIN retry counter : 3 0 3

Then your PIN is blocked (after 3 unsuccessful tries).

To unblock the PIN:

gpg --card-edit
gpg/card> admin
Admin commands are allowed

gpg/card> passwd
gpg: OpenPGP card no. … detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 2
PIN unblocked and new PIN set.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? q

For me a simple brew unintstall gnupg && brew cask reinstall gpg-suite solves the issue.

It uninstalls the (in my case) manually homebrew-istalled gpg and reinstalls the whole GPG Suite.

In my case, I had mixed gpg configuration and smimesign configuration given in the commit signing documentation here: https://help.github.com/en/github/authenticating-to-github/telling-git-about-your-signing-key

After working on it for hours, I found the best way to correct it was unset everything related to gpg, and reconfiguring gpg.

As mentioned in @Jason Thrasher's answer, find all the git config related to gpg using:

git config -l | grep gpg

Then unset everything golablly as well as locally using:

git config --global --unset <config_name>
git config --local --unset <config_name>

Then reconfigure following the official documentation given above. Hope this helps.

In my case, I had to match the name stored in GitHub settings to the name and comment of the key.

So if gpg --list-keys returns uid [ultimate] Joe Blogs (fancy comment) <[email protected]> your name in .gitconfig should be Joe Blogs (fancy comment).

Initially, I had my name set as Joe Blogs and GPG would not find my key and show the "no secret key" error in strace. Unfortunately, that error didn't appear without strace and one would get the generic

error: gpg failed to sign the data
fatal: failed to write commit object

For my Linux system with a GUI and gpg 2.2.19, neither killing gpg-agent (which starts itself again), unsetting $DISPLAY or setting $GPG_TTY worked for me because it was trying to use pinentry-gnome to ask for the password from the console. And my key had not expired.

From a SuperUser answer for a similar question, How to force GPG to use console-mode pinentry to prompt for passwords?, the problem can also occur if your system has a GUI such as GNOME, and your package manager is configured to use a GUI pinentry program, which is the reason why it’s hanging.

I had to switch to pinentry-tty to get GPG to sign messages again. On Ubuntu, this can be done using steps from the link which I will quote here:

sudo apt install pinentry-tty
sudo update-alternatives --config pinentry

The second command will show you a list of pinentry programs and ask you to type a number to select one, so type the one corresponding to pinentry-tty, and then without any additional effort, signing messages (and git commits) should work again.

I had this issue on both linux/windows platforms and in my case I just needed to pay more careful attention to the output. This was mind-boggling because I could use the same setup to sign commits in other repos.

git commit -m "test signing"
gpg: skipped "***63231079***": No secret key
gpg: signing failed: No secret key
error: gpg failed to sign the data
fatal: failed to write commit object

I added emphasis on the "skipped" line. Please note that sometimes when you clone a repo they had a key assigned: this issue had me so befuddled that I nuked the forked repo I had access to and re-forked on github. Then because I was thinking "global config" I never thought to look at the local repo config, and when I did I noticed this:

[user]
    signingkey = 63231079

Well, of course it wouldn't work nimrod, git defaults to local settings first so that's why your key never picked up. I set the pointer via git config and It's worked ever since.

What is gpg: GNU Privacy Guard

usage:

GPG is an excellent method to ensure secure communication between two parties. It allows sensitive information to be easily shared across an insecure network.

Simple solution:

Step1: check if the key is expired please do

gpg -K --keyid-format SHORT

Step2: In case its not expired

git config --global user.signingkey

Use GIT_TRACE=1 to see where Git failed then check all custom configurations used by Git and where they are defined then override according to your need with :

GIT_TRACE=1 git commit -S -m "this will tell you wich intern git command failed"

git config --list --show-scope --show-origin

For me I had the error: gpg failed to sign the data and fatal: failed to write commit object because Git was using smimesign by default for some reason, even if I unset gpg.x509.program key, and smimesign couldn't find my key.

So I had to explicitly tell Git to use gpg instead :

git config --local gpg.x509.program gpg

I had this issue just now when VSCode updated. I figured the GPG agent was hanging, as the command took a good few seconds to run before erroring out. Running gpgconf --kill gpg-agent reset that and fixed it for me.